Most of the SMEs we look after have more people working outside the office on any given day than inside it. The estate that serves them, though, was usually designed the other way round: a VPN (virtual private network, the encrypted tunnel that drops a remote laptop onto the office network) bolted on as the way home workers “get in”. It worked when remote access was the exception, but it creaks now that it’s the norm, and the cracks are the kind that show up in a cyber-insurance claim rather than a help-desk ticket.

We’ve spent the last two years moving clients off that model, and the destination is clearer than the marketing makes it sound. Here’s where SMEs are actually landing.

What the VPN got wrong

The classic SME VPN gives a remote device a route onto the internal network, and once it’s on, it’s largely trusted, which is the problem in one sentence. A laptop on the sofa, on a home network shared with a teenager’s games console and a smart doorbell, gets dropped into the same trust zone as a machine in the server cupboard.

Three failure patterns recur. The credentials get phished, and the VPN happily admits whoever holds them. The device itself is out of date, or someone’s personal machine, and the tunnel doesn’t care. And the access is all-or-nothing: once you’re in, lateral movement across the network is wide open, which is exactly the path ransomware takes.

None of this means VPNs are useless. For a site-to-site link between two offices, they’re still the right tool. For “how do my people reach their work from home”, they’ve been overtaken.

Where SMEs are landing instead

The replacement is a small set of capabilities that most SMEs already half-own through the Microsoft or Google licences they pay for, switched on properly. It isn’t a single product, whatever the vendors say.

Identity-aware access. The decision about whether someone gets to an application is made at sign-in, based on who they are, what device they’re on, and where they are, not on whether they’ve reached the network. In the Microsoft world this is Conditional Access (the Entra ID policy engine that gates each sign-in); in the Google world, the equivalent context-aware controls do the same job. The application checks the person, every time, instead of the network vouching for them once.

Apps published directly, not a network dropped onto the device. Where there’s a genuinely internal system (a line-of-business app, an on-prem server), it gets published to the specific people who need it through an access proxy, rather than handing the whole laptop a network route. This is the ZTNA idea (zero-trust network access, the model where you reach one named application rather than “the network”). The blast radius of a compromised laptop shrinks from the whole estate to one app.

Device posture as a condition. Access is allowed only from a device the business actually knows: enrolled, encrypted, patched, running its security tooling. An unmanaged personal machine can be allowed a cut-down web-only path, or refused, on purpose rather than by accident.

What this looks like for a 30-person firm

Concretely, for a typical SME we’d expect: MFA (multi-factor authentication) on every account, no exceptions for directors; Conditional Access policies that require a managed, compliant device for anything sensitive; the two or three genuinely internal apps published through a proxy instead of a blanket VPN; and the old VPN concentrator retired or cut back to site-to-site only.

The licensing usually already covers most of it. The work is in the design and the rollout, not the purchase, which is the opposite of how it’s often sold.

The migration nobody regrets

The order matters. Turn on MFA and device compliance first, while the VPN still runs, so nobody’s locked out mid-transition. Publish the internal apps one at a time and watch who actually uses them, which is always fewer systems than the original VPN exposed. Then retire the tunnel for user access once the dashboards show everyone’s coming in the new way.
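One way to express the “MFA plus compliant device” rule from the 30-person-firm section, switched on in report-only mode as the first step of the migration above. This is an added example using the Microsoft Graph PowerShell SDK, not JMO|Partners’ own script; the break-glass account ID is a placeholder you must replace.

```powershell
# Added example (not the page's or JMO|Partners' own tooling): a Conditional Access
# policy created through the Microsoft Graph PowerShell SDK. It requires MFA AND a
# compliant (enrolled, encrypted, patched) device for all users and all cloud apps,
# and starts in report-only mode so sign-ins are evaluated and logged but not
# blocked while the old VPN is still running.
# Assumed placeholder: the object ID of the emergency-access (break-glass) account,
# which should be excluded from every tenant-wide policy so an over-tight rule
# can never lock out the admins who need to fix it.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# PLACEHOLDER: replace with the real break-glass account's object ID
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require MFA and compliant device - all users, all apps (report-only)"
    # Report-only first; change to "enabled" once the sign-in logs show nobody
    # legitimate would have been blocked.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # AND means both controls must be satisfied; OR would let MFA alone
        # admit an unmanaged personal laptop, which is the VPN problem again.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Review the report-only results in the Entra sign-in logs for a week or two before flipping the state to enabled, then retire the user VPN.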

That sequencing is the difference between a weekend of firefighting and a fortnight nobody notices. We’ve done it both ways in the past, and the calm version is worth the planning.

That’s our Security Solutions practice. We design the access model, switch on what your licences already include, and run the migration so nobody loses access on the Monday.

The VPN made sense when the office was the centre of gravity. For most SMEs it isn’t any more, and the access model is usually the last part of the estate to catch up.
Still routing your home workers through an office VPN and wondering what’s next? Drop us a note at info@jmopartners.co.uk. One of us will read it.

JMO|Partners · Enterprise IT, sized for SMEs.