When a Donegal-based professional services firm suffered a ransomware attack in 2024, the forensic investigation traced the entry point to an exposed VPN server running software that had not been updated in eight months. The attacker had used a publicly known vulnerability to authenticate without valid credentials, then moved laterally through the network over three days before deploying the ransomware payload. The entire internal network was accessible once the VPN was compromised — because that is how VPNs work. Once you are in, you are in.
The attack was not sophisticated. The vulnerability had been patched months earlier. The firm had simply not applied the update. But the architecture of the VPN — its fundamental design assumption that authenticated users can access the whole network — is what turned a single entry point into a full breach.
The Problem with How VPNs Work
A VPN creates an encrypted tunnel between a remote device and your internal network. Once a user authenticates, they are logically inside your network and can typically reach everything that network contains — file servers, internal applications, finance systems, and anything else that does not have additional access controls in front of it. This "all or nothing" model made sense in 2005, when your entire digital infrastructure lived on-premises and your staff worked from the office. It is significantly less appropriate for 2026.
The NCSC Ireland specifically lists exposed or poorly secured remote access services — including VPNs — as one of the primary initial access techniques used by attackers against Irish organisations.[^1] The attack against the Donegal firm followed a pattern the NCSC has documented repeatedly: discover the VPN, find a vulnerability or use stolen credentials, authenticate, then move laterally at leisure. When the VPN is the only barrier between an attacker and your entire network, the risk is concentrated at a single point.
What Zero Trust Network Access Does Differently
Zero Trust Network Access (ZTNA) operates on a fundamentally different principle: never trust, always verify. Instead of placing a user inside the network perimeter and trusting them to access only what they should, ZTNA grants access only to the specific application or resource a user needs, after verifying both their identity and their device health, on a per-session basis.
In practical terms, this means a staff member using ZTNA to access your accounting software cannot see your file server, your HR system, or any other internal resource they have not been explicitly granted access to. The network itself is not exposed — only the specific application the user is authorised to reach. If their credentials are stolen or their device is compromised, the blast radius is limited to what that user was entitled to access, not everything on the network.
ZTNA also adds continuous verification: access can be revoked automatically if a device becomes non-compliant — missing an update, antivirus disabled, logging in from an unusual location at an unusual time. This is access control that responds to context rather than treating authentication as a one-time gate.
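The difference between the two models can be made concrete with a small simulation. This is an added example, not code from any ZTNA product; the resource names, users and `Session` fields are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, replace

# Constructed inventory: internal resources and who is entitled to which.
RESOURCES = {"accounting", "file-server", "hr-system", "finance-db"}
ENTITLEMENTS = {"aoife": {"accounting"}, "contractor": {"file-server"}}

@dataclass(frozen=True)
class Session:
    user: str
    identity_verified: bool   # credentials (stolen ones included) were accepted
    device_patched: bool
    antivirus_on: bool
    usual_context: bool       # expected location and time of day

def vpn_reachable(s: Session) -> set:
    """VPN model: one check at the perimeter, then the whole network."""
    return set(RESOURCES) if s.identity_verified else set()

def ztna_allows(s: Session, app: str) -> bool:
    """ZTNA model: identity, device health and entitlement, checked per request."""
    device_ok = s.device_patched and s.antivirus_on and s.usual_context
    return s.identity_verified and device_ok and app in ENTITLEMENTS.get(s.user, set())

def ztna_reachable(s: Session) -> set:
    return {app for app in RESOURCES if ztna_allows(s, app)}

def blast_radius(s: Session) -> dict:
    """Number of resources exposed if this session is in an attacker's hands."""
    return {"vpn": len(vpn_reachable(s)), "ztna": len(ztna_reachable(s))}

# Aoife's normal session, the same session after her antivirus is disabled,
# and her stolen credentials replayed from an unmanaged device.
healthy = Session("aoife", True, True, True, True)
av_off = replace(healthy, antivirus_on=False)
stolen = Session("aoife", True, False, False, False)

if __name__ == "__main__":
    for name, s in [("healthy", healthy), ("av_off", av_off), ("stolen", stolen)]:
        print(name, blast_radius(s), sorted(ztna_reachable(s)))
```

Because `ztna_allows` is evaluated on every request, the `av_off` session loses access without anyone having to revoke it by hand.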
When a VPN Is Still Appropriate
VPNs are not inherently outdated for all use cases. For a small business with a simple on-premises setup, a well-configured VPN with MFA enforced, updated regularly, and restricted to specific users and systems can be adequate and proportionate. The key word is "well-configured." An Garda Síochána's National Cyber Crime Bureau consistently sees VPN-related incidents where the underlying security was simply not maintained — no MFA, unpatched software, default credentials still in place.[^2]
If you have a VPN, ensure it has MFA enabled for every user without exception, that updates are applied within 14 days of release, that only named users are permitted VPN access, and that your logging is sufficient to detect unusual access patterns. These four controls address the majority of VPN-based attacks seen in Ireland.
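One way to turn these four controls into a repeatable check is sketched below. It is an added example, not a vendor tool: the inventory layout, the `LOG_FIELDS` minimum, the working-hours window and all sample data are assumptions constructed for illustration, and only the 14-day threshold comes from the text.

```python
from datetime import date, datetime

PATCH_WINDOW_DAYS = 14                                # threshold stated in the text
LOG_FIELDS = {"time", "user", "country", "result"}    # assumed minimum for detection

def audit_vpn(cfg, log, today):
    """Check the four controls; return {control: [problems]}, empty list = pass."""
    report = {"mfa": [], "patching": [], "named_users": [], "logging": []}
    for user, attrs in cfg["vpn_users"].items():
        if not attrs["mfa"]:
            report["mfa"].append(user)
        if user not in cfg["named_staff"]:            # shared or generic account
            report["named_users"].append(user)
    for patch in cfg["patches"]:
        # Unapplied patches are aged against today, applied ones against install date.
        age = ((patch["applied"] or today) - patch["released"]).days
        if age > PATCH_WINDOW_DAYS:
            report["patching"].append(patch["id"])
    for n, event in enumerate(log):
        missing = LOG_FIELDS - set(event)
        if missing:
            report["logging"].append(f"event {n} missing {sorted(missing)}")
    return report

def unusual_logins(log, home_country="IE", work_hours=range(7, 20)):
    """Successful logins from outside the usual country or working hours."""
    return [e for e in log
            if LOG_FIELDS <= set(e) and e["result"] == "success"
            and (e["country"] != home_country or e["time"].hour not in work_hours)]

# Constructed sample data, not taken from any real system.
CFG = {
    "named_staff": {"aoife", "sean"},
    "vpn_users": {"aoife": {"mfa": True}, "sean": {"mfa": False}, "admin": {"mfa": False}},
    "patches": [
        {"id": "PATCH-A", "released": date(2026, 1, 5), "applied": date(2026, 1, 12)},
        {"id": "PATCH-B", "released": date(2026, 2, 2), "applied": None},
    ],
}
LOG = [
    {"time": datetime(2026, 3, 2, 9, 15), "user": "aoife", "country": "IE", "result": "success"},
    {"time": datetime(2026, 3, 3, 3, 40), "user": "sean", "country": "IE", "result": "success"},
    {"time": datetime(2026, 3, 3, 11, 5), "user": "admin", "result": "success"},
]

if __name__ == "__main__":
    print(audit_vpn(CFG, LOG, today=date(2026, 3, 4)))
    print([e["user"] for e in unusual_logins(LOG)])
```

The third log event shows why the logging control matters: without a source country recorded, the unusual-access check cannot evaluate that login at all.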
For businesses with a mix of on-premises systems and cloud services, a hybrid approach often makes sense: ZTNA for cloud application access, a tighter VPN for specific on-premises resources that cannot yet be moved to an application-level access model. The transition from VPN to ZTNA does not have to be immediate or total.
When ZTNA Is the Better Choice
ZTNA is particularly valuable when your team works remotely across multiple locations, when you have significant cloud application usage, when you need to grant access to contractors or partners without exposing your whole network, or when you have already experienced a remote access security incident and need to reduce the blast radius of any future compromise.
The Data Protection Commission expects businesses handling personal data to implement appropriate technical measures proportionate to the risk.[^3] For a business where remote access to personal data is routine — healthcare, financial services, HR, legal — the granular access controls of ZTNA represent a more robust technical measure than a VPN that exposes the entire dataset to anyone who authenticates.
The cost of business-grade ZTNA solutions has come down significantly. Cloud-based ZTNA services from providers including Cloudflare, Zscaler, and Microsoft (through Entra Private Access) are now accessible for Irish SMEs at a per-user monthly cost that is comparable to a quality VPN solution.
The VPN problem is not the technology — it is the assumption that authentication at the perimeter is sufficient. ZTNA removes that assumption entirely.
What to Do Next
Three actions for Irish SMEs reviewing their remote access security:
Audit your current VPN posture. Check whether MFA is enforced for every user, when the VPN software was last updated, and what access an authenticated session actually grants. If the answer to any of these questions concerns you, address it before considering a replacement.
Map which applications your remote staff actually need. A ZTNA migration starts with understanding the real usage pattern — which people need access to which specific systems. This inventory is valuable regardless of which remote access technology you use.
Ask your IT provider about ZTNA options. Most major cloud platforms have ZTNA capabilities built in or available as add-ons. Microsoft Entra Private Access, for example, is available to Microsoft 365 Business Premium subscribers at no additional licence cost. Understanding what is already included in your existing platform is a useful starting point.
[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.