Why VPNs Are No Longer Enough for Organizations
At Good Heart Technology, we help many nonprofits secure their systems. We still see breaches that modern practices could have prevented. The old VPN-plus-firewall playbook is cracking, and recent incidents make that obvious.
What's Changed: Recent Incidents That Show the Risks
SonicWall Cloud Backup Breach
In September 2025, SonicWall disclosed that hackers accessed cloud backup firewall configuration files for "fewer than 5%" of its firewall install base. These backups included encrypted credentials plus other configuration details that can help attackers understand how a firewall is set up, what ports are open, and which services run. That gives attackers a roadmap. SonicWall is urging customers to reset all passwords and tokens, and to disable WAN (internet) access for admin services like HTTP, HTTPS, SSH, and VPNs until they can ensure their configs are safe.
Other VPN / Firewall Vulnerabilities
A long-exposed flaw in SonicWall's SSLVPN appliances has been actively exploited by the Akira ransomware group. Even vulnerabilities for which a patch already exists remain risky, because many organizations are slow to apply updates. Exposed firewall ports and VPN endpoints continue to be the top attack vectors for ransomware, brute force attacks, and credential stuffing.
Why VPNs + Open Firewalls Are Now So Risky for Organizations
Here's why relying on VPNs and open firewall ports to enable remote access is no longer sustainable:
Exposed attack surface: To allow remote access, organizations must open firewall ports (e.g., for VPNs, RDP, SSH, or admin consoles). Each open port is a direct invitation for attackers.
AI-assisted scanning: Attackers use automated tools (often AI-assisted) to find open ports, match known vulnerabilities, and try exploits. What used to take months can take minutes.
Configuration leaks: Cloud-based firewall backups, like those recently breached at SonicWall, make it easier for attackers to understand exactly what's exposed.
Cyber insurance response: Insurance providers increasingly consider exposed ports uninsurable. If your infrastructure is wide open, you may lose coverage altogether.
Why Nonprofits Are Especially at Risk
Nonprofits are often more vulnerable than large enterprises because they typically have:
Smaller IT teams (or none at all): Limited staff to apply patches, monitor threats, or respond to incidents.
Tighter budgets: Expensive enterprise-grade security solutions may be out of reach.
Less visibility: Many nonprofits don't even realize their firewall or VPN is exposed until after an incident.
Even with these limits, modern security practices matter. Any open port on the public internet will get scanned; it's a question of when, not if. Affordable, nonprofit-friendly options do exist.
Clarifying the Context: Organization vs. Individual VPN Use
It's important to separate two very different uses of VPNs:
VPNs for organizations (remote access): Firewalls and VPN appliances often expose ports on public IPs so staff can connect. Those exposed ports are the weak point we're warning about.
VPNs for individuals (privacy): Personal VPNs still help people on public Wi-Fi and add a layer of browsing privacy. They don't secure an org's servers by themselves, but they help individual users stay safer online.
In short: VPNs are still useful for privacy, but not safe as the sole remote access solution for organizations.
What to Do Instead: Move Toward Zero Trust
Zero Trust is built around one principle: never trust, always verify. Instead of treating anyone who has connected to the VPN as trusted, each access request is granted only when identity, device, and context all check out.
For nonprofits, here are two solutions we recommend:
Cloudflare Zero Trust (Cloudflare Access)
Protects apps and services without exposing them to the public internet.
Enforces identity verification, MFA, and granular access controls.
Free plans exist, with advanced features available at nonprofit-friendly pricing.
Tailscale
Builds secure, encrypted connections between devices using WireGuard.
Lets you expose services to staff without opening firewall ports.
Has a free tier that works well for small teams.
Both options reduce the attack surface, eliminate the need for open ports, and are easier to manage than traditional VPNs.
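As an added illustration (not configuration from this post or from Tailscale's own documentation), here is what "granular access" looks like in practice for the Tailscale option above: a tailnet access policy (Tailscale's HuJSON policy file, which permits comments) that lets staff reach only the service they need, while the broad default rule is left in a comment for comparison. The user names, group names, and tag names are assumed for the example.

```json
{
  // Constructed example users; in a real tailnet these are the identities
  // from your identity provider.
  "groups": {
    "group:staff": ["alice@example.org", "bob@example.org"],
    "group:it":    ["carol@example.org"]
  },

  // Only the IT group may apply the "fileserver" tag to a machine,
  // so staff cannot re-tag their own devices into the server role.
  "tagOwners": {
    "tag:fileserver": ["group:it"]
  },

  // The permissive default policy that a new tailnet ships with would be:
  //   {"action": "accept", "src": ["*"], "dst": ["*:*"]}
  // That lets every device reach every port on every other device, which
  // only moves the "open port" problem inside the overlay network.
  // The rules below replace it with least privilege: no inbound firewall
  // port is opened on the office router, and inside the tailnet each group
  // can reach only the ports it actually needs.
  "acls": [
    // Staff: file share (SMB) on the tagged server, nothing else.
    {"action": "accept", "src": ["group:staff"], "dst": ["tag:fileserver:445"]},

    // IT: administrative SSH to the same server.
    {"action": "accept", "src": ["group:it"], "dst": ["tag:fileserver:22"]}
  ]
}
```

Anything not matched by a rule is denied, so a compromised staff laptop gains no path to the server's SSH port, and a device never joined to the tailnet cannot reach the server at all.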
Key Takeaway for Nonprofits
Open firewall ports are a serious liability. They attract attackers and are increasingly seen as uninsurable.
VPNs still have a role for individuals, but as a method for organizational remote access, they're outdated and risky.
Even with limited resources, nonprofits can (and must) adopt modern, affordable Zero Trust solutions. Free tools like Tailscale or Cloudflare Zero Trust allow you to secure your mission without breaking the budget.
At Good Heart Tech, we believe that protecting nonprofits means securing their technology. If your organization still relies on a traditional VPN with open firewall ports, now's the time to rethink it before a breach forces your hand.