According to TechRadar, businesses using older on-premise VPN devices face significantly higher ransomware risk, a finding drawn from At-Bay’s 2025 InsurSec Report. The analysis of cyber insurance claims found that organizations using Cisco and Citrix VPN systems were 6.8 times more likely to be hit by ransomware than those without such devices, based on more than 100,000 policy years of data collected between January 2024 and March 2025. The study examined incidents among approximately 40,000 insured U.S. customers, with SonicWall VPN users facing 5.8 times higher risk, Palo Alto GlobalProtect at 5.5 times, and Fortinet at 5.3 times. At-Bay’s CISO for Customers, Adam Tyra, emphasized that companies should strongly consider transitioning to modern cloud-based remote access solutions, noting that 80% of ransomware cases began through remote access tools, with 83% involving VPN devices. This alarming data reveals a fundamental shift in enterprise security priorities.
The Hidden Maintenance Burden
The core issue isn’t that these VPN solutions are inherently insecure—they’re simply too complex for most organizations to maintain properly over time. What begins as a properly configured deployment inevitably drifts into vulnerability as security teams juggle competing priorities. Missing patches, outdated configurations, and forgotten access rules accumulate like digital debt. The problem is particularly acute for on-premise solutions where responsibility falls entirely on internal IT teams who may lack the specialized expertise required for continuous security hardening. Unlike cloud services where security updates are automatically deployed, on-premise systems require manual intervention at every step, creating countless opportunities for human error and oversight.
Why Ransomware Groups Target VPNs
Ransomware operators have become sophisticated business strategists, and they recognize VPN systems as high-value targets with excellent return on investment. These gateways provide direct access to corporate networks, often with elevated privileges and broad network visibility. Attackers understand that once they compromise a VPN connection, they can move laterally through the network, identify critical assets, and maximize their leverage during extortion negotiations. The economics are simple: why spend resources breaching multiple endpoints when a single VPN vulnerability can provide access to the entire digital kingdom? This strategic targeting explains why traditional perimeter defenses are increasingly inadequate against determined adversaries.
The Legacy Vendor Challenge
Companies like Cisco and Citrix Systems face a difficult transition as the market shifts toward cloud-native security. Their business models were built around selling hardware and software licenses for on-premise deployment, creating inherent tension as customers move toward subscription-based cloud services. While these vendors offer modern alternatives, many organizations continue running older versions due to compatibility concerns, budget constraints, or simply organizational inertia. The insurance data suggests this hesitation carries real financial consequences—businesses using any on-premise VPN were 3.7 times more likely to fall victim to attacks than those using cloud-based alternatives or no VPN at all.
The Zero Trust Imperative
The solution isn’t simply moving VPN functionality to the cloud—it’s rethinking remote access entirely. Modern security approaches embrace Zero Trust principles where every access request is verified, regardless of its origin. Instead of granting broad network access through VPN tunnels, organizations should implement context-aware policies that provide least-privilege access to specific applications and resources. This architectural shift dramatically reduces the attack surface by eliminating the “trusted internal network” concept that has proven so vulnerable. Combined with comprehensive endpoint protection and mobile security layers, organizations can create defense-in-depth strategies that don’t rely on perimeter-based security models.
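The per-request, least-privilege decision described above can be sketched as follows. This is an added illustration, not code from At-Bay, TechRadar or any vendor named here; the application names, groups, thresholds and the `decide` function are hypothetical.

```python
from dataclasses import dataclass

# Constructed policy table: each application lists who may reach it and under
# what conditions. No rule is keyed on the network the request comes from.
POLICIES = {
    "payroll": {"groups": {"finance"}, "require_mfa": True, "max_patch_age_days": 14},
    "wiki": {"groups": {"finance", "engineering"}, "require_mfa": False, "max_patch_age_days": 30},
}


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    app: str
    mfa_passed: bool
    device_managed: bool
    patch_age_days: int
    source_network: str  # kept for audit logging only; never used to grant access


def decide(req: Request):
    """Return (allowed, reason). Default deny; every request is evaluated."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, "no policy for application"
    if not (req.groups & policy["groups"]):
        return False, "user not entitled to application"
    if not req.device_managed:
        return False, "unmanaged device"
    if req.patch_age_days > policy["max_patch_age_days"]:
        return False, "device patch level too old"
    if policy["require_mfa"] and not req.mfa_passed:
        return False, "MFA required"
    return True, "allowed"
```

A request from the office LAN is evaluated exactly like one from a home network, and a user entitled to one application gains nothing toward any other, which is the difference from a VPN tunnel that grants broad network reach after a single login.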
How Cyber Insurance Is Driving Change
At-Bay’s findings represent a watershed moment where cyber insurance data is directly influencing security best practices. Insurers are increasingly using empirical claims data to set premiums and coverage terms, creating financial incentives for security modernization. Organizations clinging to legacy VPN solutions may soon face higher premiums, reduced coverage, or even denial of cyber insurance altogether. This economic pressure could accelerate cloud migration more effectively than any security recommendation alone. As insurance underwriters become more sophisticated in their risk assessment, we can expect to see clearer differentiation between organizations implementing modern security architectures and those maintaining vulnerable legacy systems.
The Practical Transition Path
For organizations dependent on traditional VPNs, the migration path requires careful planning. Immediate steps should include comprehensive vulnerability assessments, strict patch management protocols, and network segmentation to limit lateral movement. However, these are temporary measures—the ultimate solution involves adopting cloud-native secure access service edge (SASE) architectures that integrate networking and security functions into a unified cloud service. The transition won’t happen overnight, but starting with pilot projects for specific user groups or applications can demonstrate value while building organizational confidence in modern approaches to remote access security.