Most people don’t question what a VPN is doing.
They just know it’s there — and assume it’s handling the risk.
A laptop connects. A browser opens. Work continues as normal.
Whether it’s a home network, a café, or a hotel Wi-Fi connection, everything looks and behaves exactly as expected.
And that’s usually where the assumption sits.
“I’m on a VPN, so it’s secure.”
But that confidence isn’t always based on what’s actually happening — it’s based on what people think the tool is doing for them.
In this blog, we look at what a VPN actually does, where it helps, and where that sense of security can quietly lead to the wrong decisions.
VPNs aren’t bad. Far from it. But they’re not enough.
They do a specific job — and when they’re used in the right context, they’re useful. But the way they’re often relied on doesn’t always match what they’re actually designed to do.
Understanding that difference is where things start to shift.
What a VPN Really Does (Explained Without Jargon)
A VPN creates a secure connection between your device and the internet.
When it’s active, the data leaving your device is encrypted and sent through a separate server before it reaches its destination. You can think of it as creating a private, protected route between your device and wherever you’re connecting to — rather than sending that data directly across the network you’re on.
From a user’s perspective, everything still behaves the same. Websites load, systems are accessed, and work continues as normal. But in the background, the connection itself is being handled differently. Other people on the same network — such as in a café, airport, or hotel — can’t easily see or intercept what’s being transmitted.
That’s where a VPN is useful. It protects the path your data takes, particularly when the network itself isn’t trusted.
But that protection is specific. It applies to how data travels — not what happens once it reaches its destination.
What a VPN Can’t Protect You From
A VPN secures the connection. It doesn’t change how decisions are made within it.
A link arrives in an email. It looks familiar — the branding is right, the wording feels normal, and it fits with what the person is expecting. A page loads, and nothing about it stands out as unusual.
At that point, there’s no clear reason to question it.
And that’s exactly why these situations work.
The decision to continue doesn’t feel risky. It feels routine. The VPN is active, the connection appears secure, and everything behaves as expected. From a user’s perspective, there’s no signal that anything needs to be treated differently.
That’s the gap.
A VPN doesn’t recognise context. It doesn’t understand whether a request makes sense, whether a login page is genuine, or whether something feels slightly off. It simply protects how data moves — not why it’s being sent.
So the outcome isn’t shaped by the presence of the tool.
It’s shaped by the moment where something feels normal enough to trust.
The False Comfort of “I Use a VPN”
The assumption usually doesn’t feel like an assumption.
It builds gradually, through experience.
A VPN is switched on. Work continues without interruption. Systems load, logins succeed, and nothing behaves in a way that suggests anything is wrong. Over time, that consistency becomes meaningful. The connection is no longer just a tool — it becomes associated with safety.
Not because anyone has actively evaluated it, but because nothing has challenged it.
That’s how the belief takes shape.
The VPN is present at the same time as everything else that’s working. Emails are opened, links are followed, files are accessed, and accounts are used — all while the connection appears stable and protected. There’s no clear distinction between what the VPN is responsible for and what it isn’t. It all becomes part of the same experience.
So the logic becomes simple.
“If I’m connected, I’m covered.”
And that logic holds — because, in most cases, nothing immediately contradicts it.
A login page looks familiar, so it’s trusted. A request fits the context of the day, so it’s acted on. A system responds as expected, so there’s no reason to question it. Each of these decisions makes sense in isolation, and each one is reinforced by the presence of a connection that feels secure.
That’s what makes it difficult to recognise.
The VPN isn’t just protecting the connection — it’s shaping how the situation is interpreted. It creates a stable backdrop, where everything appears consistent, and where the absence of visible issues becomes a signal of safety.
But that signal isn’t based on what the VPN is actually doing.
It’s based on the fact that nothing has gone wrong yet.
And in that environment, the decision to continue doesn’t feel risky — it feels reasonable.
Real-World Example: VPN On, Still Breached
This pattern isn’t limited to individual users. It shows up at an organisational level as well.
In 2021, Colonial Pipeline — one of the largest fuel pipeline operators in the United States — was forced to shut down operations following a ransomware attack.
The initial access point wasn’t a complex exploit or a failure of advanced security controls.
It was a VPN account.
In simple terms, a VPN account is one of the ways employees securely connect into internal systems from outside the organisation. When someone logs in with the correct credentials, the system treats that access as legitimate — just as if they were connecting from within the business itself.
In this case, the account had been left active but wasn’t being used. The password associated with it had likely been exposed in a previous breach, and multi-factor authentication hadn’t been enabled — meaning there was no additional step to verify that the person logging in was who they claimed to be.
From a technical perspective, everything was working as intended. The VPN was in place, access was restricted to authenticated users, and the infrastructure appeared secure.
But the conditions around it hadn’t been revisited.
The account still existed. The credentials were still valid. And because nothing had happened to suggest a problem, there was no clear moment where it felt necessary to question it.
So when the attackers used those credentials, the access didn’t appear unusual. It followed the same process a legitimate user would have taken — entering a username and password, and being granted access.
The VPN didn’t fail.
It did exactly what it was designed to do — allow authenticated access.
What failed was the assumption that the presence of the tool was enough to prevent something like that from happening.
And in that moment, the difference wasn’t technical.
It was in how the situation had been understood — and what hadn’t been questioned.
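The conditions described above (a still-enabled account nobody uses, no MFA, a credential that may already be exposed) are exactly what a periodic account review is meant to surface. The audit below is an added example, not code from the original post or from Colonial Pipeline; the account records, the 90-day dormancy threshold and the "password_exposed" flag are constructed and assumed, with the breach-corpus lookup supplied by the caller.

```python
# Added example: flag remote-access accounts whose surrounding conditions
# have not been revisited. All records below are constructed for illustration;
# a real audit would pull them from the VPN appliance or identity provider.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class VpnAccount:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]   # None means the account has never logged in
    password_exposed: bool       # result of a breach-corpus check done elsewhere

DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold
AUDIT_DATE = date(2021, 4, 29)       # constructed audit date

def audit(accounts, today):
    """Return {username: [findings]} for every enabled account needing attention."""
    findings = {}
    for acct in accounts:
        if not acct.enabled:          # already disabled: nothing to review
            continue
        issues = []
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            issues.append("dormant")
        if not acct.mfa_enrolled:
            issues.append("no-mfa")
        if acct.password_exposed:
            issues.append("password-exposed")
        if issues:
            findings[acct.username] = issues
    return findings

def must_disable(findings):
    """Dormant accounts that are also single-factor or exposed: disable now."""
    return sorted(u for u, i in findings.items()
                  if "dormant" in i and ("no-mfa" in i or "password-exposed" in i))

SAMPLE = [  # constructed records
    VpnAccount("alice", True, True, date(2021, 4, 25), False),
    VpnAccount("contractor-old", True, False, date(2020, 11, 2), True),
    VpnAccount("bob", True, False, date(2021, 4, 28), False),
    VpnAccount("retired", False, False, None, True),
]

def run_sample():
    return audit(SAMPLE, AUDIT_DATE)

if __name__ == "__main__":
    found = run_sample()
    for user, issues in found.items():
        print(f"{user}: {', '.join(issues)}")
    print("disable immediately:", must_disable(found))
```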
Where VPNs Are Useful (And Still Worth Using)
VPNs are useful — especially in situations where the network itself can’t be trusted.
Connecting from a café, airport, or hotel Wi-Fi introduces a level of uncertainty. You don’t know who else is on that network, how it’s configured, or whether traffic is being monitored. In those cases, creating a secure connection between your device and the destination you’re accessing adds a layer of protection that wouldn’t otherwise be there.
They’re also commonly used to provide access to internal systems from outside the organisation. In that context, they act as a controlled entry point — allowing people to connect securely without exposing those systems directly to the wider internet.
From a user perspective, none of this feels particularly different. The connection works, systems are accessible, and work continues as expected. That consistency is part of what makes VPNs valuable — they provide a stable way to connect in environments that aren’t always predictable.
But their usefulness is specific to that role.
They protect the connection in environments where the network introduces risk.
They don’t remove risk from the situations themselves.
What a VPN Will Never Replace: Human Behaviour
A VPN can secure the connection, but it can’t interpret the situation.
An email arrives that looks familiar. A request fits with what’s expected. A login page appears exactly as it should. In each case, the decision to continue doesn’t feel like a risk — it feels like part of the normal flow of work.
That’s where behaviour comes in.
Not as something separate, but as the way decisions are made in those moments — when nothing appears obviously wrong, and there’s no clear signal to stop.
Because most of the time, there isn’t one.
There’s just a situation that feels normal enough to trust, and a choice to continue without questioning it.
And that choice doesn’t belong to the tool.
It belongs to the person using it.
A VPN doesn’t pause before clicking a link. It doesn’t question whether a request makes sense, or whether something feels slightly out of place. It simply maintains the connection — regardless of what happens within it.
Which means the outcome isn’t defined by how secure the connection is.
It’s defined by how decisions are made within it.
When Security Feels Routine
A VPN creates a secure connection.
It encrypts traffic, protects data in transit, and reduces exposure on networks that can’t be trusted. In the right context, it does exactly what it’s designed to do.
But the situations it’s used in don’t always feel like risk.
A device connects. A system loads. A request appears.
Everything behaves as expected — and that’s what makes it easy to trust.
Because in most cases, nothing looks obviously wrong.
There’s no warning, no interruption, no clear signal that something needs to be questioned. Just a sequence of actions that feel familiar enough to continue, supported by a connection that appears secure.
And that’s why tools alone aren’t enough.
They operate in the background, doing their job consistently. But the decisions that shape the outcome happen in the foreground — in moments where something feels routine, expected, and safe to proceed.
Because security doesn’t usually break down when something looks wrong.
It breaks down in the moments that feel routine enough not to question.
Director of Training and Development, Cyber Rebels.
Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure.
With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices.
He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments.
Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.