Are Your VPNs and NACs Secretly Sabotaging Your Security?

In today’s cloud-first, hybrid enterprise, how do you deliver secure access without slowing down performance or agility?

For many, the answer still involves legacy VPNs and Network Access Control (NAC), familiar tools from a different era. But what if those trusted systems aren’t protecting you anymore, and are instead becoming some of your biggest liabilities?

To explore this shift, Netskope partnered with Cybersecurity Insiders, a leading research platform for CISOs and cybersecurity professionals, to dig into the real risks of relying on outdated access solutions.

The result: the 2025 VPNs Under Siege Report, a data-driven look at why organizations are rapidly rethinking their access strategies. The takeaway is clear: VPNs are falling short, and the move to modern, zero trust access is gaining serious momentum.

The alarming reality: Why legacy access is failing you

The report lays bare a troubling truth: VPNs have become a primary attack vector. More than half of the organizations surveyed (56%) experienced at least one VPN-related security incident in the past year, many experienced multiple breaches.The report highlights real-world examples, like the Ivanti CVE-2025-0282 vulnerability, which allowed attackers to run remote code without even authenticating and has been actively exploited since at least December 2024.

The problem? VPNs were built for a world that doesn’t exist anymore. They grant broad, implicit trust access across the network, something adversaries love to exploit. That’s how you end up with data leaks, ransomware infections, and major disruptions.

Unfortunately, NAC isn’t doing much better. These systems were designed for on-prem, perimeter-based networks, and it shows. Over half (53%) of respondents do not believe that NACs offer enough security for modern threats, and nearly a third (31%) recognize that  they don’t support zero trust principles. When your workforce is hybrid and your infrastructure is in the cloud, NAC just can’t keep up.

And then there’s the human cost. The report details persistent user frustrations with VPNs: 22% of users complain about slow connection speeds, and 19% are frustrated by complex, cumbersome authentication processes. These issues kill productivity, flood the help desk with tickets, and often lead users to bypass security entirely just to get their work done. 

IT teams feel the burden too, balancing performance (21%) and constant troubleshooting (18%) top the list of VPN headaches. And when agility matters most, VPNs fall short: 91% say third-party access and M&A integration are very challenging using VPNs.

The imperative shift: Embracing zero trust network access (ZTNA)

There’s good news amid the challenges: organizations are taking action. 

ZTNA is no longer just a future goal, it’s happening now. According to the report, 26% of organizations have already deployed ZTNA, and another 37% plan to implement it within the next year. That’s more than half of all respondents moving quickly to modernize how secure access is delivered.

So, what’s driving the urgency? The report highlights three main reasons:

• Stronger Security (78%): Risk reduction is the top motivator, as organizations seek smarter, more adaptive access control.
• Simplified Infrastructure Management (63%): Teams want to move away from the complexity and overhead of outdated systems like VPNs and NAC
• Better Application Performance (51%): Users expect fast, seamless access to stay productive. ZTNA delivers it without the slowdowns and frustrations of traditional tools

Beyond basic access: The demand for full replacement with an integrated approach 

ZTNA’s mandate goes beyond the initial drivers. With ZTNA quickly becoming the core of a modern access strategy, organizations are no longer looking for partial fixes, they are demanding a complete transformation. 

In fact, 75% of respondents say it’s important that ZTNA can fully replace both VPN and NAC with more application-aware solutions that enable consistent, secure access to both on-premises and cloud applications, including support for all essential legacy applications. The goal? Eliminate the need to maintain outdated, vulnerable infrastructure for specific use cases, which only introduces the complexity, security gaps, and inefficiencies that ZTNA is meant to solve.

And expectations go even further:

• 86% consider real-time visibility critical for faster threat detection, policy enforcement, and response.
• 75% prioritize seamless policy enforcement across hybrid environments, because fragmented access controls simply don’t scale.
• 60% want ZTNA tightly integrated into a broader Secure Service Edge (SSE) platform to ensure unified access, data protection, and threat prevention across all traffic.

Bottom line? ZTNA has to do more than replace—it has to future-proof access security.

From replacement to reinvention: Rethinking access security

The 2025 VPNs Under Siege Report leaves no doubt: the transition to ZTNA isn’t just about replacing legacy tools. It’s about adopting a smarter, more adaptive approach to access security that aligns with the way we work today: cloud-first, hybrid, and always on.

ZTNA delivers where legacy systems fall short. It enforces least-privilege access, continuously verifies user and device context, and provides real-time visibility across the full environment, from cloud apps to on-prem systems, and even into OT and IoT networks.

This report is more than a set of findings, it’s a practical guide for security professionals leading the charge. It brings the data, insights, and best practices needed to escape the limitations of the past and build a future-ready access model.

Don’t let legacy hold you back. If you’ve ever wondered, “Are my VPNs and NACs secretly sabotaging my security?”This report gives a definite answer. ZTNA isn’t just the next step, it’s the new standard.

Download the Full 2025 VPNs Under Siege Report Today.