While we are battling Covid-19 most employees are forced to work remotely. This brings up the question of what's the most secure way to connect remote employees.
VPN is the option that gets the most attention, and there are two kinds of business VPN. The first is called split-route VPN. It connects workers to their office resources, but all web browsing is still routed over their local internet connection. The benefit is that you save on internet traffic at the office, so all users get better performance.
The second type of VPN is called full-route, and this one favors security over performance, since most office networks are better secured than employees' home networks. The idea with a full-route VPN is that you effectively tunnel all of the user's traffic through your most secure firewall, get visibility with your IDS/IPS, log that traffic in your SIEM, and so on. In practice this is not often used by small businesses, because most of the time they just want to get things done.
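As an added example (not from the original post), here is a small Python auditor that reads a WireGuard client profile and reports whether it is split-route or full-route, and, for a full-route profile, whether IPv6 or DNS still escape the tunnel and so fall outside the office firewall, IDS/IPS and SIEM. The three configs are constructed samples with keys and endpoints omitted.

```python
import ipaddress

# Constructed WireGuard client configs (keys/endpoints omitted); not from the original post.
SPLIT_ROUTE = """
[Peer]
AllowedIPs = 10.0.0.0/8, 192.168.50.0/24   # office subnets only
"""

FULL_ROUTE_LEAKY = """
[Peer]
AllowedIPs = 0.0.0.0/0                      # IPv4 default route only, no DNS pinned
"""

FULL_ROUTE = """
[Interface]
DNS = 10.0.0.53
[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
"""


def parse_wg(text):
    """Collect AllowedIPs (as ip_network objects) and DNS entries from a WireGuard config."""
    allowed, dns = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if line.startswith("[") or "=" not in line:  # skip section headers / blanks
            continue
        key, _, value = line.partition("=")
        values = [v.strip() for v in value.split(",") if v.strip()]
        if key.strip().lower() == "allowedips":
            allowed += [ipaddress.ip_network(v, strict=False) for v in values]
        elif key.strip().lower() == "dns":
            dns += values
    return allowed, dns


def classify(text):
    """Return (mode, findings); full-route means at least one default route is tunnelled."""
    allowed, dns = parse_wg(text)
    defaults = {n.version for n in allowed if n.prefixlen == 0}   # {4}, {6} or {4, 6}
    if not defaults:
        return "split-route", ["only office prefixes tunnelled; browsing bypasses the office stack by design"]
    findings = [f"IPv{v} not tunnelled: that traffic reaches the internet around the office firewall"
                for v in (4, 6) if v not in defaults]
    if not dns:
        findings.append("no DNS directive: lookups go to the home resolver, outside IDS/SIEM visibility")
    return "full-route", findings


if __name__ == "__main__":
    for name in ("SPLIT_ROUTE", "FULL_ROUTE_LEAKY", "FULL_ROUTE"):
        print(name, *classify(globals()[name]))
```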
Users also prefer split-route VPNs because it lets them connect to their network printers at home; if they need to print a document as part of their work, this is a big decision factor.
With the advent of new remote access tools, however, a third option is now available. This type of software installs an agent on each end user's machine, and the user can connect to it from anywhere. From a security perspective it is as secure as a split-route VPN.
In general, all of these options share one fatal flaw: your network is only as strong as its weakest link. If the device an employee connects from has been compromised, then everything downstream is compromised as well. A lot of modern malware can take periodic screenshots of the computer and upload them to the attackers. This is invisible to the user and does not use enough computer resources to produce any symptoms.
This kind of screenshot-based reconnaissance is sufficient for an attacker of any skill level to learn about the workplace setup and how to exploit potential weaknesses. The next step is often ransomware.
So is there a solution? Yes: protect your employees' devices as if they were your own. Don't allow employees to use personal devices with insufficient protection to connect to any work resources. Either offer them a work laptop, or a license for all of the protection you use in the office, such as centrally managed antivirus, or potentially both to give them more freedom. Lastly, you need to implement controls that prevent compromised devices from connecting to network resources.