Risks of Using a Personal VPN at Work

2026 Security & Compliance Guide

Last Updated: 22nd May 2026
Ech the Tech Fox

Tech Brief: A personal VPN can be useful on your own phone or laptop, especially on public Wi-Fi. A work device is different. If the laptop is managed by your employer, an unauthorised VPN may look like an attempt to bypass security controls, hide traffic from inspection or move data outside approved monitoring. This guide explains the difference between safe personal use, approved company VPN access and risky shadow IT.

Quick Verdict: Is it Allowed?

Usually no on managed work devices

On a company-issued laptop, desktop or managed phone, installing a personal VPN such as NordVPN, Surfshark, Proton VPN or ExpressVPN is usually not allowed unless IT has approved it. The issue is not the VPN brand. The issue is that an unmanaged encrypted tunnel can bypass firewalls, web filtering, data loss prevention tools and security logging.


On a personal device using guest Wi-Fi, a VPN may be reasonable for privacy, but you should still check the guest network terms and workplace policy. On a managed BYOD device, the answer is more complicated because the employer may still apply security controls, mobile device management rules or acceptable use restrictions.

Risk Level (Managed Work Device): High
Risk Level (Personal Device on Guest Wi-Fi): Usually Low, Policy Dependent

Corporate VPNs vs Personal VPNs

Workplace VPN confusion usually comes from mixing up two very different tools:

  • Corporate VPNs: Approved tools such as Cisco Secure Client, Palo Alto GlobalProtect, Zscaler Private Access or OpenVPN Access Server. These connect staff into company systems and are normally managed, logged and supported by IT.
  • Personal VPNs: Consumer apps such as NordVPN, Surfshark, Proton VPN, PrivadoVPN or ExpressVPN. These are designed to protect personal browsing, not to sit inside a managed corporate environment without approval.
  • Shadow IT risk: The UK National Cyber Security Centre describes shadow IT as unknown or unmanaged assets used inside an organisation. The problem is not always malicious intent, but the organisation does not know what it needs to protect or how data is being handled.

The safe rule is simple: use the VPN your employer gives you for work, and use a personal VPN only on personal devices where workplace policy allows it.

What Your Employer Will See

Many employees believe a VPN makes them invisible to IT. On a managed work device, that is not a safe assumption. The VPN may encrypt traffic after it leaves the device, but local security tools, device management platforms and browser controls may still record installed apps, running processes, security alerts, policy violations and some browsing or file activity depending on the employer's setup and privacy notices.

| Activity | Without VPN | With Personal VPN (On Work Laptop) |
|---|---|---|
| Websites Visited | Visible to Firewall | Visible via Endpoint Agent / Browser History |
| Files Downloaded | Scanned by Network | Visible to Local Antivirus |
| App Usage | Visible to IT | Visible (VPN app itself is logged) |
| Screen Content | Visible if monitored | Visible (VPN does not hide screenshots) |

Real World Consequences

Public examples rarely say "fired for using a VPN" because disciplinary records usually use broader wording such as unauthorised software, policy breach, circumvention of controls or misuse of company equipment. That is why it is better to look at the underlying employment and security logic.

  • Wells Fargo dismissals: In 2024, Reuters reported that Wells Fargo fired more than a dozen employees after allegations that they simulated keyboard activity to create the appearance of active work. It was not a VPN case, but it shows how technology misuse on work systems can become an employment issue quickly.
  • NCSC shadow IT guidance: The NCSC says unmanaged or unknown IT assets can make risk management harder and may expose organisations to data theft, malware, ransomware and legal issues. An unauthorised personal VPN on a work device can fall into that broader shadow IT concern.
  • ICO workplace monitoring guidance: UK employers can monitor workers in some circumstances, but they must consider data protection rules, transparency, proportionality and the least intrusive way to meet a legitimate purpose. This means monitoring is not a free-for-all, but employees should not assume a VPN hides work-device activity.

Bottom line: the employment risk depends on your contract, acceptable use policy, local law, the facts, and whether the employer follows a fair process. But deliberately bypassing security controls is rarely a good defence.

How IT May Detect It

A personal VPN is often difficult to hide on a managed estate. Detection depends on the tools your employer uses, but common signals include:

  1. Endpoint security tools: Products such as Microsoft Defender for Endpoint, CrowdStrike or SentinelOne may report device health, alerts, software inventory, suspicious processes and risky behaviour. Microsoft documents device inventory features that can show risk level, operating system, onboarding status and other device details.
  2. Application control and allow lists: Some organisations block unapproved executables from running at all. Others flag new VPN drivers, browser extensions or background services for review.
  3. Network monitoring: Firewalls and secure web gateways may identify traffic to known commercial VPN endpoints or recognise common VPN protocol patterns, even where the payload itself is encrypted.
  4. Policy and audit logs: A personal VPN may appear as a new installed app, a new network adapter, a blocked connection, a DNS change or an unusual tunnel to an external IP address.
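The signals in the list above are most useful when correlated per device. The sketch below is an added example, not code from this guide or from any vendor product. It assumes a hypothetical event schema (host, kind, name, proto, port, dst), matches only the brand names mentioned on this page, and uses default protocol ports and common tunnel driver names as heuristics. The sample telemetry is constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed match lists: consumer brands and approved clients named in this guide.
CONSUMER = ("nordvpn", "surfshark", "protonvpn", "expressvpn", "privadovpn")
APPROVED = ("ciscosecureclient", "globalprotect", "zscaler", "openvpn")
TUNNEL_DRIVERS = ("wintun", "tap-windows", "wireguard")  # common virtual adapter names
VPN_PORTS = {("udp", 51820): "WireGuard", ("udp", 1194): "OpenVPN",
             ("udp", 500): "IKE", ("udp", 4500): "IPsec NAT-T"}  # default ports only
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

EVENTS = [  # constructed sample telemetry, hypothetical schema
    {"host": "LT-01", "kind": "software", "name": "OpenVPN Connect"},
    {"host": "LT-01", "kind": "adapter", "name": "TAP-Windows Adapter V9"},
    {"host": "LT-01", "kind": "conn", "proto": "udp", "port": 1194, "dst": "198.51.100.10"},
    {"host": "LT-02", "kind": "software", "name": "Proton VPN"},
    {"host": "LT-02", "kind": "adapter", "name": "WireGuard Tunnel"},
    {"host": "LT-02", "kind": "conn", "proto": "udp", "port": 51820, "dst": "203.0.113.7"},
    {"host": "LT-03", "kind": "conn", "proto": "udp", "port": 1194, "dst": "10.0.0.5"},
]

def norm(s):
    return "".join(c for c in s.lower() if c.isalnum())

def triage(events, allowed_nets=RFC1918):
    """Return {host: [reasons]} for hosts showing unapproved-VPN signals."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    has_approved = {e["host"] for e in events if e["kind"] == "software"
                    and any(a in norm(e["name"]) for a in APPROVED)}
    findings = defaultdict(list)
    for e in events:
        host, kind = e["host"], e["kind"]
        if kind in ("software", "process"):
            brand = next((b for b in CONSUMER if b in norm(e["name"])), None)
            if brand:
                findings[host].append(f"{kind}: consumer VPN '{brand}'")
        elif kind == "adapter":
            # A tunnel adapter is expected where an approved client is installed.
            if any(d in e["name"].lower() for d in TUNNEL_DRIVERS) and host not in has_approved:
                findings[host].append(f"adapter: unexplained tunnel '{e['name']}'")
        elif kind == "conn":
            dst = ipaddress.ip_address(e["dst"])
            proto = VPN_PORTS.get((e["proto"], e["port"]))
            if proto and not any(dst in n for n in nets):
                findings[host].append(f"conn: {proto} to {dst}")
    return dict(findings)
```

Passing the corporate gateway in allowed_nets, for example `triage(EVENTS, RFC1918 + ("198.51.100.10/32",))`, leaves only LT-02 flagged. Port and name matching misses clients that tunnel over TCP 443 or rename their binaries, so results are leads for review rather than proof.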

Common Myths About Workplace VPNs

These assumptions are where people get into trouble:

  • Myth: "A VPN hides everything from work."
    Reality: It may hide traffic contents from a network device, but it does not hide local activity from a managed laptop, endpoint agent, browser policy or mobile device management profile.
  • Myth: "Five minutes will not show up."
    Reality: Some tools log process starts, network connections and policy events in near real time. Even short activity can leave a record.
  • Myth: "Split tunnelling makes it fine."
    Reality: Split tunnelling changes routing. It does not make an unauthorised VPN approved, and the VPN app itself may still be visible locally.
  • Myth: "A small business will never notice."
    Reality: Many small firms outsource IT to managed service providers that use central monitoring tools across all customer devices.

Can You Get Fired?

Possibly. A personal VPN is not automatically a dismissal in every workplace, but using one on a managed work device can become a disciplinary issue if it breaches policy, bypasses controls or creates a security risk.

  • Policy breach: Most acceptable use policies ban unauthorised software, circumvention of filters or unapproved changes to security settings.
  • Data protection risk: If business data moves through an unmanaged tunnel, the organisation may lose visibility over where that data went and whether it was protected properly.
  • Malware and inspection bypass: A personal tunnel can reduce the effectiveness of corporate web filtering, malware scanning and data loss prevention tools.
  • Trust issue: Even if no data is stolen, deliberately working around security controls can damage trust with IT, HR and management.

Risks for Small Businesses

The risks are not limited to large corporations. A small business may have fewer layers of monitoring, but it may also have fewer people available to recover from a mistake.

  • MSP escalation: Many small businesses use a managed service provider. Unknown VPN software, new network adapters or blocked tunnel traffic may be logged as a security event.
  • Bandwidth and reliability: Encrypted personal traffic can consume limited office bandwidth and make troubleshooting harder because the normal traffic categories are hidden.
  • Insurance and compliance: If a breach happens, unauthorised software can complicate cyber insurance, client assurance and incident response.
  • Owner visibility: In a small office, an alert often goes straight to the owner or office manager. That can create an awkward conversation quickly.

Who to Ask for Permission

If you have a legitimate business reason for VPN access, do not install your own consumer VPN first and explain later. Ask for approval before changing the device or network setup.

  1. IT helpdesk: Ask whether there is an approved corporate VPN, secure browser, research machine, virtual desktop or whitelisted route for the task.
  2. Line manager: Explain the business need in plain language and ask them to support a formal exception request.
  3. Security or compliance team: If the request involves client data, regulated systems or unusual internet access, let the right team assess the risk.
  4. Get it in writing: Verbal permission is easy to forget. Save the ticket, email or policy exception.

Safer Personal Use at Work

There are situations where a personal VPN can make sense, but only when you are using a device you own and the network rules allow it.

Reasonable Use Cases

  • Your own phone on mobile data: This is usually the cleanest separation between personal life and work systems.
  • Your own laptop on guest Wi-Fi: A VPN can protect your personal browsing from other users on the guest network, but check the terms first.
  • Travel and public Wi-Fi: Hotels, cafés, airports and train stations are better examples of where a consumer VPN belongs.

Do not install a personal VPN on a company laptop, managed phone or work profile unless IT has explicitly approved it.

FAQs: Workplace Privacy

Can my boss see my screen if I use a VPN?

A VPN does not stop screen recording, device management, browser management or employee monitoring software that is already installed on a work device. Whether your employer actually uses those tools depends on policy, law, transparency notices and the device setup.

Does incognito mode hide me at work?

No. Incognito or private browsing mainly stops your browser from saving local history in the normal way. It does not automatically hide activity from a corporate firewall, DNS logs, endpoint agent, browser policy or employer-managed device.

Can I use a VPN on my own phone at work?

Usually, using a VPN on your own phone over mobile data is much lower risk because it does not touch the corporate network. If you connect to office guest Wi-Fi, check the guest network terms and workplace policy.

What if I need a VPN for my job?

Ask IT for an approved tool. Your employer may already have a corporate VPN, virtual desktop, secure web gateway or approved testing environment. Do not install a consumer VPN on a managed device unless you have written approval.


DEBRIEF BY ECH THE TECH FOX

The cleanest rule is separation. Use work devices for work, approved company VPN tools for company access, and your own phone or laptop for personal browsing. If you need an exception, ask first and keep the approval. A personal VPN is useful in the right place, but a managed work laptop is usually the wrong place.

Martin Needs, Cybersecurity Expert

WRITTEN BY MARTIN NEEDS

Director @ Needsec LTD | Cybersecurity Expert | 10+ Years Experience

"In a managed environment, an unknown encrypted tunnel is something security teams will usually want to understand. It can look like policy bypass, data movement, malware command-and-control or simply unauthorised software. My advice is straightforward: use approved tools on work devices and keep personal VPN use on personal devices."

OSCP Certified, CSTL (Infra/Web), Cyber Essentials Assessor, CompTIA PenTest+, Cybersecurity Expert

Editorial Changes

Last editorial review: 22 May 2026.

  • Clarified the difference between company-issued devices, managed BYOD, personal devices, guest Wi-Fi and mobile data.
  • Added clearer shadow IT context based on current NCSC guidance around unknown or unmanaged assets.
  • Added UK workplace monitoring context so readers understand that employer monitoring is subject to data protection duties, transparency and proportionality.