By connecting to the WiFi you’re encrypting once. And once on that WiFi, depending on how it’s configured, you’re also visible to everyone else on it. It’s like plugging into the same hub, so to speak. The proper setup is to not allow clients to see each other, but that’s often missed by public WiFi.
In addition, connecting to OPEN WiFi that has NO encryption is insanely bad. This means a snoop doesn’t even have to join the WiFi to read all of your data. Just pick it off with a cheap radio dongle.
There are even ways for a nefarious person to hijack your session away from you (say, after you logged into some non-SSL site) or get in between you and whatever you’re connected to with Man-in-the-Middle, or MitM, attacks.
Most of the above is trivial. The code to do it is already written and a ten year old can download and play with it. The bad guys are far more advanced.
Meanwhile...
If your office/server VPN is set up correctly to encrypt ALL traffic and send it to the office and then out to the Internet from there, you avoid ALL of the above. A hijacker can’t (easily) steal an encrypted session to your server nor MitM it *if* it’s set up correctly and the VPN protocol doesn’t have any security flaws that need patching.
If instead your VPN is set up “split tunnel” where traffic for the office goes over the VPN but regular internet traffic goes out normally, then you’re still vulnerable to a number of attacks including some listed above. But it’s “more convenient” if your machine can’t get to the office.
Your IT guy is basically making life simple. Instead of listing off the hundred ways you can be screwed on public WiFi, he’s saying “just get on the VPN”, which kills 99% of it by making you either impossible to attack, or a lot less likely target than the idiot next to you who connected to an open WiFi called “Airport WiFi” that is actually an attacker with his wireless card in AP mode sitting three feet away from you in the airport.
Windows actually has hooks that can be set to require a VPN be active prior to even logging in, and some VPN client software (including the built-in IPsec client) can be forced to do it. Some companies have to operate that way to meet their security audits. Macs don’t do this well without third-party software. If even then, really.
Some companies won’t allow staff to use their own laptops for travel anymore. They take a loaner that has VPN and remote access software only and no data leaves the building. The laptop is wiped and reloaded after the trip. Especially true for international travel, where US Customs is essentially exempt from search and seizure laws, even for citizens. Go ahead, seize or copy the whole laptop. There’s nothing on it.
All depends on how valuable your data is.
But VPN on someone else’s WiFi that is not split-tunnel is mandatory for many. And if there’s no route to your VPN server then you’re dead in the water but your data is safe.
The contingency plan that works best is a cellular hotspot. Then only your carrier, the NSA, and whoever has hacked the carrier has access to your data stream. And again the VPN helps with all of those also.
DEFCON has had the huge “Wall of Sheep” displaying any attendees or innocent bystanders silly enough to connect to open WiFi at a security conference, going on almost twenty years now...
Don’t do it.
By the way, these fly-by-night “Cloud VPN providers” are crap. Recently one used massive marketing money to plaster nearly every tech YouTube channel with their advertising and got tech YouTubers to say their product was just lovely by giving them cash.
NordVPN. Guess who should have spent more on auditing their data centers instead of Marketing? Yeah. They were completely owned by another tenant in one of their shared data center facilities. Which says more about NordVPN than their data center provider but does say something about the provider as well as them.
Remember kids: “The cloud is just someone else’s computer...”
Stick to a brand name that has something real to lose in the overall security sector if you have to use someone else’s VPN server. Better yet, use your own.
I would add that I don’t recommend using any built-in VPN server software in any Microsoft server platform, nor exposing those to the web, because of their horrid track record with L2TP vulnerabilities, which is an indication that OS makers make lousy security software. But configured right they’re “meh, okay”, as long as that is NOT a server doing anything else but remote access.
Even then, real security brands and products from networking and security companies are going to generally be better.
Or just use something better like OpenVPN if you have no $ for basic security.
Nothing is perfect. But there’s no point in joining the crowd on the Wall of Sheep!
Let someone else take one for the team. Hahaha.
Oh ... and since the advent of letsencrypt.org there has been NO reason for every public website not to do https by default. None.
If you run a public website, go install a letsencrypt SSL certificate, learn how to auto-renew it, and redirect all http requests to https. Today.
You can really mix up your threat vectors. Run a VPN server of your own inside of someone else’s computer. (Cloud... LOL...)
And of course it’s been proven time and again most companies are far more vulnerable to someone dropping a USB stick that says “Let me know what you think” signed by the boss, on any desk in the company. LOL. Instantly owned. Entire network.
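An added example, not part of the post above, to make its full-tunnel versus split-tunnel point checkable rather than taken on faith: a POSIX shell script that reads a Linux routing table and /etc/resolv.conf and reports whether every packet, and every DNS query, is really leaving through the VPN. It assumes an OpenVPN-style interface named tun0 and the "redirect-gateway def1" convention (two /1 routes laid over the WiFi default route); the routing tables and resolv.conf contents embedded in it are constructed samples, and the 10.8.0.x VPN subnet is an assumption.

```shell
#!/bin/sh
# Added example (not from the post above): decide from a Linux routing table
# whether a VPN is carrying ALL traffic (full tunnel) or only the office
# subnets (split tunnel), and whether DNS is leaking to the local WiFi.
# Assumptions: the VPN interface is tun0 (OpenVPN default) and a full tunnel
# shows up either as a default route on tun0 or as the two /1 routes that
# OpenVPN's "redirect-gateway def1" installs over the WiFi default route.

# Constructed sample of `ip -4 route show` on a full-tunnel client.
FULL_TUNNEL_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.37 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0'

# Constructed sample for a split-tunnel client: only 172.16.0.0/16 rides tun0,
# everything else still leaves through the coffee-shop router.
SPLIT_TUNNEL_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
172.16.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.37 metric 600'

# Constructed /etc/resolv.conf contents: the first as pushed by the VPN server,
# the second still pointing at the WiFi router (a DNS leak even on a full tunnel).
RESOLV_VPN='nameserver 10.8.0.1
search corp.example'
RESOLV_LEAK='nameserver 192.168.1.1'

# tunnel_mode ROUTES [VPN_IF] -> prints "full" (exit 0) or "split" (exit 1)
tunnel_mode() {
    routes=$1
    vpn_if=${2:-tun0}
    if printf '%s\n' "$routes" | grep -Eq "^default .*dev ${vpn_if}( |$)"; then
        echo full
        return 0
    fi
    if printf '%s\n' "$routes" | grep -Eq "^0\.0\.0\.0/1 .*dev ${vpn_if}( |$)" &&
       printf '%s\n' "$routes" | grep -Eq "^128\.0\.0\.0/1 .*dev ${vpn_if}( |$)"; then
        echo full
        return 0
    fi
    echo split
    return 1
}

# dns_via_vpn RESOLV_TEXT VPN_PREFIX -> prints "ok" (exit 0) when every
# nameserver line starts with VPN_PREFIX, otherwise "leak:<addrs>" (exit 1)
dns_via_vpn() {
    resolv=$1
    prefix=$2
    leaks=$(printf '%s\n' "$resolv" |
        awk -v p="$prefix" '$1 == "nameserver" && index($2, p) != 1 { print $2 }' |
        tr '\n' ' ' | sed 's/ $//')
    if [ -z "$leaks" ]; then
        echo ok
        return 0
    fi
    echo "leak:$leaks"
    return 1
}

# Live check on the machine this runs on (Linux with iproute2); run it before
# doing anything sensitive on someone else's WiFi. Skips itself elsewhere.
check_live() {
    vpn_if=${1:-tun0}
    vpn_prefix=${2:-10.8.0.}
    if ! command -v ip >/dev/null 2>&1 || [ ! -r /etc/resolv.conf ]; then
        echo "skip: iproute2 or /etc/resolv.conf not available"
        return 0
    fi
    mode=$(tunnel_mode "$(ip -4 route show)" "$vpn_if") || true
    dns=$(dns_via_vpn "$(cat /etc/resolv.conf)" "$vpn_prefix") || true
    echo "tunnel=$mode dns=$dns"
    [ "$mode" = full ] && [ "$dns" = ok ]
}

# Walk the built-in samples when executed directly; pass --live for the real box.
if [ "${1:-}" = "--live" ]; then
    check_live "${2:-tun0}" "${3:-10.8.0.}"
else
    echo "sample full-tunnel client:  $(tunnel_mode "$FULL_TUNNEL_ROUTES")"
    echo "sample split-tunnel client: $(tunnel_mode "$SPLIT_TUNNEL_ROUTES")"
    echo "sample VPN resolv.conf:     $(dns_via_vpn "$RESOLV_VPN" 10.8.0.)"
    echo "sample leaky resolv.conf:   $(dns_via_vpn "$RESOLV_LEAK" 10.8.0.)"
fi
```

The two checks are separate on purpose: a client can have every route on tun0 and still hand its DNS queries to the coffee-shop router, which gives the person in the next seat the list of sites you visit even though the page bodies are inside the tunnel. `./vpncheck.sh --live wg0 10.7.0.` runs it against a WireGuard interface and a different VPN subnet; a non-zero exit means "don’t start working yet".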