Your account database is on the internet
Mar 4th, 2008 by Jesper Kråkhede
Last week yet another site was hacked in Sweden. This time it was Dataföreningen (in English, the Computer Association), which lost quite a lot of user accounts (mine included) to the internet. Within hours I saw several attempts to log on to my mail and my website (everything was logged and remediation actions have been taken). The most interesting thing about this event is that once accounts are published on the internet, searches are made to find where each particular username is used, and logon attempts are then made against those sites with the same password as on the hacked site.
Take this one step further and look at your VPN solution. Do your users use the same username and password there as they use on internet sites? Sadly, that is most likely the case. You could (and should) pass a policy stating that this is not allowed, but it would be rather hard to enforce: you cannot see which passwords your users have chosen elsewhere, so a leak at a third party is outside your control. From a logon perspective you should implement two-factor authentication for external access, so that a password alone, leaked or not, is not enough to get in.
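As an added example (not code from the original post or from Dataföreningen), here are the two checks a VPN owner can actually run on the day a third-party dump appears: first, test each leaked username/password pair against your own password store to find the users who reused it, which is the part a policy cannot enforce; second, scan the authentication log for logons against the leaked usernames from outside the corporate network, which is the pattern described above. The dump, the user store (assumed to use salted PBKDF2-HMAC-SHA256), the log line format and the assumption that internal sources start with 10. are all constructed for the example.

```python
"""Added example, not from the original post. Two checks to run when a
third-party account dump appears. All data below is constructed."""
import hashlib
import hmac
import os
import re
from collections import defaultdict
from datetime import datetime

# Constructed dump: usernames and plaintext passwords as leaked from a third-party site.
LEAKED_DUMP = [
    ("anna", "sommar2008"),
    ("jesper", "hemligt!"),
    ("bosse", "qwerty"),
]


def make_record(password, iterations=100_000):
    """Store a salted PBKDF2-HMAC-SHA256 hash (assumed storage scheme for the VPN user store)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record, password):
    """Constant-time comparison of a candidate password against a stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


# Constructed VPN user store: "anna" and "bosse" reused the password that leaked.
USER_STORE = {
    "anna": make_record("sommar2008"),
    "jesper": make_record("a-different-password"),
    "bosse": make_record("qwerty"),
    "carl": make_record("not-in-the-dump"),
}


def reused_credentials(dump, user_store):
    """Return the usernames whose VPN password equals the password leaked for them.
    These accounts need a forced reset before the attacker gets to them."""
    hits = []
    for username, leaked_password in dump:
        record = user_store.get(username)
        if record is not None and verify(record, leaked_password):
            hits.append(username)
    return hits


# Constructed auth log: timestamp, service, result, user, source IP.
AUTH_LOG = """\
2008-02-27 09:12:03 vpn LOGIN_OK user=anna src=10.0.5.20
2008-02-28 22:41:10 vpn LOGIN_FAIL user=jesper src=198.51.100.7
2008-02-28 22:41:12 vpn LOGIN_FAIL user=anna src=198.51.100.7
2008-02-28 22:41:15 vpn LOGIN_OK user=bosse src=198.51.100.7
2008-02-28 22:43:02 mail LOGIN_FAIL user=jesper src=203.0.113.9
2008-03-01 08:02:44 vpn LOGIN_OK user=carl src=10.0.5.31
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")


def stuffing_alerts(log_text, dump, published_at, internal_prefixes=("10.",)):
    """Flag logons against leaked usernames after the dump was published, from
    sources outside the internal ranges (assumed to start with 10.). Returns the
    alerts in log order plus the source IPs that tried two or more leaked users,
    which is the signature of someone testing the dump against your site."""
    leaked_users = {u for u, _ in dump}
    since = datetime.strptime(published_at, "%Y-%m-%d %H:%M:%S")
    alerts = []
    users_per_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line; ignore rather than crash the scan
        ts, service, result, user, src = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if when < since or user not in leaked_users or src.startswith(internal_prefixes):
            continue
        users_per_src[src].add(user)
        alerts.append({"time": ts, "service": service, "user": user,
                       "src": src, "success": result == "LOGIN_OK"})
    stuffing_sources = {src for src, users in users_per_src.items() if len(users) >= 2}
    return alerts, stuffing_sources


if __name__ == "__main__":
    print("reused leaked password:", reused_credentials(LEAKED_DUMP, USER_STORE))
    alerts, sources = stuffing_alerts(AUTH_LOG, LEAKED_DUMP, "2008-02-28 00:00:00")
    for a in alerts:
        print("ALERT", a)
    print("sources testing the dump:", sources)
```

In the constructed data the successful logon is "bosse" from 198.51.100.7, the same source that had just failed against two other leaked usernames; that is exactly the logon two-factor authentication on external access would have stopped. Run the first check once, directly against your own hashes, and discard the leaked plaintexts afterwards rather than keeping the dump around.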