Yes VPN is secure but not all the case, for example what Windows provide by default PPTP or L2TP is not secure at all.
Instead like openVPN would be a great choice, but config does matter, strongly recommended to require peer certificate and also a password for.
But honestly, so many changes so many stress so less time, what will the users do? writing their credentials into a paper or a text file in the Desktop. So therefore why VPN? why anything if users do these kind of errors..
Using Remote Desktop
Now at this point the resource is outsourced with a local 'safe' machine which can be remotely used as Desktop for every user.
Now maybe time to buy some Microsoft stocks if they have for sale. This could be safe or safer than VPN for a normal 'Windows' user, but the companies have enough license? no, just crack -it <- another security issue by modifying Windows binaries or installing some unknown third-party software which makes deep system changes to hack out the RDP sessions.
So .. is there any option left? Okay SOPHOS & Active Directory & VPN combo, but this infrastructure if you dont have, you wont have enough time to deploy asap.
Okay smartass, then WHAT?
Question is what is the critical data to users have to keep their work?
- Really need that past 5 years of documents?
- Really need all the folders?
So in home office the users can work with limited resource, why dont just give their minimal DATA to keep their work at home? Why would you want to give them the whole DATA you have risking a leak or even-worse a trojan into the server over RDP, or a yummy ransomware.
Give them an enviroment whatever you choose with minimal data and focus the security as a CEO you should feel bad yourself over-time while they are working through the whole internet.
Make backup more frerquently and teach them.
This is a keyword, teach the users what they have to care over.