With numerous manual penetration testing services out there, all claiming to be the best at finding more vulnerabilities, how do you differentiate between them and decide which is right for your team?
Prioritize understanding and mitigating clear and present risks using basic practices, then plan for emerging risks.
Whether or not the device is under the control of the business, VPNs, when properly configured, ensure the traffic is protected end to end and therefore meet several regulatory requirements.