It's not encryption but the fact database could be siphoned off by just stealing the credentials and possibly getting one of your IPs whitelisted. If it's inside the network, they have to establish a bridgehead and maintain it which is in theory, more difficult and higher risk of detection.