Short answer is 'It depends'. It depends upon what you're protecting. This is a risk-based decision, as many of the technical and security controls are. A VPN is a technical control intended to mitigate a security risk. The security risk is that the company network is no longer confined to the walls of an office, but spans across the public Internet. Having a VPN ("virtual private network") encrypts the traffic to keep it private as it travels throughout the world.
Implementing a VPN should not be done just because you read an article, or someone said you have to have one. If you don't understand the risk that's being mitigated, then a VPN might be solving for the wrong problem. A VPN is most often used as one technical control for keeping data (e.g. PHI, PII, proprietary code) secure. Understanding the risks of your specific data is key to the decision-making and implementation process.
A VPN has a cost way beyond the money to implement it. It has to be maintained. It has to be fixed when it breaks, and upgraded to keep it secure. You probably have to have staff to run it, train for it, document it. It's year-over-year spend. And, your employees (e.g. Sales people) won't like a VPN because it slows them down doing their day-to-day job.
MFA ("multi factor authentication") is another technical control that often pairs with VPN, but mitigates a different risk. MFA mitigates the risk of someone else using my credentials to log in. VPN mitigates the risk of keeping my company network private.
In closing. You make the best decision for your company by understanding the risk(s) you're intending to mitigate. Then, you can evaluate and fit the appropriate technical control(s) within your budget and resources that actually accomplish the intended goal.