
The Coffee Shop Compliance Test: What Working in Public Reveals About Your Security Posture

Symbol Security

I was sitting at a coffee shop last week, waiting for a coffee and catching up on email. The place was full of people working. Laptops open, video calls running, spreadsheets glowing on screens. From where I sat, I could see at least five people clearly working on what appeared to be company business. And I noticed something that made me uncomfortable as a cybersecurity professional: I could see details I shouldn’t have been able to see.

A customer support ticket with a name, email address, and account number visible on one screen. A Slack channel with internal project names scrolling by on another. Someone reviewing what looked like a CRM with contact details, deal values, and company names. None of these people were being careless on purpose. They were just working, the same way millions of people do in coffee shops, airports, and hotel lobbies every single day.

The Gap Between Policy and Reality

Here’s what struck me: most of these companies probably have security policies. They likely have compliance frameworks they adhere to. They might even have annual security awareness training that tells employees not to work in public places without precautions. But policies written in a handbook and reality in a coffee shop are two different things.

The modern workforce is mobile. Research shows that 58% of employees have worked remotely from places besides a home office or coworking space, and 27% of workers are currently in hybrid arrangements with another 11% fully remote.[1] A coffee shop offers Wi-Fi, caffeine, and a change of scenery. It is a practical choice for many workers. But it also creates a layer of exposure that most security policies do not address in a realistic way.

When I looked around that room, I was not trying to find sensitive information. I was just observant. And that is exactly the point. An attacker does not need sophisticated tools or network access to gather intelligence in that environment. They just need a chair and a willingness to watch.

Visual Privacy Is the Overlooked Attack Surface

We spend a lot of time in cybersecurity thinking about network security, endpoint protection, and phishing defense. Those are critical. But we often overlook the simplest attack surface of all: the screen itself.

Shoulder surfing is not a new concept, but it is a persistent and under-addressed threat. In that coffee shop, I could see:

  • Internal tools and platforms - identifiable logos and interfaces that reveal which software a company uses
  • Project names and customer details - enough to map organizational structure and client relationships
  • Personal identifiers - names, emails, phone numbers, and account numbers visible on tickets and records
  • Communication patterns - who is talking to whom, what channels are active, and what issues are urgent

An attacker with malicious intent does not need to hack anything in that moment. They just need to collect fragments. Those fragments become the foundation for something more dangerous later.

From Observation to Exploitation

The information visible on a screen in a coffee shop is rarely enough to cause direct damage on its own. But it is incredibly valuable for reconnaissance. And reconnaissance is the first phase of a targeted attack.

Consider what a social engineer can do with the information I observed. Knowing which tools a company uses, the names of internal projects, and how its teams are structured makes a phishing email far more convincing. Armed with real customer names, account details, or internal project names, an attacker can call an employee and sound credible enough to extract more information. The broader numbers back this up: research from Tessian found that attacks targeting people and human error are at the root of more than 90% of successful cyberattacks, and that 65% of data loss incidents result from misdirected email.[2]

This is not theoretical. Social engineering attacks rely on credibility, and credibility comes from details. The details I saw in that coffee shop were freely visible. An attacker sitting in the same room, or even at a nearby table, could have harvested enough context to build a credible pretext for a follow-up attack.

The Compliance Blind Spot

Many organizations invest heavily in compliance. Frameworks like SOC 2 and ISO 27001, and regulations like GDPR and HIPAA, all require documented controls, training programs, and risk assessments. But there is often a gap between what compliance requires on paper and what employees actually do in the field.

A compliance checklist might ask whether employees have been trained on acceptable use policies. It might verify that a VPN is available. It might review whether screens lock automatically after a period of inactivity. These are good controls, but notice what they cover: a VPN protects traffic on the wire, and an idle-timeout lock protects an unattended laptop. Neither does anything for a screen that is unlocked, in active use, and readable from the next table. They also do not address the cultural reality that working in public has become normalized, and that the practical risks that come with it are not front of mind for most employees.

The statistics support this concern. While 87% of organizations say they train employees to spot cyberattacks at least once a quarter, 33% of security decision-makers still fear mistakes and human error in handling email threats.[3] The real question is not whether your policy says employees should be careful in public. The real question is whether your workforce understands what that means, why it matters, and what they are actually protecting. Awareness without context is just checkbox training. Context is what turns a policy into behavior.

What This Means for Security Awareness

Effective security awareness training needs to meet people where they are. It needs to address the real environments they work in, not just the ideal ones. That means talking honestly about remote work, public spaces, and the practical risks of visual exposure.

Employees should understand that:

  • Screens are readable from angles they might not expect - a privacy filter is a simple and effective investment, though it narrows the viewing angle rather than eliminating it, so someone directly behind the user can still read the screen
  • The information visible on their screen is more valuable than they think - an attacker does not need to see everything; fragments are enough
  • Internal tools and communication platforms reveal organizational intelligence - simply seeing what apps a company uses helps attackers craft credible lures
  • Working in public requires situational awareness - positioning, posture, and awareness of surroundings are security habits, not just comfort choices

This is not about creating fear or telling employees they can never work outside the office. It is about helping them understand the trade-offs and giving them practical habits that reduce risk without reducing productivity.

Automation and Continuous Reinforcement

The other challenge is that awareness is not a one-time event. Annual training is a baseline, but it is not enough to shape behavior. Research shows that mandatory compliance drives 79% of training participation, while only 12% of employees say real-world examples boost their engagement.[4] Security awareness needs to be continuous, contextual, and embedded in the daily workflow.

This is where automation makes a difference. Phishing simulations that arrive in inboxes on a regular schedule keep employees alert. Microlearning modules that deliver short, relevant lessons based on current threats reinforce key concepts. Automated reminders about policy updates and seasonal risks (like travel season or conference periods) keep awareness fresh without overwhelming employees.

At Symbol Security, we built our platform around the idea that human risk management requires ongoing engagement, not just annual compliance. The goal is to create a culture where security awareness feels relevant and practical, not bureaucratic and distant. When employees see the connection between training and their real work environment, they are more likely to internalize the behaviors that protect the organization.

A Practical Checklist for Remote Work Security

If you manage security or compliance for your organization, consider whether your policies and training address the reality of public workspaces. Here are a few practical questions to ask:

  • Do employees know what visual exposure risks look like in practice?
  • Are privacy filters recommended or provided for employees who work remotely?
  • Does your training include specific scenarios about working in public spaces?
  • Is there a clear, simple way for employees to report suspicious behavior or concerns?
  • Do your policies distinguish between acceptable use in the office and acceptable use in public?

These questions are not about adding bureaucracy. They are about closing the gap between what compliance promises and what daily work actually looks like.

The Real Test Is the One You Don’t Schedule

That morning in a coffee shop was an unscheduled audit. I was not a penetration tester. I was not an assessor. I was just a person with a coffee, looking around. And I saw enough to be concerned. That is the nature of this risk. It does not require a sophisticated attack or a determined adversary. It just requires an ordinary moment in an ordinary place, and someone who knows what to look for.

The good news is that this risk is addressable. It does not require massive investment or complex technology. It requires awareness, practical habits, and a culture that treats security as part of the work environment, not separate from it.

If your organization has a security awareness program, test it against the coffee shop scenario. Ask yourself whether your employees would know what to notice, what to avoid, and why it matters. If the answer is uncertain, that is not a failure. It is an opportunity to close a gap that is hiding in plain sight.

References

  1. Owl Labs, “State of Hybrid Work 2024,” 2024. https://www.owllabs.com/state-of-hybrid-work
  2. Tessian, “Psychology of Human Error Report,” 2024. https://www.tessian.com/research/psychology-of-human-error-report/
  3. Infosecurity Magazine, “95% of Data Breaches Tied to Human Error in 2024,” March 2025. https://www.infosecurity-magazine.com/news/data-breaches-human-error/
  4. Infrascale, “Security Awareness Training Statistics USA,” 2025. https://www.infrascale.com/security-awareness-training-statistics-usa/

Written by Symbol Security

Cybersecurity experts dedicated to helping organizations protect their digital assets through comprehensive security awareness training and phishing simulations.