Security in Coworking Spaces: What Corporate Travellers Need to Know

Coworking has expanded into almost every major business city. Operators like WeWork, IWG, Regus, and dozens of independent brands offer day passes and flexible membership in central locations that suit corporate travellers who want somewhere better than a hotel lobby. The convenience is genuine. The security assumptions that come with it are often not.

James Whitfield, Senior Security Consultant, has this assessment: a coworking space is a shared-access environment with no meaningful control over who is present, what technology they are running, or what they can observe. For anyone handling commercially sensitive information, that is not a neutral backdrop.

The information security risk in shared environments

The primary risk in a coworking space is not physical. In most locations, it is informational.

Open-plan hot-desking means your screen is visible to multiple strangers simultaneously. The person at the next desk can read your emails, your documents, your presentations. Most will not be interested. A small number will be. In a city where corporate espionage is elevated — Beijing, Shanghai, Moscow, Dubai — the person at the adjacent desk may be actively looking.

NCSC guidance on overseas travel makes the point bluntly: assume any screen in a public or semi-public environment can be observed. A privacy filter reduces the viewing angle of your laptop screen to approximately 30 degrees, making it unreadable from the sides. It is a low-cost, high-value control.

Phone calls are a separate concern. An open-plan floor carries voices across a surprisingly wide area. A call discussing pricing, an acquisition, personnel, or a client relationship — held at a regular conversational volume at a hot desk — may be audible to twenty people. In-ear audio with a microphone eliminates the broadcast; it does not eliminate the risk that the person sitting next to you can hear your end of the conversation clearly.

Wi-Fi: the infrastructure you share without knowing it

Coworking Wi-Fi is a shared network. The architecture varies by operator, but in most facilities, devices on the same network are potentially reachable by other devices on the same network. In a facility that does not segment client traffic properly, this creates a real attack surface.

The NCSC Cyber Essentials guidance treats public or shared Wi-Fi as untrusted by default. The correct response is a VPN that routes all traffic through your organisation’s network before it exits to the internet. Without a VPN active, anything transmitted over coworking Wi-Fi passes through infrastructure you have no visibility of, managed by a company whose security posture you cannot assess.

An alternative that removes the dependency entirely: use a mobile hotspot from a separate travel SIM rather than connecting to the venue’s Wi-Fi at all. For anyone accessing financial systems, board-level communications, or legally privileged material, this is the appropriate baseline.

USB charging ports at hot desks and meeting rooms present a separate risk. The FBI Denver field office issued a public advisory in April 2023 warning against using public USB ports, which can be configured to transfer data or install malware. Use your own charger with a mains socket, or carry a USB data blocker if you are working in facilities where mains access is restricted.

Physical access control: what to assess before you arrive

The physical security of a coworking space is a function of its access control. There is a wide spectrum.

At one end: buildings where the reception desk for the coworking operator is inside the main entrance lobby, staffed continuously, with visitors required to sign in and receive a visitor badge, and all working floors accessible only by keycard. At the other: converted office buildings where the coworking operator occupies one floor, the main entrance is unstaffed outside business hours, the lift requires no authentication, and anyone can reach the working floor without challenge.

The CPNI identifies tailgating — following an authorised person through a secured door — as one of the most common physical access failures in commercial buildings. Coworking spaces, designed to project openness and a welcoming atmosphere, are structurally predisposed to this failure. A team member holding a door for a stranger with their arms full of a bag and a coffee is a social behaviour, not a security failure, until it enables unauthorised access to the floor your meeting is on.

In high-risk cities this baseline matters more. In Lagos, Bogota, Manila, and Nairobi, the coworking building’s ground-floor security architecture — whether there is a guard, whether visitors are challenged, whether the building is known to business travellers or is a relatively obscure location — feeds into the broader targeting calculus for express kidnapping and robbery. Buildings that are visibly frequented by foreign professionals create a predictable pattern. Building-level access control reduces the exposure.

Visitor management in practice

A coworking space with a working visitor management policy should be able to tell you, on request:

• Whether visitors are pre-registered by the member they are meeting before arrival, or can arrive unannounced
• Whether visitor identity is verified against photo ID
• Whether visitors receive a time-limited badge that must be returned on departure
• How far into the facility an unescorted visitor can travel

Many operators will not have thought through these questions in any depth. The answers reveal whether visitor management is an enforced control or a sign above the desk that nobody reads.

For any meeting involving a person who is not a member of the coworking facility, a bookable private meeting room with a door that closes is the baseline. Glass-walled rooms that give clear sight-lines to the open floor are unsuitable for any conversation involving non-public information.

TSCM and meeting room discipline

Technical Surveillance Countermeasures (TSCM) — sweeping for listening devices — is a standard control for permanent executive offices. It is not practical before every coworking meeting room booking.

What is practical: do not hold conversations in bookable meeting rooms that you would not hold in a hotel lobby. Assume the room has been occupied by other people, with their own interests, before your meeting. Do not leave documents on the table when you leave, even briefly. If you are discussing something that would give a competitor or adversary material advantage, a coworking meeting room is not the venue.

For consistently sensitive meetings, a serviced office within a coworking campus — a private, lockable space allocated to your organisation — provides meaningfully better assurance than a shared room. The cost difference is modest relative to the information at risk.

City-specific considerations

In Istanbul, coworking facilities in Levent and Maslak are heavily used by the international business community. Physical security is adequate in established buildings. Communications surveillance by Turkish intelligence services is documented by the FCDO and is a relevant consideration for politically sensitive work.

In Mumbai, facilities in BKC and Lower Parel are well-established. The primary risk is device theft — laptop bags left unattended at hot desks are a known target. Do not leave equipment unattended on a shared desk when you step away, even briefly.

In Lagos, independently vetted, established coworking operators in Victoria Island and Ikoyi offer a meaningfully safer environment than improvised alternatives. Ground-floor security matters here: a building with an active security guard and controlled entry is a different proposition from one that is effectively open.

In Manila, BGC coworking spaces have reasonable physical security. Digital security is the primary concern: Philippine NBI has documented device seizure as part of surveillance operations targeting foreign professionals.

In Bogota and Nairobi, vetting the building rather than just the operator is essential. Both cities have documented express kidnapping patterns that target foreign professionals identified in transit between known business locations.

The standard that applies

ISO 31030:2021, the international standard for travel risk management, classifies coworking spaces as requiring a pre-use assessment where commercially sensitive activity is being conducted. The assessment is not complex: it covers network security, physical access controls, visitor management, and whether the facility is appropriate for the sensitivity level of the work being done.

For the majority of business travel tasks — email processing, routine calls, document review — a coworking space with a VPN active and a privacy screen fitted is a workable environment. For anything involving M&A, litigation, board-level communication, regulatory investigation, or proprietary technical information, the appropriate question is whether the environment provides adequate assurance. Often, it does not.

For more on information security in transit, see our guides to executive digital security during international travel and TSCM and technical surveillance countermeasures.