A venture capital firm in SOMA just discovered that one of their principals had been accessing deal flow documents from a coffee shop in Noe Valley for the past eight months. Using public WiFi. With no VPN. Reviewing term sheets and cap tables for companies that would very much prefer their fundraising details stay confidential.
Nobody knew until their San Francisco IT consulting team ran a routine access audit and noticed the pattern. By then, who knows how many people sitting nearby with packet sniffers might have intercepted sensitive data. The firm got lucky—no breach they’re aware of—but it’s the kind of exposure that could torpedo relationships with portfolio companies if it ever became public.
This isn’t an isolated incident. It’s the new normal, and most SF companies have no idea how exposed they actually are.
The Permanent Hybrid Miscalculation
Here’s what happened: when everyone went remote in 2020, companies implemented emergency measures. VPNs got deployed quickly (sometimes), security policies got written (mostly ignored), and IT teams held their breath hoping nothing would break catastrophically.
Then we all expected to go back to the office. So those emergency measures stayed temporary, patched together, “good enough for now.”
Except we didn’t go back. Or rather, we went back to a hybrid model that’s clearly permanent—and those temporary security measures are still in place three years later, held together with duct tape and optimism.
The problem is that hybrid work creates security vulnerabilities that didn’t exist when everyone was either in a secure office or fully remote. You’ve got people bouncing between environments constantly, accessing systems from different networks, using personal devices alongside company equipment, and generally operating in a way that traditional security models weren’t designed to handle.
Where the Real Vulnerabilities Hide
Most companies think they have this covered because they’ve implemented some basics: VPN access, multi-factor authentication, maybe endpoint protection software. And sure, those help. But they’re not addressing the actual risks specific to how San Francisco companies operate in hybrid mode.
The Coffee Shop Problem
People work from cafes constantly here. It’s part of SF work culture—grab your laptop, hit Sightglass or Blue Bottle, knock out a few hours of focused work. Seems harmless.
But here’s what’s actually happening:
- Confidential video calls in public spaces where anyone can listen or shoulder-surf screens
- Sensitive documents accessed over networks that dozens of strangers share
- Company credentials entered on WiFi networks that could easily be compromised
- Devices left unattended during bathroom breaks or coffee refills
A financial services firm I know had an employee working on M&A documents at a Starbucks in the Financial District. Another patron noticed the company logo on the documents, recognized the target company name, and made some very profitable trades before the deal was announced. They only found out months later when the SEC started asking questions about unusual trading patterns.
The Home Network Weakness
Corporate offices have firewalls, network segmentation, monitoring tools. Your employee’s home network? That’s got the router their ISP provided five years ago running default credentials, probably connected to their teenager’s gaming PC, their partner’s work laptop from a different company, smart home devices with questionable security, and who knows what else.
When your senior accountant is processing payroll from home, they’re doing it on the same network as their kid’s TikTok-infected tablet and their spouse’s potentially compromised work laptop. And your company data is flowing across all of that.
The Device Blur
The line between personal and work devices has basically evaporated. People check work email on personal phones, use personal laptops for work when their work laptop is in the office, access corporate systems from tablets, whatever’s convenient.
Each one of those devices is a potential entry point. And unlike company-managed equipment, you have no visibility into what else is installed, whether security patches are current, if there’s malware lurking in the background.
Why Traditional Security Doesn’t Work Anymore
The security model most companies operate under was designed for a perimeter-based approach: secure the office network, control what comes in and out, trust everything inside.
Hybrid work demolished that perimeter. Now your “inside” is wherever your employees happen to be that day—coffee shops, home offices, co-working spaces, airport lounges, their in-laws’ house over the holidays.
And the tools companies deployed for remote work often weren’t designed for this permanent hybrid reality. VPNs slow everything down, so people turn them off when they think they don’t need them (spoiler: they’re wrong about when they need them). Security policies written for office-first work become obstacles that employees route around.
I talked to a San Francisco IT consulting specialist who described finding a sophisticated phishing attack that had succeeded because the target employee was working from a noisy coffee shop, got distracted, clicked without thinking carefully, and entered credentials on a fake login page that looked legitimate at a quick glance.
In the office, surrounded by colleagues, they probably would have been more cautious. But working solo from a distracting environment, they made a split-second mistake that exposed the entire company network.
The Compliance Nightmare Nobody’s Discussing
For SF companies in regulated industries—finance, healthcare, legal services—hybrid work creates compliance risks that are just starting to surface.
HIPAA doesn’t care that your medical biller prefers working from their apartment in the Sunset. If patient data gets accessed on an unsecured home network and something goes wrong, you’re liable.
SOC 2 auditors are starting to ask much harder questions about remote work controls. “We allow remote work” isn’t sufficient anymore—they want to see evidence of secure home network configurations, device management, access controls that work outside the office perimeter.
Financial firms subject to SEC regulations are discovering that their compliance frameworks never contemplated scenarios where investment advisors are reviewing non-public information from home offices they share with family members.
The regulatory risk isn’t theoretical. I’ve seen two companies in the past year face significant penalties because their hybrid work setup violated compliance requirements they didn’t realize applied to remote access scenarios.
What Specialized Security Actually Requires
Fixing this isn’t about buying more security software. It’s about rethinking your entire security architecture for a world where “the office” is now dozens of different locations, most of which you don’t control.
Zero Trust Architecture isn’t just a buzzword anymore—it’s necessary. That means verifying every access request regardless of where it comes from, never assuming that because someone’s logged in they should have access to everything, continuously monitoring for anomalous behavior.
Endpoint Management that actually works across all devices people use for work, whether company-owned or personal. Mobile device management (MDM) that can enforce security policies, remote wipe capability if devices go missing, visibility into what’s installed and running.
Network Security that follows your employees wherever they work. Secure DNS, always-on VPN that doesn’t destroy performance, cloud-based security filtering that protects them even on untrusted networks.
Security Training that addresses real hybrid work scenarios—not generic “don’t click suspicious links” training, but specific guidance on working securely from cafes, home networks, travel situations.
Access Controls that are contextual: maybe full access from the office or a properly configured home office setup, limited access from coffee shops or travel situations, extra verification required for sensitive operations from unknown locations.
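The contextual access rules sketched in the last few points, worked through as an added example; this is not code from the original article or from any vendor’s product. The network classes, field names and MFA levels are assumptions chosen for the illustration, and the access-log lines are constructed. The same policy is then run over past log entries the way a routine access audit would, to surface a pattern like the one in the opening story (one user repeatedly reaching confidential material from public WiFi with no tunnel).

```python
"""Contextual access decisions for hybrid work (added example, assumptions noted)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # full access
    LIMITED = "allow-limited"  # read-only / low-sensitivity resources only
    STEP_UP = "step-up"        # extra verification before proceeding
    DENY = "deny"


# Assumed network classes: office, a home office configured to the company's
# standard, an unmanaged home network, and public WiFi (or anything unknown).
NETWORK_TRUST = {"office": 3, "managed_home": 2, "home": 1, "public": 0}


@dataclass(frozen=True)
class AccessContext:
    user: str
    network: str          # one of the NETWORK_TRUST keys
    device_managed: bool  # enrolled in MDM, so patch state and software are visible
    vpn: bool             # always-on tunnel or cloud security filter active
    mfa_level: int        # 0 = password only, 1 = OTP/push, 2 = phishing-resistant
    sensitivity: str      # "low", "internal" or "confidential"


def decide(ctx: AccessContext) -> Decision:
    """Decide based on where the request comes from and what it asks for."""
    trust = NETWORK_TRUST.get(ctx.network, 0)  # unknown network counts as public

    # No visibility into an unmanaged device: confidential data never reaches it.
    if ctx.sensitivity == "confidential" and not ctx.device_managed:
        return Decision.DENY

    # Bare public WiFi, no tunnel: low-sensitivity resources only, and only with MFA.
    if trust == 0 and not ctx.vpn:
        if ctx.sensitivity == "low" and ctx.mfa_level >= 1:
            return Decision.LIMITED
        return Decision.DENY

    # Confidential data: office or a properly configured home office with MFA,
    # or phishing-resistant MFA from anywhere; otherwise ask for more proof.
    if ctx.sensitivity == "confidential":
        if (trust >= 2 and ctx.mfa_level >= 1) or ctx.mfa_level >= 2:
            return Decision.ALLOW
        return Decision.STEP_UP

    # Internal / low sensitivity from a home network or over the tunnel.
    return Decision.ALLOW if ctx.mfa_level >= 1 else Decision.STEP_UP


# Constructed sample access log (not real data). Assumed fields:
# timestamp user network vpn device mfa_level sensitivity
SAMPLE_LOG = """\
2024-03-01T09:12:00 jdoe public no managed 1 confidential
2024-03-08T10:03:00 jdoe public no managed 1 confidential
2024-03-15T08:55:00 jdoe public no managed 1 confidential
2024-03-02T14:20:00 asmith office yes managed 1 confidential
2024-03-04T19:40:00 asmith home no managed 1 internal
2024-03-09T11:00:00 bwong public no unmanaged 1 low
"""


def parse_line(line: str) -> tuple[str, AccessContext]:
    """Turn one log line into a timestamp and an AccessContext."""
    ts, user, network, vpn, device, mfa, sens = line.split()
    return ts, AccessContext(user, network, device == "managed", vpn == "yes", int(mfa), sens)


def audit(log_text: str, threshold: int = 3) -> dict[str, int]:
    """Users with at least `threshold` past accesses the policy would now deny.

    Historic accesses all succeeded under the old 'logged in, therefore trusted'
    model; replaying them against the contextual policy shows who has been
    operating outside it, which is the pattern a routine access audit looks for.
    """
    denied: dict[str, int] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ctx = parse_line(line)
        if decide(ctx) is Decision.DENY:
            denied[ctx.user] = denied.get(ctx.user, 0) + 1
    return {user: n for user, n in denied.items() if n >= threshold}


if __name__ == "__main__":
    for user, count in audit(SAMPLE_LOG).items():
        print(f"{user}: {count} accesses the contextual policy would deny")
```

Note that the same user on the same managed laptop gets three different answers depending only on context: full access from the office, a step-up prompt from a home network, and a refusal from coffee-shop WiFi with the tunnel off. That is the point of making the control contextual rather than tied to whether someone has a valid session.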
This requires San Francisco IT consulting expertise that understands not just security tools but how people actually work in the Bay Area—the cafe culture, the flexible schedules, the “work from Tahoe” weeks that have become standard.
The Cost of Ignoring This
Most companies won’t face a catastrophic breach. But they’re bleeding risk constantly through small exposures: confidential information accessed in public, credentials entered on compromised networks, sensitive data flowing across unprotected home networks.
Eventually, something will break. Maybe it’s a ransomware attack that enters through an employee’s compromised home network. Maybe it’s a compliance violation that triggers an audit and reveals systematic failures. Maybe it’s a competitor who gains access to strategic information because someone was careless at a coffee shop.
The longer companies pretend their pandemic-era temporary measures are sufficient for permanent hybrid work, the larger that risk grows.
Hybrid work is here to stay in San Francisco. The security models need to catch up.