Rethinking endpoint security: the overlooked risk in hybrid public sector work
In today’s hybrid and mobile-first work environments, it’s easy to focus exclusively on digital cybersecurity measures, such as firewalls, encryption, identity management and endpoint detection. Yet, one of the most significant vulnerabilities often goes unnoticed: the physical security of devices and the information displayed on screens.
As public sector organisations increasingly adopt hybrid working models, laptops, tablets and other mobile devices are moving beyond secure offices into shared spaces, transport hubs and field operations. Research shows this shift amplifies security risks: 76% of organisations have experienced device theft in the last two years, rising to 85% in hybrid environments.¹ The impact is significant, as one-third of organisations report legal or regulatory consequences following device theft, while 32% experience productivity losses.
One of the challenges is ‘visual hacking’. Sensitive data can be compromised not through a software exploit but by someone simply glancing at a screen. In shared spaces, from cafés and airports to coworking hubs, shoulder surfing has become a real, everyday threat. Nearly 23% of IT leaders now identify visual hacking as a growing concern. Even within office environments, open-plan layouts and hot-desking arrangements create opportunities for unintended data exposure.
Another concern is the risk of physical device theft. While digital protections like encryption help mitigate the damage, the initial loss of a laptop or tablet can trigger significant operational, legal and regulatory consequences. The average global cost of a data breach has now reached US$4.88 million, according to IBM's Cost of a Data Breach Report 2024. Compared with the low cost of basic physical security measures, such as device locks costing less than US$40, the risk-to-cost imbalance is stark. The reality is that even the most robust cybersecurity frameworks are only as strong as the endpoints they protect.
Public sector leaders often underestimate how accessible these risks are. Yet the solutions are not only simple but cost-effective. Measures such as locking devices to workstations, controlling physical access and employing privacy screens can dramatically reduce the likelihood of unauthorised access, visual hacking and device theft. Organisations that use physical locks are 37% less likely to experience data breaches caused by unsecured devices,² while 84% of IT decision-makers consider physical locks a cost-effective mitigation tool. The principle is straightforward: secure the physical environment, and the digital systems become far less vulnerable.
It’s also important to view this through a defence-in-depth lens. Cybersecurity is no longer solely about software hardening or network monitoring. Layering digital protections with physical security strategies creates a comprehensive approach to risk management. Organisations that integrate these controls by combining authentication, encryption and physical device safeguards establish resilience against both digital and real-world threats.
Demand for these measures is rising, particularly in government, healthcare and financial services. Leaders are recognising that low-cost interventions can prevent high-impact incidents. Protecting information in transit, securing endpoints and limiting visual exposure are becoming integral parts of day-to-day security practice, rather than optional extras.
As we approach Data Privacy Week (26–30 January), it’s an opportune moment for public sector agencies to reassess how they approach endpoint security. Technology investments remain critical, but without attention to physical vulnerabilities, organisations leave a significant gap in their risk posture. My advice to leaders is to take a holistic view of cybersecurity: digital controls matter, but securing the physical layer is equally essential to protect sensitive information in our increasingly mobile and hybrid work environments.
1. Kensington 2025, ‘Secure Your Devices, Protect Your Data’, white paper.
2. Ibid.
