Back to the status quo with RTO
Return to office (RTO) mandates are spreading fast, driven by everything from culture concerns to productivity targets. Security rarely gets top billing in these announcements, yet it is often part of the calculation, given that many organizations still assume that being physically inside the corporate network automatically lowers cyber risk.
That assumption sounds logical, but it is also increasingly outdated. RTO does not automatically shrink cyber risk. In many cases, it simply reshapes it, sometimes reviving security problems organizations spent the pandemic years trying to solve.
Does the return to office mean fewer cyber risks?
Enterprise security used to assume the office was a safe zone. Keep attackers outside the firewall, and most problems stay outside with them. The mass shift to remote work blew holes in that thinking, leaving organizations to manage employees signing in from kitchen tables, shared Wi-Fi, and all kinds of personal devices.
That shift pushed many organizations toward identity-focused security, tighter endpoint monitoring, and Zero Trust policies designed to verify users continuously rather than trust them based on location.
RTO risks nudging companies back toward the older assumption that, once employees are physically inside the building, the network itself is inherently safer. In practice, the office can create its own set of vulnerabilities, at least if trust is assumed within the physical network perimeter.
How assumed trust in the physical network creates vulnerabilities
Assuming the corporate network is safer than remote work could leave organizations at risk. Here’s why:
Office environments can increase the risk of insider threats
Some of the most damaging breaches in recent years have not started with outside hackers at all. They have come from people who already had legitimate access to company systems.
In 2023, Tesla said two former employees were responsible for leaking confidential data belonging to tens of thousands of staff members. The breach did not involve hackers exploiting technical vulnerabilities but rather relied on individuals with legitimate internal access.
Insider activity is notoriously difficult to detect because it often blends into normal workplace behavior. Employees already have credentials, understand internal workflows, and know where sensitive information lives.
Office environments can unintentionally increase exposure to these risks. Shared workspaces, unlocked devices, and casual credential sharing are all common in collaborative office settings, and they create opportunities that rarely exist in tightly controlled remote setups where employees operate in isolation.
Some security vendors, including ThreatLocker®, have started paying closer attention to what happens inside networks rather than just watching traffic coming in and out. That includes tightening controls on which applications are allowed to run in the first place, rather than waiting to spot suspicious behavior after it appears.
That model reflects a broader industry shift toward assuming that compromise is inevitable. Instead of trusting users because they are physically present, organizations increasingly focus on controlling what those users can do.
The challenge is cultural as much as technical. Office environments naturally encourage collaboration and information sharing, behaviors that can conflict with strict least-privilege security models. Employees will bypass controls to get work done faster, particularly when returning to offices after years of remote flexibility.
Remote work doesn’t have a USB problem
Another security issue resurfacing alongside RTO centers on removable storage devices.
USB malware was a major problem long before remote work entered the picture. In the late 2000s and early 2010s, infected flash drives caused repeated security scares, especially in government and defense environments. The U.S. Department of Defense (DoD) eventually responded by banning removable media altogether after malicious code spread through drives plugged into internal machines.
Organizations tightened rules around removable media over the years, but remote work introduced an unexpected side effect. With fewer people sharing office equipment, there were fewer opportunities for mystery devices to get plugged into corporate systems.
The return to office changes that dynamic. Suddenly, there are shared printers, docking stations, meeting room kits, and other communal tech back in the mix. Along with it comes the familiar problem of personal devices and random peripherals quietly finding their way onto company systems.
Ransomware spreads faster on internal systems
The biggest technical risk tied to office environments is often lateral movement (the ability for attackers to move between systems once they gain an initial foothold).
The 2021 ransomware attack on Ireland’s Health Service Executive (HSE) is a reminder of how fast infections can spiral. An intrusion that started on a single endpoint spread through connected networks and ultimately shut down large parts of the country’s healthcare IT infrastructure, forcing widespread appointment cancellations.
Although the incident did not hinge on workplace location, it showed how quickly malware can spread once it reaches shared internal systems. Office networks often connect employees to legacy platforms, shared storage, and internal services, giving attackers far more room to move than tightly controlled remote access setups.
The good and bad of remote work
The shift to remote work created plenty of security problems of its own. Phishing attempts spiked, home networks became part of enterprise risk, and IT teams struggled to keep track of devices scattered far beyond office walls.
However, the distributed workforce also forced organizations to modernize security architectures at unprecedented speed. Companies invested heavily in identity verification, behavioral monitoring, application control, and device trust validation because traditional network boundaries no longer existed.
Many now worry that RTO creates pressure to loosen those controls in the name of convenience or operational simplicity.
The complications of hybrid work
Many organizations are not returning to fully office-based operations. Hybrid work models have become the default in some cases, and certainly the majority. This adds complexity.
Security teams must now defend both distributed remote endpoints and internal office infrastructure simultaneously as devices move between home networks, public Wi-Fi, and corporate environments. This creates constantly shifting trust boundaries.
The use of hybrid models also makes policy enforcement harder. A device that appears compliant on a home network may behave differently when connected to internal systems, particularly if network segmentation or monitoring varies between environments.
Hybrid scheduling can also complicate oversight of physical access. When employees rotate in and out of offices on irregular schedules, it becomes harder for organizations to track who should legitimately be on-site at any given time. That uncertainty can create small but meaningful gaps in badge auditing, visitor monitoring, and access verification that attackers may exploit.
Wherever you are, Zero Trust controls provide the best security
Attackers are not particularly concerned about whether someone is working from home or sitting in an office. What they really want are valid login details, trusted tools they can hijack, and access to everyday systems that help them stay resident and unnoticed.
The belief that office networks are safer by default is colliding with how modern IT works. With cloud platforms and software-as-a-service (SaaS) tools handling so much corporate data, access often comes down to a matter of credentials rather than location.
That is why many organizations now treat every user and device as requiring continuous verification. That means preserving identity-centric controls, enforcing least privilege access, monitoring internal activity, and maintaining strong endpoint visibility regardless of where employees work.
RTO does not make that thinking obsolete. If anything, it highlights why it exists.
Read the rest of this article and more cybersecurity insights in the upcoming Issue 4 of Cyber Hero Frontline, a magazine by ThreatLocker.


