Securing Claude Cowork
Claude Cowork can significantly improve employee productivity by helping users retrieve information, summarize context, and perform actions across local and enterprise systems. As organizations roll out Claude Cowork to their workforce, it is crucial to set up guardrails to prevent sensitive data leaks and ensure data integrity.
This post is a practical rollout guide: the risks to understand, the access paths to control, and a phased plan for getting to productive — and governed — usage.
Claude Cowork security risks
While Claude Cowork can boost employee productivity, it also exposes the organization to significant security risks, because it gains access to sensitive data and acts on behalf of users.
| Risk | Impact |
|---|---|
| Over-permissioned access | Users may grant Claude access to too many apps, files, folders, or connectors, exposing the organization to sensitive data exfiltration and data integrity issues. |
| Local file exposure | If Cowork has access to local files, sensitive documents, financial files, source code, credentials, or customer data could be read, summarized, copied, or leaked. |
| Computer-use risk | Cowork can use the screen directly when it lacks a connector: clicking, typing, opening apps and files, using browsers, and running dev tools. That makes governance harder because actions are visual/UI-based rather than structured API calls, increasing the risk of unintended destructive actions. |
| Prompt injection | Malicious content in a webpage, email, document, Slack message, ticket, or support case could instruct Claude to ignore prior instructions, reveal data, or take unsafe actions. This is especially risky when Cowork combines reading untrusted content with tool access. |
| Data exfiltration through connectors | Connectors can let Claude access apps and services, retrieve data, and take actions using the user’s own permissions. If the user has broad access, Claude may inherit that broad access. |
| Unsafe actions | Claude may update tickets, send messages, edit documents, move files, change configurations, or trigger workflows incorrectly if approvals and scopes are too broad. |
| Cross-system data leakage | Cowork may combine information from one system and put it into another: copying HR data into Slack, customer data into a doc, or confidential financials into an email draft. |
| Insufficient auditability | If actions happen through browser or desktop UI, it can be harder to capture clean logs like “tool X accessed resource Y with arguments Z.” Structured MCP/API access is much easier to audit. |
| Sensitive app exposure | If Cowork can see or operate email, calendar, HRIS, finance systems, admin consoles, dev tools, or browser sessions, it may encounter data outside the intended task. |
| Third-party connector risk | Custom connectors, MCP servers, plugins, and desktop extensions may run code or access systems beyond what users expect. A local MCP server can have the same OS permissions as the user account running it. |
Securing Claude Cowork
Getting the most out of Claude Cowork while keeping your organization secure requires a fine balance: restricting dangerous actions, but giving access to enough functionality to realize productivity gains. Safeguarding Claude Cowork with a combination of controls within Claude and DTwo’s MCP Gateway with policy enforcement allows corporate IT teams to strike the right balance.
Below are Claude’s access paths to local and external systems, along with risk levels and recommended controls:
| Access path | Example | Risk level | Recommended control |
|---|---|---|---|
| Built-in connectors | Google Drive, Slack, CRM | Medium / High | Disable direct access to sensitive systems where policy enforcement is required; prefer DTwo-governed MCP equivalents. |
| Remote MCP servers | Jira, Figma, internal APIs | High | Route through the DTwo gateway. |
| Local MCP / desktop extensions | Filesystem, Git, local DB | High | Allowlist, approved workspace only. |
| Browser / computer use | UI clicking, typing, screen reading | Very high | Disable or tightly restrict. |
| File/folder access | Local workspace folders | High | Restrict to a dedicated folder. |
Organizations should follow this step-by-step guide to safely roll out Claude Cowork.
Phase I: Restrict risky access paths
- Disable visual computer and browser control. Claude Cowork’s visual computer and browser control tools allow Claude to click around in any app on the user’s local machine and in their browser. These UI-based tools are difficult to govern and don’t provide an audit trail. Disable these tools (Computer Use & Claude in Chrome) at the organization level and instead use structured MCP connectors.
- Govern desktop extensions and local MCP servers. Desktop extensions are powerful because they give Claude broad access to the user’s local machine, including local files, local databases, desktop apps, and local processes. Enable an allowlist for desktop extensions for your organization and allow only vetted extensions.
- Limit local filesystem access. Avoid giving Claude Cowork broad access to users’ filesystems. Instead, create a dedicated Claude Cowork workspace and give Cowork read and write permissions only to this workspace.
Phase II: Route MCP access through DTwo
Claude Cowork can connect to remote systems through MCP. Secure access to remote MCP servers by disabling direct access and routing traffic through the DTwo gateway.
Phase III: Apply policy
- Block destructive tool calls. Define policies in DTwo that block access to destructive tool calls. Some examples: sending emails outside the organization, deleting CRM records, and modifying payroll or compensation.
- Prevent sensitive data exfiltration. Define policies in DTwo that redact sensitive data such as social security numbers, credit card numbers, and API keys before it is exposed to Claude. Write policies that redact sensitive data before it is sent to external systems such as email or Slack/Teams.
- Defend against prompt injection. Treat content retrieved from emails, webpages, tickets, documents, and Slack messages as untrusted data, not instructions. Use DTwo policy to block tool calls that appear to be triggered by malicious instructions embedded in retrieved content.
Phase IV: Train users and publish acceptable-use guidelines
Publish an internal acceptable-use policy that tells employees which Cowork use cases are approved, which systems may be connected, what data must not be exposed, and which Claude-generated outputs employees must review before accepting, sending, or applying.
Phase V: Monitor usage and evolve policy
Use DTwo to monitor and audit Claude Cowork’s MCP tool usage. Look for high-risk actions which were not blocked by policy and evolve your policies to mitigate risk.
Unlocking productivity, securely
A properly secured Claude Cowork implementation can significantly increase the productivity of your workforce. Here are examples of ways Claude Cowork can help different functions — with the right security controls:
| Team | Use case | Security controls |
|---|---|---|
| Finance | Support the month-end close process by having Claude gather information from spreadsheets, ERP systems, and Slack — identifying missing items, summarizing variances, and drafting close-status updates for leadership. | Limit access to approved local folders and apply read-only policies to ERP, spreadsheets, and Slack. |
| HR | Answer questions about company policies, ensuring consistent answers while reducing repetitive workload. | Allow answers only from approved policy sources and redact compensation and PII data. Block updates to employee records. |
| Engineering | Analyze and debug incidents by gathering data from alerts, Slack threads, and logs. Cowork can draft incident summaries, customer updates, and postmortems. | Apply read-only policies to alerts, logs, Jira, GitHub, and Slack for incident analysis. Redact secrets and production data; block deployments, rollbacks, monitor changes, PR merges, and production config changes. |
| Customer Success | Prepare for QBRs by pulling and summarizing CRM notes, product usage, support tickets, renewal information, and call transcripts. | Apply read-only access to CRM, support, product usage, renewal, and call transcript data. Redact customer PII, pricing, contract terms, and internal risk notes; block changes to renewals, entitlements, account health, or support ticket status. |
| Marketing | Streamline campaign launches by coordinating campaign assets, messaging, audience segments, channel plans, launch dates, approvals, and performance updates across docs, project tools, CRM, email, and analytics. | Allow campaign summaries and content drafts, but block publishing, email sends, social posts, audience changes, budget changes, and customer-list exports. Redact customer lists, prospect PII, unreleased roadmap details, and confidential launch information. |
| Go-to-Market | Forecast risk by reviewing CRM opportunities, email/call notes, recent activity, and deal stages to identify stale deals and missing qualification, and recommend next steps. | Apply read-only access to CRM, forecast, email, and call-note data. Redact pricing, discounts, legal terms, and sensitive buyer notes; block changes to opportunity stage, amount, close date, forecast category, quotes, or discounts. |
Conclusion
Claude Cowork can create meaningful productivity gains, but organizations should not treat it like a simple chat assistant. Because it can retrieve data and take action across systems, it should be governed like an enterprise automation layer. By disabling high-risk access paths, routing tool access through a policy gateway, limiting local filesystem access, redacting sensitive data, and monitoring usage, organizations can safely unlock Cowork’s value while protecting sensitive data and critical systems.
Want help securing your Claude Cowork rollout? Reach us at connect@dtwo.ai.