Device security is not an IT-only topic. Laptops, phones and tablets are the central tool of nearly every employee in 2026 and therefore a prime target. A lost laptop without full disk encryption, a phone without a lock screen, a tablet on an end-of-life operating system: each of these gives an attacker a direct way in. What should employees actually do, and how do you anchor this in an awareness programme?
Why device security is a shared responsibility
IT takes care of MDM policy, disk encryption, anti-virus and patches. The employee takes care of what IT cannot enforce: not leaving the device unattended, only work data on work devices, fast reporting on loss or theft, and actually letting updates run. That combination decides whether a device is a safe tool or an open door into your organisation.
In practice, most device incidents are not advanced hacking attacks but loss, theft and misconfiguration. A laptop on a train, a phone in a café, a tablet a family member borrows: in each case the difference between a data breach and an isolated incident depends on how the device was set up and how quickly it was reported.
The six basics for every user
Not complicated, just apply consistently:
- Lock your screen. Whenever you get up, even just to go to the printer. Set automatic lock to a short interval.
- Keep devices and apps up to date. Security updates close holes attackers actively exploit. Use automatic installation wherever possible.
- Install apps only from official stores. Apps from random websites can contain malware. On corporate devices the company portal is the only source.
- Use full disk encryption. Standard on laptops (BitLocker, FileVault). A lost laptop without encryption is a data breach; with encryption it is usually just a replacement matter.
- Separate work and personal life. No confidential work data in personal apps, no personal accounts on work devices. That separates consequences if either world is compromised.
- Report loss or theft immediately. The faster IT can wipe remotely, the smaller the damage. An hour's delay can be the difference between a notification and a breach.
Laptops: disk encryption, accounts and remote work
A laptop used outside the office crosses unsafe environments daily: cafés, trains, hotel rooms, home offices. Three principles make the difference.
Full disk encryption must be on and proven to work. BitLocker (Windows) and FileVault (macOS) are standard; the challenge is usually that it was turned on but never tested. Ask IT to confirm it is active for you and the recovery key is safely stored.
Use a separate work account, not your personal Microsoft or Apple account. Otherwise personal and work files mix, and on device loss both worlds are at risk at once.
When working remotely: use a trusted network, or a VPN if IT recommends one, and do not take confidential calls on open Wi-Fi in public spaces. Shoulder surfing is low-tech but still a real risk in 2026.
Mobile phones: separation, biometrics and app policy
The business phone is both a tool and a personal device in many organisations. Three agreements prevent most pain.
Set a strong lock (a six-digit PIN or biometrics). Set auto-lock to a few seconds. Disable lock-screen notification previews for sensitive apps such as mail and authenticators.
Use a work profile or business container on the phone where possible. That separates work and personal data and lets IT wipe only the work part on loss, without touching your personal photos.
Install apps only via the official store or the company portal. Avoid sideloading and reject invitations to install an unknown app for a single purpose. The same applies to BYOD devices used for work.
Tablets, USB sticks and peripherals
Tablets often slip under the radar because they 'seem less important'. They are not: a tablet with mail and collaboration access is functionally a laptop. Apply the same rules: lock, encryption, only approved apps, fast reporting.
USB sticks require extra care. Found or received USB sticks are still an attack vector in 2026 (USB-drop attacks). Never plug an unknown stick into a work device. For sharing files, the cloud solutions your organisation provides are safer.
Peripherals such as docking stations, wireless keyboards and mice need current firmware and should be original, approved gear. Cheap wireless keyboards have had vulnerabilities in the past that gave attackers access.
What to do after loss, theft or a suspected compromise
Act immediately to keep damage manageable. Follow the order:
- Report loss or theft within the hour to IT and, if personal data is involved, to the privacy officer. GDPR requires breach reports within 72 hours; the clock starts when you become aware of the loss.
- Ask IT for remote wipe if technically available. Modern MDM can wipe a business partition without touching personal data.
- Change passwords for the main business accounts active on the device (mail, collaboration, possibly CRM).
- Check for unusual activity in your accounts in the hours after the loss: unknown logins, mailbox forwarding rules, recent shares.
- For a suspected compromise (strange pop-ups, sudden slowness, unknown app appearing): take the device offline immediately and have IT assess before continuing.
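The account check in the fourth step above, as an added example that is not part of the original article: a small Python triage over constructed sign-in, mailbox-rule and sharing audit events. The event field names, the known-device list and the loss time are assumptions, not any product's real schema; the logic flags activity after the reported loss from the lost device or an unknown device, new forwarding rules, and public shares, which is the list a user should raise with IT.

```python
from datetime import datetime, timezone

# Constructed sample data; field names are an assumption, not a real audit-log schema.
LOSS_TIME = datetime(2026, 3, 10, 8, 15, tzinfo=timezone.utc)  # time the loss was reported
KNOWN_DEVICES = {"LT-0421", "PH-0198"}  # devices IT has enrolled for this user
LOST_DEVICE = "LT-0421"                  # the laptop that was lost

EVENTS = [
    {"time": "2026-03-10T07:50:00Z", "type": "signin", "device": "LT-0421", "ip": "203.0.113.7", "result": "ok"},
    {"time": "2026-03-10T09:02:00Z", "type": "signin", "device": "LT-0421", "ip": "198.51.100.23", "result": "ok"},
    {"time": "2026-03-10T09:05:00Z", "type": "mailbox_rule", "name": "auto", "forward_to": "ext@example.net"},
    {"time": "2026-03-10T09:40:00Z", "type": "signin", "device": "UNKNOWN-7F3A", "ip": "198.51.100.23", "result": "ok"},
    {"time": "2026-03-10T10:10:00Z", "type": "share", "item": "Q1-forecast.xlsx", "with": "anyone-with-link"},
]


def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def triage(events, loss_time, known_devices, lost_device):
    """Return (finding, time, detail) tuples for post-loss activity worth reporting to IT."""
    findings = []
    for ev in events:
        if parse_time(ev["time"]) < loss_time:
            continue  # activity before the loss is out of scope for this check
        if ev["type"] == "signin" and ev["result"] == "ok":
            if ev["device"] == lost_device:
                # The lost device is still signing in: remote wipe has not taken effect yet
                findings.append(("lost-device-signin", ev["time"], ev["ip"]))
            elif ev["device"] not in known_devices:
                findings.append(("unknown-device-signin", ev["time"], ev["device"]))
        elif ev["type"] == "mailbox_rule" and ev.get("forward_to"):
            # Forwarding rules are a common way to keep reading mail after a password change
            findings.append(("new-forwarding-rule", ev["time"], ev["forward_to"]))
        elif ev["type"] == "share" and ev.get("with") == "anyone-with-link":
            findings.append(("public-share", ev["time"], ev["item"]))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS, LOSS_TIME, KNOWN_DEVICES, LOST_DEVICE):
        print(*finding)
```

Run against real exports, the same loop would take the sign-in and audit logs IT can pull for the account; the user's own role is to report the loss time and which devices are genuinely theirs.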
How to anchor this in an awareness programme
Device security belongs as a practical module in the annual cycle, followed by short reminders. Practical build: a six- to eight-minute module on the six basics, plus role-based add-ons for staff who work mostly outside the office (reps, engineers, community-care staff).
Combine this with practical visibility: a poster in the corridors reinforcing clean-desk and lock-screen principles, a short instruction video about work profiles on phones, and a quick internal guide for loss-and-theft reporting. Make it visible when someone reports fast: a short internal newsletter showing that a lost laptop was wiped within an hour normalises the right behaviour.
Refresh annually at minimum: operating systems gain new features (shared access, biometrics, security centres), and the settings last year's instructions pointed to may be named differently this year.
See how 2LRN4 turns this topic into a workable programme with training, phishing simulation and management reporting.
FAQ
What does device security cover?
Laptops, phones, tablets, and their peripherals. For end users it is about locking, updates, only approved apps, disk encryption, separating work from personal use, and fast reporting on loss or theft.
What is full disk encryption?
A technique that encrypts all data on the hard drive so a lost or stolen device stays unreadable without the right key. BitLocker (Windows) and FileVault (macOS) are the standards. A laptop without encryption on loss is almost always a data breach.
Should I lock my phone with biometrics or a PIN?
Both work. Biometrics (fingerprint, face) are practical and strong; a strong PIN or passphrase is the needed fallback. Avoid short PINs like 1234 or birthdays. Set auto-lock to a few seconds.
Can I have personal apps on my work phone?
Preferably not, and on employer-managed devices with MDM that is often restricted. Separation prevents a personal incident (a stolen Netflix password) from giving access to work data, and vice versa.
What do I do if I lose my work device?
Report within the hour to IT, ask for remote wipe, change passwords for accounts active on the device, and check activity in those accounts. With personal data, GDPR sets a 72-hour reporting duty via the privacy officer.
Are USB sticks still safe to use?
For sharing files, cloud solutions from your organisation are safer. Found or received USB sticks remain an attack vector; never plug an unknown stick into a work device.
How often should I update my device?
As soon as a security update is available, preferably automatically. Attackers often exploit known vulnerabilities within days of a patch. Postponing is no longer an innocent choice in 2026.
External source: NCSC - Awareness resources