The conversation about cyber security in a business almost always starts with the technology layer: multi-factor authentication, endpoint detection, email security, backups. Those things matter, and we have written about them at length. But the single most overlooked security control in any office is not technical at all. It is the keyboard shortcut you use, or do not use, when you stand up from your desk to grab a coffee.
Most people in most businesses do not lock their computer when they walk away. They assume the office is safe. They assume anyone who walked past would not look. They assume the screen saver will kick in soon enough. None of those assumptions hold up to the way modern offices actually operate, and the cost of getting it wrong is much higher than people think.
Why an unlocked computer matters more than it used to
A logged-in workstation is no longer just a computer. It is a live, authenticated session into:
- Microsoft 365: your email, your files in SharePoint and OneDrive, the company’s Teams conversations, the calendar that shows who you meet with and when
- Your CRM or PSA system, with client records, contracts, pricing, notes
- Your accounting platform, with banking details, payee records, recent transactions
- Your password manager, often unlocked for the working session, with the keys to everything else
- Active multi-factor sessions that bypass the second factor for the next several hours
An unlocked screen is not "a logged-in computer". It is your entire authenticated working day, sitting on a desk, available to anyone who walks past it.
Three scenarios that should change the calculation
The "but our office is safe" instinct is anchored in a model of an office that no longer matches reality.
1. Visitors who should be in the building
The most common breach scenario is not the obvious one. It is a legitimate visitor (a courier, a tradesperson, a candidate waiting for an interview, a salesperson dropping samples) who is in the office for an entirely valid reason and finds themselves alone in a workspace for a few minutes. Most have no interest in your screen. The minority that do can cause real damage in 90 seconds with no special skills.
2. Shared spaces and hybrid working
Coworking spaces, client offices, hotel lobbies, airport lounges. If your team works anywhere except your own controlled office, the assumption that "no one would look" stops applying entirely. Attackers who specifically shoulder-surf in public spaces are a real category, especially for small businesses in finance, professional services, and any industry handling regulated client data.
3. Cleaning crews, contractors, after-hours access
Most offices have people in them outside business hours. The overwhelming majority are completely trustworthy. But "the computer is locked between 6pm and 7am" is a control. "I assume our cleaner has no interest in our files" is a hope.
The actual habit, and why it has to be a reflex
Locking your computer is technically trivial:
- Windows: press Windows + L
- Mac: press Control + Command + Q
Both shortcuts take less than half a second once they are in muscle memory. The problem is they have to be muscle memory. "I will lock it if it feels like I should" does not survive contact with a busy Tuesday afternoon. The pattern that works is: every time you stand up, even for a moment, your fingers hit the shortcut without thinking about it.
Phrase it as a rule, not a judgement call: chair movement triggers the keyboard shortcut. If you are standing up, the screen is locking. That removes the moment of decision that almost always defaults to "she’ll be right".
The technical controls that back the habit up
The habit is the first line. Microsoft 365 and Windows together can enforce the second line, in case someone forgets.
For AgileMANAGED clients with the AgileSECURE arrangement, we configure:
- Screen lock after inactivity, typically 5 minutes for general use and 1 to 2 minutes for laptops in shared spaces
- Password or PIN required on resume, with Windows Hello biometric unlock where the device supports it so the friction is minimal
- Conditional access policies in Microsoft 365 that require re-authentication periodically and on suspicious sign-in patterns
- Endpoint encryption (BitLocker on Windows, FileVault on Mac) so a lost or stolen device is not also a data breach
- Remote wipe capability through Intune for devices that genuinely go missing
These controls do not replace the habit. They are the safety net that catches the times the habit fails.
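To confirm the safety net is actually in place on a given Windows device, the following PowerShell sketch checks the inactivity lock and disk encryption against the limits above. It is an added example, not Agile IT's own tooling. It assumes the lock is delivered through the standard Windows policy registry values, so a device managed another way may report "not set"; the `-SharedSpaceLaptop` switch is a hypothetical name.

```powershell
# Added example: audit one Windows device against the lock baseline above.
param([switch]$SharedSpaceLaptop)   # hypothetical switch: use the stricter limit

# Limits from the article: 5 minutes general use, 2 minutes in shared spaces.
$maxSeconds = if ($SharedSpaceLaptop) { 120 } else { 300 }

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-Timeout {
    param($Seconds, [int]$Max)
    # 0 or missing means "never lock", which fails the baseline.
    ($null -ne $Seconds) -and ([int]$Seconds -gt 0) -and ([int]$Seconds -le $Max)
}

# "Interactive logon: Machine inactivity limit" (machine-wide, in seconds).
$machineLimit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'

# Screen saver policy for the signed-in user (values are stored as strings).
$ssKey     = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ssActive  = Get-RegValue $ssKey 'ScreenSaveActive'
$ssSecure  = Get-RegValue $ssKey 'ScreenSaverIsSecure'   # '1' = password on resume
$ssTimeout = Get-RegValue $ssKey 'ScreenSaveTimeOut'

$machineOk = Test-Timeout $machineLimit $maxSeconds
$saverOk   = ($ssActive -eq '1') -and ($ssSecure -eq '1') -and (Test-Timeout $ssTimeout $maxSeconds)

# BitLocker protection on the OS volume (needs an elevated session and the BitLocker module).
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$encrypted = ($null -ne $bl) -and ($bl.ProtectionStatus -eq 'On')

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    MaxAllowedSeconds  = $maxSeconds
    MachineInactivity  = if ($null -ne $machineLimit) { $machineLimit } else { 'not set' }
    ScreenSaverTimeout = if ($null -ne $ssTimeout) { $ssTimeout } else { 'not set' }
    ScreenSaverSecure  = ($ssSecure -eq '1')
    # Either mechanism locking within the limit satisfies the inactivity control.
    InactivityLockOk   = ($machineOk -or $saverOk)
    OsVolumeEncrypted  = $encrypted
}
```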
How to make it stick across a team
Telling people to lock their screens does not change behaviour. These do:
- Demonstrate it on day one. Include the keyboard shortcut in every new starter induction, alongside the basics of how email and Teams work. Treat it as a standard onboarding item, not a security afterthought
- Make it a leadership behaviour. If the owner and the senior managers visibly lock their screens every time they stand up, the rest of the team picks it up. If they do not, the rest of the team also does not
- Run the friendly version of an unlocked-screen joke. The light-hearted "did you mean to leave this open?" sticky note culture is genuinely effective. It relies on the embarrassment of being caught with an open screen, not the embarrassment of a real incident
- Tie it to the technical controls. A 5-minute inactivity lock plus the habit means most slips do not become a problem. Make sure the team knows the lock is there, so they understand that the habit is the front line
What we see in real engagements
When Agile IT runs a security review on a new client environment, the screen-lock habit is one of the small but consistent indicators of whether security is taken seriously at the team level. It is a leading indicator. Businesses where the habit is strong tend to have other good security behaviours in place. Businesses where staff routinely leave logged-in screens unattended tend to have other gaps, not because the gaps are connected technically, but because the culture is.
None of this requires a big project, a new tool, or a budget line. It is a habit, a keyboard shortcut, and a five-minute induction conversation, plus the technical safety net that your managed IT partner should be configuring as a baseline anyway.
The takeaway: the smallest, cheapest, fastest cyber security control your business has is locking your computer when you walk away. Make it a reflex, back it up with a sensible inactivity lock, and it will quietly do more for your security posture than most things people buy.