
Workplace Security Starts with Boring Habits

Most workplace security failures do not start with a sophisticated breach. They start with an unlocked device, a convincing message, a shared password, or software installed from the wrong place.


Most workplace security failures do not begin with a dramatic breach. They begin with a normal day and a small mistake.

Someone clicks a rushed message. Someone installs a browser extension they did not really verify. Someone sends a password in chat “just this once.” Someone leaves a laptop unlocked while stepping away for coffee.

That is the part people often miss. Workplace security is mostly habit. Not exciting habit, either. Screen locks. Updates. Suspicion around inbound messages. Password discipline. Installing software from the right place.

The boring controls are still doing most of the work.

Secure the device before you secure anything else

If the device is weak, everything on top of it is weak too.

That means the baseline matters:

  • Turn on automatic updates for the operating system and core apps.
  • Use full-disk encryption.
  • Require a real screen lock, not a casual swipe.
  • Keep antivirus or endpoint protection enabled if your workplace requires it.
  • Reboot when updates need it instead of postponing for days.

CISA’s guidance on protecting data stored on devices is straightforward: encrypt devices and protect the data on them. Its guidance on physical device security is just as blunt: lock your screen when you step away, and treat physical access as a real security risk.

That sounds obvious until you remember how many work laptops spend time in cafes, airports, co-working spaces, meeting rooms, and home offices.

The easy test is this: if someone got five unsupervised minutes with your work device, how much trouble would that create?

If the answer is “quite a lot,” then screen lock, encryption, and device-management basics are not optional polish. They are the first line of defense.

Treat inbound messages as untrusted input

Developers are good at distrusting user input in code and strangely bad at distrusting input in their inbox.

Phishing is not just email anymore. CISA’s phishing guidance explicitly calls out email, text messages, direct messages, social media messages, and phone calls. In a workplace context, add Slack, Teams, LinkedIn, WhatsApp, and calendar invites.

The dangerous messages usually ask for one of four things:

  1. Click this link.
  2. Open this attachment.
  3. Log in here.
  4. Send me a code, password, or document.

The message may even mention a real colleague, project, invoice, recruiter, vendor, or executive. That does not make it trustworthy.

The habit I care about most is simple: never trust urgency that arrived through an inbound message.

If the CEO, HR team, IT admin, bank, courier, or vendor suddenly needs action right now, verify through a separate channel. Open the official site yourself. Message the colleague directly using a known contact. Call the published support number. Do not reply to the same thread and do not type your password into a page you reached from a surprise link.

This rule is inconvenient. It is also cheaper than incident response.

Passwords should not travel through chat or email

Sharing passwords in workplace chat tools is one of those behaviors that stays common because it solves a short-term problem fast.

“Can you send me the password?” “Can you forward the OTP?” “Use this account for now.”

All of those shortcuts create a larger problem than the one they solved.

NIST’s guidance on MFA and cybersecurity basics keeps returning to the same foundations: strong passwords, password managers, and MFA. That is the right direction for workplace behavior too.

The practical rules are boring and strict:

  • Do not send passwords over email, chat, tickets, or text.
  • Do not ask coworkers to send you their password “temporarily.”
  • Do not share one-time passcodes or MFA prompts.
  • Use a password manager for shared access if the organization supports it.
  • Prefer SSO, delegated access, or role-based access over credential sharing.

If a team keeps sharing one login, the real problem is access design, not team discipline.

Sometimes secrets do need to move. API keys, service credentials, recovery codes, and deployment tokens are real. But when that happens, use the approved company vault or secret-sharing workflow with expiration, access control, and auditability. A chat window is not a secret-management system.
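One way a security team can catch the chat shortcuts described above before they become incidents is a small detector run over message text. The following is an added example, not code from the original post or from any chat vendor; the messages are constructed, the regexes and the "looks like a generated password" heuristic are assumptions, and a real deployment would tune them and route hits to the approved vault workflow rather than just print them.

```python
import re

# Constructed sample chat lines for this demo; none come from a real workplace.
SAMPLE_MESSAGES = [
    "can you send me the password for the staging box?",
    "sure, it's Passw0rd!2024",
    "can you forward the OTP? 483921",
    "use this account for now: admin / hunter2",
    "the build is green, deploying at 3pm",
    "reminder: rotate the shared creds via the vault, not here",
]

# Someone asking for a password, code or MFA approval over chat.
REQUEST_RE = re.compile(
    r"\b(send|forward|share|give|dm)\b.{0,40}\b(password|passwd|creds?|credentials|otp|code|mfa|2fa)\b", re.I)
# A six-digit code in the same message as an OTP/MFA keyword, in either order.
OTP_RE = re.compile(
    r"\b(otp|code|mfa|2fa|verification)\b.*?\b\d{6}\b|\b\d{6}\b.*?\b(otp|code|mfa|2fa|verification)\b", re.I)
# A credential keyword followed by a "user / secret" or "login: secret" pair.
PAIR_RE = re.compile(
    r"\b(login|account|user(name)?|creds?|password)\b.{0,30}?\b[\w.@-]+\s*[/:]\s*\S{6,}", re.I)


def looks_like_secret(token):
    """Heuristic (assumed): 8+ chars mixing letters, digits and a symbol, like a generated password."""
    return (len(token) >= 8 and re.search(r"[A-Za-z]", token) is not None
            and re.search(r"\d", token) is not None
            and re.search(r"[^A-Za-z0-9]", token) is not None)


def classify(message):
    """Return the set of findings for one chat message; an empty set means clean."""
    findings = set()
    if REQUEST_RE.search(message):
        findings.add("credential_request")
    if OTP_RE.search(message):
        findings.add("otp_shared")
    if PAIR_RE.search(message) or any(looks_like_secret(t) for t in message.split()):
        findings.add("password_shared")
    return findings


def scan(messages):
    """Map each flagged message to its findings; clean messages are dropped."""
    return {m: f for m in messages if (f := classify(m))}


if __name__ == "__main__":
    for msg, found in scan(SAMPLE_MESSAGES).items():
        print(f"{sorted(found)}: {msg}")
```

Note that the last sample line mentions "shared creds" without being flagged: a keyword alone is not a secret, which is the difference between a useful nudge and alert fatigue.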

“Well-known software” is the wrong standard

This one is worth being precise about.

A common guideline is to use only well-known software, but that rule should be tightened: use only approved software from official or company-managed sources.

Well-known does not mean safe.

A popular tool can still be downloaded from a fake site. A real brand can be copied in a phishing ad. A familiar browser extension can be impersonated. A random PDF tool, screen recorder, or meeting plugin can ask for broad permissions that nobody properly reviewed.

Microsoft’s own support guidance says to download apps only from trusted sources and be thoughtful about what you install. That is the better standard.

For workplace systems, trusted usually means one of these:

  • The company-managed app catalog or MDM workflow
  • The official vendor site
  • The official platform store
  • A software package approved by IT or security

It does not mean “I have heard of it.”

That distinction matters most for browser extensions, desktop utilities, remote-access tools, cracked software, and anything that asks for admin access. Those tools can see more than people think.

If you would not let a stranger sit at your desk and watch your screen all day, do not casually install software that can do the digital version of that.

Work devices need work boundaries

Work devices become risky when they quietly turn into general-purpose personal machines.

Personal cloud sync. Random note-taking apps. Unapproved USB storage. Side-loaded tools. Family members borrowing the laptop. Browser profiles mixed between work and personal accounts. It all feels harmless until one of those boundaries matters.

This gets even messier with BYOD. NIST’s mobile device security guidance for BYOD exists because personal devices create real tension between convenience and control.

The simplest rule is still the best one: if the device handles company data, treat it like a work boundary, not just a nice personal laptop that also opens Slack.

That usually means:

  • Separate work and personal accounts
  • Separate browser profiles
  • No casual file sharing to personal apps
  • No installing tools just because they are convenient
  • Reporting lost devices, suspicious popups, and strange login prompts early

Security teams do not want these reports because they enjoy tickets. They want them because time matters. A suspicious login prompt reported in five minutes is a very different problem from one reported three days later.

The small checklist that prevents most pain

If I had to reduce workplace security to a short list, it would be this:

  1. Keep work devices patched, encrypted, and screen-locked.
  2. Treat all unexpected emails, texts, and direct messages as untrusted until verified.
  3. Never share passwords, one-time codes, or MFA approvals through chat or email.
  4. Install only approved software from official or company-managed sources.
  5. Report suspicious messages, logins, and device behavior early.

None of this is glamorous. That is exactly why it works.

The lesson

Most workplace security is not about having perfect instincts. It is about building default habits that still hold up when you are tired, distracted, traveling, or in a rush.

The goal is not to become paranoid. The goal is to make the safe action the normal action.

Lock the device. Update the software. Verify the message. Use the password manager. Install from the right place.

That is not advanced security. It is the floor. Most incidents still happen below it.