ITstuffed

Clean Desk 2.0: How Your Home Office Can Expose Your Business

It is 9:15am and you step away from your desk to make a coffee. Your laptop is open, your browser is logged into your practice management system, and your inbox is sitting there unattended. Your partner's teenager walks through. A courier knocks. A houseguest wanders in. None of them need to be technically sophisticated to cause a serious problem. They just need a few unattended minutes and a screen that is still logged in.

The old clean desk idea - shred the sensitive paperwork, lock the filing cabinet, do not write passwords on sticky notes - still applies. But in 2026, most of the real risk is digital, and it lives right there on an unlocked screen. For professional services businesses where staff work from home some or all of the time, that gap between the physical world and the digital one is worth taking seriously.

The reason an unlocked screen is a genuine security problem is not obvious until you understand how login sessions work. When you sign into a cloud application, your browser stores a session token - essentially a temporary pass that keeps you logged in without asking for your password on every click. That pass is still valid whether you are sitting at the keyboard or not. Someone who sits down at your open machine does not need your password. They do not need to get past multi-factor authentication. They are already inside, with full access to whatever you were using. Client records, financial tools, email, document storage - all of it is accessible until the session expires or the screen locks.

The fix is straightforward but it needs to become habit. Set your screen to lock automatically after a short period of inactivity - two or three minutes is reasonable. Lock it manually every time you leave your desk, even for a moment. Treat an open session the same way you would treat your office door left unlocked with a client file sitting on the front counter. For healthcare practices in particular, that comparison is not hypothetical. An unsecured workstation with patient records visible is a potential breach under the NZ Privacy Act 2020, regardless of how it happened. Closing off these kinds of exposures is one of the steps that reduce your risk of a data breach, and one of the easiest to overlook precisely because it feels routine.

Old hardware is the other common weak point. Most people keep old routers, spare laptops, and backup devices because they still power on. But hardware that has passed its end-of-support date stops receiving security updates. That means known vulnerabilities stay open indefinitely, and anything internet-facing - your router, a VPN device, an older work laptop - becomes a soft target. The only real answer is to retire unsupported equipment. You cannot patch something that no longer receives patches. Older devices in particular can be checked for signs of hidden malware before they are decommissioned, just to be certain nothing has already taken hold.

There is a newer dimension to this as well. AI-assisted tools are now embedded in everyday business software - drafting correspondence, updating records, moving tasks through a workflow with minimal human input once they have been started. If one of those automated processes is running while your screen is unlocked and unattended, an uninvited set of hands at your keyboard is not just browsing your files. They could approve an action, change a destination, or interfere with something already in motion. The answer is not to avoid these tools, but to be deliberate about what they are allowed to do without you present, and to build in approval steps for anything consequential. Understanding where AI tools create unexpected risks at work is a useful starting point for those conversations with your team.
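The session behaviour described earlier, and the approval step suggested here for consequential actions, can be modelled from the application's side. This is an added example, not code from ITstuffed or from any particular product; the timeout values, action names and timeline are assumptions chosen for illustration.

```python
import time

IDLE_TIMEOUT = 180    # seconds of inactivity before the session expires (assumed value)
REAUTH_WINDOW = 300   # consequential actions need a credential check this recent (assumed value)
CONSEQUENTIAL = {"approve_payment", "change_payee", "export_records"}  # hypothetical action names


class Session:
    """Server-side record behind a browser session token (illustrative model)."""

    def __init__(self, user, now=None):
        now = time.time() if now is None else now
        self.user = user
        self.last_seen = now   # refreshed on every accepted request
        self.last_auth = now   # refreshed only when password/MFA is re-checked

    def reauthenticate(self, now):
        """Call after the user has passed a fresh password/MFA prompt."""
        self.last_seen = self.last_auth = now


def authorize(session, action, now):
    """Decide what to do with a request that presents a valid session token.

    Nothing here can tell who is at the keyboard: the token alone is the identity.
    """
    if now - session.last_seen > IDLE_TIMEOUT:
        return "expired"                 # idle too long: force a full login
    session.last_seen = now
    if action in CONSEQUENTIAL and now - session.last_auth > REAUTH_WINDOW:
        return "reauth_required"         # step-up check before anything consequential
    return "allowed"


def demo():
    """Constructed timeline: the owner logs in at t=0 and steps away after t=60."""
    s = Session("owner", now=0)
    return [
        authorize(s, "read_inbox", now=60),     # owner, still at the desk
        authorize(s, "read_inbox", now=150),    # someone else at the unlocked screen
        authorize(s, "change_payee", now=320),  # same visitor, consequential action
        authorize(s, "read_inbox", now=600),    # after 280 seconds of silence
    ]


if __name__ == "__main__":
    print(demo())
```

The second request succeeds even though the owner has left, which is why the screen lock matters; the step-up check and the idle timeout only limit what an unattended session can do and for how long.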

Getting this right does not require a major project. It requires a clear baseline: screens lock automatically, unsupported devices are replaced, and anyone using AI-assisted workflows understands what those tools can and cannot do on their own. When those habits are consistent across your team - whether they are working from your main office or from home - small lapses stop turning into larger problems. An IT provider experienced with professional services firms can review your current setup and confirm whether that baseline is actually being met across every device and location your team uses.


If you are not sure whether your current setup meets that baseline, managed IT support for professional services businesses includes exactly this kind of review. ITstuffed offers a free 15-minute IT Fit Check if you want a quick read on where your business stands.