The original clean desk policy was straightforward: lock your screen when you leave your desk, shred sensitive documents, don’t write passwords on sticky notes. Good advice in an open-plan office where colleagues, visitors, and cleaning staff all move through the space.
In 2026, most knowledge workers do some or all of their work from home. The risk profile is different — not necessarily worse, but different in ways that the traditional clean desk checklist doesn’t fully address.
The home office threat model
Shared devices and spaces. A household member using a work laptop to check their email, a child doing homework on a device that’s also used for work, a partner who knows the login PIN because they’ve watched you type it. None of these are malicious. All of them represent access that shouldn’t exist.
Unattended sessions. An authenticated browser session left open on a home screen is a physical access point. Anyone who can reach that screen — a tradesperson visiting, a house guest, a delivery driver who steps inside — has a window into your business systems without needing to know a single credential. Session hijacking doesn’t require malware when the session is already open and the attacker is already in the room.
Accumulated old hardware. Home offices tend to accumulate equipment: an old router that “still works,” a spare laptop that gets passed to family, a NAS drive that hasn’t been updated in years. Each of these is a potential entry point if it’s still connected to the network and no longer receiving security updates.
AI agent sessions. As AI tools become embedded into daily workflows — drafting emails, managing calendars, summarising documents — an unattended session isn’t just passively accessible. It’s an active environment where someone with physical access can interact with tools that have real-world consequences: sending messages, accessing documents, making bookings.
What Clean Desk 2.0 actually looks like
Lock automatically and habitually. Configure auto-lock to trigger within two to three minutes of inactivity. Train yourself to lock manually (Windows key + L, or Command + Control + Q on Mac) every time you leave the desk, even for two minutes.
Work devices are work devices. No household members use your work laptop. No exceptions, including for “just quickly.” If this is impractical, a separate family computer is cheaper than the incident it prevents.
Deal with old hardware. Anything connected to your home network that isn’t receiving security updates needs to be either replaced or removed from the network. This includes old routers, NAS drives, smart home hubs, and spare devices.
Treat authenticated sessions as physical keys. An open browser signed into Microsoft 365, your PSA, your accounting software — these are keys that happen to be digital. Apply the same instinct you’d apply to a physical key: don’t leave them unattended in a place where someone else could pick them up.
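To check the auto-lock recommendation above on a Windows laptop, the following added example (not part of the original article) reads the machine inactivity limit and the screen saver settings from the registry and reports whether the session actually locks within three minutes. It assumes only those two mechanisms are in use and ignores Group Policy screen saver overrides and sleep-based sign-in; the sample rows are constructed and are used when the script runs on another platform.

```python
import sys

MAX_IDLE_SECONDS = 180  # upper bound from the text: three minutes of inactivity

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
DESKTOP_KEY = r"Control Panel\Desktop"

def effective_lock_seconds(machine_limit, ss_active, ss_secure, ss_timeout):
    """Idle seconds before the session locks, or None if nothing locks it."""
    candidates = []
    if machine_limit:                      # 0 or missing means the policy is off
        candidates.append(int(machine_limit))
    # A screen saver only locks when it is active AND password-protected.
    if ss_active == "1" and ss_secure == "1" and int(ss_timeout or 0) > 0:
        candidates.append(int(ss_timeout))
    return min(candidates) if candidates else None

def is_compliant(seconds):
    return seconds is not None and seconds <= MAX_IDLE_SECONDS

def read_windows_settings():
    """Read the four values from the local registry (Windows only)."""
    import winreg
    def read(root, path, name):
        try:
            with winreg.OpenKey(root, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:                    # key or value not present
            return None
    return (
        read(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, "InactivityTimeoutSecs"),
        read(winreg.HKEY_CURRENT_USER, DESKTOP_KEY, "ScreenSaveActive"),
        read(winreg.HKEY_CURRENT_USER, DESKTOP_KEY, "ScreenSaverIsSecure"),
        read(winreg.HKEY_CURRENT_USER, DESKTOP_KEY, "ScreenSaveTimeOut"),
    )

# Constructed sample values, used when this is not run on Windows.
SAMPLES = {
    "policy 120s": (120, "0", "0", "0"),
    "screen saver, no password": (None, "1", "0", "120"),
    "secure screen saver 600s": (0, "1", "1", "600"),
}

if __name__ == "__main__":
    rows = {"this machine": read_windows_settings()} if sys.platform == "win32" else SAMPLES
    for name, values in rows.items():
        secs = effective_lock_seconds(*values)
        print(f"{name}: locks after {secs}s, compliant={is_compliant(secs)}")
```

The second sample row is the case worth noticing: a two-minute screen saver without password protection blanks the display but never locks the session.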
Most home office security incidents aren’t sophisticated. They happen because someone left a session open, let a household member use a work device, or kept a piece of outdated hardware on the network without thinking about it. Small habits, consistently applied, close most of these gaps.
If you’d like to review your team’s remote work security posture, get in touch.