Security Awareness — Work Device Use & Personal Access

An Employee Uses His Work Laptop for Personal Browsing When He’s Working from Home. His Kids Use It for Homework. His Spouse Occasionally Checks Email on It. He Is Careful and Security-Conscious. Is There a Compliance Problem?

A work-device personal-use compliance scenario, with three decision options and the right answer. The risk isn’t the employee’s behavior. It’s everyone else’s access to a device that connects to corporate systems.

Quick Answer

Does allowing family members to use a work device for personal activities create a security compliance problem even when the employee personally follows all security practices?

Yes — and the employee’s personal security habits are not the relevant variable. A work device that connects to corporate VPNs, email systems, and internal networks is a potential entry point into corporate infrastructure regardless of who is using it. A phishing link clicked by a child doing homework, malware downloaded from an entertainment site, or a compromised personal email accessed on the device all create the same corporate security exposure as if the employee had clicked or downloaded them. The work device policy exists to protect the organization’s security perimeter — and that perimeter includes every session on the device, not just the employee’s.

The Situation

A senior project manager works from home three days a week. He is security-conscious — he uses a VPN when accessing company systems, doesn’t click suspicious links, and locks his screen when he steps away. His company laptop is the most capable computer in the house. Over time, it has become the household’s primary computer: his two children (ages 13 and 16) use it for schoolwork and streaming, his spouse uses it to check personal email and manage household finances when their personal laptop is being used for something else, and the employee himself uses it for personal banking and social media in the evenings.

The company’s acceptable use policy states that company devices are for business purposes and should not be used by non-employees or for personal activities unrelated to work. The employee has read the policy. He interprets it as applying to work hours — outside of work hours, he reasons, what he does on the device is his own business.

Nothing has gone wrong that anyone has noticed. No compromise has been detected on the device. He has been working this way for two years.

What Should the Employee Do?

Choice A: Continue as is. He is responsible for the device, and he is careful. Nothing has gone wrong in two years. The policy applies to work behavior; outside of work hours, his personal use of his assigned device is reasonable.

Choice B: Stop allowing family members to use the work device, and limit his own personal use to activities that don’t create a security risk. Personal banking on a company device, for example, creates risk in both directions: if malware on the device has been logging keystrokes, his banking credentials are exposed, and a personal account compromised that way is one more path back toward corporate systems. Report to IT that the device has been used by non-employees for personal purposes and ask whether any remediation is needed.

Choice C: Stop allowing family members to use the device going forward, but make no disclosure to IT, since nothing has gone wrong and the device appears clean.

The Right Call

Choice B — Stop the personal and family use and report to IT for assessment.

Choice A continues a two-year policy violation and assumes that no compromise has occurred. What is actually known is that none has been detected, which is not the same thing; many compromises go undetected for months. Choice C stops the behavior but withholds the information IT needs to assess whether two years of non-employee use during unsecured personal browsing sessions has affected the device’s security posture. The IT disclosure in Choice B isn’t punitive. It is the mechanism that lets the security team run a device assessment, check for indicators of compromise, and either clear the device or remediate it. The employee who reports proactively is in a significantly better position than one whose device compromise is discovered in an audit.

Why This Is Harder Than It Looks

The employee’s personal security habits don’t extend to other users of the device.

He doesn’t click suspicious links. His 13-year-old does. He doesn’t download software from unknown sources. His 16-year-old does. His spouse’s personal email account may be a phishing target — and accessing it on a device with corporate credentials cached creates a bridge between a personal attack and a corporate compromise. The security perimeter of a work device is only as strong as the least security-conscious person who uses it.

“Nothing has gone wrong” is not the same as “nothing has gone wrong that I know about.”

The average time between a corporate network compromise and its detection is measured in months. A device that has had two years of non-employee use during unmonitored personal browsing sessions may have indicators of compromise that the employee hasn’t seen and that the security team hasn’t been given the opportunity to assess. The absence of visible problems is not evidence of the absence of problems — it is evidence of the absence of detection.

The policy applies to the device at all times — not only during work hours.

The employee’s interpretation — that the policy doesn’t apply outside work hours — is the most common misreading of work device policies. The policy governs the device’s use because the device carries corporate credentials, connects to corporate systems, and represents a potential entry point into the organization’s network. None of those properties is switched off after 5 PM. The corporate risk posed by unauthorized use exists around the clock, not only during business hours.

Frequently Asked Questions

Why do work device policies typically prohibit personal use and family access?

Work devices connect to corporate VPNs, email systems, and internal networks. They carry cached credentials, authentication tokens, browser-saved passwords, and potentially sensitive data. Any compromise of the device, regardless of who caused it, is a potential corporate network compromise. Personal browsing, entertainment, and personal email access introduce exposure that the organization never assessed, because its controls and monitoring assume a single authorized user doing work. The policy is not about restricting what employees do; it is about maintaining the integrity of the security perimeter that the device represents.

What should an employee do if they have been using a work device for personal activities in violation of policy?

Stop the policy-violating behavior and report to IT, describing the nature of the personal use, its duration, and who had access to the device. IT can then conduct a security assessment to check for indicators of compromise and either clear the device or take remediation steps. Remediation may include re-imaging the device and rotating any credentials that were cached or saved on it; that is a routine outcome, not a sanction. Proactive disclosure is almost always treated more leniently than a discovered violation. IT security teams routinely handle these situations; their goal is to assess and remediate the security risk, not to punish the employee for honest disclosure.

Are there any personal activities that are generally acceptable on a work device?

This varies by organization and policy. Many organizations permit limited personal use — checking personal email, occasional personal browsing — on work devices while prohibiting activities that introduce significant security risk: downloading software, accessing entertainment platforms that may carry malicious advertising, storing personal files, or allowing non-employees to use the device. The clearest guidance is to check the organization’s acceptable use policy and ask IT if anything is unclear. The default assumption should be that work devices are for work — personal use is a permitted exception only where the policy specifically allows it.

How to Use This Scenario in Training

Recommended for all employees who have company-issued laptops or mobile devices — particularly remote and hybrid workers whose work devices are more likely to be used in shared home environments. Most effective when delivered alongside the organization’s acceptable use policy as a clarifying example of why the policy exists. The scenario works well as a conversation starter in manager-facilitated team discussions: most teams will have members who recognize the situation from their own home setups.

This scenario demonstrates the ownership rationalization from the Decision Readiness Engine™ — “it’s my computer, and I’m responsible for it” is the framing that makes shared family device use feel like a personal decision rather than a corporate security matter. Decision-ready employees recognize that responsibility for the device doesn’t include authority to waive the security perimeter it represents.

Want Security Awareness Scenarios in Your Program?

Xcelus builds scenario-based security awareness training covering work device policy, personal use risk, and the shared home environment behaviors that create corporate security exposure.

© 2005–2026 Xcelus LLC. All rights reserved. Scenario content is original work protected by copyright. You may link freely — reproduction or adaptation without written permission is prohibited.