Is HR Ready for the Data Risks of Hybrid Work?

With decades of experience helping organizations navigate change through technology, HRTech expert Ling-yi Tsai has a unique perspective on the hidden risks of our new working world. As companies embrace hybrid models—with nearly three-quarters of UK businesses now offering some form of remote work—she sees a growing intersection of human behavior, technology, and security that falls squarely in HR’s lap. Today, we’re exploring the subtle but significant dangers of data drift and “Shadow IT,” discussing how HR can move from being a gatekeeper of sensitive information to a proactive architect of a secure digital culture. We will touch upon the critical importance of seamless tech onboarding and offboarding, the power of clear policies, and the often-overlooked link between employee burnout and risky digital habits.

When employees work across multiple devices, sensitive data often drifts to unsecured locations for convenience. What are the most common risky behaviors you see, and how can HR and IT collaborate to provide better training and technical controls to mitigate this risk? Please provide an example.

It’s a classic case of convenience overriding compliance. I see it constantly. An employee is working on a sensitive report on their company laptop at home, but they need to quickly review a paragraph on their personal tablet while making coffee. So, they email the file to their personal account. It feels harmless, a tiny shortcut to stay productive, but now that sensitive data lives on an unmanaged device, potentially on an unsecured network. This “information drift” is the single most common issue. The solution isn’t just about IT locking things down; that can frustrate people. It’s about a joint effort. HR needs to lead the charge on training that isn’t just a boring slideshow, but one that tells a story about why we use the secure file-sharing platform. At the same time, IT needs to ensure that the sanctioned platform is actually easy to use, and not a clunky, slow mess. The collaboration is key: HR explains the ‘why’ and builds the right behaviors, while IT provides the ‘how’ with user-friendly, secure tools.

Employees often turn to unapproved apps—or “Shadow IT”—when official systems feel too slow or complex. How can HR build psychological safety so employees feel comfortable admitting they need help or better tools, rather than resorting to unsafe shortcuts? Please share a practical step.

This is such a critical, human-centered problem. Shadow IT isn’t born from malice; it’s born from frustration. An employee is on a deadline, the official project management tool is a nightmare to navigate, but a sleek, free third-party app can get the job done in half the time. They’re trying to be a good employee, but they’re creating a massive security hole. The root cause is often a culture of fear—fear of looking incompetent, fear of bothering IT, or fear of a manager who prizes speed above all else. HR’s most powerful tool here is to build psychological safety. A practical first step is for HR to champion “technology feedback sessions.” These aren’t grievance meetings but collaborative forums where employees can openly say, “This system is slowing me down,” without fear of reprisal. When leadership and IT listen actively and actually implement changes based on that feedback, it sends a powerful message: we trust you, and we want to give you tools that work. That trust is the antidote to Shadow IT.

Insecure practices can start on day one if a new hire lacks proper equipment. How can HR streamline tech onboarding to prevent this? Conversely, what is the most overlooked step in the tech offboarding process, and what are its potential consequences for data security?

The first day sets the tone for an employee’s entire tenure, and that includes their security habits. If a new hire arrives excited and ready to go, but there’s no laptop waiting for them, what do they do? They start using their personal computer as a stopgap. Right away, you’ve normalized the use of an unsecured device. HR can prevent this by integrating the IT equipment request directly into the hiring workflow, making it an automatic, non-negotiable step that’s triggered the moment a contract is signed. On the flip side, the most dangerously overlooked step in offboarding is de-provisioning access to all the smaller, non-integral cloud services and SaaS platforms. Everyone remembers to shut off the main network login and email, but what about the subscription to that niche analytics tool or the team’s project management app? Forgetting to revoke that access leaves a digital back door wide open. A disgruntled ex-employee or even a well-meaning one could access sensitive company data months after they’ve left, creating a significant and totally preventable security risk.

Many companies have data security policies, but they are not always followed. How can HR managers ensure policies on device use and file storage are practical and written in everyday language? What role does a transparent, supportive culture play in making these policies effective?

Policies are useless if they live in a dusty, unread manual filled with technical jargon. I’ve seen 50-page security documents that not even a lawyer could love. To make them effective, HR managers need to stop thinking like compliance officers and start thinking like communications specialists. The policy shouldn’t just say, “All files must be stored on the Z-drive.” It should say, “To keep our client data safe and make sure your team can always find the latest version, we save all our work in this one secure place.” It needs to explain the ‘why’ in simple, human terms. A transparent and supportive culture is the engine that makes these policies work. In a rigid culture, an employee who makes a mistake—like accidentally emailing a file to the wrong person—will hide it. In a supportive culture, that same employee feels safe enough to report the mistake immediately, allowing the security team to contain the breach before it becomes a disaster. The policy provides the map, but the culture determines if people will actually follow it.

Unsafe digital habits often emerge when employees are feeling overwhelmed. How should managers be trained to identify when time pressure or burnout is causing their teams to take risky shortcuts? Could you outline a key talking point for that training?

This is where the line between wellbeing and security completely blurs. A burned-out employee is not a secure employee. When someone is overwhelmed, their brain is focused on survival, not on following a multi-step security protocol. They’ll skip the VPN, use a personal device, or download an unapproved app simply to get through the day. Managers are on the front lines of seeing this. They need to be trained to spot the behavioral changes—not just missed deadlines, but a frantic energy, a sudden drop in communication, or a new reliance on “quick-and-dirty” solutions. A key talking point for this training would be: “Your team’s digital hygiene is a direct reflection of their workload and well-being. If you see them taking shortcuts with data, don’t just see it as a compliance issue; see it as a workload issue. Ask ‘What can I take off your plate to help you do this the right way?’ instead of ‘Why didn’t you follow the policy?’” This reframes the conversation from one of blame to one of support.

What is your forecast for hybrid work security?

My forecast is that the responsibility for security will continue its decisive shift from being solely an IT problem to being a core HR and leadership function. Technology can build the walls, but it can’t account for the human element—the person who is tired, frustrated, or simply trying to be efficient. The companies that will thrive in the hybrid era are those who stop treating security as a set of rigid rules and start treating it as a shared cultural value. We are going to see a much deeper integration of digital wellness and security training into performance management and employee development. The future of hybrid work security isn’t a new piece of software; it’s a more empathetic, human-centric approach to how we work, driven by HR professionals who understand that a secure organization is a supportive one.
