Is HR Ready for the Data Risks of Hybrid Work?

With decades of experience helping organizations navigate change through technology, HRTech expert Ling-yi Tsai has a unique perspective on the hidden risks of our new working world. As companies embrace hybrid models—with nearly three-quarters of UK businesses now offering some form of remote work—she sees a growing intersection of human behavior, technology, and security that falls squarely in HR’s lap. Today, we’re exploring the subtle but significant dangers of data drift and “Shadow IT,” discussing how HR can move from being a gatekeeper of sensitive information to a proactive architect of a secure digital culture. We will touch upon the critical importance of seamless tech onboarding and offboarding, the power of clear policies, and the often-overlooked link between employee burnout and risky digital habits.

When employees work across multiple devices, sensitive data often drifts to unsecured locations for convenience. What are the most common risky behaviors you see, and how can HR and IT collaborate to provide better training and technical controls to mitigate this risk? Please provide an example.

It’s a classic case of convenience overriding compliance. I see it constantly. An employee is working on a sensitive report on their company laptop at home, but they need to quickly review a paragraph on their personal tablet while making coffee. So, they email the file to their personal account. It feels harmless, a tiny shortcut to stay productive, but now that sensitive data lives on an unmanaged device, potentially on an unsecured network. This “information drift” is the single most common issue. The solution isn’t just about IT locking things down; that can frustrate people. It’s about a joint effort. HR needs to lead the charge on training that isn’t just a boring slideshow, but one that tells a story about why we use the secure file-sharing platform. At the same time, IT needs to ensure that the sanctioned platform is actually easy to use, and not a clunky, slow mess. The collaboration is key: HR explains the ‘why’ and builds the right behaviors, while IT provides the ‘how’ with user-friendly, secure tools.

Employees often turn to unapproved apps—or “Shadow IT”—when official systems feel too slow or complex. How can HR build psychological safety so employees feel comfortable admitting they need help or better tools, rather than resorting to unsafe shortcuts? Please share a practical step.

This is such a critical, human-centered problem. Shadow IT isn’t born from malice; it’s born from frustration. An employee is on a deadline, the official project management tool is a nightmare to navigate, but a sleek, free third-party app can get the job done in half the time. They’re trying to be a good employee, but they’re creating a massive security hole. The root cause is often a culture of fear—fear of looking incompetent, fear of bothering IT, or fear of a manager who prizes speed above all else. HR’s most powerful tool here is to build psychological safety. A practical first step is for HR to champion “technology feedback sessions.” These aren’t grievance meetings but collaborative forums where employees can openly say, “This system is slowing me down,” without fear of reprisal. When leadership and IT listen actively and actually implement changes based on that feedback, it sends a powerful message: we trust you, and we want to give you tools that work. That trust is the antidote to Shadow IT.

Insecure practices can start on day one if a new hire lacks proper equipment. How can HR streamline tech onboarding to prevent this? Conversely, what is the most overlooked step in the tech offboarding process, and what are its potential consequences for data security?

The first day sets the tone for an employee’s entire tenure, and that includes their security habits. If a new hire arrives excited and ready to go, but there’s no laptop waiting for them, what do they do? They start using their personal computer as a stopgap. Right away, you’ve normalized the use of an unsecured device. HR can prevent this by integrating the IT equipment request directly into the hiring workflow, making it an automatic, non-negotiable step that’s triggered the moment a contract is signed. On the flip side, the most dangerously overlooked step in offboarding is de-provisioning access to all the smaller, non-integral cloud services and SaaS platforms. Everyone remembers to shut off the main network login and email, but what about the subscription to that niche analytics tool or the team’s project management app? Forgetting to revoke that access leaves a digital back door wide open. A disgruntled ex-employee or even a well-meaning one could access sensitive company data months after they’ve left, creating a significant and totally preventable security risk.

Many companies have data security policies, but they are not always followed. How can HR managers ensure policies on device use and file storage are practical and written in everyday language? What role does a transparent, supportive culture play in making these policies effective?

Policies are useless if they live in a dusty, unread manual filled with technical jargon. I’ve seen 50-page security documents that not even a lawyer could love. To make them effective, HR managers need to stop thinking like compliance officers and start thinking like communications specialists. The policy shouldn’t just say, “All files must be stored on the Z-drive.” It should say, “To keep our client data safe and make sure your team can always find the latest version, we save all our work in this one secure place.” It needs to explain the ‘why’ in simple, human terms. A transparent and supportive culture is the engine that makes these policies work. In a rigid culture, an employee who makes a mistake—like accidentally emailing a file to the wrong person—will hide it. In a supportive culture, that same employee feels safe enough to report the mistake immediately, allowing the security team to contain the breach before it becomes a disaster. The policy provides the map, but the culture determines if people will actually follow it.

Unsafe digital habits often emerge when employees are feeling overwhelmed. How should managers be trained to identify when time pressure or burnout is causing their teams to take risky shortcuts? Could you outline a key talking point for that training?

This is where the line between wellbeing and security completely blurs. A burned-out employee is not a secure employee. When someone is overwhelmed, their brain is focused on survival, not on following a multi-step security protocol. They’ll skip the VPN, use a personal device, or download an unapproved app simply to get through the day. Managers are on the front lines of seeing this. They need to be trained to spot the behavioral changes—not just missed deadlines, but a frantic energy, a sudden drop in communication, or a new reliance on “quick-and-dirty” solutions. A key talking point for this training would be: “Your team’s digital hygiene is a direct reflection of their workload and well-being. If you see them taking shortcuts with data, don’t just see it as a compliance issue; see it as a workload issue. Ask ‘What can I take off your plate to help you do this the right way?’ instead of ‘Why didn’t you follow the policy?'” This reframes the conversation from one of blame to one of support.

What is your forecast for hybrid work security?

My forecast is that the responsibility for security will continue its decisive shift from being solely an IT problem to being a core HR and leadership function. Technology can build the walls, but it can’t account for the human element—the person who is tired, frustrated, or simply trying to be efficient. The companies that will thrive in the hybrid era are those who stop treating security as a set of rigid rules and start treating it as a shared cultural value. We are going to see a much deeper integration of digital wellness and security training into performance management and employee development. The future of hybrid work security isn’t a new piece of software; it’s a more empathetic, human-centric approach to how we work, driven by HR professionals who understand that a secure organization is a supportive one.

Explore more

Ethereum Uses AI Swarms to Proactively Patch Network Flaws

The architectural integrity of global decentralized networks has reached a pivotal juncture where the speed of malicious exploitation often outpaces the traditional cadence of human-led security audits. To address this widening gap, The Ethereum Foundation has fundamentally transitioned its security strategy from a reactive model to an automated, proactive defense paradigm that leverages the power of machine learning. This shift

How Is ERP Modernization Driving DLA to Audit Readiness?

The Defense Logistics Agency currently manages an intricate global supply chain that serves as the backbone for the United States military, requiring an unprecedented level of financial precision and operational transparency to meet modern oversight requirements. This massive undertaking involves a transition from aging, siloed legacy systems to a unified Enterprise Resource Planning environment designed to provide real-time visibility into

What Makes Odyssey Infostealer a Global Threat to macOS?

The long-standing myth that macOS remains immune to sophisticated cyberattacks has been decisively shattered by the emergence of the Odyssey infostealer, a highly specialized malware variant engineered to bypass modern system integrity protections. This transition represents a fundamental shift in the threat landscape, where the historical security-by-obscurity advantage once enjoyed by Apple users has entirely vanished. As the adoption of

Can AI Secure Windows Without Compromising Stability?

The sheer scale of modern software development has reached a point where manual code review is no longer sufficient to protect the billions of devices running Windows across the globe. As lines of code multiply and interdependencies become more complex, traditional security measures are struggling to keep pace with the rapid evolution of sophisticated digital threats. In response to this

Xero Launches JAX to Redefine Accounting with Agentic AI

Small business owners have historically spent an exhausting amount of time tethered to spreadsheets and receipts, but the emergence of agentic AI is finally turning those static records into a living, breathing financial command center that operates with minimal human oversight. With more than five million global subscribers now integrated into its ecosystem, Xero is spearheading a movement toward Accountable