Written by Jhanna Boutsyk
Blended lives, new risks
The boundaries between work and personal life have dissolved. Many businesses have embraced this flexibility—but have we accepted the new risks that come with it?
A few months ago, I heard a story that stuck with me. An employee in managed services desktop support received a phone call from someone claiming to be from Telstra, offering a limited-time internet discount. The caller said a code had been sent to their work email on their personal device to verify eligibility. In reality, the code was an MFA token for their work Outlook. They read it aloud—
And what happens now? In many cases, there’s no clear process for a compromise that starts on a personal device but impacts corporate data. Incident response plans often ignore the grey areas—and that’s a risk in itself. Businesses need playbooks that reflect how people actually operate, not how they’re ideally supposed to.
Companies have shown huge improvements in the training & awareness space, but if people in the IT department are making these mistakes, then it’s clearly not as simple as training.
The stories that show the gaps
Another example: a long-time staff member at a large Australian university received an email that looked like it came from the University’s IT department. The message claimed there was a problem with Google Workspace — where they also stored personal photos (including a passport photo) because it seemed easier and secure.
The email looked convincing, and they clicked the link. The person didn’t think twice about updating their log-in details when prompted—after all, they’d just been dealing with real IT issues the week before. The attackers got access to the user’s work account, scraped the data, and began blackmailing them over sensitive personal photos.
The university’s IT department said, essentially: "Nothing we can do" because they had no sensitive business data on their drive. But the employee's personal and professional lives had blended long ago. And no business process existed for what to do when a scam targets someone at that intersection.
This story hit home for me—not just because of the impact on the individual, but because of the business failure. As consultants, we often focus on frameworks, audits, and tooling. But sometimes we miss the forest for the trees. We forget to ask: How do people actually live and work?
This wasn’t a user failure. It was a system failure. Why wasn’t there a failsafe for such a basic social engineering tactic? And what happens now?
Why our processes are failing us
A book I recently read, The Smartest Person in the Room: The Root Cause and New Solution for Cybersecurity by Christian Espinosa, has a quote that really resonated with me.
“Hackers are often better than us not because they’re smarter, but because they’re more motivated. They have a clear incentive—money, reputation, impact. Meanwhile, we sit in our cubicles, constrained by corporate red tape, politics, and paychecks.”
This quote encapsulates Espinosa’s larger theme: technical skill isn’t enough in cybersecurity. We also need to develop emotional intelligence, communication, and leadership—otherwise, we lose to attackers who are simply more driven and agile. We need to invest to support our goals.
Even when security teams do recognise the risks, they often face roadblocks in addressing them. Many professionals have seen the boundaries blur firsthand, but are limited in what they can do when it comes to assets and services outside corporate ownership. For instance, we might want to test how a phishing campaign could exploit personal email accounts, or evaluate malware risks on personal devices that access work systems — but doing so risks breaching employee trust and legal boundaries. And it’s a valid concern. But avoiding these conversations doesn’t make the risk go away. It simply makes it harder to respond when things go wrong.
I often see businesses refer to cyber risk within clear, legacy boundaries:
Corporate email = secure
Personal email = user’s responsibility
Work laptop = monitored
Personal phone = not our concern
But those lines don’t exist anymore. The attack surface now spans devices, identities, and behaviours that traditional policies address only by saying “you shouldn’t be doing this”, and most risk registers haven’t caught up. But is that realistic?
Be honest with yourself: are you or your team guilty of any of these?
Cloud apps accessed from any device.
Public Wi-Fi widely used at cafes and airports.
Personal cloud storage (e.g., Google Drive) becoming a work backup.
AI assistants and browser extensions being granted access to sensitive data without proper scrutiny.
What can be done
As cyber security consultants, we need to lead this evolution. That means asking the tougher questions:
Have we mapped the real ways employees interact with technology?
Do our policies reflect modern hybrid workflows?
Do our incident response plans account for personal-device compromise that spills into corporate systems?
Does our training address these use cases?
It’s time to have an adult conversation about what is realistic. With the expectations we set on our employees, is it reasonable to expect a separation between personal and work devices? Do we think it’s realistic that our employees will carry two phones and two laptops wherever they go? Or enrol their personal device, risking that a failure in process may cause it to be wiped?
And if the answer is no, then why aren’t we prepared to protect and support our employees in the face of these threats?
That includes investing in relatable education, modernising acceptable use policies, and designing systems that guide—not punish—user behaviour.
At the same time, it can be difficult to weigh up what is practical for an organisation to do.
Device-agnostic support: Whether it’s a work laptop or a personal iPad, offer secure access methods.
Threat detection beyond corporate SaaS tools: Use behavioural analytics to detect unusual activity across blended environments.
Training that includes real-world examples: Move beyond phishing simulations and teach judgment in blended contexts.
Risk registers that reflect reality: Include risks associated with personal tech, shared access, and unmonitored tools.
Consulting that’s grounded in empathy: Employees aren’t negligent—they’re overwhelmed. Design with that in mind.
We also need to reframe how we measure maturity. Compliance with the Essential Eight or ISO 27001 is just a start. Real maturity comes from asking: How resilient are we when our assumptions are broken?
Because they will be broken.
How Zero Trust Frameworks can support us
Attackers don’t care whether a device is "personal" or "corporate." They care whether it gives them access. That means security needs to be in the details.
The “Zero Trust Security Model” is a hot topic that can seem complex and overwhelming, but in reality it’s worth your time to get your head around. Ultimately, as the name suggests, zero trust = trust nobody, always verify. It’s not necessarily a new technology; it’s a mixture of security policies and the right tools. Implemented correctly, Zero Trust will:
Embrace the hybrid workplace
Secure people, devices, apps and data regardless of location
Consider applications, users, groups, devices and operations
So how does it work?
The three core principles:
Verify explicitly – Always authenticate, per session, per app.
Use least privilege access – Only grant the access a person needs right now.
Assume breach – Design systems assuming attackers already have a foothold.
To illustrate, let’s discuss the first of the three principles, “Verify explicitly”. Zero Trust works on a per-application basis, with each access verified independently:
Use credentials and multi-factor authentication
Ensure up-to-date operating systems, endpoint protection, and geo-location checks
Authenticate continuously and dynamically, to prevent abuse of open sessions
Zero Trust gives organisations the flexibility to support remote, hybrid, and mobile-first workers without compromising on security.
What’s different?
Traditional perimeter-based security relies on the idea that devices are owned by the business, connected to a secure corporate network, and protected by firewalls and physical controls. Anything outside that perimeter is untrusted by default. Similar to your home, you can trust your house is secure by locking the doors, but if, like in my case, a neighbour’s giant cat finds an open window, that entry point can cause chaos. Your poor indoor floof is permanently traumatised and there’s nothing local authorities can do, because they don’t have a process for it … But I digress…
So… Do employees have to re-authenticate all the time?
Not quite. That’s one of the biggest myths.
Modern Zero Trust systems are smart.
They use adaptive authentication—which means users aren’t constantly prompted unless something about their behaviour or device changes. For example:
Logging in from a known device in your usual location? You might pass with a fingerprint or Face ID.
Suddenly accessing sensitive files from an overseas IP on an unknown browser? You’ll be prompted for re-authentication—or blocked.
Single Sign-On (SSO) plays a big role.
Once a user has passed the necessary checks, SSO allows access to multiple apps without repeated logins. It’s secure and seamless—especially when paired with biometrics or passwordless methods.
Behind the scenes, it's doing a lot more than you see.
Zero Trust platforms continuously evaluate risk during a session:
Is the device still healthy?
Has the user’s IP address changed?
Are they downloading way more data than usual?
If something looks off, access can be throttled or revoked in real-time—without waiting for a full-blown breach.
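To make the adaptive evaluation above concrete, here is an added example (not from the original post, and not any vendor’s policy engine) of a small scoring function over the signals just listed: known device, usual location, browser, device health, mid-session IP change and download volume. The weights, thresholds and the SessionContext fields are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed weights for the signals the post lists (not from any product);
# a failed device health check is weighted so that it blocks on its own.
WEIGHTS = {
    "unknown_device": 2,
    "device_unhealthy": 6,
    "unusual_location": 2,
    "unknown_browser": 2,
    "ip_changed": 1,        # IP address changed mid-session
    "excess_download": 2,   # volume well above the user's usual baseline
}

@dataclass
class SessionContext:
    """Signals known about the current session (hypothetical fields)."""
    device_known: bool = True
    device_healthy: bool = True
    location: str = "AU"
    usual_location: str = "AU"
    browser_known: bool = True
    ip_changed: bool = False
    bytes_downloaded: int = 0
    baseline_bytes: int = 1
    sensitive_resource: bool = False

def risk_signals(ctx: SessionContext) -> list[str]:
    """Names of the risk signals present in this session, in WEIGHTS order."""
    checks = {
        "unknown_device": not ctx.device_known,
        "device_unhealthy": not ctx.device_healthy,
        "unusual_location": ctx.location != ctx.usual_location,
        "unknown_browser": not ctx.browser_known,
        "ip_changed": ctx.ip_changed,
        "excess_download": ctx.bytes_downloaded > 3 * ctx.baseline_bytes,
    }
    return [name for name, present in checks.items() if present]

def evaluate(ctx: SessionContext) -> str:
    """Return 'allow', 'step_up' (fresh MFA, e.g. biometric) or 'block'."""
    score = sum(WEIGHTS[s] for s in risk_signals(ctx))
    block_at = 4 if ctx.sensitive_resource else 6  # sensitive data: lower tolerance
    if score == 0:
        return "allow"
    return "step_up" if score < block_at else "block"

if __name__ == "__main__":
    overseas = SessionContext(location="XX", browser_known=False, sensitive_resource=True)
    leaking = SessionContext(ip_changed=True, bytes_downloaded=5000, baseline_bytes=1000)
    for name, ctx in [("usual", SessionContext()), ("overseas", overseas), ("leaking", leaking)]:
        print(f"{name}: {evaluate(ctx)} {risk_signals(ctx)}")
```

The same signals are re-evaluated on every request, so a session that started as "allow" can drop to "step_up" or "block" mid-way, which is the continuous evaluation the post describes.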
Now what?
In the first two examples, under a Zero Trust model the business’s risk is reduced: the attacker is unlikely to gain access, or will be prompted to re-authenticate from a suspicious location or device. These are examples that have come up within my sphere in the last few weeks, but the scenarios are vast and varied. They’re signals—telling us where our models of trust, access, and response are outdated. As consultants, our job is to listen to those signals and help our clients evolve.
I’ll leave you with one more story—An employee goes on a personal holiday, and travels through a country on the “restricted” list for a company. Whilst they’re waiting for a flight, out of habit, they check their work emails. The IT department immediately flagged this and wiped the phone. What happened here? — The person is now in a country they don’t know without any way to contact their friends or family and no idea what’s happened; they’ve long forgotten what “registering your device” means. — Yes, the business did the right thing on its part, but in this specific scenario this was not someone with sensitive information on their phone. Was it necessary? Could it have been avoided?
Zero Trust isn’t a magic fix—but it’s a solid step in the right direction. It helps stop attacks before they escalate, especially in today’s messy mix of personal and work devices. By using frameworks such as zero trust, incidents like the ones I’ve described go from corporate horror stories to something that can be mitigated or avoided completely.