Why everyone hates it
Screen lock is one of those security mechanisms that is widely used and widely disliked. The reason is simple: it gets in the way. You step away for coffee for a moment, come back - and you have to enter your password. You step away from your desk for a moment - password. You go to the restroom - password.
Users bypass this mechanism whenever they can: they set the lock timer to 30 minutes or disable automatic locking entirely. In companies without an enforced IT security policy, they simply don't lock at all, because "why bother, I'm in the office".
What happens when you do not lock your computer
An unlocked computer is an open door. Any person who sits at your workstation gets immediate access to everything you can access - email, documents, company systems, browsing history, saved passwords in the browser.
Most incidents do not look like a spy movie. There are no hooded hackers here. More often, an employee goes to a meeting and leaves the computer unlocked. A coworker who "just wanted to check one file" ends up seeing confidential correspondence, sometimes intentionally and sometimes simply because the opportunity appeared.
It also looks like this: a laptop is left in a cafe, a coworking space, or a client's waiting area. The owner leaves it for a moment. A stranger walks up and gets access to the entire corporate environment.
Or like this: a service technician, courier, or client comes to the office. The employee steps out to meet them, leaving the desk for a moment. Email, documents, and customer data are open on the screen. A third party can see everything - even if that was not their intention.
In each of these scenarios, the problem does not result from an advanced attack. It results from the lack of the simplest safeguard.
Screen lock vs personal data and GDPR
This is not just a matter of good practice. Lack of screen lock in an environment where personal data is processed may be treated as a violation of data protection principles.
GDPR requires the use of appropriate technical and organisational measures to ensure data security. An unlocked computer with open documents containing customer, employee or partner data is a clear violation of this principle - especially when unauthorised individuals have access to the screen.
In the case of an incident resulting from lack of screen lock, the supervisory authority may determine that the company did not implement basic, available protection measures - which directly affects the assessment of accountability and potential consequences.
Proper settings - between security and usability
Locking after 30 minutes of inactivity is not a lock - it is an illusion of security. For half an hour away from the desk, the computer remains completely open.
A reasonable compromise for an office environment is a lock after 5 minutes of inactivity. That's short enough to genuinely protect the workstation during an employee's absence, and long enough not to lock the screen during a brief pause in typing.
For laptops used outside the office - in cafes, at client sites, in transit - it is worth considering a shorter time, e.g., 2-3 minutes. The risk is much higher here because the computer is accessible to complete strangers.
It is also worth enabling screen lock when closing the laptop lid. This is a simple safeguard that costs nothing and does not require any changes in daily habits.
Screen lock policy in the company
Building a habit among employees of locking the device every time they leave their workstation is good practice. It is better to lock the device immediately than to leave it unlocked, even for a moment. However, relying only on employee memory is not enough. People forget, rush, and have other things on their minds.
The right approach is to enforce locking through system policy - a setting that the IT administrator deploys centrally and that the user cannot change. The computer locks after a defined period regardless of whether the employee remembers it or not.
The same applies to requiring a strong password or a strong PIN to unlock - a simple code that can be observed over the shoulder makes no sense. Some organizations implement biometric authentication - fingerprint or facial recognition - so the computer unlocks almost immediately.
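One way to check that the policy described above is actually in force across a fleet, as an added example that is not part of the original article: it audits a device inventory against the 5-minute office limit, the 2-3 minute limit for laptops used outside the office, lock on lid close, a required unlock credential, and central enforcement. The field names and the sample inventory are hypothetical and constructed for illustration; a real export from a device management system will use its own schema.

```python
from dataclasses import dataclass

# Limits from the article: 5 min in the office, 2-3 min for laptops used
# outside it (the upper bound of that range is used here).
MAX_TIMEOUT_SECONDS = {"office": 5 * 60, "mobile": 3 * 60}

@dataclass
class Device:
    # Hypothetical fields; map them to your management system's export.
    name: str
    profile: str                  # "office" or "mobile"
    lock_timeout_s: int           # 0 means automatic locking is disabled
    lock_on_lid_close: bool
    unlock_requires_secret: bool  # password, PIN or biometrics needed to unlock
    user_can_change: bool         # True if the setting is not centrally enforced

def audit(device):
    """Return the list of policy findings for one device (empty = compliant)."""
    findings = []
    # Unknown profiles are held to the strictest limit rather than skipped.
    limit = MAX_TIMEOUT_SECONDS.get(device.profile, min(MAX_TIMEOUT_SECONDS.values()))
    if device.lock_timeout_s <= 0:
        findings.append("automatic lock disabled")
    elif device.lock_timeout_s > limit:
        findings.append(f"timeout {device.lock_timeout_s}s exceeds {limit}s")
    if device.profile == "mobile" and not device.lock_on_lid_close:
        findings.append("no lock on lid close")
    if not device.unlock_requires_secret:
        findings.append("unlock without password, PIN or biometrics")
    if device.user_can_change:
        findings.append("setting not enforced: user can change it")
    return findings

def audit_fleet(devices):
    """Map device name -> findings, listing only non-compliant devices."""
    return {d.name: f for d in devices if (f := audit(d))}

# Constructed sample inventory.
INVENTORY = [
    Device("desk-01", "office", 300, True, True, False),
    Device("desk-02", "office", 1800, True, True, True),
    Device("lap-01", "mobile", 300, False, True, False),
    Device("lap-02", "mobile", 120, True, True, False),
    Device("desk-03", "office", 0, True, False, False),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```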
How it looks at Helpwise
The screen lock policy is part of the standard workstation configuration that we implement for our clients. We set the lock timeout, enforce a PIN or password for unlocking, and do it centrally through a device management system - so the setting is consistent across all computers and no user can bypass it.
At Helpwise, we encourage implementing biometrics. Unlocking a computer with a fingerprint or face takes a fraction of a second - and suddenly it turns out that no one is looking for a way to disable the lock. Biometrics removes the only real obstacle people have with this mechanism, and makes security stop being a burden.

