#WhatFraudstersLike #PhysicalSecurity #InsiderThreat #UnattendedDevice #LetsTalkFraud

Fraudsters Like Unattended Computers!

You stepped away for 60 seconds. Coffee, bathroom, a quick chat in the hallway. Your screen is still on. That was enough.

Physical access to a device - even briefly - can defeat encryption, bypass MFA, and extract everything. No hacking skills required. Just opportunity and a ticking clock.

Here is how it plays out across the places you work and live:

🖥️ Unlocked screen, open door - the most common scenario by far. A colleague, visitor, or cleaner browses open tabs, forwards emails, reads documents, or photographs sensitive data with their phone. Takes seconds. Leaves no trace.

πŸ‘οΈ Shoulder surfing - in open offices, airport lounges, and trains, nearby observers capture passwords, PINs, and confidential content just by watching. A 3M/Ponemon experiment showed visual hacking succeeded in 91% of trials across 46 companies - and 52% of stolen data came directly from unattended screens.[ref]

🔌 Hardware keylogger - a tiny device plugged between keyboard and USB port, costing as little as $10, silently records every keystroke for days or weeks. Invisible to your system. Your IT team will never find it with software alone.

💾 USB drop - a malicious drive plugged in while you are away installs malware or exfiltrates files. In a University of Illinois field study, nearly half of the people who found USB drives on the ground plugged them in - the first within six minutes.[ref]

🏨 The Evil Maid - coined by security researcher Joanna Rutkowska in 2009: brief physical access to an unattended laptop allows firmware tampering so the device captures your password on next login. Hotel rooms, border crossings, and repair handoffs are favourite venues.

🔧 The repair shop - a University of Guelph study found that 6 of 16 repair technicians accessed personal data unrelated to the repair, with two copying files to an external device - and several attempting to cover their tracks afterward.[ref]

🚗 Forgotten and sold - Blancco research found 42% of second-hand drives resold on eBay still contained sensitive data, including scanned passports and archived email - despite every seller claiming they had wiped everything.[ref]

The numbers are sobering. Ponemon's 2026 Cost of Insider Risks Report puts the average annual organizational cost of insider incidents - most caused by negligence, not malice - at $19.5 million.[ref] IBM's 2024 data identifies malicious physical-access incidents as the single most expensive breach vector at $4.99 million per event.[ref] And the Verizon 2024 DBIR found that 91% of lost or stolen device incidents resulted in a confirmed data disclosure.[ref]

Your screensaver is not a security measure. "I'll be right back" is not a lock.

👤 For all of us: lock your screen every time you walk away (Win+L / Cmd+Ctrl+Q). Set auto-lock to 1-2 minutes. Use a privacy screen in public. Before sending a laptop for repair, back up and wipe it first.

🏢 For organizations: enforce mandatory screen-lock policy via group policy. Block or monitor unauthorized USB connections. Physically inspect workstations in shared or visitor-accessible areas. Treat a lost device as a confirmed breach - not a maybe.
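A concrete way to audit and enforce the screen-lock settings recommended above, as an added example that is not part of the original post. It uses the registry values that the Windows "Enable screen saver", "Password protect the screen saver", "Screen saver timeout" and "Interactive logon: Machine inactivity limit" policies write; the 120-second limit is taken from the post's 1-2 minute advice, and the function names are mine.

```powershell
# Added example (not from the original post): audit, then enforce, the screen-lock
# policy values Windows honours. Run as the user for the HKCU checks; run elevated
# to set the machine-wide inactivity limit. Domain GPO overrides these on refresh.

$UserPolicy     = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MachinePolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$MaxIdleSeconds = 120   # the post's 1-2 minute auto-lock recommendation

function Get-ScreenLockPolicy {
    # Returns the current values; a property is $null when the policy is not set.
    $u = Get-ItemProperty -Path $UserPolicy    -ErrorAction SilentlyContinue
    $m = Get-ItemProperty -Path $MachinePolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScreenSaveActive      = $u.ScreenSaveActive       # "1" = screen saver on
        ScreenSaverIsSecure   = $u.ScreenSaverIsSecure    # "1" = resume needs password
        ScreenSaveTimeOut     = $u.ScreenSaveTimeOut      # idle seconds before it starts
        InactivityTimeoutSecs = $m.InactivityTimeoutSecs  # machine inactivity limit
    }
}

function Test-ScreenLockPolicy {
    # Returns $true only when every setting meets the recommendation; warns otherwise.
    $p = Get-ScreenLockPolicy
    $findings = @()
    if ($p.ScreenSaveActive -ne '1')    { $findings += 'screen saver is not enabled' }
    if ($p.ScreenSaverIsSecure -ne '1') { $findings += 'screen saver does not require a password' }
    if (-not $p.ScreenSaveTimeOut -or [int]$p.ScreenSaveTimeOut -gt $MaxIdleSeconds) {
        $findings += "screen saver timeout is '$($p.ScreenSaveTimeOut)' (want <= $MaxIdleSeconds s)"
    }
    if (-not $p.InactivityTimeoutSecs -or [int]$p.InactivityTimeoutSecs -gt $MaxIdleSeconds) {
        $findings += "machine inactivity limit is '$($p.InactivityTimeoutSecs)' (want <= $MaxIdleSeconds s)"
    }
    $findings | ForEach-Object { Write-Warning $_ }
    return ($findings.Count -eq 0)
}

function Set-ScreenLockPolicy {
    # Writes the policy values with the same types Group Policy uses (REG_SZ / REG_DWORD).
    if (-not (Test-Path $UserPolicy)) { New-Item -Path $UserPolicy -Force | Out-Null }
    Set-ItemProperty -Path $UserPolicy -Name ScreenSaveActive    -Value '1' -Type String
    Set-ItemProperty -Path $UserPolicy -Name ScreenSaverIsSecure -Value '1' -Type String
    Set-ItemProperty -Path $UserPolicy -Name ScreenSaveTimeOut   -Value "$MaxIdleSeconds" -Type String
    Set-ItemProperty -Path $MachinePolicy -Name InactivityTimeoutSecs -Value $MaxIdleSeconds -Type DWord
}

# Audit first; only write when something is out of policy, then re-check.
if (-not (Test-ScreenLockPolicy)) { Set-ScreenLockPolicy; Test-ScreenLockPolicy }
```

On a domain-joined machine, use Test-ScreenLockPolicy alone as a compliance check and let the GPO do the writing; the Set function is for stand-alone or lab machines.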