Jay

You should consider both talking to your colleague and alerting your manager, or the organization's cyber risk manager, as soon as you can. Cyber risk is a serious concern of any reasonably informed organization. Your colleague is actively creating breaches and leaks. You are also contributing to the real potential of a cyber incident by not promptly reporting what you've observed.

You'll risk your relationships with your colleagues by handling the situation unprofessionally or indelicately, not by reporting your concern alone. Keep the following in mind and you can expect to maintain the respect and trust of your colleagues:

  • Don't discuss your observations with anyone except a trustworthy manager and your colleague that you've observed creating security issues. This isn't a topic to be used for gossip or banter among your teammates or at home.
  • Do have a frank but friendly discussion with your colleague about your concerns. Make sure they understand you're genuinely concerned about the wellbeing of the firm. Be upfront about having alerted a manager.
  • Do give your colleague the benefit of the doubt. It's reasonable to assume he/she really doesn't understand the riskiness of his/her actions. Focus on your specific observations - don't make judgements about the person.
  • Don't nit-pick. Identify and report big issues. It's okay to let some things go (e.g., installing Spotify on a company laptop against policy). Leave monitoring to the IT team.
  • After reporting, let it go. If the appropriate individuals in the company don't intervene to correct the issues, let it go. You've done your part.
  • Listen to the feelings and feedback from your colleague and the rest of the team. At minimum, your colleague will be embarrassed. Don't lecture or chastise. Listen to what your colleague has to say, apologize for any hurt feelings, and let him/her know that you do respect them as a colleague and want to keep working together.

You should consider both talking to your colleague and alerting your manager, or the organization's cyber risk manager. Cyber risk is a serious concern of any reasonably informed organization.

You'll risk your relationships with your colleagues by handling the situation unprofessionally or indelicately, not by reporting your concern alone. Keep the following in mind and you can expect to maintain the respect and trust of your colleagues:

  • Don't discuss your observations with anyone except a trustworthy manager and your colleague that you've observed creating security issues. This isn't a topic to be used for gossip or banter among your teammates or at home.
  • Do have a frank but friendly discussion with your colleague about your concerns. Make sure they understand you're genuinely concerned about the wellbeing of the firm. Be upfront about having alerted a manager.
  • Do give your colleague the benefit of the doubt. It's reasonable to assume he/she really doesn't understand the riskiness of his/her actions. Focus on your specific observations - don't make judgements about the person.
  • Don't nit-pick. Identify and report big issues. It's okay to let some things go (e.g., installing Spotify on a company laptop against policy). Leave monitoring to the IT team.
  • After reporting, let it go. If the appropriate individuals in the organization don't intervene to correct the issues, let it go. You've done your part.
  • Listen to the feelings and feedback from your colleague and the rest of the team. At minimum, your colleague will be embarrassed. Don't lecture or chastise. Listen to what your colleague has to say, apologize for any hurt feelings, and let him/her know that you enjoy having him/her as a colleague and want to keep working together.