How could security be impacted by a shorter, four-day working week? asks Jon Fielding, pictured, Managing Director, Apricorn, which offers encrypted drives.
The world of work has been completely transformed in recent years. It seems that the normalisation of hybrid and remote working options are just the beginning, with organisations of all shapes and sizes now experimenting with novel and innovative working patterns. In some camps, the potential merits of a shorter working week are now actively being explored. Just last year, it was reported that more than 3,300 workers at 70 UK companies, ranging from a local chippy to large financial firms, began trialling a four-day week in the summer.
The motivations are clear. The employee experience has risen to the fore in recent times, with organisations increasingly recognising that the new frontier when it comes to competing for talent is quality of life. And whilst employee wellbeing is at the heart of the proposed changes, there are reasons to err on the side of caution. The idea is simple – employees work four days instead of five, while still receiving the same pay and benefits and managing the same workloads. In essence, that means completing 40 hours of work in 32.
While this might be feasible and serve to bolster productivity and motivation in some professions, in others, it is less realistic. For those that are already at capacity, the loss of eight hours a week could create additional pressures and add to the threat of burnout among those employees looking to seek reprieve. As staff become overtired, shortcuts will be taken and cybercriminals will be looking for the weak security links, which in this case, will be the employees. Here lies the fear, with overworked and overstretched employees are more likely to cut corners, drop best practice and put data security at risk.
Now, more than ever, security must not be undermined
It is critical that this doesn’t happen. It is not a coincidence that phishing campaigns and other social engineering tactics are so commonly used – indeed, the actions and errors of individuals are already significant target for threat actors. According to the World Economic Forum, 95 per cent of cybersecurity issues can be traced to human error.
Further, the threat landscape has continued to intensify in recent times. In 2022, the total global cost of cybercrime was estimated to be $8.44 trillion – more than seven times the $1.16 trillion recorded in 2019. As attackers continue to enhance the volume and complexity of their attacks, it is imperative that firms looking to embrace a four-day working week consider the potential security implications and ensure that they strengthen, not weaken, their defences in the process.
That means making security a priority through the development of comprehensive policies, alongside efforts to ensure that employees gain an understanding and awareness of their importance. Of course, this begs the question of what policies exactly should be prioritised. Here, we’ll outline four critical considerations which should be at the focal point of discussions:
1.Only IT-approved devices should be used to connect to the corporate network
First, it is critical that unmanaged personal devices are not allowed to access corporate networks. This has been a key security issue since the COVID-19 pandemic first began – not only do unmanaged devices reduce visibility and undermine security protocols, but they will also expand an organisation’s attack surface, enabling cybercriminals to leverage user endpoints much more easily to gain a foothold on a network. Ensuring that only IT-approved devices can access a network is therefore vital, particularly for those employees opting to work extra hours remotely and into the evening as they make adjustments for a four-day working week.
2.Implementing the principle of least privilege
Restricting access to known devices is one important step, yet this should also be supplemented by the principle of least privilege – a critical aspect of zero trust, stipulating that employees should only have access to those applications they truly need to complete their job, rather than the entire corporate network. Not only does this approach help to secure data, limiting the damages that could be done by insider threats and compromised accounts, but it can also help to enhance employee productivity by streamlining the digital asset portfolios of each individual user.
3.It is essential that these security policies do not impede employee productivity
Having sound security policies in place are all well and good. However, it is critical that these policies are easy to understand and navigate. If employees view policies as being too complex or a barrier to productivity – particularly in the context of a shorter working week, where time is at an even greater premium – then they will be more likely to resort to non-sanctioned tools and devices which circumvent IT departmental control and result in additional risks to corporate data.
4.Improving awareness is also key
It is critical that organisations continually work to improve understanding and awareness of sound security practices among employees, regularly reiterating their importance. By maximising education in addition to creating user-friendly policies and procedures, staff will be much more likely to adhere to vital policies, and organisations will in turn be much better placed to avoid non-compliance and the threat that data is at risk of a breach.
Indeed, while a four-day working week can offer many benefits, from reducing costs and enhancing productivity, to attracting top talent and developing positive corporate cultures, considerations must be balanced. By making security a priority in considering any major operational changes, organisations can develop strategies that won’t leave them vulnerable to potentially devastating attacks while still allowing the employee experience to flourish.
