A four-day working week?

by Mark Rowe

Are IT professionals really ready for a four-day working week? asks Martyn Ditchburn, Director of Transformation Strategy at the cyber firm Zscaler.

After a successful breakthrough in the world’s largest trial of a four-day week – which resulted in 92 per cent of participating UK companies opting to continue with a 32-hour work week – it’s time to question the major obstacles that organisations still need to overcome in advance of its adoption.

While organisations are focusing on its major health and wellbeing benefits for the workforce, IT professionals are stuck focusing on the implications of a shorter week and how that may jeopardise company security. As workers adapt to matching the productivity outputs of a five-day working week, security teams are raising concerns over the impact of cutting corners and deprioritising best security practices.

The question is, are IT professionals ready to embrace a four-day working week, and what parameters need to be in place to make it a safe and secure reality? To answer this, it’s important to address a range of factors that ensure cybercriminals can’t take advantage of fatigued employees, and outline how businesses can future-proof their security models to take on a four-day working week.

Addressing flexibility and the added security risks

Flexibility is one of the most commonly reported bonuses of a four-day working week, allowing employees to take charge of their time and shift tasks around their personal lives to improve productivity and work-life balance.

While this does wonders for employees’ flexibility, it has the potential to wreak havoc on security teams who rely on predictable patterns of behaviour to make security decisions. Access context is a key element in deciding whether access to a resource should be allowed or denied. Take, for instance, an employee who is typically active in the work environment on Mondays but not Fridays. When that employee changes their routine in line with flexibility policies, SOC analysts will no longer be able to rely on that context to help discern whether activity is usual or unusual, creating blind spots for organisations which can become a security liability.

Device location is another critical element of context that’s in danger of being scrambled by the four-day work week. Not long ago, many Europeans experienced lockdowns abroad when travel bans were issued during their travels. We could witness a near-permanent state of resource access requests from holiday destinations abroad as employees take advantage of hybrid work and weekly “long weekends” to travel. Detection of a security compromise heavily relies on an established baseline of behaviour. Deviation from the baseline is a trigger for further investigation. But how do security practitioners establish a baseline when everything is abnormal? On top of managing the flexibility of UK employees maintaining a four-day working week, many security professionals are also having to grapple with the company’s global obligations, where its other teams are forced to fulfil a five-day working week. Therefore, CISOs will have no choice but to tackle the flexibility issue now or face the consequences of becoming reactive later.

New schedules make it difficult to manage devices

On top of managing employee flexibility, security practitioners also have to keep up with employees’ daily schedules for device posture management purposes. The guaranteed 9-5 made it manageable for security teams to ensure updates or patches could be provided on a regular basis. However, when endpoints are off the network for extended periods of time, IT teams have to adapt to making updates less regularly. This means that when the next severe zero-day happens to be identified, it could be several days before all endpoints have the necessary updates to protect them, putting workloads and devices at risk.

As a result, teams will have to devise new patching and update schedules to better suit the new working patterns, which likely won’t be achievable overnight.

Rethinking security solutions throughout dramatic change

Despite the fear of change, society and the latest technology are designed to be adaptable. In fact, IT professionals have already adapted in the past to securely connect users to applications regardless of network, location, or device type. A four-day working week is realistic but will require certain changes to security solutions to ensure protection.

Zero trust network architecture represents the most resilient response to changing user patterns because it operates on the principle of “never trust, always verify.” While IT teams struggle to keep up with the new normal by managing behaviours and attacks, a trusted security solution such as zero trust will aid in reducing the time and cost of responding to and cleaning up after a breach, giving security professionals more time to troubleshoot and focus on bigger issues at hand.

Conclusion

While momentum around the four-day working week is growing, larger organisations will need to consider factors like patching schedules, access request context and security solutions before switching to a new way of working. Failing to do so will only lead to burnout from ongoing breaches that will distract businesses from scaling.

© 2024 Professional Security Magazine. All rights reserved.