A four-day working week must not undermine security

A four-day working week provides many benefits for employees and employers alike. But moving to a four-day week needs to be done carefully with a particular focus on the continuation of cybersecurity across the company. Jon Fielding, Managing Director, Apricorn, explains what companies need to consider when moving to a four-day week.

The changes we’ve seen in working patterns haven’t resembled a simple switch from office-based operations to hybrid and remote models.

Rather, the entire employment landscape has been overhauled, paving the way for the implementation of creative and experimental policies as organisations seek to strike the optimal balance that benefits both them and their employees.

From allowing people to choose their own hours, to offering unlimited annual leave, companies have been exploring several progressive approaches. Yet one trend that is gathering notable momentum in this space is the shorter working week.

This is not a new concept. Between 2015 and 2019, Iceland ran trials that cut the work week from 40 hours to 35 without reducing pay for 1% of its workforce, for example. However, we’ve seen other countries and companies eyeing it more readily in recent times.

There have been several different takes. In 2019, the municipality of Odsherred in Denmark trialled a Monday to Thursday schedule for 300 public employees whereby total hours weren’t reduced. In 2022, the UAE reduced the work week for public staff to 4.5 days. And come the spring, the Spanish city of Valencia will also roll out a four-day work week test on a broad basis.

These trials aren’t simply for fun, but to explore the widespread benefits that they can bring to the table.
According to a co-ordinated six-month trial involving 33 companies and 903 workers, a four-day week leads to a happier workforce. Of the 495 employees who responded to the post-trial survey, 97% said they wanted to continue with a four-day week, with 45% stating they had greater job satisfaction and 60% citing an improved work/life balance.

Where the employee experience has become a key frontier of competition, reducing the working week can give companies a competitive advantage when it comes to attracting and retaining talent. However, it’s not just beneficial to staff. Equally, the study showed that, on average, company revenues rose 8.14% during the trial – more than one percentage point every month.

These advantages are enticing, but it’s important to note that they won’t be realised overnight.
Embracing a shorter working week isn’t a simple case of flicking a switch. To ensure such a dramatic operational change doesn’t result in any radical and unwanted outcomes, it’s a process that needs to be carefully managed to ensure continuity (or ideally improvement) is achieved across the board.

While the whole idea revolves around employees working more efficiently, with fewer hours in the week to manage the same responsibilities, it is critical that this dynamic doesn’t lead to shortcuts.

From an IT perspective, there is a fear that employees favouring productivity could be more likely to cut corners, drop best practice and jeopardise company security.

Cybercriminals today see the individual as an easy target. It is no coincidence that social engineering campaigns such as phishing are so common – according to an IBM study, human error was the primary reason for 95% of cybersecurity breaches.

Given that the cost to the global economy stemming from cybercriminal activities is expected to almost triple in the next five years, organisations must ensure they prioritise the improvement of their protective efforts as the threat landscape only gets worse.

It is therefore critical that any adaptations in the working week do not undermine security and lead to key protocols being swept under the carpet in favour of time savings. Indeed, organisations must ensure that the security chain becomes stronger, not weaker.

Security policies to consider when implementing a shorter working week

Improving awareness is a critical piece of this puzzle.
By maximising awareness of security best practices among the employee base, any risks stemming from particular actions, devices and tools will be better understood by those who are often responsible for them.

With that said, employee awareness isn’t a silver bullet. Indeed, individuals will still be prone to slip-ups if faced with particularly convincing phishing campaigns, for example.

Therefore, firms should supplement educational efforts with comprehensive policies that are specifically designed to manage employee responsibility and enhance the overall security posture.

This should begin with embracing the principle of least privilege. A central pillar of Zero Trust, this ensures that users only have access to the software, systems and applications that they truly need to complete their job, rather than the entire corporate network. Not only will this serve to ensure that any damages inflicted by potential attacks or insider threats are reduced, but it can also improve productivity by narrowing the scope of each user’s digital asset portfolio.

This approach should then be paired with the effective management of those devices being used to access corporate networks. Unmanaged devices are the root cause of several security problems. Not only do they limit visibility, but they also expand an organisation’s attack surface, enabling cybercriminals to exploit user endpoints much more easily. Ensuring that only IT-approved devices can access a network can go a long way to mitigating these threats.

Firms should also mandate procedures that require the encryption of all business data across devices as standard. With many employees now working wherever and however they like, the need to secure data on the move has never been more important. Hardware encryption offers much greater security than software encryption, and PIN pad-authenticated, hardware-encrypted USB storage devices offer additional, significant benefits. Being software-free eliminates the risk of keylogging and screen capture while removing specific operating system usage restrictions. As all authentication and encryption processes take place within the device itself, critical security parameters are never shared with a host computer.

Encryption can be easily rolled out across the organisation through the deployment of hardware-encrypted, removable storage devices to ensure all data can be stored or moved around safely and offline. Even if the device is lost or stolen, the information will be unintelligible to anyone not authorised to access it, and organisations will have peace of mind that company secrets or sensitive data won’t be revealed.

And finally, a sound backup strategy should be adopted to ensure that data can always be recovered. According to IBM, the average cost of a ransomware attack in 2022, not including the cost of the ransom itself, was US$4.54 million. The 3-2-1 rule should form the basis of any backup processes: keep at least three copies of your data, on at least two different mediums, with at least one copy stored off-site.

Maintaining physical backups even if you use cloud storage is essential in case your cloud provider experiences downtime and/or faces a breach. By developing a sound backup plan that comprises offline backups in parallel with a centralised cloud backup plan, the worst of these astronomical costs can be mitigated thanks to speedy and reliable recovery methods.

In embracing simple policies such as these, organisations can rein in staff responsibilities and make sure that any adverse outcomes stemming from operational changes, such as the implementation of a shorter working week, are far less likely to lead to potentially catastrophic cyber incidents.

Not only will staff members be less likely to put information at risk, but if they do, then threat actors will have a harder time taking advantage, and organisations will be better prepared to respond and recover.
