After a successful trial in the U.K., Australian company Oxfam Australia has become the first to trial a four-day week after a landmark bargaining agreement.
The company agreed to a deal with the Australian Services Union to run a six-month pilot without losing pay to see how it impacts the workforce. The New Zealand-based non-profit 4 Day Week Global is behind many of the pilots and takes the stance that, when given the option, employees will maintain the same or higher productivity and greater wellness when given the option to work a 32-hour workweek for the same pay.
It’s still too early to tell if the four-day workweek will gain serious traction, and even proponents admit it’s not a good fit for all industries. But if we are to see our second tectonic shift in the way we work in just the past five years, it won’t hurt to consider the IT security implications of a four-day workweek well in advance of its adoption.
Access without context?
Many companies participating in the U.K. pilot program opted to stagger workers’ schedules during the trial to ensure at least five-day coverage for business needs. Others operated on what the study’s operators called “decentralised” hours, where departments and individuals could choose their day off. Some opted to mandate a 32-hour workweek and leave it up to employees when to accomplish their responsibilities. Some varied their workdays from week to week.
While this does wonders for employees’ flexibility, it has the potential to wreak havoc on security teams who rely on predictable patterns of behaviour to make security decisions. Access context is key in deciding whether access to a resource should be allowed or denied.
But take, for instance, an employee who is typically active in the work environment on Mondays but not Fridays. When that employee takes advantage of their newfound flexibility to switch which days of the week to work, SOC analysts will no longer be able to flag this as unusual, eliminating what was previously a handy source of context. For one employee, this is an unfortunate blind spot. For entire organisations, it’s a security liability.
Device location is another critical element of context that’s in danger of being scrambled by the four-day workweek. Not long ago, many Australians experienced lockdowns abroad when travel bans were issued during their travels. We could witness a near-permanent state of resource access requests from holiday destinations abroad as employees take advantage of hybrid work and weekly “long weekends” to travel.
Detection of a security compromise heavily relies on an established baseline of behaviour. Deviation from the baseline is a trigger for further investigation. But how do security practitioners establish a baseline when everything is abnormal?
Device management difficulties
Another unintended consequence for IT teams whose organisations shift to a four-day workweek involves device posture management. IT teams will face uncomfortably long gaps between updates and patches when endpoints are off the network for extended periods. They can continue to update the main infrastructure regularly, but many updates still require devices to be on the corporate network to be pushed. When the next severe zero-day happens to be uncovered, it could be several days before all endpoints have the necessary updates to protect them.
Undoubtedly, IT teams will devise new patching and update schedules to accommodate new working schedules. But it won’t be an overnight process and will entail a learning curve. Businesses with a four-day workweek should consider this side-effect before enacting the change.
The readiness is all
Ultimately, a four-day workweek may become something our children take for granted. Business leaders may see it as an extension of the health benefits of having fruits available in the office or productivity gains from dispensing freshly-brewed coffee in the canteen. Many points out that the five-day workweek is commonly attributed to Henry Ford, who reduced it from six on a hunch working fewer hours would make employees more productive. Organisations participating in the U.K. study noticed lower stress levels, higher productivity, and reduced turnover.
But it’s hard to imagine companies at the enterprise level will make the transition anytime soon. Most companies that participated in the trial had fewer than 25 employees, the largest around 1,000. Currently, Oxfam Australia has less than 200 employees participating in the trial.
While momentum is growing, larger organisations must consider factors like patching schedules and access request context before switching. In fact, many unforeseen, IT-related obstacles could arise because of such a significant change.
But we’ve seen such changes before, and we know those able to securely connect users to applications regardless of network, location, or device type were most insulated from disruption. The workspaces of tomorrow require a firm technology foundation and the appropriate protections to back them up. This is where zero trust comes into play.
When a zero-trust network architecture is accompanied by fine-grained policies that heighten end-point security and identity verification while diminishing exposed attack surface, IT teams are able to implement a much more resilient response to such evolving behavioural changes. In a world of changing baselines, the best way to secure our experiences is zero trust.
Keep up to date with our stories on LinkedIn, Twitter, Facebook and Instagram.