What Might a Four-Day Work Week Mean for IT Security?

Originally published by CXO REvolutionaries.

Written by Martyn Ditchburn, Director of Transformation Strategy, Zscaler.

Now that the largest-ever pilot program for testing the feasibility of a four-day workweek has concluded in the U.K., it may be worth asking what the IT security implications of widespread adoption of this scheme may be.

Nearly four thousand employees across 61 companies in Britain participated in the trial, with 92% opting to continue on with a 32-hour workweek, at least for the time being. Proponents say the switch helped to boost employee morale and productivity. According to the World Economic Forum, Belgium, Iceland, and New Zealand have also run trials with similar results.

The New Zealand-based non-profit 4 Day Week Global is behind many of the pilots and takes the stance that, when given the option, employees will maintain the same or higher productivity and greater wellness when given the option to work a 32-hour workweek for the same pay.

It’s still too early to tell if the four-day workweek will gain serious traction, and even proponents admit it’s not a good fit for all industries. But if we are to see our second tectonic shift in the way we work in just the past five years, it won’t hurt to consider the IT security implications of a four-day workweek well in advance of its adoption.

Access without context?

Many companies that participated in the U.K. pilot program opted to stagger workers’ schedules during the trial to ensure at least five-day coverage for business needs. Others operated on what the study’s operators called “decentralised” hours, where departments and even individuals could choose their day off. Some opted to mandate a 32-hour workweek and leave it up to employees when to accomplish their responsibilities. Some varied their workdays from week-to-week.

While this does wonders for employees’ flexibility, it has the potential to wreak havoc on security teams who rely on predictable patterns of behaviour to make security decisions. Access context is a key element in deciding whether access to a resource should be allowed or denied.

But take, for instance, an employee who is typically active in the work environment on Mondays but not Fridays. When that employee takes advantage of their newfound flexibility to switch which days of the week to work, SOC analysts will no longer be able to flag this as unusual, eliminating what was previously a handy source of context. For one employee, this is an unfortunate blind spot. For entire organisations, it’s a security liability.

Device location is another critical element of context that’s in danger of being scrambled by the four-day workweek. In the U.K. study, 52% of employees reported increased leisure travel during their trial periods. Not long ago, many Europeans experienced lockdowns abroad when travel bans were issued during their travels. We could witness a near-permanent state of resource access requests from holiday destinations abroad as employees take advantage of hybrid work and weekly "long weekends" to travel.

Detection of a security compromise heavily relies on an established baseline of behaviour. Deviation from the baseline is a trigger for further investigation. But how do security practitioners establish a baseline when everything is abnormal?

Device management difficulties

Another unintended consequence for IT teams whose organisations shift to a four-day workweek involves device posture management. When endpoints are off the network for extended periods of time, IT teams will be faced with uncomfortably long gaps between updates and patches. They can continue to update main infrastructure regularly, but many updates still require devices to be on the corporate network to be pushed. When the next severe zero day happens to be uncovered, it could be several days before all endpoints have the necessary updates to protect them.

Undoubtedly, IT teams will devise new patching and update schedules to accommodate new working schedules. But it won’t be an overnight process and will entail a learning curve. Businesses that decide to go to a four-day workweek should consider this side-effect before enacting the change.

The readiness is all

Ultimately, a four-day workweek may become something our children take for granted. Business leaders may see it as an extension of the health benefits of fruit in the office or productivity gains from keeping fresh-brewed coffee in the canteen. Many point out that the five-day workweek is commonly attributed to Henry Ford, who reduced it from six on a hunch working fewer hours would make employees more productive. Organisations that participated in the U.K. study indeed noticed lower levels of stress, higher productivity, and reduced turnover.

But it’s hard to imagine companies at the enterprise level will make the transition anytime soon. Most of the companies that participated in the trial had fewer than 25 employees, the largest around 1,000. While momentum is growing, larger organisations must consider factors like patching schedules and access request context before switching. In fact, many unforeseen, IT-related obstacles could arise as a result of such a significant change.

But we’ve seen such changes before, and we know those able to securely connect users to applications regardless of network, location, or device type were most insulated from disruption.

Zero trust network architecture, in addition to the following tenets, represents the most resilient response to changing user patterns:

• Go dark – Establish fine-grained rules to prevent threat actors from fishing for exposed assets through DNS and IP pings.
• Prevent lateral movement – Connect users to applications, not networks
• Create your own context – Leverage additional context through tight integrations of endpoint security and identity protection/verification solutions. Log every transaction to the SOC to help create new baselines.
• Stop backhauling – Capitalize on end users’ proximity to regional data centres, ensuring performance worldwide by cloud localised presence.

In a world of changing baselines, the only way forward is to trust no one.