New Publication: Remote Working and (In)Security?
Georgia Crossland and I are delighted to announce that our research on the 'Impact of Pandemic-Driven Remote Working on Employee Wellbeing, the Psychological Contract and Cyber Security' is now published and accessible through the Research Institute for Sociotechnical Cyber Security (RISCS) website. The full report is available at: https://www.riscs.org.uk/new-publication-remote-working-and-insecurity/. This blog post covers the goals (and context), findings, and recommendations of the report.
Context and goals
Cliché after cliché could be used to try to explain the sheer breadth of impact of COVID-19 on (all) our lives. Just one aspect of this change was the rapid transition to remote working as people were encouraged to work from home and limit contact with others as far as possible - through repeated lockdown conditions and, typically, in high-stress conditions. Georgia Crossland and I were delighted to design and carry out a research project exploring how remote working has impacted the experiences - and security practices - of employees. We collaborated with RISCS, the UK National Cyber Security Centre and RISCS Leadership and Culture fellow Berta Pappenheim on a project designed to capture the initial impacts of remote working. The final report, published in July 2021, includes key findings and recommendations to be considered by the UK Government in policy terms, organisations managing their approach to remote working, and academia.
Approaching the research
Having previously collaborated on a publication on cyber security behaviours in organisations, and both having experience interviewing senior cyber security personnel, Georgia and I worked collaboratively to coordinate, carry out, and ultimately publish this report with RISCS. This research built on a literature review on remote working and cyber security, a publication coordinated by Georgia and released in January 2021, which highlighted significant research gaps on the impact of forced remote working (in which the employee has no choice to physically go to the office) given that remote working had been previously more typically viewed as a ‘perk’. Analysing existing research through the review also informed our research questions; while previous studies have shown that remote working can have some impact on the unwritten contract between employers and employees (the ‘psychological contract’) in terms of loyalty and compliance with organisational policy, we were interested in measuring this potential change through this initial study. Speaking with 18 senior cyber security professionals (either Chief Information Security Officers or equivalent cyber security colleagues with management responsibilities) employed across a range of sectors, we conducted the interviews remotely and in the context of a UK lockdown. We used a ‘semi-structured’ interview style which allowed the interview to flow naturally according to the interviewee’s direction, while ensuring the conversation remained centred on the agreed themes of the psychological contract, employee wellbeing, and changes to cyber security practices. Once we had our transcripts fully anonymised, we used qualitative research software NVivo to collaboratively ‘code’ the data and inductively draw out themes and perspectives shared through the interviews.
Given our relatively small sample size, our report does not analyse by sector or attempt to generalise the experiences of our interviewees. We instead present our research findings as an initial insight and evidence source for employee experiences, and as a prompt for future research, with several opportunities for future projects highlighted in the report. In this context, our major findings can be summarised as follows:
Organisations have taken different approaches to security risk management. While some employers relaxed corporate device policy and displayed increased trust in employees to ‘get the job done’, other employers increased restrictions, occasionally to the perceived detriment of productivity and collaboration.
Remote working has increased security colleagues’ worry associated with insider threats. Through shadow IT practices, inadequate remote working security controls or mitigations, and decreased visibility of remote working environments, participants suggested that there are more opportunities for employees to, deliberately or unwittingly, expose organisations to risk.
Flexible working and virtual team socials were the most common organisational support mechanisms. Additional support mechanisms included informal carer days, financial allowances for equipment, and mental health support resources.
There is no ‘one-size-fits-all’ to employee wellbeing through remote working.
Organisational leadership shapes employee experiences. Positive security culture and organisational handling of employee wellbeing were reported where respondents felt leadership clearly articulated and justified a consistent approach to remote working.
As a result of this research, several recommendations can be drawn which may be of use to government policymakers and organisations:
Senior leadership colleagues should strive for clear and consistent top-level communication across all areas including security best practices, wellbeing and employee support.
Senior leadership colleagues should both understand and incorporate employee needs when determining policy, considering employee wellbeing alongside organisational objectives.
Senior leadership should take the impact of remote working into consideration when looking at employee retention, and record any potential implications for the psychological contract, especially when remotely onboarding new colleagues.
Security leadership colleagues should understand employee needs when setting specific policy/processes for cyber security awareness.
Security leadership colleagues should ensure employees at all levels understand the purpose of cyber security controls and the justification for using them, leveraging executive leadership support where this is required.
Senior leadership colleagues should note that employees have experienced the pandemic and remote working pressures in different ways. These needs should be taken into consideration when planning future hybrid or ‘return to office environment’ patterns.
This publication update was originally written for the Royal Holloway Centre for Doctoral Training blog. The original piece, along with other student contributions, can be read on the CDT blog site.
Please check out our other work or contact us through our LinkedIn profiles (Mine / Georgia's). Georgia's academic research continues to focus on the user and human factors in cyber security, while my focus continues to broadly draw in education and training, leadership and cyber strategy, and organisational security management. We're both happy to send through resources for those who would like further information.