Workplace attendance and hybrid working attract many opinions, and no consensus. In this article, technology partner James Tumbridge highlights important considerations outside of ‘pure’ employment law matters, such as data and cyber security issues.
According to Fortune and NewtonX’s poll, 63% of high-growth companies are working hybrid. In 2024, the City of London published findings from their staff survey, with 77% responding negatively to more than 3 days a week in an office.
In London, some public sector organisations have mandated attendance, but no London Borough requires more than 3 days in the office at present, with 47% of them having no attendance requirement at all and 84% having attendance requirements of less than 3 days a week. The private sector sees a range of requirements: Starling Bank, Deloitte, Unilever and NatWest have no mandated attendance, Google and Tesco require 3 days’ attendance per week, and Goldman Sachs and Barclays require 5 days’ attendance in office per week.
Clearly workers like a mix of office-based and non-office-based time, but there are important cyber security concerns to consider.
Technology challenges of home working
Typical concerns with hybrid working relate to the challenges of building and maintaining relationships, the loss of collaboration, sparking of new ideas, and the challenges of training junior staff. Hybrid working also requires good technology enablement. The hybrid model’s reliance on remote access also significantly heightens security risks, and data breaches are more likely with dispersed access points; indeed, your IT security is only as good as the home setups.
Regrettably, once you have remote workers, your cyber security arrangements and digital compliance are only as good as a person’s home setup. Working remotely changes your risk profile and there are several different types of data breaches and cyber attacks that might affect you. In order to address common issues and de-risk, you may need a combination of legal advice, policy/contracts, and improved IT systems.
- Risk based on end-user access points – With a traditional in-office system, you have limited places an attack could occur via the internet connection, but with a dispersed workforce each remote worker’s home is a potential point of attack. You need to think about the apportionment of liability and risk between the business and the worker, and ask who is responsible for which aspect of the cyber-security system. The dispersed workforce means more endpoint devices, networking connections and software to secure. You therefore need to think about what software security you have in place, and whether you can improve the security of your business and its data. Don’t forget that remote work increases the chance that employees use unsecured networks, such as public Wi-Fi, and home networks are also vulnerable to attacks.
- Line management and oversight – Do you have any ability to monitor what your employees are doing when working remotely? Are they using your devices or their own? What settings do you have to monitor what software is downloaded, and what data is being shared? There are many software solutions to monitor or prevent downloading to devices, so you should consider what is the right approach for your business. The 2024 Work Trend Index from Microsoft and LinkedIn, which surveyed 31,000 people across 31 countries, suggests your staff might be using AI whether you asked them to or not. Apparently, 75–78% of staff are bringing their own use of AI into their work. The worrying thing is that 89% of respondents said they would work around cyber security settings to use AI/meet a business demand.
Data loss due to remote work is a real problem, and people sometimes pay less attention to their organisation’s policies when away from the collective work environment of an office. There are also non-technical issues if your worker shares their home with others. Do you know what jobs the cohabitees have? Could they see something they should not on a screen while your worker is online? If you are in a regulated business, ask yourself, what is the regulatory expectation and the precautions/risk analysis you should take?
- Personal data and digital regulation – Remote workers can access and share data in ways that might breach data protection laws, and contractual obligations. You need to be asking yourself key questions when you allow flexible/hybrid working: have you considered if you gave contractual promises not to process data somewhere where your employee is now based? Have you promised a certain minimum level of security that home working cannot meet?
- Vulnerable hardware – You should ask yourself if your employee is taking suitable precautions with the physical devices they use for their work. Are they locking down their device when not in use? Do the devices have password protections? Can you remotely monitor the device location? What if they are burgled and the device is stolen – is the data on the local device at risk? Adequate protection of laptops and smartphones, plus suitable insurance covering not only the device but also the cyber risk, all need to be considered.
- Document sharing and video conference security – Cyber attackers can exploit the increased use of video conferencing and platforms designed to share and edit documents. If their access to a meeting or documents on Zoom and other platforms goes undetected, they can obtain information to use to their advantage. You can reduce your risk with contracts, liability apportionment, insurance and enhanced IT security – but you need to decide what suits your business and its risks.
Once you take all these points into consideration, you need to think about whether you are able to comply with your contractual obligations, and the law covering data protection (GDPR), e-privacy and communications (PECR), and upcoming laws and regulation following the development of the AI Convention/Treaty and the EU AI Act. Digital compliance is growing, and you need to consider what risks you have and how hybrid working impacts them.
With flexible working now a day-one right, you need to think through how to deal with these requests and take advice if you are unsure how to legally deal with them to avoid the risk of employment claims against your business. You also need to think about the commercial consequences of flexible working requests from several angles, including cyber security, discrimination, business continuity, impact on the rest of your workforce, and productivity.
Do keep in mind that you have legal and sometimes contractual obligations that may create issues when someone is remote working. You have responsibility for their work area setup and cyber security, and you need to consider how you will justify your decisions. Whatever your decision, do review your software and IT security arrangements and consider if you have the right insurance in place.
If you have questions about the digital implications of hybrid working, please contact James Tumbridge.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.