Employee wellbeing 2021:
Learning from the new reality

Introduction

Remote working is no longer an occasional work perk. Driven by the pandemic, huge numbers of global workforces had a chance to test working remotely, and for many employees remote or hybrid working have already become the ‘new normal’. By allowing people to choose whether they attend the office or work from home, they now have the autonomy to structure their working week, helping to improve productivity and create a better work-life balance.

The seismic change has made people question whether they should continue to do long commutes when they could use that time to improve their lives by spending more time with their families, pursuing interests or other personal commitments. On the flip side, isolation and anxiety caused by changes for employees can be a huge drain on morale and productivity, making it a priority for businesses to address.

With technology a great enabler and providing the tools for businesses to remain operational no matter where employees are based, what effect is remote working having on people themselves? Businesses are aware of the benefits, but what are the plus points and downsides for workers and also the risks of remote work for organizations?

To understand the impact of the new normal and what more businesses can be doing to support workers and mitigate any associated risks to their business, this report delves into the attitudes and actions of global decision makers, providing insights and recommendations to get the balance right for employee and employer.

Methodology

The Kaspersky Global Corporate IT Security Risks Survey (ITSRS) is a survey of IT workers, which is now in its 11th year. A total of 4,303 interviews from businesses with more than 50 employees were conducted across 31 countries in May – June 2021.

Throughout the report, businesses are referred to as either SMBs (small and medium sized businesses with 50 to 999 employees), or enterprises (businesses with over 1,000 employees). Not all survey results are included in this report.

Key findings

  • Remote working has led to an increase in workload for 54% of employees, most people (67%) feel comfortable working remotely
  • Despite being physically separated from colleagues, 61% of employees haven’t noticed any difference when it comes to communicating with their teams or even feel more connected
  • 80% of firms have taken steps to manage employee burnout, but only 45% have implemented solutions that actually help to mitigate the amount of workload
  • 42% of SMBs and 43% of enterprises have experienced IT security infringement by employees, while changes to security policies is the most popular measure that companies use to prevent the repetition of data breaches
  • Almost half of companies (45%) prefer not to disclose leakage of personal employee data publicly. This type of leakage is the least frequently disclosed compared to corporate or customer data breaches

How hybrid working impacts employee wellbeing

The way we work has changed dramatically since organizations worldwide were forced to rethink operations in the face of the COVID-19 pandemic. Now global businesses, large and small across all industries, are starting to think about the longer term, including alternative ways to structure work communication and hours as well as the physical presence of their employees.

But while the new, remote working model suits well for many employees, it has led to them facing a more significant workload than before the pandemic hit. Just over half (54%) reported an increased work burden, 37% said their workload had remained the same, and only 9% noted a decrease.

Change in workload after switching to working from home

Change in workload after switching to working from home

However, despite a heavier workload, two-thirds (67%) report feeling more comfortable working remotely or have not noticed an increase in anxiety due to overtime. The majority also say they don’t feel any more tired working at home, with a third (36%) even reporting having more energy at the end of the working day compared to before the move to remote working.

One reason for this could be that swapping long commutes to pursue hobbies and interests and spend more time with loved ones, has given them a more balanced lifestyle, improved their wellbeing and overall health.

Employees' attitudes to remote and home working

Employees’ attitudes to remote and home working

Technology is key to continued communication

The pandemic has transformed the way we communicate. Phone and video calls, FaceTime appointments, video and digital conferences, social media – with hundreds of millions of people under lockdown around the world, the prevalence of digital and remote communication has increased dramatically.

The emergence of new technologies has also enabled remote employees to communicate just as effectively with their colleagues whether in the office or not. In fact, 61% report no difference in liaising with colleagues in the workplace or home, with more than a third (37%) of them even feeling more connected with their teams since working remotely.

Isolation and mental health

While complete remote working has promoted the ‘feel good factor’ for many, others have found their jobs affecting their wellbeing. Without the start and end of a work day commute, it can be difficult for many to compartmentalize and draw a line under the working day. For many people, the absence of live communication with colleagues is also among some of the frustrating factors. This is reflected in our survey, which found 39% of employees are suffering from feelings of isolation, 36% from tiredness, and 33% from anxiety.

According to the Harvard Business Review, employee burnout is a common phenomenon, but companies tend to consider it as a talent management or personal issue rather than a broader organizational challenge. The psychological and physical problems of burned-out employees, which cost an estimated $125 billion to $190 billion a year in healthcare spending in the U.S., are the most obvious impacts. The true cost to business can be far greater, thanks to low productivity across organizations, high turnover, and the loss of the most capable talent.

Is hybrid working the solution?

The hybrid working model is gaining ground among businesses and across industries by offering the ‘best of both worlds’. It can lead to the same or better results in productivity and efficiencies, as well as giving more freedom for employees. Our research found that nearly half of employees (45%) now divide their working week between home and the office. Employees of large enterprises are slightly more eager to work remotely (22%), while SMBs are less enthusiastic about remote work (18%).

Nicholas Bloom, a Stanford University economics professor with expertise in remote work, believes that once the pandemic subsides, working from home two days a week will be optimal for balancing collaborative and quiet work, while benefitting from the reduced stress of less commuting. By allowing employees to choose whether they attend the office or work from home, they now have the autonomy to structure their working week, helping to improve productivity and create a better work-life balance.

The human factor in IT security: are companies and employees doing enough to protect themselves?

Cyberattackers have used the pandemic as an opportunity to step up their criminal activities by exploiting the vulnerability of employees working from home. One reason for a spike in attacks is that some employees use their personal devices (phones, tablets, or laptops) to access corporate information.

Our research found that the use of non-corporate devices and services continues to grow: those communicating for work purposes via non-corporate e-mail services has risen from 67% to 69%; non-corporate messenger use has risen from 61% to 64%; non-corporate resource planning software from 42% to 45%; web-conferencing platforms from 83% to 86%; and social networks from 67% to 70%.

At the same time, compliance of staff and dealing with a poor end-user security culture remains one of the biggest concerns when it comes to IT security (42% of respondents cited it as one of the most pressing issue). When we drill down into what this means in practice, 42% of SMBs and 43% of enterprises have faced IT security infringements by employees; 42% of organizations have experienced inappropriate IT resource use by employees; and 38% of companies reported inappropriate sharing of data via mobile devices.

This is despite changes to security policies being the most popular measure (cited by 40% of respondents) that companies use to prevent the repetition of data breaches.

“Updating policies alone is not enough to mitigate the probability of data leaks. Breach prevention requires skillful coordination between everyone who interacts with a system and can be a potential vulnerability. Policies need to be accompanied by regular and prompt patching and the updating of software, high-grade encryption for sensitive data, and enforcing strong credentials and multi-factor authentication. Another integral aspect is training and regular refresher courses for employees. All levels of a company’s staff should understand the necessity of IT security policies and be aware of the consequences in case of non-compliance. Workers must also be regularly trained on how to react and respond in the face of a threat and know how to use corporate and personal devices safely and responsibly.

In addition to protective measures, companies also need to consider two important factors: the value of the information and the number of people who have access to it. Breaches are more likely to occur in organizations where too many employees work with confidential valuable information that can be sold or somehow used. In this case, if possible, it is necessary to change business processes by decreasing the number of people with access to crucial data, reducing the amount of data available to all employees, and also making available information less attractive for theft (anonymizing data, deleting the last digits of a credit card number, etc.).

A holistic approach to technology defenses, data access, employee accountability, and the right risk awareness is the only way to ensure cybercriminals can be stopped in their tracks,” explains Andrey Evdokimov, Head of Information Security at Kaspersky.

What has changed in your organization as a result of the incidents that occurred in the past 12 months?

What has changed in your organization as a result of the incidents that occurred in the past 12 months?

The good news is that 44% of organizations have implemented security education and training, but despite this more than half (64%) of them have experienced at least one issue relating to the quality of these services. This includes dissatisfaction with the high complexity of courses, and a lack of support and expertise on the part of the training provider.

A lack of security education could be one of the reasons why workers fail to observe policy rules and requirements. Employees should be offered guidance to understand the risks and the part they play in mitigating them, which can be achieved through comprehensive training and refresher courses. Learning should be fun and informative and not just a tick box exercise.

Keeping security top of mind

Personal employee data is of great interest to adversaries. According to our research, this type of information is most involved in data breaches. It is surpassed only by customer personally identifiable information and customer or user authentication credentials. However, our research found that almost half of companies prefer not to disclose the leakage of personal employee data publicly. In fact, this type of leakage is the least frequently disclosed, compared to corporate or customer data breaches.

45% of organizations (43% for SMBs and 49% for enterprise) haven’t disclosed a breach of personal employee information. However, 43% have disclosed the incident proactively and 12% did so after it has been leaked to the media. By way of comparison, the percentage of other undisclosed breaches was cited as: customer personally identifiable information (33%); customer payment / credit card data (33%); customer / user authentication credentials (36%); customer account numbers (33%); other customer personal data (38%); corporate financial data (37%); corporate intellectual property (42%); and other sensitive corporate data (43%).

Was data breach disclosed and how?

Was data breach disclosed and how?

Cathie-Rosalie Joly, a partner at the Bird&Bird international law firm, shares the following advice on how employees and organizations should act in the event of a data breach:

What should employees do if their data is leaked?

Employees who have suffered from a data leak should first contact the person in charge of personal data in the company, such as the data protection officer (DPO) in order to clarify the extent of the leak and be informed on the steps they should take to avoid or mitigate risk.

For example, in the case of a data breach concerning passwords, it will be necessary to change the passwords used, giving priority to the most important services such as email tax or bank accounts.

What measures should companies take if employee data is leaked?

In the event of a breach of personal employee data, the first step is to analyse the leak to qualify the nature of the breach and its consequences and assess the risk for the employees.

The data controller needs to implement appropriate remediation measures and inform the employees as soon as possible. When analyse demonstrates that the breach creates a risk to the employees, the data controller must inform them of the likely consequences of the breach. It will then be necessary to prepare and send mandatory notifications.

How can companies avoid legal complications in case of a leak involving employee data?

The first step is to comply with GDPR to implement measures to:

  • train employees on cyber-risk
  • prevent a data breach
  • respond appropriately in the event of a breach, i.e., terminate the breach and mitigate its effects.

Whether malicious or not, or intentional or not, any security incident which results in the integrity, confidentiality or availability of personal data being compromised, must be notified to the relevant supervisory authority by the data controller and, where a high risk exists, to the data subjects. Notification to the relevant supervisory authority must be made as soon as possible and no later than 72 hours after the data controller becomes aware of it.

Due to the multidimensional consequences of data breaches, it is necessary to consider both legal and operational aspects, including the technical aspects (such as produce evidence or document the measures implemented, as well as public communication.

Managing burnout to keep workers on board

Feeling overworked and overwhelmed has led to some employees re-evaluating their jobs and the impact of stress and isolation on their overall wellbeing. In response, our research found that businesses are seeking ways to help manage potential burnout.

Indeed, 80% of firms are investing in training courses to improve core skills such as management and timekeeping (31%), offering paid time off or annual leave (30%), and providing online wellbeing consultations and courses (29%).

However, there is still work to be done. Only 45% of firms have undertaken at least one measure to tackle employee burnout, with automation of security operations significantly under-utilized (26%).

There is also no evidence that companies are taking steps to mitigate the increased burden of work among remote workers. One fifth of employers have not signed up to any company programs to prevent burnout.

Programs / assistance provided to prevent burnout

Programs / assistance provided to prevent burnout

“Regarding burnout, as the report findings indicate, while many employers are implementing measures to address it, tackling workload is not common. Employers need to remedy the underlying issues in a systematic way, not just looking at workload but also the balance of control/demand, management practices, predictability, social support, redistribution of work, etc. These factors need to be assessed and tracked throughout. This is best achieved through a mix of surveys and indicators, e.g. engagement survey, psychosocial risk assessment, wellbeing survey, Employee Assistance Programs (EAPs) utilization, sick leave, stress survey, burnout inventory. Some of these can be integrated so they do not overburden employees with surveys. Most companies do not know, more than anecdotally, where on the wellbeing continuum their employees stand and only react when disease or serious cases manifest. Measures that merely address the symptoms, such as time management, stress management, resilience programs, or days off are minimally efficient. Through the Global Healthy Workplace Awards program, we emphasize a comprehensive approach including the psychosocial work environment (key component), a practice that followed by the best companies,” comments Wolf Kirsten, co-founder and co-director at the Global Centre for Healthy Workplaces.

Aside from company support, our research found 93% of individuals are taking their own steps to manage stress. However, activities such as excessive social media use, smoking or drinking alcohol might be a distraction and are more likely to adversely impact health and wellbeing in the long-term.

Activities undertaken to relieve stress when working from home / remotely

Activities undertaken to relieve stress when working from home / remotely

Conclusion

Getting the balance right between employee wellbeing and working well is key to the success of post-pandemic measures, which are set to become the norm for many businesses. Our research found that remote working has enhanced employee wellbeing, even though the cost has been a significant increase in workload. However, most of those surveyed say they are more comfortable working from home and feel more energized at the end of a remote working day.

But while many are thriving under the remote work model, others are struggling. The combination of lockdown fatigue, and increased hours spent at their desk at home, has led to some employees reporting tiredness, anxiety, and feelings of isolation. Despite many companies taking steps to mitigate burnout, these measures are not aimed directly at workload reducing.

While modern technology is changing working patterns, companies must remain vigilant to the working day blurring with homelife and the subsequent impact on wellbeing. They also need to educate staff on the increased risks associated with cybersecurity vulnerabilities when working from home, and pay special attention to safety of employees’ personal data.

It is clear that companies need to keep employee wellbeing and security at the top of their agenda. After all, organizations are only as good as the people they employ. Only by nurturing talent and taking steps to ensure a happy, motivated workforce people (and businesses) can thrive and become the best they can be.

To help businesses take the right path on the way to achieving a successful balance between employee wellbeing, productivity and safety, Kaspersky and Global Centre for Healthy Workplaces share the following advice:

  • Provide burnout programs and activities suitable for your employees. Understand their needs, interests, and expectations proactively through an internal survey or informal communication.
  • If circumstances of your business allow, be flexible and open to various work practices. Hybrid formats can provide the flexibility needed by today’s workforce whilst ensuring a focus on delivering results.
  • Ensure that all employees, including remote, office and hybrid workers, are equally involved in the work process and have the same opportunities to collaborate with managers and each other.
  • Develop clear guidelines for your team that will determine rules for each work format and reduce the feeling of uncertainty and anxiousness.
  • Encourage your team to have common activities. The shift to a hybrid model that requires office visits can be stressful and some people will need more help and support during the adaptation period.
  • Make sure that your employees stay safe no matter where and how they work. Educate them to use basic security practices when working remotely, such as how to avoid becoming a victim of email or web phishing, or how to manage accounts and passwords. Implement efficient security awareness training or at least maintain the level of cyber-hygiene skills of workers with free courses.

To reduce the workload and pressure on the IT security team, Kaspersky experts recommend taking the following steps:

  • Ensure that your company has an adequate number of employees. Use the formula ‘one cybersecurity employee for every 10 IT professionals’.
  • Entrust typical IT security tasks to a trusted MSSP provider. That will reduce the workload for in-house employees so they have more time to focus on company-specific requirements.
  • Give your employees an opportunity to ask experts for help in difficult situations. This will help relieve the psychological pressure on the IT security team and help to avoid serious mistakes.
  • Make sure that your team has a clear view of their objectives, goals, and the company’s priorities, whilst having enough freedom to manage their own time. Micromanagement gives a feeling of control but can have a negative impact on employees’ emotional state.
  • Encourage your team to solve non-standard problems and find non-standard solutions. This approach will help to motivate the team and combat fatigue from routine actions.