Powered by MOMENTUM MEDIA
cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Point/Counterpoint: Is the right to disconnect a threat to good cyber security practice?

The Australian federal government is making out-of-hours work out of bounds, but is this a recipe for disaster when it comes to cyber security?

user icon David Hollingworth
Tue, 13 Feb 2024
Point/Counterpoint: Is the right to disconnect a threat to good cyber security practice?
expand image

Australia’s new “right to disconnect” law passed last week, effectively putting the kibosh on bosses contacting employees out of hours.

For some, this is a signal victory, enforcing the proposed human right to leave work to work hours and simply switch off at the end of the day or over the weekend. Unions are all for it, and many European countries already have similar laws on the books.

However, for every voice for the right to switch off your work phone out of hours, there’s one that says it is a serious blow to productivity. Some conservative commentators, such as Andrew Bolt, have even gone so far as to label the laws a sign of Australia’s decline.

============
============

But the debate’s a hot one within cyber security circles, where those out-of-hours calls could be part of mitigating a cyber attack. Hackers don’t stick to nine-to-five hours, so it’s argued that cyber security professionals should be similarly on call.

That’s what Stuart Low, founder and chief executive of open data specialists Biza.io, explained.

“In theory, the new ‘right to disconnect’ legislation that will give employees an enforceable right to refuse contact from their employer out of hours unless they are paid for it is great for mental health and promoting work/life balance,” Low admitted. “However, despite taking into account factors like the reason for contact, the level of contact, compensation, job role and responsibility, and workers’ personal circumstances in deciding what is reasonable contact from an employer, this legislation lacks insight into industry-specific challenges and any crisis situations affecting thousands of people, such as a telco power outage or a data breach.”

“With incidents like data breaches, time is of the essence to limit the damages and the impact on potentially millions of users. In the case of a data breach taking place on a Friday evening, for example, any organisation simply cannot afford to wait until start-of-business Monday for highly qualified engineers of various specialisations to respond and start to address the incident. The damages would be phenomenal and exponential relative to response time, significantly decreasing the chances an organisation could recover in terms of financial loss, reputational damages and potential fines.”

For instance, according to the Australian Signals Directorate’s Australian Cyber Security Centre, there is a hard 12-hour deadline for reporting a “critical cyber security incident”. Lesser incidents need to be reported within 72 hours. Any incident taking place, as Low suggested, on a Friday could well make these after-hours calls essential.

“We applaud the intention behind the new proposed legislation; however, more work needs to be done in order to make the bill beneficial to all industries,” Low said. “Moreover, what is considered ‘reasonable contact’ needs to be clearly defined so organisations, employers and employees are all protected under this new legislation.”

Nick Flude, chief marketing officer at Sekuro, feels differently and points out that for many cyber security professionals, out-of-hours activity is baked into the job at a contractual level and, therefore, not an issue under the new laws.

“The right to disconnect bill is correct in drawing the line between the nature of some roles and the unfair and unpaid nature of out-of-hours tasks and expectations,” Flude told Cyber Daily. “However, the cyber security, and many other tech industries, run 24x7 with a salary and an employment contract that recognises and fairly remunerates staff who are expected to be ‘on call’ or provide emergency support.”

“This is very different from a ‘can you do this before Monday, or can you come in an hour early and help set up for…’ request, which is often unpaid. I think that’s the bigger issue.

“For organisations that do send messages out of hours, many managers will state this isn’t urgent and it does not need to be replied to out of hours. And of course, there are many who don’t, and this bill will help them fight that overreach.”

With Opposition Leader Peter Dutton promising to repeal the laws should the LNP return to power, we’re sure the debate over the right to disconnect will continue.

What do you think? Leave us a comment below to let us know.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.