Latest news with #StuartRose

Working from home is here to stay — if workers get their way

Times, 21-05-2025, Business

The former M&S boss Stuart Rose deemed that staff working from home were 'not doing proper work', while Lord Sugar branded them 'lazy gits'. But as business chiefs line up to lambast the work from home trend, workers themselves appear ever more determined to maintain their new work-life balance. Research has found that the majority of employees in the UK would refuse to comply with full-time return-to-the-office mandates. The study, by the Global Institute for Women's Leadership at King's College London and King's Business School, analysed more than a million observations from the government's labour force survey and 50,000 responses from the Survey of Working Arrangements and Attitudes UK. The analysis showed that only 42 per cent of workers would agree to return to

How working from home made Britain a sitting duck for cyber attackers

Yahoo, 01-05-2025, Business

Former M&S boss Lord Stuart Rose has long branded himself an 'unreconstructed get-back-to-work man', claiming the practice of working from home is damaging both the economy and employees' wellbeing. Now, the 76-year-old businessman may have another reason to oppose remote working – with the arrangement possibly putting one of Britain's best-loved retailers, and his former employer, at the mercy of hackers. Since Easter weekend, M&S has been reeling from a major cyber attack that has paralysed online orders, disabled contactless payments in-store, and wiped nearly £700 million off its market value. And M&S is not the only retailer that has been subjected to such an attack. Earlier this week, the Co-op said it was having to fend off hackers and, on Thursday evening, luxury department store Harrods said they had 'recently experienced attempts to gain unauthorised access to some of their systems'. In a statement, the store added: 'Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites.' Harrods said all its stores remained open and it is unknown if the three attacks are related. Though M&S bosses have yet to reveal the cause, questions are mounting over whether the hackers were able to penetrate the multibillion-pound firm's cyber defences through one of its remote workers. It would not be a surprise as for years security experts and intelligence agencies have warned that hackers are targeting remote workers as the weakest link in the chain in a company's digital infrastructure. Indeed, just last year the retailer – which is understood to allow staff to work two days a week at home – warned in its annual report that WFH was increasing its exposure to cyber attacks. But why? 
The answer is simple – computers in most corporate offices have a vast array of tough defences installed to keep bad actors out, from firewalls to secure internet routers, all of which are kept under close watch by the on-site security team. Yet such protection wanes as soon as staff are out the revolving doors. Suddenly, the onus falls instead on the employee, whether it's keeping their devices updated or being vigilant when using unsecured public WiFi while working in cafes. A survey by Malwarebytes Lab, carried out around six months after the first Covid lockdown, found one in five businesses had faced a security breach as a result of a remote worker. Four years later, a poll by Absolute Security in 2024 revealed three out of four bosses still believed staff working from home was their 'biggest weakness' when trying to defend against cyber attacks. Experts believe M&S was infected by a ransomware called Dragonforce, a malicious software that locks a user out of their computer or network and scrambles the data – with the criminals demanding a fee to unlock it. In its rush to contain the attack, M&S bosses quickly moved to lock remote-working staff out of the company's internal IT systems. But could these remote workers have also been the crucial weakness that let the hackers in? To infect a computer, hackers need to find a chink in digital defences – and staff working from home can often be easy prey. A common target is through a virtual private network (VPN), used by remote employees to securely connect to their office networks. Such software is only useful if it's kept up-to-date and uses multi-factor authentication, which requires several forms of verification to access. In 2021, investigators traced the huge ransomware attack that took down the Colonial Pipeline – which supplies 45 per cent of United States' fuel on the East Coast – to an old version of a VPN account commonly used by remote employees. 
The same year, a hacker gained control of the Oldsmar water treatment plant in Florida, and tried to poison the supply by increasing the chemical content, through a remote access software called TeamViewer. All the plant's computers were using the same password for remote access, and were running on an outdated Windows operating system. In other words, both were ripe for exploitation. In 2022, an alert by the Five Eyes intelligence alliance warned that the Microsoft software, Remote Desktop Protocol (RDP), that linked 'millions' of Britons to their company networks, was 'one of the top ways' Russian hackers could potentially gain a crucial foothold within critical infrastructure, from the NHS to nuclear power stations. Yet often, the real weakness is not a system flaw but the people behind the systems – either the security team or the employees themselves. One of the most popular methods of gaining unauthorised access is 'social engineering', which involves tricking humans into compromising their security. Such tactics were used in the attack on Twitter in July 2020 when a 17-year-old boy was able to gain access to 130 celebrity Twitter accounts – including Barack Obama, Kim Kardashian, and its future owner Elon Musk – to promote a Bitcoin scam. An investigation by the New York State Department of Financial Services found the teen had 'directly exploited Twitter's shift to remote working' by calling up employees and pretending to be from the IT department to get access to the internal systems. Earlier this week it was revealed the Met Police are investigating whether the M&S attack was carried out by a hacking collective called Scattered Spider. The group first appeared in 2022 and have already been linked to more than 100 targeted attacks, including US casino operator Caesars, which paid over £11 million to restore its network. 
Unlike the majority of such gangs, who are generally based in places such as Russia, the group are English-speaking and known to include UK and US citizens, some as young as 16. Their motivation is said to be as much about bragging rights as money. According to the FBI, the group's modus operandi is tricking people into letting them into their systems, from impersonating IT staff to 'sim swapping', a tactic in which a fraudster persuades their victim's mobile provider to transfer the phone number to a sim card under their control. 'Scattered Spider have been linked to dozens of attacks over the last few years and their clever tactics often target the human element,' Jake Moore, global security advisor at cybersecurity software company ESET, tells The Telegraph. Moore points to remote workers in particular as a potential target. 'Working from home adds yet another attack entry point which has limited control.' He reveals how, as a test, he once hacked into the work account of a superintendent simply by calling the Police HQ help desk. 'They asked me two security questions, which were easy to find out the answers to online – vehicle registration and shoulder number – and then I was able to convince them I was the superintendent and had forgotten my password after being on holiday for two weeks. 'They reset the password to a new string of text and gave me the password over the phone. I then logged in and had full access to the police networks. At this point I made the chief constable aware of this vulnerability.' The heightened danger of WFH on M&S's cybersecurity is not a view shared by all however. 'That's total BS as far as I'm concerned,' says Ciaran Martin, ex-chief executive of the UK's National Cyber Security Centre (NCSC). 'I don't have a strong view on either side of the culture war, but it's not a thing, so far as I understand the details in this incident specifically. 
'I was head of the NCSC when lockdown one happened, and I was stunned at how little rise there was in cyber harm when we went on an unplanned, short-notice experiment in home working. Turns out the bring your own device security and other remote working things we'd been doing for years before 2020 worked pretty well. We have many systemic problems in cyber security but remote working isn't on my list!' But the NCSC is clearly aware of the vulnerabilities, saying in an advisory note published in April 2020 that 'the surge in home working has increased the use of potentially vulnerable services… amplifying the threat to individuals and organisations'. Often, remote workers are the first in line to have their access removed from internal systems when there is an attack – suggesting security teams are wary of the threat. As it battled to contain damage from its cyber attack, on Wednesday, Co-op told staff they could no longer log on to the company's IT system from home, a 'proactive measure' it explained after detecting 'third parties' trying to break in over the weekend. Indeed, experts warn the threat to companies from remote work is only rising with the advent of generative AI, the technology behind chatbots. Not only is it making social engineering easier, both in terms of scale and its believability, but it is also inadvertently giving away vast swathes of confidential company data to third parties that in-house security teams have no ability to protect. 'Hybrid work has made enforcing security standards a minefield,' says Arkadiy Ukolov, co-founder of Ulla Technology. 'Employees increasingly rely on AI-powered tools such as ChatGPT – often outside corporate oversight – unaware that these systems may quietly harvest client data to train their models. This opens doors to data leakages where third parties gain access to very sensitive information.' 'The risk isn't theoretical – it's happening in the background, right now,' he adds. 
In response, the London-based firm has developed an AI-powered assistant that can be integrated into a company's infrastructure to keep the data private. 'The most vulnerable industries are the legal sector, government departments and the NHS. 'Their employees manage highly sensitive information such as intellectual property, corporate secrets and medical documents on a daily basis. For them, poorly managed hybrid working systems pose an existential security threat.'

Why working from home stigma is bad for workers and businesses

Yahoo, 28-01-2025, Business

Does working from home count as 'proper' work? According to Stuart Rose, the former boss of Marks & Spencer (MKS.L) and ASDA, it does not. Speaking recently on BBC One's Panorama, Rose, who was the chief executive of M&S and then the executive chair of Asda, claimed remote work has harmed productivity. 'We are creating a whole generation and probably a generation beyond that of people who are used to actually not doing what I call proper work,' he commented, sparking anger among remote workers. Half of UK workers work from home for at least part of the week now. And contrary to Rose's opinion, multiple studies show flexible work — including fully remote and hybrid options — is beneficial to both workers and organisations. In a survey of 1,026 people by the International Workplace Group, respondents reported feeling less drained (79%), less stressed (78%) and less anxious (72%) as a result of part-time home-working. While some corporate leaders say remote work is a Covid-era privilege that only benefits workers, research suggests that when home-workers are properly supported, productivity can rise — bringing bottom-line benefits for businesses. But as the culture war surrounding remote work grinds on, one key problem persists — stigma. Flexible work, including remote work and flexible hours, is the only way many people can remain in the workforce. It can be a lifeline for working parents, disabled workers, neurodivergent workers, those with caring responsibilities and more. Yet 'flexibility stigma' — a biased attitude against remote workers — is still prevalent. 'The recent push-back from some employers to roll back on hybrid and remote work is unhelpful, and risks undoing some of the gains that have been made in this area since the pandemic,' says Rebecca Florisson, principal analyst at the Work Foundation think tank at Lancaster University. 
'For many, remote work is not a 'nice to have' but a key element to their ability to get into and remain in work,' she says. 'Ultimately, there is no convincing evidence that remote and hybrid working is affecting companies' productivity or bottom line. Given the government's aim to support more workers into the workforce and grow the economy, access to flexible working is a key lever to achieve this.' Often, stigma stems from psychological perceptions surrounding remote work. For example, proximity bias is founded on the idea that we work better with people who are physically closer to us. It's the false assumption that employees who work in the office — where managers can see and hear them — are more productive than their remote peers. Although this is untrue, it often leads those in positions of power to treat workers who are physically closer to them more favourably. 'There may be a preference within the business to make opportunities more suitable for office-based staff,' says career coach Jennie Bayliss, founder of Mantralis. 'It may be an unconscious or conscious bias towards inhouse staff to make promotions or key projects available to the office team, due to the perception that remote workers are less visible or committed.' The negative effects of stigma can be extremely detrimental for workers and businesses. 'Home workers may be working longer hours to prove themselves committed, which may lead to burnout, increased stress, and worse mental health,' says Bayliss. 'It can be pretty demoralising to feel like you have to keep justifying your value whilst feeling guilty and isolated.' For employers, treating remote workers poorly can lead to decreased employee morale, hinder talent acquisition, limit career advancement opportunities for remote workers, and impact productivity. If workers decide to quit, a high turnover can be costly in terms of both time and money. And a poor reputation can make it difficult to attract new skilled employees. 
However, offering flexibility and ensuring remote workers are treated fairly can attract a wider range of workers from different backgrounds. Treating remote workers equally also levels the playing field for workers to progress. And diversity isn't just a moral imperative — companies in the top quartile for board-gender diversity are 27% more likely to outperform financially than those in the bottom quartile. Supporting workers who work flexibly pays off for employers. This includes prioritising open communication and regular check-ins, to make sure everyone is included and has the opportunity to raise questions or concerns. Providing the necessary tools and technology, as well as showing people how to use them, is also essential. For managers, being aware of ingrained biases like proximity bias is important. For example, before sending out a meeting invite, double check that you've not forgotten any remote workers. If you're deciding on a promotion and have someone in mind, make sure it's because of their skills, experience or hard work — not their in-office location. 'Consultation and training is the key to success — where managers are supported and trained to lead hybrid teams, and where workers have the right equipment in place to do work in different locations,' says Florisson. Danny Stacy, UK head of talent intelligence at Indeed, adds: 'What flexible working looks like will differ between industries and individual businesses, but the good news for employers is that different forms of flexibility are gaining popularity. Not every business is able to offer remote work, for example, and could instead put into place a shortened work week or flexi-time. 'Organisations who believe in flexibility and want to ingrain this in their culture must ensure that senior employees lead by example, so workers at all levels feel empowered to follow suit.' 

Four-day working week adopted by more than 200 UK companies

The Independent, 27-01-2025, Business

More than 200 UK companies have made the permanent switch to a four-day working week with no loss of pay, marking the latest milestone in the campaign to change the way British people work. The companies range from marketing agencies, IT firms and consultancies to those in the charity sector, and collectively employ more than 5,000 people. Joe Ryle, campaign director of the 4 Day Week Foundation, said the five-day working week was 'invented 100 years ago and is no longer fit for purpose'. Instead, his organisation is pushing for a four-day week with the same pay and benefits as those working five out of every seven days. He said: 'As hundreds of British companies and one local council have already shown, a four-day week with no loss of pay can be a win-win for both workers and employers.' 'With 50% more free time, a four-day week gives people the freedom to live happier, more fulfilling lives.' The latest landmark signals growing popularity for less onerous working patterns at a time when large corporations are forcing their employees to return to the office full-time. US investment bank JP Morgan and tech giant Amazon have demanded staff come back to the office every day despite having allowed hybrid working patterns for the last five years since the Covid-19 pandemic. And former Asda and Marks & Spencer chief executive Lord Stuart Rose claimed earlier in January that remote working does not amount to 'proper work'. The 4 Day Week Foundation's campaign, by contrast, aims to promote people's wellbeing over hours spent at work. Marketing and press relations firms made up 30 of the companies adopting the policy, while charities, non-governmental organisations and social care companies accounted for 29. 
They were followed by 24 in technology, IT and software, while 22 companies in the business, consulting and management sector have also offered four-day weeks to their workers. A new poll by Spark Market Research suggested that 78% of 18 to 34-year-olds believe a four-day working week will become the norm within five years, while 65% said they do not want to see a return to full-time office working. Spark managing director Lynsey Carolan said that '18 to 34 (year-olds), the core workforce of the next 50 years, are making their feelings known that they don't intend to go back to old-fashioned working patterns. 'This group also say that mental health and improving their overall wellbeing are their top priorities, so a four-day week is a really meaningful benefit and a key enabler of their overall quality of life.' It comes after South Cambridgeshire District Council brought in the four-day system for some staff. The trial for desk-based staff was introduced at the start of 2023, before it was expanded to include people working in its waste collection service.
