‘Quiet quitting’ poses a cybersecurity risk that calls for a shift in workplace culture 

Check out the on-demand sessions from the Low-Code/No-Code Summit to learn how to successfully innovate and achieve efficiency by upskilling and scaling citizen developers. Watch now.


Are your employees mentally checked out from their positions? According to Gallup, “quiet quitters,” workers who are detached and do the minimum required as part of their roles, make up at least 50% of the U.S. workforce. 

Unengaged employees create new security risks for enterprises as it only takes small mistakes, such as clicking on an attachment in a phishing email or reusing login credentials to enable a threat actor to gain access to the network. 

Considering that 82% of data breaches last year involved the human element or human error, security leaders can’t afford to overlook the risks presented by quiet quitting, particularly amid the Great Resignation, where employees expect greater work-life balance. 

Quiet quitting and insider threats 

While quiet quitting and under-engaged employees constitute an insider risk, they’re not necessarily a threat. Gartner draws a distinction between the two by arguing that “not every insider risk becomes an insider threat; however, every insider threat started as an insider risk.” 

Event

Intelligent Security Summit

Learn the critical role of AI & ML in cybersecurity and industry specific case studies on December 8. Register for your free pass today.

Register Now

Under Gartner’s definition, every employee, contractor or third-party partner can be considered an insider risk if they have credentials to access to corporate systems and resources, because they have the ability to leak sensitive information and intellectual property. 

As a result, organizations need to be prepared to prevent insider risks from growing into threats that leak regulated data. Part of that comes down to identifying those employees that have checked out. 

“It’s important to be aware of quiet quitting, so a quiet quitter doesn’t become a loud leaker. Leading indicators for quiet quitting include an individual becoming more withdrawn becoming apathetic towards their work,” Forrester VP Principal Analyst Jeff Pollard. 

“If those feelings simmer long enough, they turn into anger and resentment, and those emotions are the dangerous leading indicators of insider risk activity like data leaks and/or sabotage,” Pollard said.

Unfortunately, employee-facilitated data leaks are exceptionally common. A recent report released by Cyberhaven found that nearly one in 10 employees will exfiltrate data over a six-month period. It also found that employees are much more likely to leak sensitive information in the two weeks before they resign. 

CISOs and security teams can’t afford to overlook this threat either, due to the prolonged damage caused by insider incidents, which Ponemon Institute estimates take an average of 85 days to contain and cost organizations $15.4 million annually. 

Considering work-life balance 

Of course, when addressing quiet quitting, it’s important to remember that it’s often difficult to draw the line between employees who are pursuing greater work-life balance, and those that have checked out and are acting negligently. 

“While the term [quiet quitting] is conveniently alliterative and ripe for buzzworthyness, underneath it’s problematic and requires further definition. Are employees who are content with their current position and maintaining reasonable work-life boundaries quitting?,” said Tessian CISO, Josh Yavor.

“A large portion of “quiet quitters may actually be some of our safest and most reliable employees, so let’s redefine “quiet quitters” as only those who are wilfully disengaged and apathetic but staying just above the thresholds that would potentially lead to their dismissal,” Yavor said. 

When looking to mitigate the threats caused by that minority of disengaged and apathetic employees, it’s important not to assign blame, but to consider that their working environment itself could be toxic, with unreasonable expectations and deadlines or even workplace bullying and harassment. 

In this sense, quiet quitting isn’t just a challenge for security teams to address, but requires a company-wide effort to support employee wellness and work-life balance. The problem is that this can be immensely challenging remote working environments with lack of clear separation between an employee’s home and professional life. 

Mitigating insider risks in remote working environments 

In remote and hybrid working environments, CISOs and other enterprise leaders need to be proactive about supporting employees to ensure that they’re not at risk of stress and burnout.  

“While quiet quitting is a relatively new term, it describes an age-old problem — workforce disengagement,” said CISO of (ISC)2, Jon France. 

“The difference this time around is that in a remote work environment, the signs may be a little harder to spot. To prevent employees from quiet quitting, it is important for CISOs and security leaders to ensure and promote connection and team culture,” France said. 

To help maintain a fulfilling working environment, France recommends that leaders should have regular check-ins with their teams to maintain a strong work culture, providing access to regular social events and activities. This can help employees to feel more engaged in their work. 

At the same time, it’s important to ensure that employees aren’t being overburdened with work that can lead to burnout. Active communication with employees is critical for teams to ensure that employees are engaged and comfortably handling the tasks they’re expected to complete. 

Addressing human risk 

In addition to improving employee engagement, security leaders should also look to mitigate human risk throughout the organization to reduce the likelihood of data leaks. 

One of the simplest solutions is to implement the principle of least privilege, ensuring that employees only have access to the data and resources they need to perform their function. This means if an unauthorized user does gain access to the account or they attempt to leak information themselves, the exposure to the organization is limited. 

Another approach is for organizations to offer security awareness training to teach employees security-conscious behaviors, such as selecting a strong password and educating them on how to identify phishing scams. This can help to reduce the chance of credential theft and account takeover attempts. 

When implementing security awareness training, SANS Institute suggests that the program should be managed by a full-time dedicated individual, such as a Human Risk Officer or Security Awareness and Education Manager that sits within the security team and reports directly to the CISO. 

This individual can take charge of helping the organization to identify, manage, and measure human risk in all its forms and kickstart cultural change. 

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.

Advertisement