Quiet quitting poses a cybersecurity risk that requires a shift in work culture


Are your employees mentally checked out from their positions? According to Gallup, “quiet quitters,” workers who are psychologically disengaged and do the bare minimum required of their roles, make up at least 50% of the American workforce.

Disengaged employees create new security risks for businesses, because it only takes a small mistake, such as clicking on an attachment in a phishing email or reusing login credentials, for a threat actor to gain access to the network.

Considering that 82% of data breaches last year involved the human element or human error, security leaders cannot afford to overlook the risks of quiet quitting, especially amid mass layoffs and rising employee expectations of better work-life balance.

Quiet quitting and insider threats

While disengaged and under-engaged employees pose an insider risk, they are not necessarily an insider threat. Gartner draws a distinction between the two, asserting that “not every insider risk becomes an insider threat; however, every insider threat started as an insider risk.”

By Gartner’s definition, any employee, contractor or third-party partner who holds credentials to access your company’s systems and resources can be considered an insider risk, because they have the ability to leak sensitive information and intellectual property.

As a result, organizations must be prepared to prevent insider risks from growing into threats that leak regulated data. Part of that comes down to identifying the employees who have checked out.

“It is important to be aware of quiet quitting, so that quiet quitting does not become loud leaking. Leading indicators of quiet quitting include a person becoming more withdrawn and apathetic toward their work,” says Forrester VP Principal Analyst Jeff Pollard.

“If these emotions simmer long enough, they turn into anger and resentment, and these emotions are the dangerous leading indicators of insider risk activity such as data leaks and/or sabotage,” Pollard said.

Unfortunately, employee-facilitated data leaks are exceptionally common. A recent report released by Cyberhaven found that nearly one in 10 employees will exfiltrate data over a six-month period. It also found that employees are much more likely to leak sensitive information in the two weeks before they resign.

CISOs and security teams also cannot afford to ignore this threat, due to the long-term damage caused by insider incidents, which the Ponemon Institute estimates take an average of 85 days to mitigate and cost organizations $15.4 million annually.

Consider work-life balance

Of course, when addressing quiet quitting, it’s important to remember that it’s often difficult to draw the line between employees striving for better work-life balance and those who have checked out and are acting carelessly.

“While the term [quiet quitting] is practically alliterative and ripe for buzzworthiness, it is problematic and requires further definition. Are employees who are satisfied with their current position and maintain reasonable work-life boundaries quiet quitters?” said Tessian CISO Josh Yavor.

“A large number of ‘quiet quitters’ may actually be some of our safest and most reliable employees, so let’s redefine ‘quiet quitters’ as only those who are intentionally disengaged and apathetic but stay just above the thresholds that could potentially lead to dismissal,” Yavor said.

When looking to mitigate the threats posed by this minority of disengaged and apathetic employees, it is important not to jump to blame, but to consider that the work environment itself may be toxic, with unreasonable expectations and deadlines, or even bullying and harassment in the workplace.

In this sense, quiet quitting is not only a challenge for security teams to address, but requires an enterprise-wide effort to support employee well-being and work-life balance. This can be especially challenging in remote work environments, where there is often no clear separation between an employee’s home and professional life.

Reduce insider risk in remote work environments

In remote and hybrid work environments, CISOs and other business leaders must be proactive in supporting employees to ensure they are not at risk of stress and burnout.

“While quiet quitting is a relatively new term, it describes an age-old problem: workforce attrition,” said (ISC)2 CISO Jon France.

“The difference this time is that in a remote work environment, the signs can be a little harder to spot. To prevent employees from quietly quitting, it’s important for CISOs and security leaders to ensure and foster connectivity and team culture,” France said.

To help maintain a satisfactory work environment, France recommends that managers hold regular check-ins with their teams and sustain a strong work culture that offers regular social events and activities. This can help employees feel more engaged in their work.

At the same time, it is important to ensure that employees are not overloaded with work that can lead to burnout. Active communication between managers and employees is essential to ensure that employees are engaged and comfortable handling the tasks they are expected to complete.

Address human risk

In addition to improving employee engagement, security leaders should also look to reduce human risk across the organization to reduce the likelihood of data leaks.

One of the simplest solutions is to implement the principle of least privilege, ensuring that employees have access only to the data and resources they need to perform their job. This means that if an unauthorized user gains access to an employee’s account, or the employee tries to leak information themselves, the organization’s exposure is limited.

Another approach is for organizations to offer security awareness training that teaches employees security-conscious behaviors, such as choosing strong passwords and recognizing phishing scams. This can help reduce the chance of identity theft and account takeover attempts.

When implementing security awareness training, the SANS Institute suggests that the program be managed by a dedicated full-time individual, such as a Human Risk Officer or Security Awareness and Education Manager, who sits on the security team and reports directly to the CISO.

This individual can take responsibility for helping the organization identify, manage and measure human risk in all its forms, and for kick-starting cultural change.
