Silent But Deadly: The Cybersecurity Risks of Quiet Quitting

Half the nation is practicing “quiet quitting,” and while headlines are being made about its negative impact on businesses, it’s also a cybersecurity risk. Quiet quitting isn’t just a workplace phenomenon that needs to be thwarted, it is a security risk that requires a cultural shift to fix. According to Gallup, “quiet quitters,” workers who are detached and do the minimum required as part of their roles, make up at least 50 percent of the U.S. workforce. One could argue that quiet quitting translates to a 50 percent increase in cyber threats.

The top motivations behind whether an employee quietly quits are lack of recognition and advancement opportunities, low pay and feeling disrespected at work, according to a Pew Research Center survey, and burnout is one of the most hazardous security risks. Burnout isn’t just needing an extra cup of coffee to get through the day – it’s a state of physical and emotional exhaustion and a breeding ground for human error. Critical mistakes are more often made when disengaged, checked out or overtaken by the lethargy absorbed by burnout and human error is the number one reason for cyber breaches. 43 percent of people claimed to have experienced workplace burnout, and while it may not be intentional, it poses an incredible security risk to any company whose employees fall on the wrong side of those statistics.

In fact, a large amount of data breaches last year involved the human element or human error, and this is something that leaders can’t afford to ignore. And, the Great Resignation, showed that employees are not afraid to walk away when they are burnt out.

The main behavior employees present when quiet quitting is simply choosing to disengage and cease going above and beyond, all in an effort to meet the minimum requirements of their job description. This attitude could eventually lead to a “reverse snowball effect” in productivity, causing them to accomplish even less than the bare minimum and overlooking seemingly dull yet critical tasks. Most businesses, if not all, have strict cybersecurity initiatives in place, including regular software and hardware updates. Employees that quietly quit could find these updates mundane or even insignificant and disregard them all together thus becoming negligent in the viewing of sensitive data, overlooking incoming and outgoing network traffic ultimately putting a large amount of data at risk.

Unmotivated lapses in attention or little consideration for monotonous yet critical tasks are certainly side effects of quiet quitting but likely not driven by intent. The dangers that lie with quiet quitters are those that are angry or resentful toward the company and its working conditions. Studies show that nearly one in 10 employees will exfiltrate data over a six-month period, and they’re much more likely to leak sensitive information in the two weeks before they actually resign.

Employees can also copy company data, save it as an email draft, and retrieve it later via a personal device. A third-party browser may also use VPN, which can make it fairly easy to exfiltrate data by circumventing security controls.

“It’s important to be aware of quiet quitting, so a quiet quitter doesn’t become a loud leaker. Leading indicators for quiet quitting include an individual becoming more withdrawn becoming more apathetic towards their work,” Forrester VP Principal Analyst Jeff Pollard, told VentureBeat. “If those feelings simmer long enough, they turn into anger and resentment, and those emotions are the dangerous leading indicators of insider risk activity like data leaks and/or sabotage.”

This resentment is birthed through the initial reasons why someone would quietly quit, so for companies to minimize the threats associated with quiet quitting, they must first consider what is causing employees to disengage in the first place. Employers that don’t understand how to motivate and retain employees and long-winded company issues that are not met head-on will eventually lead to employee resentment. And a work-life balance is not enough to secure your business.

Only investing in your employees – and their health and wellbeing – as much as you invest in business resources will solve the root problem and in turn, minimize the cybersecurity risks that can easily be avoided.

The author, Gabriel Sanchez is the Director of Industrial Security Operations Center (SOC) at 1898 & Co.