Quiet quitting is an increasingly common workplace trend. It has caused many business owners to become concerned about productivity levels. But it’s also important to consider another side effect of the practice: quiet quitting can be a security risk.
If somebody is putting less effort into their day-to-day activities, mistakes are going to happen and best practices are not likely to be implemented. Some types of quiet quitting can also cause insider threats.
So how does quiet quitting interact with cybersecurity and what should be done about it?
What Is Quiet Quitting?
Quiet quitting is the practice of doing as little as possible at work while still fulfilling the requirements of your position. If a quiet quitter is given specific tasks, those tasks will still be performed but often without enthusiasm or any unnecessary effort.
Somebody who is practicing quiet quitting still turns up for work and therefore isn’t likely to be fired. Quiet quitting is often referred to as doing the opposite of going above and beyond. Instead, a quiet quitter works on what is strictly required and won’t put effort into anything else.
Why Is Quiet Quitting a Security Risk?
Any professional organization invests significant resources into cybersecurity. Online threats are constantly increasing and the importance of adequate defenses in terms of both security posture and security software is now well known.
Despite these efforts, however, many security incidents are caused not by hackers, but by employees. Employees who cause security incidents, either maliciously or accidentally, are known as insider threats. And quiet quitters are significantly more likely to become one.
Insider threats are notorious for being difficult to stop because the vast majority of security is concerned with external actors rather than those who are actually employed by a business. And while the prevalence of this can be reduced through training, it isn’t always possible to control.
Why Is Quiet Quitting Indicative of Insider Threats?
If somebody is doing as little as possible at work, mistakes are more likely to happen. An employee not taking due care and opening the wrong email attachment is the most obvious example.
Employees not paying attention and not following security procedures is problematic enough but quiet quitting can also suggest the presence of insider threats who are acting deliberately.
The motivation of deliberate insider threats varies widely, but they are typically disgruntled employees who don’t like their work very much and take action either to harm a business out of spite or to simply make a profit.
Quiet quitting is potentially the most obvious sign that an employee is disgruntled. Any employee stealing confidential information or otherwise taking action to harm a business is unlikely to follow security procedures or put much attention into their day-to-day tasks.
The idea that an insider threat would take on any additional work without being asked is equally illogical.
Quiet Quitters Aren’t Always a Security Risk
It’s important to note that quiet quitting is often carried out for the purpose of having a better work-life balance. There is obviously nothing wrong with this idea and somebody seeking such a balance isn’t necessarily a security risk.
Being a quiet quitter doesn’t automatically mean that assigned work isn’t being performed properly. There’s a big difference between not doing unnecessary work and doing necessary work poorly.
Many quiet quitters also have nothing against their employer and may even like their work. Assuming that all quiet quitters have ulterior motives is therefore not recommended.
The problem facing businesses is how to distinguish between somebody who simply wants a better work-life balance and somebody who is putting a business at risk either accidentally or on purpose. Here are a few potential questions to ask.
- Are core responsibilities being performed properly? If primary tasks are being performed well, quiet quitting is less likely to cause significant problems.
- Is the employee planning on being at the organization for a long time? Employees who are planning on quitting are more likely to become insider threats.
- Has anything happened which could cause a grudge? Deliberate insider threats often occur after an employee has been treated unfairly.
- Are employees encouraged to have an adequate work-life balance? If employees tend to be overworked, quiet quitting may be a normal reaction.
How to Protect Against Insider Threats
Understanding whether a business is facing insider threats isn’t easy. Quiet quitters, and other types of insider threats, don’t advertise their intentions. There are, however, many ways that a business can protect against insider threats by simply limiting their capacity to cause harm. Here are a few tips.
Implement Policies of Least Privilege
Under a policy of least privilege, users of a network are only given the privileges required to perform their assigned tasks. If a user doesn’t need access to a particular part of a network, they aren’t given access to it. This significantly reduces the ability of a rogue user to cause harm.
Provide Security Training
Training should be provided that illustrates the harm caused by failure to follow security procedures. If a user knows that downloading the wrong email attachment can cause a ransomware attack, they are likely to pay significantly more attention.
Monitor User Behavior
The threat posed by deliberate insider threats can be reduced by monitoring the behavior of all users on a network. Suspicious behaviors include attempting to access private information, copying such information unnecessarily, and logging into the network using personal devices.
Quiet Quitting Is a Security Risk All Businesses Should Understand
Quiet quitting is performed for a variety of different reasons and the risk associated with the practice varies widely. A quiet quitter who is performing their work properly is not necessarily a security risk. Despite this, it’s important to understand that other types of quiet quitters can prove problematic. This includes both the employee who isn’t paying attention to security procedures and those who are actively seeking to harm a business.
Any business that is witnessing this workplace trend should understand the potential threat posed and take precautionary measures against it.