(January 12, 2023) As the pandemic caused a fundamental shift in how and where we work, it also prompted many employees to reconsider why they work. This has resulted in the phenomenon known as “quiet quitting,” in which employees perform only the minimum requirements of their jobs. They don’t go in early, and they don’t stay late. They don’t attend meetings unless those meetings are mandatory. And they’re not really engaged.
There is limited data on the scope of quiet quitting, although anecdotal evidence suggests it’s widespread. However, cybersecurity experts agree that quiet quitting and the Great Resignation have led to an increase in insider threat incidents.
In Kroll’s “Q3 Threat Landscape: Insider Threat the Trojan Horse of 2022,” the risk consulting firm found that 35 percent of all unauthorized access incidents were related to insider threats. That’s the highest level the company has ever reported. Kroll analysts found a direct correlation between insider threats and both quiet quitting and the Great Resignation.
Disgruntled employees are more likely to steal data or take steps to undermine an organization’s operations. According to research by the DTEX i3 Team, about half of employees leave the company with information on projects they worked on, and 12 percent take sensitive data on projects they were not involved in.
The Human Error Element
Insider threats are rarely malicious in intent, however. They usually result from employees who unintentionally mishandle sensitive data or commit policy violations with “workarounds” that bypass the IT process. A number of common behaviors are known to create risk: failing to log off computers, using unsecured public Wi-Fi networks, sending files to personal email accounts, downloading data to an external drive or memory stick, and writing down passwords.
Quiet quitting tends to increase these types of threats because mistakes are more likely to happen. Employees who only do the minimum may not pay close attention to email links or attachments, for example. All it takes is one person opening a malicious attachment to create a security incident. Employees who aren’t engaged are also less likely to abide by security policies and follow proper procedures, putting systems and sensitive data at risk.
Cybercriminals have already been targeting remote workers because they lack many of the protections typically provided in a secure office environment. Kroll reports rising rates of phishing and credential-stealing malware in 2022, suggesting that hackers are taking advantage of the quiet quitting trend as well.
Employee education and training programs can help organizations combat insider threats. However, a single webinar or PowerPoint presentation won’t do much to modify employee behavior. Security training must be repeated regularly to produce lasting behavioral changes. It also needs to be interactive and engaging so that employees pay attention and retain what they have learned.
Organizations should also follow least-privilege access principles, only giving employees access to those resources they need to do their jobs. This can help prevent the spread of malware, reduce the risk that hackers will gain access to sensitive systems, and minimize data loss. Of course, it’s important to rapidly disable all access when an employee leaves the company.
When developing an insider threat strategy, a good place to start is by partnering with a managed services provider (MSP). An MSP with a strong security practice can assess your environment and recommend tools and procedures for reducing the risk of insider threats.
Risky behaviors of less-engaged employees are creating insider threats that compromise the overall security of their organizations, according to a number of recent studies and surveys. Whether inadvertent or intentional, these behaviors have contributed to an increase in cyber threats. An MSP can help you mitigate insider threats and keep your business secure and productive.
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region including managed technology services and consulting, custom software development and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.