Why ‘quiet quitting’ could fuel the next major cybersecurity breach

Only one-third of people describe themselves as engaged at work, while the U.S. workforce is less productive than it was a year ago. Much has been written about the potential for “quiet quitting” to negatively impact the economy and business performance, yet there’s another major consequence that’s being overlooked: increased cybersecurity risk.

Employees who’ve “quiet quit” their jobs are likely to be either burned out or checked out, making them more prone to mistakes that could jeopardize cybersecurity. Human error is the number one cause of breaches, and research shows employees are more likely to make these mistakes when they’re distracted or fatigued.

While they may seem minor, these mistakes — like sending an email to the wrong person or falling for a phishing scam — can have major consequences. Almost one-third of businesses lost customers after an email was sent to the wrong person, and just last month UK interior minister Suella Braverman resigned after making an email mistake that jeopardized confidentiality. Meanwhile Uber’s recent headline-making breach started with a simple phishing scam. This puts organizations at major risk for a cybersecurity incident.

Business leaders must understand the impact of quiet quitting on insider risk (malicious or not), and take steps to help prevent it from turning into a costly data breach.

A perfect storm of stress and quiet quitting

So-called “quiet quitters” make up half the U.S. workforce, according to some estimates. These employees are described as disengaged from their work, often because their needs aren’t being met, and doing the minimum required for their role.

This detachment from work could be caused by factors like return-to-work mandates or other resentments, but the impact of stress and burnout can’t be ignored. According to an ADP poll, 67% of people said they experience stress at work at least weekly, while one in seven said they feel stressed at work every day. Employees’ high stress levels, combined with disengagement from their jobs, could pose significant security risks to the organization.

In Tessian’s report studying the link between psychological factors and falling for phishing scams, 52% of employees said they make more mistakes when they’re stressed. This is why cybercriminals play on stress and fear in their scams. They send phishing emails late in the day while peoples’ guards might be down; they send urgent, time-sensitive requests that look like they’ve come from the CEO; they even take advantage of high-stress situations like looking for a job, student loan forgiveness and tax season to trick people.

Amid this combination of employee burnout and sophisticated cyber threats, it’s not a matter of if an employee will click a malicious link or fall for a phishing scam, it’s when. Nearly 60% of organizations experienced data loss due to an employee’s mistake on email in the last year. Organizations must be prepared for this insider risk.

For CISOs, quiet quitting isn’t an option

Given this increased risk of vulnerability, security teams are more important than ever to help safeguard an organization. Unfortunately, these teams are facing high levels of burnout and more pressure than ever as cyberattacks become more advanced. A report from Tessian found that CISOs are working more overtime than in past years. Eighteen percent of CISOs said they work 25 extra hours a week, which is twice the amount of overtime that they worked in 2021.

Security leaders are also having trouble unplugging from their jobs. Three-quarters report being unable to always switch off from work, while 16% say they can rarely or never switch off. CISOs don’t have the luxury of quiet quitting. The stakes have never been higher for cybersecurity, with the average cost of a data breach reaching a record $4.35 million. Stress and distraction take their toll: Not only are fatigued employees more likely to make mistakes, but security professionals when overworked may be less likely to spot the signs of a breach.

To defend against today’s threats, organizations must strengthen company-wide cybersecurity culture.

Engage every employee in cybersecurity

Virtually all IT and security leaders surveyed by Tessian (99%) agreed that strong cybersecurity culture is important to maintaining a strong security posture. Unfortunately, the quiet-quitting trend may be leaving employees disengaged from cybersecurity as well as from their day-to-day jobs. One in three employees said they don’t understand the importance of cybersecurity at work. A quarter said they don’t care enough about cybersecurity to report an incident.

To combat this, organizations must engage employees as parts of the solution. A strong cybersecurity culture is one where every employee — not just the security team — plays an active role in safeguarding an organization. Everyone must take responsibility for flagging suspicious activity, alerting security teams to potential breaches and avoiding cybersecurity mistakes. This makes it crucial to implement a simple, accessible incident reporting system, like an email alias or a phone number employees can contact.

It’s also important to train employees on the latest advanced threats and how they might be targeted, using real-world examples. One-size-fits-all training is not enough to stand up to today’s personalized and sophisticated attacks. Cybersecurity training should be tailored to individual factors such as a person’s role, geographic location and the types of data they handle.

By taking these steps, organizations can help counteract the impact of quiet quitting on cybersecurity and take the pressure off an overworked security team.

Tim Sadler is CEO of Tessian.