Silent Threat: Disengagement and Cybersecurity
Research now shows that disengaged employees are a key risk to cybersecurity.
Are you managing this emerging threat?
The Hollywood cliché
According to Hollywood, the threat to our cybersecurity looks something like this.
"We just need to hack the mainframe!"
It's a cliché so well known that compilations of the best movie mainframe scenes exist on YouTube.
The silent threat
Yet, the realities of cybersecurity in the corporate world unveil a far less cinematic, but equally potent silent threat.
We'll call him Brian from Accounts, and he's indifferent to the potential havoc he might wreak.
The Hollywood illusion vs. reality
While Hollywood often paints a picture of external IT threats breaking through formidable cybersecurity measures, the truth is that internal human vulnerabilities can be equally, if not more, perilous.
It's why you'll already have a whole range of employee strategies to minimise that vulnerability, including:
- Regular employee security training
- Secure email policies and practices
- Mobile device management
- Secure password and sign-in management
- Employee offboarding procedures
While at most organisations this list will be comprehensive and thorough, one human factor is very easy to overlook.
What about Brian?
Picture this: Brian is in Accounts, typing away at his workstation, seemingly absorbed in his tasks.
However, beneath that façade of routine, there's an alarming lack of concern for the organisation's cybersecurity.
- had been allowed to work from home, but has now felt forced to come back to the office?
- doesn't feel like he has a voice in the organisation, or that anyone listens to his ideas?
- has lost valued teammates through layoffs and now feels stressed and overworked?
Whatever the reason, he's become disengaged.
What is disengagement?
Disengagement is all about workplace needs not being met.
In fact, Harvard goes further, describing disengaged employees as those who "lack motivation and inspiration...they don’t put in any extra effort to help the organisation reach its goals. They are often absent, have low energy, and exhibit a bad attitude."
The danger of disengagement
You'd be forgiven for starting to think this sounds like a problem for HR. But the repercussions extend beyond a mere dip in morale, attitude or productivity.
A disengaged employee like Brian can inadvertently become the weak link in your cybersecurity chain.
Why? It's that general lack of care and attention from a disengaged employee that can increase the chance of them:
- overlooking security protocols
- compromising sensitive information
- falling prey to social engineering tactics
As you know, even the smallest misstep in one of these areas can then lead to a full-blown security breach, data leak or compromised system.
A risk that won't go away
So how big is the problem of disengaged employees? Well, big enough to coin new workplace terms that have gone viral online.
You might already be aware of "quiet quitting", where employees essentially do the bare minimum, but we now have "loud quitting" too.
In a recent HRD article, this was described as where "disengaged employees take actions that directly harm the organisation, undercutting its goals and opposing its leaders."
Key findings in the Gallup State of the Global Workplace: 2023 Report included:
- 67% of Australian workers are not engaged
- 11% of Australian workers are actively disengaged
- The majority of the world's employees are quiet quitting
So it looks like Brian is not alone in feeling a degree of disengagement, and this cybersecurity threat needs to be actively managed.
Bridging the gap
Addressing the threat of disengagement requires a shift in perspective from everyone.
We need to remember that despite cutting-edge technology, humans, and particularly disengaged ones, often remain the weakest link in the security chain. It's imperative to foster a culture of vigilance, visibility and awareness on this issue by allocating time and budget to minimise the risk.
For example, do you have any real-time data on the levels of engagement, i.e. risk, across your teams, division and organisation?
Real-time visibility and insights
To address the disengagement dilemma, many organisations are already deploying tactics from multiple angles:
- Ensuring leaders have high levels of real-time visibility into how engaged their teams are
- Building employee engagement by regularly asking people for their ideas and insights into what's working and what's not
- Taking action on these employee insights to quickly remove blockages and frustrations
- Keeping risk front of mind by actively prompting employees for anonymous, specific insights on this metric
You can imagine how disengagement reduces as more and more unspoken issues are raised and addressed.
Within a team, we might call this managing reality.
For example, after using Teamgage in this way, Tom Upitis, Associate Director IDS Risk at Flinders University, suggests that "the metrics keep us in touch with reality and support our commitment to authenticity, transparency, and trust in everything we do. Teamgage has given everyone a voice, and the opportunity to influence how we continuously evolve and improve." Sarah Leo, CEO of Resonate Consultants, confirms that "Teamgage gives our teams a space to add anonymous comments and observations that are otherwise hard to raise."
The domino effect of engagement
So creating a more open and inclusive work environment fortifies against the cybersecurity threats that come with disengagement, and it has a positive cascading effect too.
Engaged teams are more likely to perform better and proactively surface potential risks while they're at it. This helps to foster a collaborative approach to addressing vulnerabilities before they escalate.
As Steve Burnell, Senior Organisational Development Specialist at NEC Australia found, "insights provided help business leaders and business partnering teams identify and address issues early, delivering a positive outcome for staff engagement and business performance."
So what's next?
Organisations must find a way to come together to ensure that employee disengagement is continuously monitored, minimised and improved.
As the saying goes, "The chain is only as strong as its weakest link," and in cybersecurity, that link is undeniably human.
Their name is Brian and they need to be engaged.