‘Job huggers’ are a new cybersecurity problem

One CSO says disengaged employees are more likely to fall for phishing emails and report security issues too late.

Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.

Working hard or hardly working?

For job huggers—people who cling to their current role even if they aren’t fully happy in that position—the answer is the former. However, job hugging is a little more nuanced than it might seem, and a little more risky for cyber pros.

A recent report from job search platform Monster, based on a survey of 1,004 US employees, found that 48% of workers are considered job huggers. Thomas Vick, a senior regional director at management consulting company Robert Half, told IT Brew the behavior is driven by economic uncertainty, with employees staying in their current roles out of fear.

“If you had the Great Resignation on one end of the spectrum, now we’re operating on the other end where people are a lot more cautious,” Vick said.

What does that have to do with cybersecurity? Job huggers may seem like an obvious issue for HR professionals and managers who want more productivity out of their teams, but some cybersecurity professionals believe the growing trend may also lead to a rise in insider threats. Ivanti CSO Daniel Spicer told IT Brew a disengaged employee does the “bare minimum” at their job…and for many, that doesn’t include cybersecurity best practices.

“They’re more likely to fall for a phishing email,” Spicer said. “They’re more likely to consider or accept an offer to share credentials or access to a third-party for ransomware.”

Other risky behaviors from unenthusiastic employees include being less likely to report security issues right away or paying less attention to software patches, according to Spicer.

“The weakest part of any security program is still people, and disengaged people are just that much weaker of the link,” he said.

Rajan Koo, CTO of insider risk management company DTEX, said that, when interviewed after an incident, malicious insiders often felt professionally stagnant or disengaged.

“Just because somebody is disgruntled, just because they’re stuck in their job and they’re not moving to another job, doesn’t necessarily mean they’re going to be a malicious insider,” Koo said. “But it is often a precursor for those that do become malicious insiders.”

Koo referenced Mitre’s concept of bidirectional loyalty, when employees and employers have a “positive mutual reliance” on one another, as especially relevant in the job-hugging era.

“They’re not happy in their current job and a lot of the time, that disgruntlement increases and that loyalty towards the company decreases and…it can be a recipe and a precursor for a range of things, whether that be non-malicious or malicious types of insiders,” said Koo.

Pulse check. Vick told IT Brew that job huggers can be hard to identify “if you’re not having regular communication as to what the career goals of that individual are” or what they want to learn.

What should a cybersecurity expert do if they suspect job huggers are present in their workforce? Spicer told IT Brew they could start by looking at employee engagement surveys within their organization, something he pays a lot of attention to. An IT Brew poll of 201 readers found that over one-third (35%) of professionals use engagement surveys in some capacity to gauge insider threats within their organization. The remaining two-thirds (65%) said they either don’t review or care for these workplace surveys or don’t use them to determine potential insider threats.

“Obviously, any good engagement survey doesn’t out an individual, but if I see a weakness in a particular department…that’s something that I need to have a conversation with my peers,” he said.

Koo added that when organizations detect a disengaged employee, that doesn’t automatically mean they should give them the boot. Instead, he suggests that companies spend time reengaging that employee.

“That’s the right time to be even more loyal to that individual, especially if they’re somebody who you feel is doing their job.”
