Rising Risk: The Escalating Menace of Insider Threats in Small To Medium Size Businesses

News
POSTED ON 20-March-24

The typical perception is that insider threats are generally portrayed as undercover operatives or double agents who steal crucial knowledge from huge, technologically advanced corporations. James Bond films effectively set the stage for this attitude.


However, insider threats are much more widespread than many people realise. Their effects on small and medium-sized enterprises (SMEs) can be catastrophic.


Take the example of the largest municipal fraud in American history when Rita Crundwell stole over $53 million of public funds across two decades in office as the City Comptroller and Treasurer for Dixon, Illinois, a town with a population of just 16,000.

What are insider threats?

To start with, let's define insider threats. An insider is anyone with authorised access to your corporate assets. This insider could be an employee, a former employee, a contractor, a trusted third party, a partner, or a vendor.


An insider threat can be described as someone with authorised access who intends to cause harm to an organisation's information and other sensitive assets.

Types of insider threats

Insider threats can be broken into two groups: malicious and non-malicious.

What distinguishes them is intent: a malicious insider has a motive.

  • Malicious threats are those that intend to cause harm and negatively affect their organisations.
  • Non-malicious (accidental) are those people who, through their actions, unknowingly (without intention) cause harm.

What are the most significant threats facing SMEs?

Here are some of the more troubling threats that SMEs must be aware of.


  1. Workplace embezzlement

Embezzlement is the misuse or theft of company funds or company property. There are a variety of ways that an employee or business owner can steal or misappropriate resources:

  • Stealing money from cash registers
  • Cashing customer checks
  • Overbilling customers
  • Forging payments
  • Faking vendor payments
  • Stealing customer credit card details
  • Stealing cash
  • Stealing office supplies
  • Stealing tax funds / returns
  • Using company resources to start/run their business

Employee embezzlement can have significant and wide-ranging impacts on an organisation:

  • Financial loss
  • Reputation damage
  • Operation disruptions
  • Legal consequences
  • Loss of productivity


  2. Workplace theft

Employee theft manifests in diverse forms and complexities, from the misuse of company time for personal activities to more intricate forms of dishonesty.

  • Time theft
  • Data theft
  • Financial theft
  • Customer theft
  • Identity theft
  • Software theft
  • Hardware theft
  • Inventory theft
  • Services theft

Workplace theft can significantly impact an organisation's financial health, reputation, and overall functioning, similar to workplace embezzlement.

Here are some statistics that you should know:

  • 34% of fraud cases in small businesses are internal/employee-related (Verizon Report – Very Small Business Cybercrime Protection Sheet)
  • 22% of small business owners have had employees steal from them (Business.org)
  • 88% of employee theft cases include attempts to hide the fraud (Association of Certified Fraud Examiners: Occupational Fraud 2022)
  • Small businesses are more likely to deal with check and payment tampering and skimming than other businesses (ACFE)


What can you do to mitigate the risks?

While it’s essential to understand how devastating insider threats can be, there is a way to reduce the risk for your organisation.


Some essential points

  1. Insider threat is a business problem, not a technology problem. You are dealing with people's behaviour.
  2. It is essential to realise that every organisation is unique, and the type of threats it faces will be different due to the type of assets it holds and the strategies it tries to execute.
  3. Protecting everything is a useless goal. While perhaps it's not impossible, it is economically impractical and will likely impede important business initiatives.


Concept of the three-legged chair

Principle of three legs: protecting yourself, your family, or your organisation from insider dangers rests on just three concepts, like the three legs of a stool. A stool with a missing or broken leg will not support you.


1. You must accurately judge trust

  • Begin with the hiring process – Companies should verify a candidate's character, capabilities and skill set with thorough background checks.
  • Establish clear security policies – Set and enforce company policies. Employee behaviour will be shaped by the company's safety standards and expectations.
  • Nurture cyber awareness within the organisation – Increase cyber and insider threat awareness. Staff should receive regular training to identify external and internal cybersecurity dangers to the firm.
  • Have strict offboarding procedures. Terminating employee accounts soon after they leave is vital because former employees pose various dangerous insider threats.
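The offboarding point above is the one most easily checked mechanically: compare the HR leaver list against the accounts that are still enabled. The following is an added example, not code from the original post; the record layout (user, last day, enabled flag, last login) and the grace window are assumptions, and the sample data is constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical): a leaver list as HR would export it,
# and an account export as the identity provider would produce it.
LEAVERS = [
    {"user": "alice", "last_day": date(2024, 3, 1)},
    {"user": "bob",   "last_day": date(2024, 3, 15)},
    {"user": "carol", "last_day": date(2024, 3, 19)},
]

ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": date(2024, 3, 18)},  # left 1 Mar, still active and in use
    {"user": "bob",   "enabled": False, "last_login": date(2024, 3, 14)},  # disabled as it should be
    {"user": "carol", "enabled": True,  "last_login": date(2024, 3, 19)},  # left yesterday, inside the grace window
    {"user": "dave",  "enabled": True,  "last_login": date(2024, 3, 20)},  # current employee, not on the leaver list
]

GRACE_DAYS = 1  # assumed: how long after the last day an account may still be enabled


def stale_leaver_accounts(leavers, accounts, today, grace_days=GRACE_DAYS):
    """Return one finding per leaver whose account is still enabled after the grace period.

    Each finding records whether the account was used after the person's last
    day, which is the case that needs attention first. Findings are sorted with
    the most overdue account at the top.
    """
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for leaver in leavers:
        acct = by_user.get(leaver["user"])
        if acct is None or not acct["enabled"]:
            continue  # no account, or already disabled: nothing to do
        deadline = leaver["last_day"] + timedelta(days=grace_days)
        if today <= deadline:
            continue  # still within the agreed offboarding window
        used_after = acct["last_login"] is not None and acct["last_login"] > leaver["last_day"]
        findings.append({
            "user": leaver["user"],
            "days_overdue": (today - deadline).days,
            "used_after_leaving": used_after,
        })
    return sorted(findings, key=lambda f: f["days_overdue"], reverse=True)


if __name__ == "__main__":
    for finding in stale_leaver_accounts(LEAVERS, ACCOUNTS, today=date(2024, 3, 20)):
        print(finding)
```

Run on a schedule, a report like this turns "terminate accounts soon after they leave" into something that is measured rather than assumed; the `used_after_leaving` flag separates a forgotten account from one that is actively being used after departure.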

2. You must accurately judge access

  • Know your critical assets – Inventorying your assets is crucial for implementing the required security controls and policy measures to protect them.
  • Enforce strict access controls on what people can do – Organisations should use stringent password and account management policies and practices to prevent insiders from compromising user accounts.
  • Enforce separation of duties – Separation of duties requires dividing functions among multiple people to limit the possibility that one workforce member could steal information or commit fraud.
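Separation of duties is easiest to see in the vendor-payment case listed under embezzlement earlier: the person who raises a payment must not be the person who approves it, even if their role technically grants both rights. The following is an added example, not code from the original post; the role names, rights and the ledger structure are assumptions, and the users are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


class SeparationOfDutiesError(Exception):
    """Raised when one person attempts both halves of a two-person control."""


# Constructed role assignments (hypothetical); a real system would read these
# from the directory or the finance application's role configuration.
ROLES = {
    "erin":  {"payments.create"},
    "frank": {"payments.approve"},
    "grace": {"payments.create", "payments.approve"},  # holds both rights, may still not approve her own
}


@dataclass
class VendorPayment:
    payment_id: str
    vendor: str
    amount: float
    created_by: str
    approved_by: Optional[str] = None


class PaymentLedger:
    def __init__(self, roles):
        self.roles = roles
        self.payments = {}

    def _require(self, user, right):
        # Access control: the user must hold the right at all.
        if right not in self.roles.get(user, set()):
            raise PermissionError(f"{user} lacks {right}")

    def create(self, payment_id, vendor, amount, user):
        self._require(user, "payments.create")
        if payment_id in self.payments:
            raise ValueError(f"payment {payment_id} already exists")
        payment = VendorPayment(payment_id, vendor, amount, created_by=user)
        self.payments[payment_id] = payment
        return payment

    def approve(self, payment_id, user):
        self._require(user, "payments.approve")
        payment = self.payments[payment_id]
        # Separation of duties: holding the approve right is not enough;
        # the approver must be a different person from the creator.
        if user == payment.created_by:
            raise SeparationOfDutiesError(
                f"{user} created payment {payment_id} and may not approve it")
        if payment.approved_by is not None:
            raise ValueError(f"payment {payment_id} is already approved")
        payment.approved_by = user
        return payment

    def is_releasable(self, payment_id):
        """A payment may be paid out only once it carries an approval from a second person."""
        payment = self.payments[payment_id]
        return payment.approved_by is not None and payment.approved_by != payment.created_by


if __name__ == "__main__":
    ledger = PaymentLedger(ROLES)
    ledger.create("P-1", "Acme Supplies", 2500.0, user="erin")
    ledger.approve("P-1", user="frank")
    print("P-1 releasable:", ledger.is_releasable("P-1"))
```

The point of the `approve` check is that it is independent of the role model: a small business often has one or two people who legitimately hold every finance right, and the control still holds because it compares people, not permissions. The `is_releasable` check is what the payment run would consult, so a record that somehow skipped approval is also stopped.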

3. You must be vigilant

  • Anticipate and manage risky behaviour – Ensure clear and consistent communication with your workforce about acceptable workplace behaviour to avoid any unexpected negative situations.
  • Pay attention to possible insider threat indicators – One of the most effective ways to reduce the risk of insider attacks is to monitor employee behaviour for known threat indicators. 
  • Maintain good cybersecurity hygiene – Practising strong cyber hygiene goes a long way towards protecting your business from insider threats and deterring would-be bad actors in the first place.
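"Monitor employee behaviour for known threat indicators" needs a baseline to compare against; two common indicators are a sudden jump in the volume of records a person touches and activity well outside their normal hours. The following is an added example, not code from the original post; the log format, the business-hours window and the spike factor are assumptions, and the log lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample access log (hypothetical format): timestamp, user, and the
# number of customer records the user exported in that session.
LOG_LINES = """\
2024-03-11T09:15:00 user=bob records=120
2024-03-12T10:02:00 user=bob records=95
2024-03-13T11:40:00 user=bob records=130
2024-03-14T09:05:00 user=bob records=110
2024-03-15T23:48:00 user=bob records=4200
2024-03-11T09:30:00 user=dave records=80
2024-03-12T14:10:00 user=dave records=75
2024-03-13T15:00:00 user=dave records=90
2024-03-14T16:20:00 user=dave records=70
2024-03-15T10:00:00 user=dave records=85
"""


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append({
            "time": datetime.fromisoformat(timestamp),
            "user": fields["user"],
            "records": int(fields["records"]),
        })
    return events


def flag_indicators(events, spike_factor=5, business_hours=(7, 19)):
    """Flag user-days that show a volume spike and/or off-hours activity.

    The per-user baseline is the median of their daily totals, so a single
    abnormal day does not drag the baseline up and hide itself.
    """
    totals = defaultdict(lambda: defaultdict(int))
    off_hours = set()
    for event in events:
        day = event["time"].date()
        totals[event["user"]][day] += event["records"]
        if not (business_hours[0] <= event["time"].hour < business_hours[1]):
            off_hours.add((event["user"], day))

    findings = []
    for user, per_day in totals.items():
        baseline = median(per_day.values())
        for day, total in sorted(per_day.items()):
            reasons = []
            if total > spike_factor * baseline:
                reasons.append("volume_spike")
            if (user, day) in off_hours:
                reasons.append("off_hours")
            if reasons:
                findings.append({
                    "user": user,
                    "date": day.isoformat(),
                    "records": total,
                    "baseline": baseline,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in flag_indicators(parse_events(LOG_LINES)):
        print(finding)
```

A finding here is a prompt for a conversation, not a conclusion: the same pattern appears when someone legitimately works late on a migration. What the check gives a small business is a consistent, explainable trigger rather than relying on a colleague happening to notice.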

Takeaway

Insider threats pose a persistent risk for small to medium-sized businesses, challenging the misconception that obscurity provides security.


SMEs, often seen as easier targets due to weaker defences, limited threat awareness, and resource constraints, face significant consequences from security breaches, including higher proportional costs, customer loss, damaged brand confidence, and potential business decline.


In safeguarding against insider threats, adopt a proactive approach, acknowledging that security measures are not foolproof. Consistent attention to detail and adaptability to evolving business dynamics are essential for effective protection. Consider the three-legged stool analogy.