Most small business owners understand and appreciate the risks a cyber attack can bring. However, few are prepared to contemplate that their issues may start from their side of the firewall with insider threats.
Well-meaning individuals are a common target in cyber attacks. An educated, observant workforce is considered the best defense against online attacks. However, with the importance of security training only now entering the corporate mainstream, 95% of successful cyber attacks can be traced back to human error.
What may take many entrepreneurs by surprise is that a significant proportion of these attacks originate from within. Few owners can fathom the possibility that one of their employees might go rogue. However, it does happen, and in companies of all sizes.
These insider threats aren’t solely limited to those with an axe to grind, either. Internally compromised website security spans both malicious and negligent actions.
Being a smaller company brings both benefits and drawbacks in this context. With fewer employees, there’s less likelihood of a rogue individual. Smaller organizations also foster cultures of team spirit and togetherness, with no single employee seeking to let the side down.
Conversely, small businesses are more centralized. Fewer people have broader access to data and systems than they might in a larger organization. One compromised employee from a team of 10 with a single password can equate to giving away the keys to the kingdom.
The majority of small business owners believe that they are an unlikely target for a cyber attack. That alone makes them a target. While humans often prove the weakest link, automated bots seek out potential weak points at low cost and high efficiency. When the attack originates from inside the business, the antagonist already has what they need to achieve their goals.
Types and Examples of Insider Threats
The nature of insider threats means that it’s essential to be aware of and, wherever possible, prepared for a wide variety of potential breaches. Even the smallest companies can’t operate without granting employees access to data and systems, and access is all they need if they have malicious intentions.
Data Breaches and Leaks
Customer data is valuable. In some cases, it is worth more than it costs to convince employees to acquire and distribute it. Unfortunately, this results in embarrassment for the company involved, a fall in consumer confidence in a brand, and, depending on where it happens in the world, hefty fines for the organization.
In 2020, two Shopify employees accessed and copied personally identifiable information related to approximately 200 merchants on the platform. When the breach came to light, the brand’s stock price fell by 1.27%.
While rarely a cause for concern in smaller businesses, the risk of insider trading highlights the vulnerabilities and attractiveness of financial information.
Even some of the world’s largest companies are not immune. The mighty Amazon suffered in this way when a finance manager was found to have used internal tax information to inform family members of likely stock price adjustments.
Malware and Ransomware
When most business owners think of cyber attacks, ransomware and malware are the first things that come to mind. Malicious software can be challenging to place on well-protected corporate networks, but insiders have all the access they need to cause issues.
This example covers both malicious and negligent insider threats. An erroneous attachment download can be all it takes to set off a chain reaction on a company network. For those with bad intentions, manually adding a file to the network is sufficient for ransomware and malware to get to work.
One of the most famous examples was ultimately unsuccessful, which restores some faith in the virtue of employees. A Russian national offered a Tesla employee $1 million to deploy malicious software on the car maker’s network but was unceremoniously turned down. The loyal team member even played a pivotal role in the subsequent Department of Justice investigation.
The Insider Threat to Small Businesses
Each of the above examples shares something in common – multi-billion-dollar market caps. So why should small businesses worry?
With thousands of successful cyber attacks every day, not all of them make the news. When it happens to a big brand, reporters have an angle, and there is public interest. Unfortunately, attempted attacks on businesses with under 50 employees are so common that there aren’t enough journalists out there to cover them all.
It would be remiss to consider any business immune. A solvent business usually involves both cash flow and data. That’s more than enough to attract the attention of a potential hacker, whether inside or outside the organization.
Appreciating the Insider Threat Risk
Most small business owners know all their employees on a personal level, and there is a certain degree of trust. Discounting that trust based on a hypothetical situation is not the correct course of action. However, it is vital to understand the risks.
The riskiest of all are privileged and accredited employees. IT workers and senior managers boast the kind of widespread system access that could prove valuable. The latter also have greater access to confidential information.
Regular employees can also be a risk, but less so than their privileged counterparts.
It’s also essential not to overlook the potential risks associated with temporary workers, contractors, and employees in the supply chain.
Understanding the Potential Damage
A successful cyber attack is never pleasant for those on the receiving end. However, an inside job can be particularly damaging. Bosses and colleagues have to cope with the stress of an errant colleague, no matter whether the breach was negligent or malicious. The former is emotionally easier to deal with, so business owners can take solace in the fact that a relatively meagre 14% of insider threats are malevolent.
Most small businesses divert the cybersecurity resources they have, if any, to preventing attacks from the outside. As a result, the majority have no plan for what to do if the worst happens, let alone active defenses.
Fortunately, that does not mean that smaller companies must remain defenseless.
Protecting Your Business Against Insider Threats
Even with the resources of Amazon and Shopify, cyber threats represent a genuine concern. Many believe that it is impossible to fully protect against them, especially when unpredictable humans enter the equation.
Nevertheless, there are steps that businesses of all sizes can take to limit their potential exposure.
Upgrade Automated Defenses
One in three small businesses relies on free cybersecurity software or nothing at all. Both carry similar levels of threat protection. Investment in technical security should be commensurate with the value of what’s protected. When 60 percent of small businesses fail after falling victim to a cyber attack, that value is incredibly high.
Ringfence Sensitive Data
Many small businesses have an open-door policy in terms of data. However, unscrupulous actors can’t share what they can’t access. Policies limiting access only to information required to perform a role cannot eliminate insider threats, but they can reduce their effectiveness.
Plan for the Worst
Planning for adverse outcomes is never fun, but it is time well spent for peace of mind and recovery. Of course, every business is different, but a plan could involve cutting off network connections in the event of a software infection or having a list of people to contact in the event of a data breach.
Consult Cybersecurity Professionals
The potency of cybersecurity is now mainstream, but the concept remains in its infancy. There is no shame in a business owner admitting that they’re unsure of the implications. However, there are experts out there who can foster a defensive culture as new threats arise.
Vervology’s passion for electronic security drove the creation of our Vervology.Care plans, and we’d be delighted to discuss not only keeping your website secure but what cybersecurity as a whole means for your business and how to ensure you remain protected.
Contact us today for personalized insight into keeping your business safe from threats so you can focus on what you do best.