Insider Threats: A Big Fear for Small Businesses

In the list of things that keep SMB leaders awake at night, insider threats rate at the top. Here’s why this threat is far bigger for smaller companies.

A recent report finds that more than half (58 percent) of small-to-medium-sized business (SMB) executives are “more concerned about suffering a major data breach than a flood, a fire, a transit strike, or even a physical break-in of their office.” Most think the dreaded data breach will come from within rather than through an outside attack. That’s a surprise to many who think of SMBs as tight, family-like environments where everyone knows your name and loyalties run strong. Unfortunately, plenty can go wrong with that idyllic picture.

Breaking Up is Hard to Do

According to the AppRiver report, SMBs are more concerned about attacks from disgruntled ex-employees than from nation-states, competitors, rogue hacking groups or lone-wolf hackers. Breakups with employees who felt strong emotional ties to the company are often hard on both parties. But managing the aftermath is almost an impossible task for many SMBs.

“Small businesses often have limited IT resources, and lack confidence in their own firm grasp on exactly what the disgruntled ex-employee possessed in terms of IT access. So the SMBs fear what they don’t know the ex-employee may or may not have,” said Troy Gill, Senior Security Analyst at AppRiver. “They often lack the control and expertise to ensure that the ex-employee has had their permissions comprehensively denied. Also, there are often cases where some ex-employees had actual ownership of company assets.”

Without the necessary controls in place, SMBs are in extreme danger from insider threats in general, as well as from revenge attacks by disgruntled ex-employees. So, too, are the larger companies that partner with the SMB or buy from it as a client.

“SMBs hold valuable data and potential connections to larger organizations. Fraudsters target SMB data to gain access to other organizations, such as through unprotected connections within a supply chain. Recall that the Target data breach of 2013 was instigated through a small HVAC company,” said Rich Scott, chief commercial officer at EZ Shield, an identity protection service.

The loss of a valued client and of hard-won approved-vendor status are only some of the losses SMBs incur after a data breach.

“The impact of security breaches on SMBs is more substantial than for larger organizations. The costs to the business are proportionately higher. Lost customers. Lost brand confidence. Lost future business. Lost proprietary IP. Lost vendor relationships,” said David Kirkdorffer, vice president of marketing at Cygilant.

From Rogue Hacktivist Marauders to Competitor Espionage

While disgruntled ex-employees scare SMBs the most, they are not the only threat SMBs worry about at night.

“The second most concerning group of common cybercriminals to all SMBs are rogue hacktivist groups. When looking at SMBs of different sizes, leaders in larger SMBs with 150 to 250 employees tend to be more concerned about competitors targeting their intellectual properties,” Gill said.

A large part of SMBs’ unease over the possibility of a data breach stems from their own general unreadiness, which they fear will contribute to a catastrophic event. According to the report, 61 percent of all SMBs and 70 percent of large SMBs believe cyberhackers have more sophisticated technology at their disposal than the SMBs’ own cybersecurity resources.

Security Technologies vs. Cybersecurity Insurance

Almost half of the SMBs surveyed in the AppRiver report believe a major data breach would “shut down their business permanently.” But this outsized fear doesn’t necessarily correlate with a smaller business size; the fear level actually increases among the larger businesses in this group. A majority (66 percent) of large SMBs, defined as those with 150 to 250 employees, fear a data breach over any of the more traditional natural or manmade disasters.

Their fear is not unfounded. “Today, 6 in 10 U.S. SMBs go out of business within six months of a successful cyberattack,” Gill said.

With that being the case, one would think SMBs would be quick to buy more security software and appliances. But many SMBs don’t hold much hope that buying more security technology can make their organizations much safer.

“SMBs without a prior background in security or risk management are overwhelmed by the fog of more. There are more threats, more news stories, and more breaches every year,” noted Kayne McGladrey, IEEE member and director of security and IT at Pensar Development. “This goes hand in hand with the increasing number of vendors, solutions and buzzword technologies. There’s a fear that an SMB will buy the solution that solves a problem defined by a venture capitalist and not address a genuine threat to their business.”

In a desperate attempt to protect their companies, some SMBs put their faith in cyberinsurance rather than in new technologies.

“With regard to insurance, and again dependent on how SMB is defined, policies are fairly readily available at premiums starting in the low thousands of dollars for a $1 million limit. The potential benefits of embedded incident response mechanisms are substantial, even apart from the limits of coverage provided,” said Josh Ladeau, executive vice president, global head of cyber and tech E&O at Aspen Insurance.

“As many of these organizations have never experienced a breach, and often do not have dedicated internal personnel, they are much less likely to have access to the caliber of resources and established response protocol that cyber policies can provide,” he added. “Beyond the response aspects of some cyber policies, some carriers offer meaningful pre-incident products and services that an SMB can leverage to supplement their internal privacy-related policies and improve their overall security position.”

However, it’s likely a mistake to rely only on either insurance or tech. The best defense posture for SMBs often includes both. Relying on one or the other can lead to fatal overconfidence and related missteps.

“Cyber insurance may promote moral hazards, where companies feel they don’t have to invest in cyber security because ‘the insurance will cover it’ if they get hacked,” warned Mike Baker, founder and principal at Mosaic451, a managed cyber security service provider (MSSP). “Yet, even the most robust policy will not cover all of a business’s losses after an attack. It may not cover regulatory fines, and it won’t cover all of the losses incurred if a business has to scale back operations or even temporarily shut down in the wake of an attack.

“Cyber policies also generally don’t cover ransomware attacks that can be traced back to malicious insiders, such as rogue employees or disgruntled third-party vendors,” he said.

Pam Baker