Rising Risk: The Escalating Menace Of Insider Threats In Small To Medium-Sized Businesses

When considering insider threats, the familiar mental image often involves envisioning an undercover operative or a double agent with a singular objective: The covert extraction of sensitive information from large and technologically advanced corporations. The portrayal of such scenarios in James Bond films effectively establishes the backdrop for this perception.

However, insider threats are much more widespread than many people realise.

While we may think that large organisations are the perfect target for such scenarios, small to medium-sized businesses (SMEs) also suffer the consequences of a breach of trust.

In fact, insider threats pose a serious risk in any business environment, but they can be disastrous for SMEs.

Take the Example of the Largest Municipal Fraud in American History

What happened?

Rita Crundwell stole over $53 million of public funds across two decades in office as the City Comptroller and Treasurer for Dixon, Illinois, a town with a population of just 16,000.

She used the funds to build one of the nation’s leading quarter horse breeding empires and threw lavish parties for community leaders at her home, all while the town endured cuts to public staff, emergency services budgets, and work on maintaining public infrastructure.

In 2012, after a close colleague turned whistleblower finally uncovered her scheme and alerted the Mayor, the FBI arrested Crundwell as the largest municipal fraud perpetrator in American history.

Questions

  • How did Rita Crundwell steal over $37,000 daily from a town with an annual budget of around $6 million?
  • How could such embezzlement go undetected in annual audits by two independent accounting firms and in annual audit reviews by state regulators?
  • How did local residents not become suspicious of Crundwell’s extravagant wealth and frivolous spending?

Feature film

This story has turned into a feature film called “All the Queens Horses” and tells the story of Rita Crundwell, the perpetrator of the largest case of municipal fraud in American history.

When business owners focus towards safeguarding their enterprises, the primary emphasis is frequently placed on countering cybersecurity threats.

Cyberattacks like phishing, social engineering, malware and other direct cyber assaults aimed at compromising the integrity of business computer systems are a vital concern.

However, not all threats originate from outside your organisation. Insider threats are a real security risk, and there are many types that you should be aware of if you want to ensure your business is protected.

This article will examine why SMEs must proactively identify hidden dangers to their business.

What Are Insider Threats?

To start with, let’s define insider threats.

An insider is anyone who has or had authorised access to your business assets. This insider can be your employee, a contractor, a former employee, a trusted third party, a partner, a vendor, or even a former employee.

Insider threat can be defined as the potential for an individual who has or had authorised access to an organisation’s assets to use their access, either maliciously or unintentionally, to act in a way that could cause harm to the organisation’s assets.

Types Of Insider Threats

Insider threats can be broken into two groups: Malicious and non-Malicious.

What makes them different is the intention. There is a motive.

  • Malicious threats are those that intend to cause harm and negatively affect their organisations.
  • Non-malicious (accidental) are those people who, through their actions, unknowingly (without intention) cause harm.

Malicious Insider Threats

The principal goals of malicious insider threats include espionage, fraud, intellectual property theft, sabotage and misuse of information. They intentionally abuse their privileged access to steal information or degrade systems for financial, personal and/or malicious reasons.

What motivates people to intentionally cause harm to their organisation? The most simplistic explanation that the community tends to talk about is “MICE”, which can be explained as follows:

  1. M for Money: This refers to individuals motivated by financial gain. Insider threats driven by the desire for monetary rewards may involve theft, fraud, or the unauthorised sale of sensitive information.
  2. I for Ideology: Individuals motivated by ideology are guided by strong beliefs or convictions. Insider threats in this category may arise when employees align themselves with a particular ideology or cause that conflicts with the organisation’s interests.
  3. C for Coercion: Coercion involves using force, threats, or other pressure to compel individuals to act against their will. Insiders may become threats if they are coerced into compromising the organisation’s security.
  4. E for Ego: Ego-driven motivations involve individuals seeking recognition, status, or personal satisfaction. Insider threats with ego motivations may manifest as employees who attempt to prove their capabilities, challenge the system, or seek revenge for perceived slights.

Non-malicious Threats

Although “malicious insider threats” tend to be the subject of newsworthy media stories, most insider incidents are caused accidentally through carelessness, negligence, or ignorant actions.

  • Negligence refers to taking those who do not take reasonable care or fulfil a duty of care. Such people may disregard safety protocols or rush through their jobs without reasonable care, which can harm themselves or their organisation. For example, someone who clicks on a link or opens a malicious attachment.
  • Carelessness refers to a lack of attention that results in mistakes or accidents. For example, someone who may leave sensitive information lying around.
  • Ignorance refers to someone making poor decisions and failing to follow the rules or guidelines due to a lack of knowledge or awareness about a particular situation.

Common Examples of Unintentional Insider Threats:

  • Clicking on malicious phishing links
  • Opening up malicious attachments
  • Falling for social engineering attacks
  • Send confidential data to the wrong recipient
  • Ignoring security policies
  • Oversharing personal and confidential information on social media
  • Careless use of USB drives
  • Using easily guessable passwords

What Are The Most Significant Insider Threats Facing SMEs?

While I have outlined the different types of insider threats above, here are some of the more troubling threats that SMEs need to be aware of.

Workplace Embezzlement

Embezzlement is the misuse or theft of company funds or company property. Embezzlement occurs when funds or resources from a business are misused for personal gain.

There are a variety of ways that an employee or business owner can steal or misappropriate resources. Here are some of them:

  • Stealing money from cash registers – Employees may void the transaction and keep the money for themselves
  • Cashing customer checks – Employee sets up a bank account similar to the company, and they then cash customer money
  • Overbilling customers – Employee may charge customers more than the company’s rate and pocket the difference
  • Forging payments – Employees writing company checks to themselves
  • Faking vendor payments – Employee sets up a fake vendor account and sends that money to themselves
  • Stealing customer credit card details – Employee uses customer card to buy goods and services for themselves
  • Stealing cash – Taking small amounts of money and hoping no one notices.
  • Stealing office supplies – Stealing the company’s assets and tasking it home
  • Stealing tax funds / returns – Employees responsible for tax payments may keep that money.
  • Using company resources to start/run their business – Employee uses company time, equipment, or funds to start their own business without their knowledge
  • Creating ghost employees – Employees who control payroll may set up fake employees on the system but pay these false employees to accounts that this person owns.

Employee embezzlement can have significant and wide-ranging impacts on an organisation. Some of the critical consequences include:

  • Financial loss
  • Erosion of trust
  • Reputation damage
  • Operation disruptions
  • Legal significances
  • Loss of productivity
  • Employee morale
  • Increased security measures
  • Long-term effects

The following is a real story of how an IT manager defrauded the organisation for which he worked.

Example: IT Manager Defrauded $1.7 Million from a TAFE in Western Sydney

What happened?

Ronald Cordoba was acting manager of information and communications technology services at the TAFE NSW South Western Sydney Institute.

He admitted using his position as ICT manager at the TAFE to sign off on $1.7 million worth of invoices from a company he had set up called ITD Pty Ltd.

For example, he charged the TAFE $150,000 for two year’s worth of Dropbox enterprise licenses, which he had bought from Dropbox for a little over $70,000.

He conducted email exchanges between himself and a fake ITD account manager called ‘Alicia’ to copy in colleagues and maintain the semblance of a legitimate third-party provider.

He also admitted to buying dozens of products that the TAFE never received.

Workplace Theft

The above example clearly demonstrates the interconnectedness between the physical-cyber-human world. No amount of cybersecurity tools would have stopped this crime from taking place

Managing Risk And Uncertainty

At first glance, “employee theft” might evoke images of a staff member discreetly leaving with office supplies like pens or a stack of paper. However, upon closer inspection, it becomes clear that this issue extends beyond physical items. Employee theft manifests in diverse forms and complexities, from the misuse of company time for personal activities to more intricate forms of dishonesty.

  • Time theft – Using company time to conduct personal businesses or simply not working while on the clock
  • Data theft – Stealing company intellectual property and other company data, including sensitive or confidential information
  • Financial theft – Stealing company funds, including diversion of funds or payments before they get recorded by the company
  • Customer theft – Pocketing payments from customers without recording the transaction
  • Identity theft – Using a colleague’s personal information for identity theft or fraud
  • Software theft – Stealing organisation software and licenses for personal use or to sell
  • Hardware theft – Taking organisation hardware for personal use or to sell
  • Inventory theft – Taking the company’s equipment, tools or inventory for personal use or sale.
  • Services theft – When an employee uses a service for personal gain without permission from their company

Workplace theft can significantly impact an organisation’s financial health, reputation, and overall functioning, similar to workplace embezzlement.

Here are some statistics that you should know:

  • 34% of fraud cases in small businesses are internal/employee-related (Verizon Report – Very Small Business Cybercrime Protection Sheet)
  • 22% of small business owners have had employees steal from them (Business.org)
  • 88% of employee theft cases include attempts to hide the fraud (Association of Certified Fraud Examiners: Occupation Fraud 2022)
  • Small businesses are more likely to deal with check and payment tampering and skimming than other businesses (ACFE)

What Can You Do To Mitigate The Risk?

While large enterprises have taken considerable measures to combat insider threats through an insider threat program (through prevention, detection, deterrence and response measures), small and medium-sized businesses have been left vulnerable due to their lack of financial, IT resources and internal expertise.

While it’s essential to understand how devastating insider threats can be, there is a way to reduce the risk for your organisation.

Some Essential Points

  1. Insider threat is a business, not a technology problem. You are dealing with people’s beliefs, values, emotions, habits and needs that change dynamically over time.
  2. It is essential to realise that every organisation is unique, and the type of threats it faces will be different due to the type of assets it holds and the strategies it tries to execute.
  3. Protecting everything is a useless goal. While perhaps it’s not impossible, it is economically impractical and will likely impede important business initiatives.

Concept Of The Three-legged Chair

The three-legged principle works as follows: It takes only three principles working together to protect yourself, your family or your organisation from insider threats. If one of the three-legged stools is missing or broken, it will not support you

  1. You must accurately judge trust.
    • Begin with the hiring process – Companies should verify a candidate’s character capabilities and skill set with thorough background checks.
    • Establish clear security policies – Establish and enforce organisation cybersecurity policies. So much of the employee conduct will be guided by what the organisation considers safe and acceptable use.
    • Nurture cyber awareness within the organisation – Create a cyber and insider threat awareness culture. Staff should undergo regular training so that they have the confidence to identify both external cybersecurity threats and internal risks that could potentially harm the organisation. People cannot protect themselves or the business from risks they aren’t aware of
    • Have strict offboarding procedures – Since many malicious insider threats originate with former employees, it is critical to take fast action to terminate employee accounts and access them as soon as an individual leaves the company. This should significantly reduce any risk imposed by disgruntled or departed employees.
  2. You must accurately judge access
    • Know your critical assets – Inventorying your assets is crucial for implementing the required security controls and policy measures to protect them.
    • Limit strict access controls on what people can do – Organisations should use stringent password and account management policies and practices to prevent insiders from compromising user accounts.
    • Enforce separation of duties – Separation of duties requires dividing functions among multiple people to limit the possibility that one workforce member could steal information or commit fraud.
  3. You must be vigilant
    • Anticipate and manage risky behaviour – Ensure clear and consistent communication with your workforce about acceptable workplace behaviour to avoid any unexpected negative situations.
    • Pay attention to possible insider threat indicators – One of the most effective ways to reduce the risk of insider attacks is to monitor employee behaviour for known threat indicators. For example, if their behaviour has changed somewhat from their everyday activities.
    • Maintain good cybersecurity Hygiene – Practicing strong cyber hygiene goes a long way towards protecting your business from insider threats and deterring would-be bad actors in the first place.

Takeaway

Damage and the risk of damage from trusted insiders are not new for small to medium size businesses. There are plenty of stories, both malicious and unintentional, that have caused damage and sorrow.

A common misconception for SMEs is an idea of security through obscurity that your business is too small to be a target, but unfortunately, this is not the case.

SMEs hold valuable assets and are a much easier target given that they have less stringent technological defences, less awareness of threats and less time and resources to protect themselves effectively.

The impact of security breaches on SMEs is more substantial than for larger organisations. The costs to the business are proportionately higher. Lost customers. Lost brand confidence. Lost proprietary IP. Lost vendor relationships. Loss of reputation. And potentially loss of business.

Running a business is no small feat. It requires dedication, hard work and smart decision making.

When it comes to securing your business from insider threats, consider the three-legged analogy. Remember that no security measure is future-proof, so doing the little things well and continuously adapting to new changes within your business is the key to protecting your business.