The familiar mental image of an insider threat is an undercover operative or double agent with a single objective: the covert extraction of sensitive information from a large, technologically advanced corporation. James Bond films have done much to establish this perception.
However, insider threats are much more widespread than many people realise.
While we may think that large organisations are the perfect target for such scenarios, small to medium-sized businesses (SMEs) also suffer the consequences of a breach of trust.
In fact, insider threats pose a serious risk in any business environment, but they can be disastrous for SMEs.
Take the Example of the Largest Municipal Fraud in American History
Rita Crundwell stole over $53 million of public funds across two decades in office as the City Comptroller and Treasurer for Dixon, Illinois, a town with a population of just 16,000.
She used the funds to build one of the nation’s leading quarter horse breeding empires and threw lavish parties for community leaders at her home, all while the town endured cuts to public staff, emergency services budgets, and work on maintaining public infrastructure.
In 2012, after a close colleague turned whistleblower finally uncovered her scheme and alerted the Mayor, the FBI arrested Crundwell. Her case remains the largest municipal fraud in American history.
The story was later made into the feature film “All the Queen's Horses”.
When business owners focus on safeguarding their enterprises, the emphasis is usually placed on countering cybersecurity threats.
Cyberattacks such as phishing, social engineering, malware and other direct assaults aimed at compromising the integrity of business computer systems are a legitimate concern.
However, not all threats originate from outside your organisation. Insider threats are a real security risk, and there are many types that you should be aware of if you want to ensure your business is protected.
This article will examine why SMEs must proactively identify hidden dangers to their business.
To start with, let’s define insider threats.
An insider is anyone who has, or has had, authorised access to your business assets. This insider can be an employee, a contractor, a former employee, a trusted third party, a partner, or a vendor.
Insider threat can be defined as the potential for an individual who has or had authorised access to an organisation’s assets to use their access, either maliciously or unintentionally, to act in a way that could cause harm to the organisation’s assets.
Insider threats can be broken into two groups: malicious and non-malicious.
What distinguishes them is intent: a malicious insider has a motive.
The principal goals of malicious insider threats include espionage, fraud, intellectual property theft, sabotage and misuse of information. They intentionally abuse their privileged access to steal information or degrade systems for financial, personal and/or malicious reasons.
What motivates people to intentionally cause harm to their organisation? The simplest explanation the community tends to use is the acronym “MICE” (money, ideology, coercion and ego), which can be explained as follows:
Although malicious insider threats tend to be the subject of newsworthy media stories, most insider incidents are caused accidentally through carelessness, negligence or ignorance.
Common Examples of Unintentional Insider Threats:
Having outlined the different types of insider threats above, here are some of the more troubling threats that SMEs need to be aware of.
Embezzlement is the misuse or theft of company funds, resources or property for personal gain.
There are a variety of ways that an employee or business owner can steal or misappropriate resources. Here are some of them:
Employee embezzlement can have significant and wide-ranging impacts on an organisation. Some of the critical consequences include:
The following is a real story of how an IT manager defrauded the organisation for which he worked.
Example: IT Manager Defrauded $1.7 Million from a TAFE in Western Sydney
Ronald Cordoba was acting manager of information and communications technology services at the TAFE NSW South Western Sydney Institute.
He admitted using his position as ICT manager at the TAFE to sign off on $1.7 million worth of invoices from a company he had set up called ITD Pty Ltd.
For example, he charged the TAFE $150,000 for two years’ worth of Dropbox enterprise licences, which he had bought from Dropbox for a little over $70,000.
He conducted email exchanges between himself and a fake ITD account manager called ‘Alicia’ to copy in colleagues and maintain the semblance of a legitimate third-party provider.
He also admitted to buying dozens of products that the TAFE never received.
The above example clearly demonstrates how the physical, cyber and human worlds are interconnected. No amount of cybersecurity tooling would have stopped this crime from taking place.
At first glance, “employee theft” might evoke images of a staff member discreetly leaving with office supplies like pens or a stack of paper. However, upon closer inspection, it becomes clear that this issue extends beyond physical items. Employee theft manifests in diverse forms and complexities, from the misuse of company time for personal activities to more intricate forms of dishonesty.
Workplace theft can significantly impact an organisation’s financial health, reputation, and overall functioning, similar to workplace embezzlement.
Here are some statistics that you should know:
While large enterprises have taken considerable measures to combat insider threats through an insider threat program (covering prevention, detection, deterrence and response), small and medium-sized businesses have been left vulnerable due to their lack of financial and IT resources and internal expertise.
While it’s essential to understand how devastating insider threats can be, there is a way to reduce the risk for your organisation.
Some Essential Points
Concept Of The Three-legged Chair
The three-legged principle works as follows: it takes three principles working together to protect yourself, your family or your organisation from insider threats. If one of the legs is missing or broken, the chair will not support you.
Damage, and the risk of damage, from trusted insiders is not new for small to medium-sized businesses. There are plenty of stories, both malicious and unintentional, of insiders causing damage and sorrow.
A common misconception among SMEs is a belief in security through obscurity: that your business is too small to be a target. Unfortunately, this is not the case.
SMEs hold valuable assets and are a much easier target given that they have less stringent technological defences, less awareness of threats and less time and resources to protect themselves effectively.
The impact of security breaches on SMEs is more substantial than for larger organisations. The costs to the business are proportionately higher. Lost customers. Lost brand confidence. Lost proprietary IP. Lost vendor relationships. Loss of reputation. And potentially loss of business.
Running a business is no small feat. It requires dedication, hard work and smart decision making.
When it comes to securing your business from insider threats, consider the three-legged analogy. Remember that no security measure is future-proof, so doing the little things well and continuously adapting to changes within your business is the key to protecting it.