Should small businesses and charities be concerned about insider threats?

Welsh Government reported in 2023 that there were an estimated 253,800 enterprises active in Wales, employing an estimated 1.1 million people. SMEs accounted for 99.6% of the total enterprises, and in the charitable sector, there were 6,754 registered organisations in the country.

If you’re a regular reader of our blog or social media content, you’ll be aware that small businesses and charities are incredibly vulnerable to the threat of cybercrime. There are many reasons for this, such as a lack of basic cyber knowledge, no IT department or resource, budget restrictions and, often, the belief that a cyber-attack could never happen to a company because it is too small, its turnover is modest or its location is too rural to be on a hacker’s radar.


This last point is particularly damaging, because criminals are acutely aware of this mindset and it becomes an even greater motivator for them to attack. If you’re not expecting something to happen, you most certainly won’t be prepared for it. All cyber intruders want is to gain access to data (employee records, email addresses, financial documents, bank details or supplier contracts, for example), so size, sector or location are completely irrelevant.

What’s an insider threat?


How a business or charity operates, in terms of the part-time hours, seasonal contracts or volunteering opportunities it offers, needs to be considered carefully from a cyber security perspective, as do policies about individuals bringing their own laptops or other devices such as USB sticks, because this is often where cracks appear. These things increase online vulnerabilities, which criminals capitalise on. Among various other issues, insider threat is one of the things to be aware of and vigilant about when considering cyber safety.


As the name suggests, insider threats are cyber security dangers posed by those who work within a business or organisation. This could be current or former employees, volunteers, contractors, or partners. Many insider threats are accidental, resulting from careless or negligent cyber security behaviours. However, they can be malicious too: a disgruntled employee may intend to commit fraud or sabotage, or you may inadvertently hire someone who is there for espionage purposes, and for them cyber means are a way to cause chaos and damage or to stop day-to-day functions from being performed.


On the other hand, unintentional insider threats can occur simply because somebody is unaware or unclear about what cyber-safe working practices look like. As mentioned earlier, bring-your-own-device (BYOD) and activity such as storing sensitive company data on unsecured personal devices increase the vulnerability of that data.

On a personal device, the user may be visiting other websites in their own time that could be infected with malware, or accessing a personal email inbox that may contain a lot of spam and phishing emails. Things that would not be accessible on a centrally managed company device are readily available, increasing the potential attack surface for a criminal.

How Can Insider Threats Be Mitigated?


There are various things that can be done to reduce the risk of insider threats:


  1. Taking the time to understand the data which a business or charity holds will highlight what is sensitive, so that the necessary permissions and protections can be put in place to safeguard it. From there, formulating a clear policy about safe online working means that everybody is aware of what they can and cannot be expected to share online, as well as what may be carried out over public Wi-Fi connections, or whether a VPN is required for work activity.


  2. Additionally, with charities or businesses relying on the support of casual workers or volunteers, it is important to have a clear process for when somebody no longer works there. Ensuring that people’s data access is regularly reviewed helps to protect against former volunteers or employees being able to access things they should not, reducing the risk of a malicious insider threat. This also means having appropriate data permissions for everybody. Depending on their roles, volunteers and employees should not be able to access sensitive data that is not pertinent to their work, and there should be solutions in place to ensure this.


  3. Security awareness training is another valuable investment that not only reduces the risk of insider threat but also improves the overall cyber security stance of the business or organisation. Training teaches what the online risk profile looks like, how people can keep themselves safe online, and what to look out for in terms of a potential attack. Not only does this reduce the chances of an accidental insider threat, it also reinforces any policies around working online. If people understand why they are being asked to do something, they are more likely to do it, and more likely to report something suspicious as soon as they see it.

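As an added illustration (not part of the WCRC article), the Python script below shows what the regular access review described in points 1 and 2 can look like in practice: it compares a roster of staff and volunteers against a list of who can access which data sets, and flags leavers who still hold access, accounts with no roster entry, and access that is not pertinent to a person’s role. All names, roles, dates and data set labels are constructed sample values.

```python
# Added example: a simple joiner/mover/leaver access review.
# Roster, entitlements and access grants below are constructed samples.
from datetime import date

# Which data sets each role legitimately needs (least privilege).
ROLE_ENTITLEMENTS = {
    "fundraising volunteer": {"event-calendar"},
    "finance officer": {"bank-details", "supplier-contracts", "event-calendar"},
    "hr manager": {"employee-records", "event-calendar"},
}

# HR roster: user -> (role, leaving date or None if still active).
ROSTER = {
    "alice": ("finance officer", None),
    "bob": ("fundraising volunteer", date(2024, 3, 31)),  # seasonal contract ended
    "carol": ("hr manager", None),
}

# Export of current access grants: (user, data set).
ACCESS_GRANTS = [
    ("alice", "bank-details"),
    ("alice", "supplier-contracts"),
    ("alice", "employee-records"),   # not pertinent to a finance role
    ("bob", "event-calendar"),       # leaver still has access
    ("bob", "supplier-contracts"),
    ("carol", "employee-records"),
    ("dave", "bank-details"),        # no roster entry at all: orphan account
]


def review_access(roster, grants, entitlements, today):
    """Return (user, data_set, reason) findings for a human reviewer."""
    findings = []
    for user, data_set in grants:
        if user not in roster:
            findings.append((user, data_set, "no roster entry: orphan account"))
            continue
        role, left_on = roster[user]
        if left_on is not None and left_on < today:
            findings.append((user, data_set, f"left on {left_on}: revoke"))
        elif data_set not in entitlements.get(role, set()):
            findings.append((user, data_set, f"not pertinent to role '{role}'"))
    return findings


def run_sample_review():
    """Run the review over the constructed sample as of 1 June 2024."""
    return review_access(ROSTER, ACCESS_GRANTS, ROLE_ENTITLEMENTS, date(2024, 6, 1))


if __name__ == "__main__":
    for user, data_set, reason in run_sample_review():
        print(f"{user:6} {data_set:18} {reason}")
```

In a real organisation the roster would come from HR or the volunteer coordinator and the grants from a file-share, cloud or email permissions export; the point is that the comparison is run on a schedule, not only when someone remembers.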

How the WCRC can help


Joining the WCRC’s free membership community ensures small businesses, charitable organisations and their staff are supported in implementing simple changes to improve cyber defences. We provide national guidance, practical resources, cyber updates, a monthly newsletter and more, all in simple language so that cyber best practice can be built quickly and easily into day-to-day working habits.


We also run bespoke staff awareness training tailored to those with limited or no cyber knowledge. Small organisations with fewer than 10 employees are encouraged to take advantage of our discounted rate, and for those outside this criterion we offer an affordable session that also covers everything needed to understand basic yet effective practices, so please contact us for further details.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for Wales is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for Wales provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for Wales does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for Wales is not responsible for the content of external internet sites that link to this site or which are linked from it.