Why SMBs Are at Greater Risk of an Insider Attack
Insider attacks don’t discriminate based on business size, but SMBs face a unique challenge: managing the rapid expansion of IT infrastructure and connected devices without the benefit of enterprise-scale resources.
According to Gregory Touhill, a retired Brigadier General and board director of global tech association ISACA, this leads to “task saturation” — small business owners and employees are constantly switching between roles and tasks to support daily operations, develop new strategies and manage growing cyber risk.
The result? Speed becomes the watchword for SMBs. Touhill says that this creates the ideal environment for insider threats to flourish because when speed outpaces security, “trust is presumed, but it is misplaced.” Staff are given broad access to critical company files and resources to streamline business functions, even if they don’t necessarily need it. Insider events become a matter of when, not if.
While Touhill admits that “you’ll never get risk to zero,” SMBs can reduce the rate of inside jobs by boosting cybersecurity across three key areas: people, processes and technology.
1. SMBs Should Consider Managed Security Service Providers
For Touhill, the foundation of any effective information security strategy is zero trust: instead of presuming benign intent, companies must continually authenticate every person and device seeking access to the network. Tools such as multifactor authentication and role-based access help ensure that the right people have access to only the data they are authorized to use, and only when they need it. But Touhill says it’s not always enough. “Too many small businesses are task saturated and forget to go beyond the technology,” he said.
Touhill, who also served as the nation’s first federal CISO, says that for SMBs, managed security service providers (MSSPs) are often a better option. “You don’t have the resources to buy a large-scale IT shop,” he said.
The caveat? Not all MSSPs are created equal. Just as with employees, it’s essential to assess potential providers on reliability and reputation. Beyond basic internet searches, Touhill suggests that small business owners ask their financial institution for MSSP recommendations, since banks and lenders require substantive cybersecurity risk management from the providers they work with and can speak from first-hand experience.
2. Simpler IT Processes for Users Reduce Breach Risk
Technology alone can’t protect against insider threats, but for task-saturated SMBs, Touhill says that simplifying processes is critical because complexity is the bane of security. “If processes are complex for the user, they’ll find a different way,” he said. This leads to short-term problems like unreported IT issues and longer-tail worries such as shadow IT.
Touhill’s advice is to “make it simple for users and complex for attackers.” This means using tools capable of intelligent threat detection and automatic reporting and underpinning them with robust cyberinsurance policies. Companies should have legal counsel review all policies to ensure there are specific remedies for likely risks and no “escape clauses” for providers to avoid action.
3. A Trained Workforce Makes Life Harder for Hackers
Regardless of the technology in place, the greatest threat to SMBs may be the employees themselves. Touhill says that the “wetware” of human brains represents the easiest access point for potential attackers. There’s a reason phishing attacks and business email compromise remain prevalent: social engineering techniques work. Here, training is essential. A workforce trained to understand cyber risks and their consequences “reduces your attack surface.”
Additionally, Touhill recommends that SMBs include at least three “wingmen” on their risk management team: a banker, a lawyer and an accountant. Why? Bankers can refer businesses to well-regarded MSSPs. A lawyer can help secure insurance that matches the business’s risk posture. Finally, an accountant can help conduct a cost-benefit analysis and quantify the business’s risk. Investing in their expertise reduces the risk of staff task saturation and helps secure key processes. In-house staff, meanwhile, require regular training to help them identify potential email scams and avoid obvious credential attacks.
Touhill makes it clear — there’s no way to eliminate the threat of insider attacks. But adopting a zero-trust infosec model built on well-sourced technology, simplified processes and secure staff behaviors can significantly reduce the risk of SMB inside jobs.