Insiders do not present a cyber threat -15 Dangerous Cybersecurity Myths - Day 14

Hello there. Did you know that small businesses are extremely vulnerable to attack from cybercriminals right now and that most don't survive for more than six months after a cyber incident?

John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber. My goal is to help small business owners and managers like you get to grips with this complex subject of cyber risk.

15 Dangerous Cybersecurity Myths

You may be struggling now, to clearly see the big picture but once you separate the myth from the truth, you can begin to significantly reduce your risk over the next 15 days through this series, I'm going to walk you through "15 Dangerous Cybersecurity Myths You Probably Believe". I'll explain the thinking behind each myth, why it's dangerous to believe it, and the truth you need to hear so that your small business can stay safe.

Now, before we dive in, I want to give you access to my free cyber resilience workshop. It's a 60-minute video workshop that will show you how to create your first survival plan for your small business in 30 days. It's full of practical tips that you can implement. If you don't already have access, use the link to register now.

Myth Number 14 - Insiders do not present a cyber threat   

Now, today, as we continue the series, we're going to explore myth number fourteen: "Insiders do not present a cyber threat.” I hope you're ready to dive in. I'm John Byrne, and this is "15 Dangerous Cybersecurity Myths You Probably Believe".

  • Let's explain the thinking behind the myth that insiders do not present a cyber threat. When I speak about “insiders”, I am referring to the people who work for the business. The thinking behind this myth goes as follows: “I need to worry about all the faceless cybercriminals who are out there operating on the dark web. They're really the only threat actors I need to worry about.” A 'threat actor' is somebody whose behaviour makes them a cyber threat to your business. The feeling being expressed here is: “I don't need to worry about internal people. I only need to worry about these external anonymous cybercriminals who are attacking everybody”.

  • The second view I often hear expressed is: “My staff do not represent a cyber threat to my business because I trust my staff. They’ve been with me for years”. A lot of small business owners might feel that the staff that they've had employed for several years would represent a great asset to the business and that there is no cyber threat from these people. And while that's true in most cases, it does not allow the business owner or manager to ignore the insider threat possibility.
  • And a third point I often hear is: “I have good controls in my business, and I would know if anybody was doing anything to put my business at risk of cyber fraud or cyber threat.” It is true that small business owners tend to have a very good idea of what's going on in their business and tend to be optimistic about their ability to control risks in their business. However, even the best controls can be circumvented by a dedicated cybercriminal and if that cybercriminal happens to be a business insider, the threat is all the greater.

 A Dangerous Myth

The myth that insiders do not present a cyber threat is dangerous because it ignores entirely the possibility of an insider generated cyber incident. Your employees know the business intimately, especially employees that have been with the business for several years. They will know the strengths and weaknesses of all of the controls in the business and know the business intimately. They are in positions of trust and sadly, that means that a dishonest employee would be in the ideal position to circumvent whatever controls the business owner has put in place.  

Truth Number 14 - the insider cyber threat from people with an intimate knowledge of the business cannot be ignored

So, let's look at the truth behind this myth, which is that the insider cyber threat from people who have intimate knowledge of the business cannot be ignored.

  • The reality is that insiders are frequently involved in cyber incidents. The insider threat features prominently in most reports in Ireland and the UK that are carried out on cyber incidents by the government,  law enforcement authorities or by the insurance industry,. Insurers’ reports reveal data on claims that they have seen in cyber insurance policies. These reports indicate that insider threats are an important aspect of total cybercrime.
  • As we've said, already, insiders have an intimate knowledge of the business, they will be in positions of trust, and they are very best placed people to get around any control system that the owner puts in place.
  • And finally,  people can be the greatest strength of a small business and in general, people are its greatest strength. However, people can also be the greatest weakness. Trust must be earned over a period of time, but it cannot be given blindly even to long term employees. Even when trust is given, internal controls still need to be in place to detect any cyber activity that is unusual.

So, this is Truth Number 14. The insider threats from people who have intimate knowledge of your business cannot be ignored.

Free Cyber Resilience Workshop

Thanks so much for reading today's post. I hope you found it helpful in exploding this myth and revealing the truth. Don't forget to register for the video workshop using the link I hope to see you tomorrow as we dive deeper into "15 Dangerous Cybersecurity Myths You Probably Believe" so we can uncover the truth of how to keep your small business safe.