Technical Defences Against Insider Threats: Solutions That Actually Work
Beyond the "Don't Get Hacked" Advice
Let's be honest: most cybersecurity advice for small businesses falls into two categories. Either it's so basic it's useless ("use strong passwords!"), or it's so enterprise-focused it's impractical ("implement a Security Information and Event Management system with behavioral analytics!").
When the ICO reports that 57% of school data breaches are caused by insiders, and only 5% required sophisticated techniques, what small businesses need is practical, implementable security that addresses real threats without requiring a dedicated security team or a massive budget.
So here's the technical guidance you can actually use, tested in real environments, scaled for businesses with 5 to 50 employees, and focused on preventing the insider threats that are actually happening, not theoretical nation-state attacks.
Foundation Layer: Multi-Factor Authentication
If I could mandate one security control for every small business, it would be multi-factor authentication (MFA). Not because it's perfect, but because it renders so many common attacks completely ineffective.
Remember those students who were guessing passwords or finding them written down? MFA stops that cold. Even if they get the password, they won't have the second factor.
What MFA Actually Costs You
Here's what surprised many business owners: MFA is essentially free now.
Microsoft 365: MFA is included in all business plans
Google Workspace: MFA is included as standard
Most cloud platforms: Free MFA for all users
Third-party authenticators: Free apps like Microsoft Authenticator, Google Authenticator, or Authy
The real cost isn't money; it's the time investment:
Initial setup: 2-4 hours for a small team
User training: 15-30 minutes per person
Ongoing management: Minimal once established
Implementation That Won't Drive Users Mad
MFA usually meets resistance because it's implemented poorly. Here's how to do it right:
1. Use the right MFA method for your context:
Biometric authentication (fingerprint, face recognition) for mobile devices
App-based authentication codes for regular use
SMS codes only as a backup (less secure but better than nothing)
Hardware keys for highest-security accounts (admin access, financial systems)
2. Set sensible frequency:
Don't require MFA every single time for trusted devices
Do require MFA for new devices, new locations, or sensitive actions
Consider 30-day "remember this device" for regular users
3. Have clear recovery procedures:
What happens when someone loses their phone?
How do you handle emergency access?
Who can reset MFA credentials?
Real-World Example: The Architecture Firm
I worked with an architecture firm of 15 people who resisted MFA because "it would slow down client presentations." We implemented app-based MFA with trusted device memory. After the initial setup, users logged in once per month per device. The total additional time cost: about 30 seconds per employee per month.
Six months later, they caught an attempted breach when someone tried to access their system from Romania using stolen passwords. MFA blocked it completely. The owner told me: "Best 30 seconds per month we ever invested."
Access Control: The Principle of Least Privilege
The ICO found that 97% of credential theft incidents in schools were student-led. Students had access to systems, found or guessed additional credentials, and escalated their privileges. The pattern is identical in business environments.
What Least Privilege Actually Means
Every user should have the minimum access required to do their job. Not the maximum access you think they might someday possibly need. The minimum.
Practical application:
Regular employees: Standard user accounts with no admin rights
Managers: Access to team resources, not company-wide systems
Finance team: Access to accounting systems, not HR records
IT support: Elevated privileges only when needed, through separate accounts
The Two-Account Rule for Admins
Anyone who needs administrative access should have two accounts:
Regular account for everyday work (email, documents, browsing)
Admin account for administrative tasks (system changes, user management)
When the University of Iowa student Trevor Graves planted hardware keyloggers to capture passwords, he was looking for privileged credentials. If his targets had been using separate admin accounts only for administrative tasks, his harvest would have been far less valuable.
How to Implement This Without Chaos
Start with an access audit:
List all your systems and data repositories
Document who currently has access to what
Ask: "Does this person need this access for their current role?"
Remove access that isn't currently necessary
Document why remaining access is justified
Then establish a review schedule:
Monthly: Review admin and privileged accounts
Quarterly: Review all user access
When someone changes roles: Immediate access review
When someone leaves: Immediate access revocation
Password Management: Solving the Human Memory Problem
The ICO found passwords written on bits of paper in 2025. If your response is "that's terrible security!", you're right. If your response is "just tell people to remember better passwords!", you're missing the point.
Humans cannot reliably remember dozens of unique, complex passwords. Forcing them to try just results in:
Written-down passwords
Reused passwords
Predictable patterns ("Password123" becomes "Password124" next month)
Password reset fatigue
The Password Manager Solution
A business password manager solves this completely:
Users remember one strong master password
All other passwords are randomly generated and stored securely
Passwords are automatically filled where needed
Sharing credentials (when necessary) happens securely
Business-appropriate solutions:
1Password for Business (£7-8 per user per month)
Bitwarden for Business (£3-4 per user per month)
Dashlane Business (£5-6 per user per month)
Keeper Business (£3.75-6 per user per month)
For a 20-person business, you're looking at £60-160 per month. Compare that to the cost of one data breach, or even the productivity loss from password reset requests.
Implementation Reality Check
When I suggest password managers, I often hear: "But what if the password manager gets hacked?"
Valid concern. Here's the reality:
The alternative is passwords on sticky notes or reused across systems
Good password managers use end-to-end encryption
A breach of the password manager is less likely and less damaging than the ongoing risk of poor password practices
It's not about perfect security. It's about dramatically better security than the current situation.
Activity Monitoring: Knowing What's Normal
You can't protect what you can't see. But "monitoring" doesn't mean installing surveillance software that tracks every keystroke. It means understanding normal patterns and being alerted to abnormal ones.
What to Monitor (And How)
1. Login Activity:
Unusual login times (why is someone accessing systems at 3 AM?)
Unexpected locations (why is this account logging in from Romania?)
Failed login attempts (is someone trying to guess passwords?)
Most business platforms include this natively:
Microsoft 365 has Azure AD sign-in logs
Google Workspace has security dashboard and alerts
Most cloud platforms have access logs
2. Data Access Patterns:
Unusual volume of file downloads
Access to systems someone doesn't normally use
Mass data exports or deletions
3. Privilege Changes:
Who's granting new access rights?
Are admin accounts being used appropriately?
When was the last time someone's access was reviewed?
The Alert Fatigue Problem
The challenge with monitoring isn't a lack of data; it's too much data. If you're getting 50 alerts per day, you'll ignore all of them.
How to avoid alert fatigue:
Start with high-priority alerts only:
Admin account used from new location
Large data download by non-technical user
Access from blacklisted IP addresses
Establish baselines:
What's normal for your business?
Document expected patterns
Alert on significant deviations
Review and refine:
Weekly review of alerts for first month
Monthly review thereafter
Adjust thresholds based on false positive rate
Real-World Example: The Marketing Agency
A 12-person marketing agency implemented basic activity monitoring using their existing Microsoft 365 tools. They set up alerts for:
Login from new countries
Download of more than 50 files in one session
Admin account access outside working hours
Three months in, they received an alert: an employee account had downloaded 200+ client files at 11 PM on a Friday. Investigation revealed the employee was leaving for a competitor and taking client work with them. Because they caught it immediately, they could:
Revoke access before more data was taken
Document the breach for legal action
Inform affected clients promptly
Cost of the monitoring: zero pounds (used existing tools). Value of early detection: potentially hundreds of thousands in prevented losses.
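The three alert rules the agency set up, as an added example that is not code from the original article: it runs over a constructed set of sign-in and download events in a simplified shape, not the real Microsoft 365 audit log schema. The working hours, the per-user country baseline and the account names are assumptions.

```python
"""Three insider-threat alert rules from the text, run over constructed
audit events (a simplified shape, not the real Microsoft 365 log schema)."""
from collections import Counter
from datetime import datetime

WORK_HOURS = range(8, 19)        # assumed: 08:00-18:59 counts as working hours
DOWNLOAD_THRESHOLD = 50          # more than 50 files in one session

# Assumed baseline: countries each account has previously signed in from.
BASELINE = {"a.jones": {"GB"}, "j.smith": {"GB"}, "admin-bob": {"GB"}}

def sign_in(time, user, country, session, admin=False):
    return {"time": time, "user": user, "op": "SignIn",
            "country": country, "session": session, "admin": admin}

def download(time, user, session):
    return {"time": time, "user": user, "op": "FileDownloaded", "session": session}

# Constructed sample: normal daytime work, a sign-in from a new country,
# an admin signing in at night, and 200 downloads late on a Friday.
EVENTS = (
    [sign_in("2025-09-12T09:02:00", "a.jones", "GB", "s1")]
    + [download(f"2025-09-12T09:{m:02d}:00", "a.jones", "s1") for m in range(10, 20)]
    + [sign_in("2025-09-12T14:30:00", "a.jones", "RO", "s2")]
    + [sign_in("2025-09-12T22:40:00", "admin-bob", "GB", "s3", admin=True)]
    + [sign_in("2025-09-12T23:05:00", "j.smith", "GB", "s4")]
    + [download("2025-09-12T23:06:00", "j.smith", "s4") for _ in range(200)]
)

def evaluate(events, baseline=BASELINE, threshold=DOWNLOAD_THRESHOLD):
    """Return (rule, user, detail) tuples for every event that trips a rule."""
    alerts = []
    per_session = Counter()
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        if e["op"] == "SignIn":
            if e["country"] not in baseline.get(e["user"], set()):
                alerts.append(("new_country", e["user"], e["country"]))
            if e["admin"] and (ts.weekday() >= 5 or ts.hour not in WORK_HOURS):
                alerts.append(("admin_out_of_hours", e["user"], e["time"]))
        elif e["op"] == "FileDownloaded":
            per_session[(e["user"], e["session"])] += 1
            # Alert once, on the download that crosses the threshold
            if per_session[(e["user"], e["session"])] == threshold + 1:
                alerts.append(("mass_download", e["user"], e["session"]))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

Each rule fires once per incident rather than once per event, which is what keeps a feed like this under the alert-fatigue ceiling the text describes.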
Backup Security: Your Last Line of Defense
When PowerSchool was breached and the attacker accessed 62 million student records, the company had to pay $2.85 million. But they could pay because they had recoverable systems. Many breached organizations don't have that option.
The 3-2-1 Backup Rule
Even with all other security measures, you need resilient backups:
3 copies of your data
2 different storage types
1 copy off-site
Backup-Specific Insider Threat Considerations
Insiders who want to cause damage will often target backups. Protect them:
1. Separate backup credentials:
Backup systems should use different credentials than production systems
Backup access should be strictly limited
Consider append-only backups that can't be deleted
2. Air-gapped backups:
At least one backup should be completely disconnected from the network
Offline backups can't be encrypted by ransomware
Physical media stored off-site provides ultimate protection
3. Test restoration regularly:
Backups you haven't tested are backups you don't have
Monthly restoration tests for critical systems
Document restoration procedures
Budget-Friendly Backup Solutions
Cloud backup services: £5-15 per user per month (Backblaze, Carbonite, IDrive)
NAS devices for local backup: £200-500 one-time cost
Offsite rotation: External drives + bank safety deposit box
Network Segmentation: Limiting Blast Radius
Even if an insider (or external attacker using compromised credentials) gains access to one system, network segmentation prevents them from accessing everything.
Practical Segmentation for Small Businesses
You don't need enterprise-grade VLANs and complex firewall rules. Start simple:
1. Separate guest WiFi:
Visitors should never access your internal network
Guest network should have internet only, no internal access
2. IoT device isolation:
Security cameras, smart devices, printers on separate network
These devices are often insecure and can serve as entry points into the rest of the network
3. Critical system separation:
Accounting/financial systems on restricted network segment
Access only for the finance team, and only from specific devices
Implementation Example
A small law firm with 8 employees implemented basic segmentation:
Employee devices on main network
Guest WiFi completely separate
Finance server restricted to three accounting team workstations
Network printer on its own VLAN
Cost: £300 for a business router with VLAN support, plus 4 hours of IT consultant time for setup. Result: even if an employee device is compromised, the attacker can't reach the financial systems.
Privileged Access Management (PAM)
Remember Trevor Graves and his "pineapple" keyloggers? He was specifically targeting privileged credentials. PAM systems prevent this by:
1. Just-in-Time Access:
Admin rights granted only when needed
Automatic expiration after task completion
Full audit trail of elevated access
2. Session Recording:
Record what happens during privileged sessions
Review capabilities for suspicious activity
Evidence for investigations
3. Credential Vaulting:
Privileged credentials stored in encrypted vault
Check-out system for access
Automatic password rotation
PAM for Small Business Reality
Enterprise PAM solutions cost tens of thousands. But small business alternatives exist:
CyberArk SMB Edition
Keeper Secrets Manager
ManageEngine Password Manager Pro
Or start simpler:
Separate admin accounts with different passwords
Password manager for shared credentials
Audit log review for admin activities
The Technology Stack That Actually Works
Here's a realistic technology stack for a 20-person business to address insider threats:
Essential (Total: ~£200-400/month):
Multi-factor authentication (free with existing platforms)
Password manager (£60-80/month)
Cloud backup service (£100-200/month)
Basic activity monitoring (free with existing tools)
Recommended (Additional £150-300/month):
Email security gateway
Endpoint detection and response (EDR)
Security awareness training platform
Advanced (Additional £200-400/month):
Security information and event management (SIEM)
Privileged access management
Data loss prevention (DLP)
Notice what's not on this list: expensive hardware, dedicated security staff, or complex enterprise solutions. These are cloud-based, manageable tools that address real threats.
The Human Element of Technical Controls
Technology alone won't stop insider threats. Every technical control needs human elements:
Clear policies explaining why controls exist and how to use them properly
Regular training that's practical and relevant, not just compliance theatre
Incident response procedures so everyone knows what to do when something goes wrong
Cultural support where security is everyone's responsibility, not just IT's problem
Your Implementation Roadmap
Week 1: Quick Wins
Enable MFA on email and cloud platforms
Audit current user access
Set up basic login monitoring alerts
Month 1: Foundation
Implement password manager
Remove unnecessary access rights
Establish backup verification schedule
Quarter 1: Maturity
Deploy activity monitoring
Implement network segmentation
Create incident response procedures
Year 1: Optimization
Regular access reviews become routine
Advanced monitoring and alerting
Continuous improvement based on lessons learned
The Bottom Line
When students can bypass school security with basic techniques, and 82% of schools experience cyber incidents, the message is clear: if your small business security is weaker than a school's, you're in trouble.
But you don't need enterprise-grade solutions. You need appropriate, well-implemented controls that address actual threats. The technical solutions exist. They're affordable. They work.
The question isn't whether you can afford to implement these controls. It's whether you can afford not to.
Tomorrow, we'll look at real-world case studies and lessons learned from businesses that experienced insider threats, and what they did about it.
Source | Article
---|---
Information Commissioner's Office | Insider threat of students leading to increasing number of cyber attacks in schools
Center for Internet Security | 2025 K-12 Cybersecurity Report
Microsoft Learn | Microsoft Entra MFA availability and licensing
Google Workspace Admin Help | Turn on 2-Step Verification for your users
ESFA, Department for Education | ESFA Update for Further Education, 24 July 2024
Microsoft Entra ID | Sign-in logs overview
Reuters | Massachusetts hacker to plead guilty over PowerSchool data breach