Your Complete Insider Threat Defence Action Plan: From Assessment to Implementation

What We've Learned This Week

This week, we explored an uncomfortable truth: 57% of school data breaches are caused by insiders, often using techniques so basic that only 5% required sophisticated skills. We've seen Matthew Lane extract $2.85 million from PowerSchool after breaching data for 62 million students. We've watched Trevor Graves operate a grade-change business from his dorm room for four months. We've examined how Vice Society leaked 500GB of school data, and how Blacon High School was closed for five days after a ransomware attack.

The consistent lesson across every case: insider threats succeed because of fundamental security failures that any organization can address.

Today, we bring it all together with your complete action plan.

The Reality of Your Situation

Let's start with brutal honesty about where you probably are:

If you're like most small businesses:

  • Some employees have admin access who shouldn't

  • Multi-factor authentication isn't enabled everywhere

  • You're not sure who has access to what

  • Passwords are either too complex (and written down) or too simple

  • You have backups but haven't tested restoration recently

  • Your incident response plan is "we'll figure it out when something happens"

  • Security training consists of "don't click suspicious links"

The good news: Every one of these is fixable. None requires unlimited budget or dedicated security staff. All can be addressed with focused effort over 90 days.

Your Implementation Framework

We're going to build your insider threat defence using a layered approach, starting with the most impactful changes that require the least effort.

  • These are the absolute minimum security measures. If you do nothing else, do these.

    Action 1: Enable Multi-Factor Authentication

    Time Required: 2-4 hours for initial setup
    Cost: Free (included with most business platforms)
    Impact: Prevents the majority of credential-based attacks

    Specific Steps:

    1. Enable MFA on email (Microsoft 365, Google Workspace)

      • Admin portal > Security > MFA settings

      • Require for all users

      • Use app-based authentication (not SMS where possible)

    2. Enable MFA on cloud services

      • Cloud storage (Dropbox, OneDrive, Google Drive)

      • Collaboration tools (Slack, Teams)

      • Financial systems (Xero, QuickBooks)

    3. Communicate to team

      • "We're improving security with two-step verification"

      • Provide simple setup instructions

      • Be available for questions during rollout

    Resources:

    Action 2: Audit User Access

    Time Required: 2-3 hours
    Cost: Free
    Impact: Reduces attack surface by removing unnecessary access

    Specific Steps:

    1. Create access inventory spreadsheet with columns:

      • User name

      • Systems they can access

      • Permission level (user/admin)

      • Business justification

      • Last access review date

    2. For each user, ask:

      • Do they need access to this system for their current role?

      • Is admin access necessary, or would user access suffice?

      • When did we last verify this access is still needed?

    3. Remove unnecessary access immediately

      • Start with admin privileges

      • Then address system access for former employees

      • Finally, remove access to systems not needed for current role

    4. Document decisions

      • Why certain access was removed

      • Why certain access was retained

      • When next review is scheduled

    Template: Download our Access Audit Spreadsheet at [your website]
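The three audit questions above can be applied mechanically once the inventory exists. The script below is an added example, not code from the original post: it reads an inventory in the column layout of Action 2 (as CSV) and lists findings in the removal order the post recommends, admin privileges first, former employees second, then unjustified or overdue access. The `status` column, the 90-day review interval and the sample rows are assumptions made for this example.

```python
"""Access inventory review (added example; not from the original post)."""
import csv
import io

# Constructed sample inventory: the Action 2 columns plus an assumed 'status'
# column so former employees can be spotted. Not real data.
SAMPLE_INVENTORY = """\
user,system,permission,justification,last_review,status
alice,Microsoft 365,admin,IT lead,2024-01-10,active
bob,Microsoft 365,admin,,2023-06-01,active
carol,Xero,user,Finance,2024-03-05,active
dave,Dropbox,admin,Sales rep,2023-11-20,left
erin,Slack,user,Marketing,2024-02-14,active
"""

REVIEW_INTERVAL_DAYS = 90  # assumed policy value, not from the post


def load_inventory(text):
    """Parse the spreadsheet export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(rows, today="2024-04-01"):
    """Return findings as (priority, user, system, reason) tuples, sorted.

    Priority 1: admin access (remove or re-confirm first)
    Priority 2: former employees who still have access
    Priority 3: access with no justification or an overdue review
    """
    from datetime import date
    today = date.fromisoformat(today)
    findings = []
    for r in rows:
        last = date.fromisoformat(r["last_review"])
        justified = bool(r["justification"].strip())
        if r["permission"] == "admin":
            reason = ("admin access: confirm user-level access would not suffice"
                      if justified else "admin access without business justification")
            findings.append((1, r["user"], r["system"], reason))
        if r["status"] == "left":
            findings.append((2, r["user"], r["system"], "former employee still has access"))
        if r["permission"] != "admin" and not justified:
            findings.append((3, r["user"], r["system"], "no business justification recorded"))
        if (today - last).days > REVIEW_INTERVAL_DAYS:
            findings.append((3, r["user"], r["system"],
                             f"last review {last.isoformat()} is older than {REVIEW_INTERVAL_DAYS} days"))
    return sorted(findings)


def admin_count(rows):
    """Number of distinct users holding admin access (one of the Action 12 metrics)."""
    return len({r["user"] for r in rows if r["permission"] == "admin"})


if __name__ == "__main__":
    rows = load_inventory(SAMPLE_INVENTORY)
    for prio, user, system, reason in review_access(rows):
        print(f"P{prio} {user:<6} {system:<14} {reason}")
    print("users with admin access:", admin_count(rows))
```

Run against your own export by replacing `SAMPLE_INVENTORY` with the file contents; keep the decisions you make on each finding in the "Document decisions" step so the next review can see why access was kept.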

    Action 3: Test Your Backups

    Time Required: 1-2 hours
    Cost: Free
    Impact: Ensures you can recover from ransomware or data loss

    Specific Steps:

    1. Identify your most critical data:

      • Customer database

      • Financial records

      • Current projects

    2. Attempt restoration:

      • Select a non-critical file from each backup

      • Follow your restoration procedure

      • Verify the restored file opens and is usable

    3. Document results:

      • What worked?

      • What failed?

      • How long did restoration take?

      • What improvements are needed?

    4. If restoration fails:

      • This is your top priority to fix

      • Consider this a critical business risk

      • Implement proper backup immediately

    Critical Point: Backups you haven't tested are backups you don't have.
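The "verify the restored file is usable" and "how long did restoration take" steps can be checked by machine rather than by eye. The script below is an added example, not code from the original post: it records a SHA-256 digest of each file when the backup is made, restores the archive into a scratch directory, compares digests, and times the whole restore. The tar format, the sample files and the deliberately damaged archive in the `corrupt=True` run are assumptions for this example.

```python
"""Backup restoration check (added example; not from the original post)."""
import hashlib
import os
import tarfile
import tempfile
import time


def sha256_of(path):
    """Digest a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive a directory; return a manifest {relative path: digest}.
    Store the manifest separately from the backup so a damaged backup
    cannot also damage the evidence used to check it."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_of(full)
                tar.add(full, arcname=rel)
    return manifest


def restore_and_verify(archive_path, manifest):
    """Restore into a scratch directory and check every file against the manifest."""
    started = time.monotonic()
    report = {"ok": True, "files": {}, "seconds": 0.0}
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                if hasattr(tarfile, "data_filter"):
                    # Refuse absolute paths and '..' entries on interpreters that support it
                    tar.extractall(restore_dir, filter="data")
                else:
                    tar.extractall(restore_dir)
        except (tarfile.TarError, OSError) as exc:
            report["ok"] = False
            report["error"] = f"restore failed: {exc}"
            report["seconds"] = time.monotonic() - started
            return report
        for rel, expected in manifest.items():
            path = os.path.join(restore_dir, rel)
            if not os.path.exists(path):
                verdict = "missing"
            elif sha256_of(path) != expected:
                verdict = "corrupt"
            else:
                verdict = "ok"
            report["files"][rel] = verdict
            report["ok"] = report["ok"] and verdict == "ok"
    report["seconds"] = time.monotonic() - started
    return report


def demo(corrupt=False):
    """Create constructed sample data, back it up, restore and verify.
    With corrupt=True the archive header is overwritten first to show a failed drill."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "critical")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "customers.csv"), "w") as f:
            f.write("id,name\n1,Example Customer\n")  # constructed data
        with open(os.path.join(src, "finance", "ledger.txt"), "w") as f:
            f.write("2024-04 opening balance 1000\n")  # constructed data
        archive = os.path.join(work, "backup.tar.gz")
        manifest = make_backup(src, archive)
        if corrupt:
            with open(archive, "r+b") as f:
                f.seek(0)
                f.write(b"\x00" * 64)  # clobber the gzip header
        return restore_and_verify(archive, manifest)


if __name__ == "__main__":
    print("healthy backup:", demo())
    print("damaged backup:", demo(corrupt=True))
```

The report's `seconds` field is the number to write down for "how long did restoration take"; a `missing` or `corrupt` verdict for any critical file is the "restoration fails" case the post treats as a top-priority risk.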

  • Once foundation is solid, add these capabilities.

    Action 4: Implement Password Manager

    Time Required: 4-6 hours for setup and initial training
    Cost: £3-8 per user per month
    Impact: Eliminates password-related security failures

    Recommended Solutions:

    • Keeper (from £1.83/user/month): This is the one I use.

    • 1Password for Business (£7-8/user/month): Excellent user experience, strong security

    • Bitwarden (£3-4/user/month): Open source, budget-friendly, solid features

    • Dashlane Business (£5-6/user/month): Good balance of features and price

    Implementation Steps:

    1. Choose solution based on:

      • Budget

      • Ease of use for your team

      • Integration with existing tools

    2. Admin setup:

      • Create organizational account

      • Configure security policies

      • Set up user groups

      • Enable MFA for password manager itself

    3. User onboarding:

      • Install browser extensions and apps

      • Import existing passwords

      • Generate new strong passwords for critical systems

      • Practice using password manager for common tasks

    4. Gradual rollout:

      • Week 1: Email passwords

      • Week 2: Cloud service passwords

      • Week 3: Business application passwords

      • Week 4: Shared/team passwords

    Success Metric: No passwords written down anywhere within 30 days

    Action 5: Establish Activity Monitoring

    Time Required: 3-4 hours for initial setup
    Cost: Free (using existing platform tools)
    Impact: Enables detection of unusual or unauthorized activity

    For Microsoft 365:

    1. Enable audit logging:

      • Compliance Center > Audit > Start recording

      • Retain logs for 90 days minimum

    2. Set up alerts:

      • Unusual login locations

      • Mass file downloads

      • Admin privilege changes

      • Failed login attempts (>5 in 1 hour)

    3. Create review schedule:

      • Weekly review of alerts

      • Monthly review of admin activity

      • Quarterly comprehensive audit

    For Google Workspace:

    1. Enable audit logging:

      • Admin Console > Reporting > Audit

      • Configure log retention

    2. Set up alert center:

      • Security > Alert Center > Rules

      • Configure for suspicious activity

    3. Review schedule:

      • Daily check of alerts

      • Weekly detailed review

      • Monthly pattern analysis

    Resources:
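The four alert conditions in Action 5 are simple enough to express as rules, which is useful when you want to understand what the platform's alert centre is doing or to review exported logs offline. The script below is an added example, not code from the original post or from either vendor: it runs those rules over a few constructed audit events in a simplified, platform-neutral shape. The event layout, the "usual country" baseline per user and the 50-files-in-15-minutes download threshold are assumptions for this example; the "more than 5 failed logins in 1 hour" threshold is the one the post gives.

```python
"""Audit-log alert rules (added example; not from the original post)."""
from collections import defaultdict
from datetime import datetime, timedelta

USUAL_COUNTRY = {"alice": "GB", "bob": "GB", "carol": "GB", "dave": "GB"}  # assumed baseline
FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW = 5, timedelta(hours=1)            # threshold from the post
DOWNLOAD_LIMIT, DOWNLOAD_WINDOW = 50, timedelta(minutes=15)                 # assumed threshold

# Constructed events, not real platform output: (timestamp, user, action, detail)
SAMPLE_EVENTS = [
    ("2024-04-01T09:10:00", "bob", "login_ok", "RO"),                     # sign-in from an unusual country
    ("2024-04-01T10:00:00", "carol", "role_change", "added to Global Administrators"),
    ("2024-04-01T11:00:00", "dave", "login_failed", "GB"),                # three failures: below threshold
    ("2024-04-01T11:01:00", "dave", "login_failed", "GB"),
    ("2024-04-01T11:02:00", "dave", "login_failed", "GB"),
    ("2024-04-01T11:03:00", "dave", "login_ok", "GB"),
]
# Six failed logins for alice within five minutes
SAMPLE_EVENTS += [(f"2024-04-01T08:0{i}:00", "alice", "login_failed", "GB") for i in range(6)]
# Sixty file downloads by bob, one every five seconds
SAMPLE_EVENTS += [
    ((datetime(2024, 4, 1, 9, 12) + timedelta(seconds=5 * i)).isoformat(),
     "bob", "file_download", f"customer-{i}.xlsx")
    for i in range(60)
]


def parse(events):
    """Convert timestamps and put events in time order."""
    return sorted((datetime.fromisoformat(t), u, a, d) for t, u, a, d in events)


def burst(times, limit, window):
    """True if more than `limit` timestamps fall inside any sliding `window`."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 > limit:
            return True
    return False


def run_rules(events):
    """Apply the four Action 5 rules; return (rule, user, detail) alerts."""
    alerts = []
    per_user = defaultdict(lambda: defaultdict(list))
    for when, user, action, detail in parse(events):
        per_user[user][action].append(when)
        # Rule: unusual login location (compare against the user's baseline)
        if action == "login_ok" and detail != USUAL_COUNTRY.get(user):
            alerts.append(("unusual_location", user, f"successful login from {detail}"))
        # Rule: admin privilege changes (every one is worth a look)
        if action == "role_change":
            alerts.append(("admin_change", user, detail))
    for user, actions in per_user.items():
        # Rule: failed login attempts (>5 in 1 hour)
        if burst(actions["login_failed"], FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW):
            alerts.append(("failed_logins", user,
                           f"more than {FAILED_LOGIN_LIMIT} failures within {FAILED_LOGIN_WINDOW}"))
        # Rule: mass file downloads
        if burst(actions["file_download"], DOWNLOAD_LIMIT, DOWNLOAD_WINDOW):
            alerts.append(("mass_download", user,
                           f"{len(actions['file_download'])} downloads in a short window"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in run_rules(SAMPLE_EVENTS):
        print(f"[{rule}] {user}: {detail}")
```

Note that dave's three failures produce nothing: the point of a threshold is to keep the weekly review list short enough that someone actually reads it, which is the "alert false positive rate" metric from Action 12.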

    Action 6: Separate Admin Accounts

    Time Required: 2-3 hours
    Cost: Free
    Impact: Limits damage from compromised accounts

    Implementation:

    1. Identify users who need admin access (should be minimal)

    2. Create separate accounts:

    3. Configure usage:

      • Regular account for daily work

      • Admin account only for administrative tasks

      • Different passwords for each (managed by password manager)

    4. Train admins:

      • When to use which account

      • How to switch between accounts

      • Why this protects everyone

    Example:

  • Build on foundation and enhancement with sophisticated controls.

    Action 7: Implement Network Segmentation

    Time Required: 4-8 hours (may require IT consultant)
    Cost: £300-800 for equipment, £500-1000 for consultant if needed
    Impact: Limits what attackers can access even if they breach perimeter

    Basic Segmentation:

    1. Separate guest WiFi

      • No access to internal resources

      • Internet only

      • Different SSID and password

    2. IoT/device network

      • Printers, cameras, smart devices

      • Isolated from business network

      • Internet access only

    3. Main business network

      • Employee workstations

      • Standard access controls

    4. Restricted network

      • Financial systems

      • Sensitive data servers

      • Limited to authorized users/devices

    Equipment Needed:

    • Business-grade router with VLAN support (£200-400)

    • Managed switches if needed (£100-300)

    • Professional configuration (£500-1000 if outsourcing)

    ROI: Even if one device is compromised, segmentation prevents lateral movement

    Action 8: Establish Data Classification

    Time Required: 6-10 hours
    Cost: Free to £500 for small team training
    Impact: Ensures appropriate protection for sensitive data

    Classification Scheme:

    Public: Can be freely shared

    • Marketing materials

    • Public website content

    • Published reports

    Internal: For company use only

    • General business communications

    • Non-sensitive project documents

    • Internal procedures

    Confidential: Restricted access, business impact if disclosed

    • Customer data

    • Financial information

    • Business strategy documents

    Restricted: Highest sensitivity, significant harm if disclosed

    • Personal employee data

    • Banking credentials

    • Trade secrets

    • Legal documents

    Implementation:

    1. Document classification scheme

    2. Train staff on classifications

    3. Label documents appropriately

    4. Configure access controls based on classification

    5. Regular audits of classified data

    Tools:

    • Microsoft Information Protection (included in many M365 plans)

    • Google Drive labels and permissions

    • Document management systems with classification features

    Action 9: Deploy Endpoint Detection and Response (EDR)

    Time Required: 4-6 hours for deployment
    Cost: £3-8 per device per month
    Impact: Detects and responds to threats on devices

    Recommended EDR Solutions for SMBs:

    • Microsoft Defender for Endpoint (£4-6/device/month): Integrated with Windows

    • SentinelOne (£5-8/device/month): Strong detection, autonomous response

    • CrowdStrike Falcon (£6-8/device/month): Cloud-native, excellent threat intelligence

    Key Features to Ensure:

    • Real-time threat detection

    • Behavioral analysis

    • Automated response capabilities

    • Centralized management console

    • Integration with existing security tools

    Deployment Steps:

    1. Choose solution based on budget and technical capability

    2. Deploy agents to all devices (workstations, laptops, servers)

    3. Configure detection policies

    4. Set up alerting and response workflows

    5. Train team on responding to alerts

  • Final layer focuses on testing, refining, and sustaining security posture.

    Action 10: Conduct Tabletop Exercise

    Time Required: 2-3 hours
    Cost: Free
    Impact: Validates incident response procedures, identifies gaps

    Scenario Planning: Create realistic scenarios based on this week's case studies:

    Scenario 1: Credential Compromise

    • "An employee's laptop was stolen with saved passwords"

    • What do we do?

    • Who needs to be notified?

    • How do we prevent further access?

    • How do we investigate extent of compromise?

    Scenario 2: Insider Data Theft

    • "Monitoring alerts show an employee downloaded 200 customer files after receiving job offer from competitor"

    • How do we respond?

    • What evidence do we preserve?

    • What are legal obligations?

    • How do we prevent further data loss?

    Scenario 3: Ransomware Attack

    • "Monday morning, systems are encrypted with ransom note"

    • Who do we call?

    • How do we restore operations?

    • Do we have backups we can trust?

    • What do we tell clients?

    Exercise Structure:

    1. Gather key stakeholders (30 min)

    2. Present scenario (15 min)

    3. Team discussion and decision-making (60 min)

    4. Document lessons learned (30 min)

    5. Update procedures based on findings (following week)

    Action 11: Implement Security Awareness Program

    Time Required: 2 hours setup, 30 min/month per employee ongoing
    Cost: £10-30 per user per year for training platform
    Impact: Reduces human error and creates security-aware culture

    Platform Options:

    • KnowBe4 (£20-30/user/year): Comprehensive, industry leader

    • NINJIO (£15-25/user/year): Engaging video-based training

    • Cofense PhishMe (£10-20/user/year): Phishing-focused

    Training Topics:

    • Month 1: Password security and MFA

    • Month 2: Recognizing phishing

    • Month 3: Social engineering awareness

    • Month 4: Data handling and classification

    • Month 5: Physical security

    • Month 6: Incident reporting

    • Repeat cycle with advanced topics

    Beyond Platform Training:

    • Monthly security tips in company newsletter

    • Simulated phishing exercises (monthly)

    • Security success stories shared

    • Security questions encouraged and answered

    Action 12: Establish Metrics and Reporting

    Time Required: 3-4 hours initial setup, 1 hour monthly maintenance
    Cost: Free
    Impact: Enables measurement of security posture and improvement

    Key Metrics to Track:

    Access Control:

    • Number of users with admin access

    • Time to revoke access for departing employees

    • Percentage of accounts with appropriate access level

    • Frequency of access reviews

    Authentication:

    • Percentage of accounts with MFA enabled

    • Failed authentication attempts per month

    • Password manager adoption rate

    • Accounts using weak passwords

    Monitoring:

    • Security alerts generated per month

    • Average time to investigate alerts

    • Incidents detected vs incidents missed

    • Alert false positive rate

    Data Protection:

    • Backup success rate

    • Time to restore from backup

    • Data classification coverage

    • Encryption compliance rate

    Incident Response:

    • Number of incidents per month

    • Average time to detect incidents

    • Average time to contain incidents

    • Incidents resolved without external help

    Monthly Dashboard Template: Create simple dashboard showing:

    • Overall security posture score (from Saturday's assessment)

    • Trend lines for key metrics

    • Open action items

    • Recent incidents and lessons learned

Budget Guidance

Let's address the elephant in the room: cost. Here's a realistic budget breakdown for a 20-person business:

Year 1 Investment

    Essential:

    • Multi-factor authentication: £0 (included with existing services)

    • Password manager: £960-1,920/year (£3-8/user/month × 20 users × 12 months)

    • Backup solution: £1,200-3,600/year (£5-15/user/month × 20 users × 12 months)

    • Essential Total: £2,160-5,520/year

    Recommended:

    • EDR solution: £1,440-3,840/year (£6-16/device/month × 15 devices × 12 months)

    • Security awareness training: £300-600/year (£15-30/user/year × 20 users)

    • Network equipment: £500-1,000 (one-time)

    • Recommended Total: £2,240-5,440/year

    Advanced:

    • Email security: £1,200-2,400/year

    • SIEM solution: £2,400-6,000/year

    • Cyber insurance: £1,500-3,000/year

    • Advanced Total: £5,100-11,400/year

    Year 1 Totals:

    • Minimum: £2,160 (essential only)

    • Recommended: £4,400-10,960 (essential + recommended)

    • Comprehensive: £9,500-22,360 (all layers)

    Context: Compare to average cost of data breach for SMBs: £25,000-100,000+

    Per Employee:

    • Minimum: £108/employee/year (£9/month)

    • Recommended: £220-548/employee/year (£18-46/month)

    • Comprehensive: £475-1,118/employee/year (£40-93/month)

  • After initial investment, ongoing costs decrease:

    • Software licenses: £3,900-11,360/year

    • Managed services (if used): £3,000-12,000/year

    • Training and awareness: £300-600/year

    • Equipment refresh (amortized): £500-1,000/year

    Annual Total: £7,700-24,960 (£385-1,248 per employee)

Resource Library

Here are specific resources mentioned throughout the week:

Common Implementation Challenges

  • Reality: Initial resistance is normal, but fades quickly.

    Solutions:

    • Emphasize protection of their data, not just company data

    • Use user-friendly MFA methods (biometrics, push notifications)

    • Provide clear setup instructions

    • Be available for support during rollout

    • Remember devices to reduce friction

    Timeline: Resistance typically drops to near-zero within 2 weeks

  • Reality: You have budget; it's a prioritization question.

    Solutions:

    • Start with essential layer (£2,160-5,520/year for 20 people)

    • Compare to cost of one data breach (£25,000-100,000+)

    • Implement free measures first (MFA, access audits, backup testing)

    • Spread costs across quarters

    • Consider cyber insurance that may offset some costs

    Perspective: You're spending less per employee than their monthly coffee budget

  • Reality: You don't have time NOT to do this.

    Solutions:

    • Use our phased approach (Foundation Week 1, then build gradually)

    • Leverage existing tools (most platforms include security features)

    • Outsource what you can't do internally

    • Remember Blacon High School lost 5 days to ransomware

    Time Investment:

    • Foundation layer: 6-10 hours (one workday)

    • Enhancement layer: 15-25 hours (spread over month)

    • Maturity layer: 20-30 hours (spread over two months)

    • Total: 41-65 hours over 90 days

  • Reality: These solutions are designed for non-technical users.

    Solutions:

    • Modern security tools prioritize user experience

    • Provide simple, clear instructions

    • Hands-on training for new tools

    • Choose solutions with good support

    • Build security champions within team

    Remember: If Year 11 students can hack systems, your team can use security tools

  • Reality: Later never comes, and threats don't wait.

    Solutions:

    • Set specific dates in calendar NOW

    • Assign responsibility to specific people

    • Track progress in regular business reviews

    • Remember: 82% of schools experienced cyber incidents

    Action: Block time this week for foundation layer implementation

The 90-Day Transformation

Here's what your organization will look like after implementing this plan:

  • Starting State:

    • Passwords on sticky notes

    • No MFA

    • Unknown access levels

    • Untested backups

    End State:

    • MFA protecting email and cloud services

    • Access rights audited and appropriate

    • Backups tested and confirmed working

    • Clear security baseline established

  • Starting State:

    • Basic foundation in place

    • Still reactive security posture

    • Limited visibility into activity

    End State:

    • Password manager eliminating weak passwords

    • Activity monitoring detecting unusual behavior

    • Separate admin accounts limiting risk

    • Proactive security posture developing

  • Starting State:

    • Good security practices established

    • Some advanced controls missing

    • Incident response untested

    End State:

    • Network segmentation limiting attack surface

    • Data classified and appropriately protected

    • EDR detecting and responding to threats

    • Advanced security controls operating

  • Starting State:

    • Strong technical controls

    • Untested incident response

    • Security awareness variable

    End State:

    • Incident response tested and refined

    • Security awareness program active

    • Metrics tracking continuous improvement

    • Sustainable security culture established

Your Personal Action Checklist

Print this and check off as you complete:

    • Enable MFA on email

    • Enable MFA on cloud services

    • Audit user access rights

    • Remove unnecessary access

    • Test backup restoration

    • Document backup procedures

    • Implement password manager

    • Migrate all passwords to manager

    • Set up activity monitoring

    • Configure security alerts

    • Create separate admin accounts

    • Train admins on proper usage

    • Implement network segmentation

    • Establish data classification scheme

    • Deploy EDR solution

    • Configure and tune EDR

    • Conduct tabletop exercise

    • Update procedures based on exercise

    • Launch security awareness program

    • Establish security metrics dashboard

    • Conduct quarterly access reviews

    • Test incident response procedures

    • Review and update security strategy

    • Plan next year's security improvements

Measuring Success

How do you know if this is working? Track these outcomes:

    • Admin accounts reduced by >50%

    • MFA adoption at 100%

    • Security alerts investigated within 24 hours

    • Backup restoration time <4 hours

    • Incident detection time <24 hours

    • Zero successful credential-based attacks

    • Reduced incident response time

    • Improved regulatory compliance

    • Lower cyber insurance premiums

    • Enhanced customer trust

    • Employees report security concerns proactively

    • Security questions asked in planning meetings

    • Security mistakes reported and learned from

    • Security seen as enabler, not obstacle

    • Leadership models security best practices
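Several of the Action 12 metrics map directly onto the outcome targets above (admin accounts reduced by more than 50%, MFA at 100%, alerts investigated within 24 hours, restoration under 4 hours, detection under 24 hours). The script below is an added example, not code from the original post: it computes those metrics from small constructed datasets and produces the monthly scorecard Action 12 asks for. The data shapes and the assumed baseline of four admin accounts are inventions for this example; the targets are the post's own.

```python
"""Monthly security scorecard (added example; not from the original post)."""
from datetime import datetime

# Constructed records, not real data
ACCOUNTS = [  # (user, has admin access, MFA enabled)
    ("alice", True, True), ("bob", False, True), ("carol", False, False), ("dave", False, True),
]
BASELINE_ADMIN_COUNT = 4  # assumed count before the Action 2 audit
ALERTS = [  # (raised, investigated)
    ("2024-04-02T09:00", "2024-04-02T11:30"),
    ("2024-04-05T17:00", "2024-04-08T09:00"),  # raised Friday evening, looked at on Monday
]
INCIDENTS = [  # (occurred, detected, contained)
    ("2024-04-10T08:00", "2024-04-10T14:00", "2024-04-10T16:00"),
]
BACKUP_RESTORE_SECONDS = [5400.0, 6300.0]  # timings from Action 3 restoration drills


def hours_between(earlier, later):
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 3600


def compute_metrics():
    """Action 12 metrics as plain numbers."""
    admins = sum(1 for _, is_admin, _ in ACCOUNTS if is_admin)
    within_24h = sum(1 for raised, seen in ALERTS if hours_between(raised, seen) <= 24)
    return {
        "admin_reduction_pct": 100 * (BASELINE_ADMIN_COUNT - admins) / BASELINE_ADMIN_COUNT,
        "mfa_adoption_pct": 100 * sum(1 for _, _, mfa in ACCOUNTS if mfa) / len(ACCOUNTS),
        "alerts_within_24h_pct": 100 * within_24h / len(ALERTS),
        "avg_detection_h": sum(hours_between(o, d) for o, d, _ in INCIDENTS) / len(INCIDENTS),
        "avg_containment_h": sum(hours_between(d, c) for _, d, c in INCIDENTS) / len(INCIDENTS),
        "max_restore_h": max(BACKUP_RESTORE_SECONDS) / 3600,
    }


# (metric, comparison, target) taken from 'Measuring Success'
TARGETS = [
    ("admin_reduction_pct", ">", 50),
    ("mfa_adoption_pct", ">=", 100),
    ("alerts_within_24h_pct", ">=", 100),
    ("max_restore_h", "<", 4),
    ("avg_detection_h", "<", 24),
]
COMPARE = {
    ">": lambda value, target: value > target,
    ">=": lambda value, target: value >= target,
    "<": lambda value, target: value < target,
}


def scorecard():
    """Return (metric, value, target text, met?) rows for the monthly dashboard."""
    metrics = compute_metrics()
    return [(name, metrics[name], f"{op} {target}", COMPARE[op](metrics[name], target))
            for name, op, target in TARGETS]


if __name__ == "__main__":
    for name, value, target, met in scorecard():
        print(f"{'MET ' if met else 'MISS'} {name:<24} {value:8.1f}  target {target}")
```

In this constructed month the two misses are MFA (one account still without it) and an alert that sat unread over a weekend; both are exactly the kind of open action item the dashboard should surface.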

The Continuous Improvement Cycle

Security isn't a destination; it's a journey. After completing the 90-day plan:

    • Review security metrics

    • Investigate all alerts

    • Update access permissions

    • Test backup restoration

    • Send security awareness update

    • Comprehensive access audit

    • Security training refresh

    • Tabletop exercise

    • Vendor security review

    • Update risk assessment

    • Complete security posture reassessment (use Saturday's framework)

    • External penetration testing

    • Incident response simulation

    • Review cyber insurance

    • Update security strategy and roadmap

Final Thoughts: From School Lessons to Business Protection

This week, we've learned from schools experiencing 57% of breaches from insiders, from Matthew Lane's $2.85 million breach affecting 62 million students, from Trevor Graves operating undetected for four months, from Vice Society's devastating attacks, and from Blacon High School's five-day closure.

Every case taught us that insider threats succeed because of basic security failures: weak passwords, excessive access, poor monitoring, inadequate backups, and lack of preparation.

But every case also showed us what works: multi-factor authentication stops credential attacks cold. Access controls limit what insiders can reach. Monitoring enables detection. Backups enable recovery. Preparation reduces panic.

The difference between organizations that survive insider threats and those that don't isn't budget or technical sophistication. It's willingness to take action.

You now have:

  • Understanding of the threat (Monday's post)

  • Knowledge of human factors (Tuesday's post)

  • Personal perspective from reformed hacker (Wednesday's post)

  • Technical solutions that work (Thursday's post)

  • Real-world case studies (Friday's post)

  • Assessment framework (Saturday's post)

  • Complete implementation plan (today's post)

The only thing missing is action.

Your Commitment

If you're serious about protecting your business from insider threats, make this commitment:

    • I will enable MFA on email and cloud services

    • I will audit user access and remove unnecessary permissions

    • I will test my backups to ensure they work

    • I will implement a password manager

    • I will establish activity monitoring

    • I will create separate admin accounts

    • I will deploy additional security layers

    • I will test my incident response

    • I will build security awareness

    • I will maintain continuous improvement

    • I will measure security posture progress

    • I will build sustainable security culture

The Bottom Line

If Year 11 students can bypass school security with basic techniques, and 82% of schools experience cyber incidents, your business is vulnerable unless you take deliberate action to protect it.

The good news: protection doesn't require unlimited budget, dedicated security staff, or complex enterprise solutions. It requires focus, commitment, and systematic implementation of proven controls.

You have the knowledge. You have the plan. You have the resources.

The only question remaining is: will you act?

Start today. Enable MFA. Audit access. Test backups. Then build from there.

Your business, your employees, and your customers are depending on it.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com