When most people hear “insider threat”, they picture a disgruntled employee deliberately sabotaging systems or stealing client databases. That happens, but it is rare. The insider risks we actually see in small businesses are far more ordinary – and far more common.
An ex-employee who still has access to email three weeks after leaving because nobody disabled their account. A team that shares one password for the office PC. Someone copying client files to a USB drive so they can work from home over the weekend. A staff member emailing a spreadsheet to the wrong person by mistake.
Most insider incidents are not malicious. They are the result of gaps in systems – no proper offboarding process, weak access controls, or people doing what seems easiest at the time. Your staff are not the enemy. But the way access is managed in many small businesses creates risks that are completely avoidable.
What “insider threat” actually means for a small business
Corporate security training talks about insider threats as if they are spies and saboteurs. For a small business, the reality is much simpler.
An insider threat is any risk to your data or systems that comes from someone with legitimate access – or someone who used to have access and still does because nobody turned it off.
The scenarios we actually see:
- Someone leaves the business (resignation, dismissal, end of contract). Their email account, OneDrive access, and shared drive permissions are still active weeks later because the IT offboarding checklist does not exist or was not followed.
- Staff share passwords for convenience. One person leaves. Everyone else still uses the same password. The person who left can still access those systems.
- An employee copies files to their personal email or a USB drive. Often this is innocent – they want to finish work at home. But once business data leaves your systems, you have lost control of it.
- Admin access is given to everyone because it was easier during setup. The receptionist, the bookkeeper, and the sales team all have full administrator rights on the server or cloud account. If any of those accounts are compromised, an attacker has the keys to everything.
Most of these are not deliberate attacks. They are what happens when access controls are loose and offboarding is informal or non-existent. The problem is not bad people. The problem is systems that make it easy for things to go wrong.
The most common insider risks we see
From our support work with Cape Town businesses, these are the gaps that create the most risk.
Ex-employees still accessing systems
This is the single most common issue. Someone leaves – resignation, retirement, redundancy. IT offboarding either does not happen, or it happens slowly. We have seen ex-employees still receiving company email two months after leaving. They still have access to shared drives, OneDrive, Teams, and any systems that used their work email as a login.
Why this happens: Small businesses often do not have a checklist. The manager knows the person has left, but nobody tells IT (or the person managing logins) immediately. By the time someone thinks to disable the account, weeks have passed.
Shared passwords between staff
One login for the office PC. One password for the accounting software. One admin account that three people use. This is extremely common in businesses where IT systems grew organically without planning.
The problem: when one person leaves, changing that password affects everyone else. So it does not get changed. The person who left can still access those systems indefinitely.
Staff using personal email or USB drives for work files
Someone needs to work from home. They email a client list to their Gmail account. Or they copy files to a USB drive. Usually this is not malicious – it is someone trying to get work done. But once that data is outside your business systems, you cannot control where it goes.
Under POPIA, if personal information ends up on an unencrypted USB drive that gets lost, or on a personal email account that gets hacked, you have a data breach on your hands.
Admin-level access given to everyone
During setup, giving everyone admin rights is easier. Nobody has to call IT when they need to install something or change a setting. But admin access means full control – installing software, accessing all files, changing security settings, adding or removing user accounts.
If a staff member with admin access clicks a phishing link and their account is compromised, an attacker now has admin access to your systems. This is how ransomware spreads across networks.
Offboarding: the gap most small businesses miss
When someone leaves your business, what actually happens to their IT access?
In many small businesses, the answer is: nothing, or not enough, or not quickly enough.
What needs to happen on the day someone leaves (or the day before, if you know in advance):
- Disable their account immediately
Their email, OneDrive, Microsoft 365 access, VPN access, remote desktop access – all of it needs to be turned off. Not next week. That day.
- Revoke access to shared drives, cloud services, and apps
If they had access to shared folders on a server, cloud storage (Dropbox, Google Drive), accounting software, CRM systems, or any third-party tools, remove that access now.
- Change any shared passwords they knew
If the person who is leaving knew the WiFi password, the office PC password, or any other shared credentials, those need to be changed. Yes, this is inconvenient. It is also necessary.
- Redirect their email
Clients and suppliers will still send emails to that person’s address for weeks after they leave. Set up email forwarding to their manager or the person taking over their work so nothing gets missed.
- Recover company devices
Laptop, phone, tablet, security token, access card – anything that belongs to the business needs to be returned. If the device has business data on it and you cannot get it back, you need to know immediately so you can take action (remote wipe if the device was managed).
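The five steps above, scripted for a Microsoft 365 tenant. This is an added example, not a script from the original post or from the support company; it assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed, that you sign in with an account holding the User Administrator and Exchange Administrator roles, and the two addresses are placeholders for your own tenant.

```powershell
# Added example: Microsoft 365 offboarding using the Graph PowerShell SDK and
# ExchangeOnlineManagement. Both UPNs are placeholders for your own tenant.
param(
    [Parameter(Mandatory)][string]$LeaverUpn,   # e.g. leaver@example.co.za (placeholder)
    [Parameter(Mandatory)][string]$ManagerUpn   # e.g. manager@example.co.za (placeholder)
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $LeaverUpn -Property Id,DisplayName,UserPrincipalName
Write-Host "Offboarding $($user.DisplayName) <$($user.UserPrincipalName)>"

# Step 1: block sign-in AND revoke refresh tokens. Disabling alone leaves
# sessions already open on a phone or home PC working until the token expires.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Step 2: remove group memberships. In Microsoft 365 these grant access to
# SharePoint sites, Teams and shared mailboxes, so this is the "revoke shared
# drive access" step. Dynamic groups cannot be edited this way and are skipped.
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
foreach ($g in $groups) {
    Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction SilentlyContinue
    Write-Host "  removed from group: $($g.AdditionalProperties['displayName'])"
}

# Step 3: convert the mailbox to shared (kept without a licence) and forward
# new mail to the manager so client and supplier emails are not missed.
Set-Mailbox -Identity $LeaverUpn -Type Shared
Set-Mailbox -Identity $LeaverUpn -ForwardingAddress $ManagerUpn -DeliverToMailboxAndForward $true

# Step 4: list the devices registered to this user so the device recovery step
# has a concrete checklist. A remote wipe of a managed device is a separate,
# deliberate decision and is not done here.
Get-MgUserRegisteredDevice -UserId $user.Id -All | ForEach-Object {
    Write-Host "  registered device: $($_.AdditionalProperties['displayName'])"
}

# Step 5: the parts no script can do for you.
Write-Host "Manual follow-up: change the WiFi and any shared passwords this person knew;"
Write-Host "collect laptop, phone, tokens and access cards; remove third-party SaaS logins."

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Run it on the leaver's last day; the printed group and device lists double as the record that access was actually revoked.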
The reality: Most small businesses have no offboarding checklist. When someone leaves, there is a conversation between the manager and the departing employee, paperwork gets signed, and that is it. The IT side gets forgotten or delayed. This is where insider risks happen – not because of malice, but because of gaps.
If your business does not have an IT offboarding checklist, you need one. If you use managed IT support, offboarding should be part of the service – you tell us someone is leaving, we follow the checklist.
Access controls: the principle of least privilege
“Least privilege” is IT jargon for a simple idea: give people access to what they need for their job, and nothing more.
The receptionist does not need admin access to the file server. The sales team does not need access to HR records. The bookkeeper does not need access to the managing director’s email. If someone does not need access to do their job, they should not have it.
Why this matters:
- It limits the damage if any account is compromised. If a phishing attack gives an attacker access to a salesperson’s account, and that account only has access to the CRM and shared sales files, the attacker cannot get into payroll data or financial records.
- It reduces the risk of honest mistakes. If someone does not have access to confidential files, they cannot accidentally email them to the wrong person.
- It makes offboarding simpler. If access is tightly controlled, you know exactly what someone had access to and what needs to be revoked.
How to apply this in practice:
Microsoft 365 makes this straightforward. User roles let you assign permissions based on what someone actually needs. Shared folders on OneDrive or SharePoint can be restricted to specific people or teams. You do not need expensive software – you just need to set it up properly and review it occasionally.
The key is to start with the default position of “no access” and only grant what is needed, rather than starting with “everyone can see everything” and hoping people only look at what they should.
POPIA and employee data
POPIA (the Protection of Personal Information Act) applies to employee data just as much as it applies to client data.
If an insider incident exposes employee personal information – payslips, ID numbers, tax certificates, medical records, disciplinary records – you have the same obligations as if client data was breached. Under POPIA Section 22, if there is a breach involving personal information, you must notify the Information Regulator and the affected individuals.
This means:
- Employee records need the same protection as client records. Access controls, secure storage, proper backup, encryption where appropriate.
- An ex-employee who still has access to HR systems weeks after leaving is a data breach waiting to happen.
- If someone copies the payroll spreadsheet to a USB drive and loses it, that is a POPIA breach involving employee personal information.
The practical upside: the steps you take to prevent insider risks (access controls, offboarding, monitoring) are the same steps POPIA requires for data protection. You are not doing extra work – you are meeting your legal obligations and reducing business risk at the same time.
Read more about POPIA compliance and your IT setup
What you can do about this
Insider risk is not about catching bad actors. It is about closing the gaps in your systems so that honest mistakes do not become breaches and ex-employees cannot access what they should not.
Start with these:
- Create an IT offboarding checklist
Write down every step that needs to happen when someone leaves. Who disables the account? When does it happen? Who checks that access has been revoked? Who recovers devices? Make it a checklist and follow it every time someone exits the business.
- Audit who has access to what
Go through your shared drives, cloud accounts, and software logins. Who can see what? Does everyone who has access actually need it? Remove access for people who have left. Restrict access for people who do not need it.
- Stop sharing passwords
Every person should have their own login. If you are using one shared admin account for the office PC or accounting software, stop. Set up individual user accounts with appropriate permissions.
- Enable multi-factor authentication on all accounts
MFA is not just protection against external attacks. It also limits the damage if someone who has left the business still knows a password. Without the second factor (which is usually tied to a device you have recovered or a phone number you have disabled), the password alone is not enough.
- Review access regularly
At least once a year, go through the list of who can access what. People change roles. Responsibilities shift. Access that was appropriate six months ago may not be appropriate now. If you use managed IT, this should be part of routine maintenance.
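A starting point for the access audit and the regular review described above: a read-only report of who holds admin roles and which accounts look like offboarding leftovers. This is an added example, not from the original post; it assumes the Microsoft Graph PowerShell SDK is installed and you sign in with a read-only role such as Global Reader, and the last sign-in column depends on the AuditLog.Read.All scope and an Entra ID P1 licence (it is blank without them).

```powershell
# Added example: Microsoft 365 access review report with the Graph PowerShell SDK.
param([int]$StaleDays = 90)   # flag enabled accounts with no sign-in for this many days

Connect-MgGraph -Scopes 'User.Read.All','Directory.Read.All','AuditLog.Read.All' -NoWelcome
$cutoff = (Get-Date).AddDays(-$StaleDays)

# Part 1: who holds admin roles. Every activated role is listed with its members,
# so "everyone has admin" is visible at a glance.
Write-Host "=== Admin role holders ==="
foreach ($role in (Get-MgDirectoryRole -All | Sort-Object DisplayName)) {
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
    if ($members.Count -eq 0) { continue }
    Write-Host $role.DisplayName
    foreach ($m in $members) {
        # users carry userPrincipalName; service principals only have displayName
        $name = $m.AdditionalProperties['userPrincipalName']
        if (-not $name) { $name = $m.AdditionalProperties['displayName'] }
        Write-Host "  $name"
    }
}

# Part 2: accounts that look like offboarding leftovers or unused logins.
# signInActivity needs AuditLog.Read.All and an Entra ID P1 licence (assumption
# stated in the lead-in); without it LastSignIn is empty and every user is flagged.
Write-Host "`n=== Accounts to review ==="
$users = Get-MgUser -All -Property Id,DisplayName,UserPrincipalName,AccountEnabled,SignInActivity
$report = foreach ($u in $users) {
    $last = $u.SignInActivity.LastSignInDateTime
    if (-not $u.AccountEnabled) { $flag = 'disabled: confirm licences and group access were removed' }
    elseif ($null -eq $last)    { $flag = 'never signed in' }
    elseif ($last -lt $cutoff)  { $flag = "no sign-in for $StaleDays+ days" }
    else                        { continue }
    [pscustomobject]@{ User = $u.UserPrincipalName; Enabled = $u.AccountEnabled; LastSignIn = $last; Flag = $flag }
}
$report | Sort-Object LastSignIn | Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Any name in the admin role list that is not the person responsible for IT, and any flagged account, is a line item for the review.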
If your business handles particularly sensitive information, consider:
- Audit logging so you can see who accessed what and when. This is available in Microsoft 365 with the right licensing.
- Data loss prevention policies that block people from copying certain types of files to USB drives or sending them outside the business.
- Conditional access policies that require certain files or systems to only be accessed from specific devices or locations.
None of this requires a security team or enterprise-level tools. It is all achievable with standard business software set up properly and a bit of discipline around access management.
Not sure where your access controls stand?
If you are not certain who can access what in your business, or if offboarding has been informal until now, a quick review can show you where the gaps are.
Talk to us about your security and access setup
Or get in touch directly:
Call: 087 820 5005
WhatsApp: 081 526 1626
Need to tighten access controls or set up proper offboarding? See how our managed security services help