Your Biggest Cyber Risk Isn't Outside Your Firewall. It's on Your Payroll.
Most small businesses invest in perimeter security and assume the threat is outside. The data tells a different story. The most financially damaging cyber incidents don't break through your defenses — they walk past them, using legitimate access your own employees already have.
In May 2025, Coinbase discovered that cyber attackers had recruited a group of their own customer support agents — employees with legitimate system access — and bribed them to hand over customer data. The attackers then used that data to impersonate Coinbase representatives, manipulating customers into sending them cryptocurrency. When the attackers contacted Coinbase demanding a $20 million ransom, the company refused to pay. The total cost — including customer reimbursements, security upgrades, and regulatory response — ran significantly higher.
Coinbase isn't a naive startup. They're one of the most security-conscious companies in the world. Their firewall didn't fail. Their perimeter didn't fail. Their people did — not through malice, but through human vulnerability to financial pressure.
This is the cyber risk most small businesses never see coming. Not because it's new — it's been the dominant threat vector for years. But because the entire security industry has spent decades selling perimeter protection, and the conversation about what happens inside the perimeter has never caught up.
The three employees who are costing you the most
The outdated picture of the insider threat is a disgruntled employee deliberately stealing files on their way out the door. That person exists — but they represent only a fraction of the real risk. The Ponemon Institute's 2025 research identified three distinct insider threat profiles, and the most expensive one is the one nobody is talking about.
The Negligent Employee
55% of incidents — Ponemon 2025
The Compromised Insider
20% of incidents — Ponemon 2025
The Malicious Insider
25% of incidents — Ponemon 2025
Why your firewall can't help you here
The firewall was designed to stop unauthorized access. It does that job reasonably well. But the insider threat — in all three of its forms — operates entirely within authorized access. The negligent employee who pastes client data into an AI tool is using their authorized credentials on their authorized device. The attacker operating through a compromised account has a valid username and password. The malicious insider is accessing files they have every right to access.
This isn't a criticism of firewalls — perimeter security is necessary and important. The problem is when it becomes the primary investment and the conversation stops there. Seventy-two percent of organizations lack full visibility into how employees interact with sensitive data, according to Fortinet's 2025 Insider Risk Report. More than half report they don't have adequate tools to monitor insider risk. The perimeter is defended. The inside is dark.
The AI multiplier — why this is getting worse, fast
The rise of AI tools has significantly amplified every category of insider threat. The negligent employee now has dozens of powerful AI tools at their fingertips — tools that are useful, free, and actively encouraged for productivity. The problem is that those tools process whatever they're given. Client contracts. Strategy documents. Employee records. Financial projections. The data flows out through an interface that looks like a productivity tool and functions like an unmonitored data transfer.
Verizon's 2025 Data Breach Investigations Report found that 15% of employees were routinely accessing generative AI systems on corporate devices — with 72% of those accounts linked to non-corporate emails, placing them entirely outside company monitoring. This isn't shadow IT in the old sense of an employee using a personal Dropbox. It's an employee feeding your most sensitive business data to an external AI system, under terms of service you've never read, with data retention policies you've never evaluated.
And on the other side of the equation, AI is making it dramatically easier to recruit and manipulate insiders. The Coinbase case involved direct financial recruitment. But AI-powered spear phishing — personalized, convincing, indistinguishable from legitimate communications — is now being used to socially engineer employees into becoming unwitting insiders, handing over credentials or taking actions that open access without ever knowing they've done anything wrong.
What actually catches insider threats
The good news is that insider threats — especially negligent and compromised ones — leave behavioral signals. The bad news is that most SMBs have no system to read them. Here's what actually works:
Access control and least privilege — reduce the blast radius
The single most effective structural control. If employees only have access to what they need for their specific role, a compromised or negligent insider can only expose what they can reach. Audit access quarterly. Remove permissions that have accumulated over time. Treat admin access as a privilege that requires active justification, not a default that comes with seniority.
Behavioral monitoring — watch for the signals
Large data downloads outside normal hours. Access to files unrelated to an employee's role. Login from an unusual location or device. Emails to personal accounts containing attachments. These behavioral anomalies are visible signals that something is wrong — if anyone is looking. Most SMBs aren't looking.
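The four signals listed above can be checked with a few lines of code against the audit logs most SMBs already have (file server, identity provider, mail gateway). The example below is added here and is not the article's code or any product's; it runs over a constructed, pipe-separated audit log and constructed baselines (the users, role scopes, known devices and thresholds are all hypothetical). It also goes one step beyond the article: it correlates an unusual login with out-of-scope file access by the same account, which is the compromised-insider pattern described earlier.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log (hypothetical users; not output of any real system).
# Format: timestamp|user|event|key=value|key=value...
SAMPLE_LOG = """\
2025-06-02T09:15:00|alice|login|loc=Denver|device=LT-ALICE
2025-06-02T09:40:00|alice|file_access|path=/finance/q2-forecast.xlsx
2025-06-02T10:05:00|bob|login|loc=Denver|device=LT-BOB
2025-06-02T10:30:00|bob|file_access|path=/engineering/roadmap.docx
2025-06-02T23:10:00|alice|download|bytes=2400000000|path=/finance/all-clients.zip
2025-06-03T02:00:00|bob|login|loc=Lagos|device=UNKNOWN-PC
2025-06-03T02:12:00|bob|file_access|path=/finance/payroll-2025.xlsx
2025-06-03T11:00:00|carol|email|to=carol.personal@gmail.com|attachment=contracts.pdf
2025-06-03T11:30:00|carol|email|to=client@example.com|attachment=proposal.pdf
"""

# Constructed baselines: the share each role is expected to touch, and the
# locations/devices each user normally logs in from. In practice these come
# from the HR role matrix and from 30-90 days of prior login history.
ROLE_SCOPE = {"alice": "finance", "bob": "engineering", "carol": "sales"}
KNOWN_LOGIN = {
    "alice": {"loc": {"Denver"}, "device": {"LT-ALICE"}},
    "bob": {"loc": {"Denver"}, "device": {"LT-BOB"}},
    "carol": {"loc": {"Denver"}, "device": {"LT-CAROL"}},
}
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}
LARGE_DOWNLOAD_BYTES = 1_000_000_000   # 1 GB; tune to what is normal for the business
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time, Monday to Friday


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    fields: dict


@dataclass
class Alert:
    user: str
    rule: str
    detail: str


def parse_log(text):
    """Parse the pipe-separated log into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, kind, *kv = line.split("|")
        fields = dict(part.split("=", 1) for part in kv)
        events.append(Event(datetime.fromisoformat(ts), user, kind, fields))
    return events


def off_hours(ts):
    """True on weekends or outside the configured business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect(events):
    """Apply the four behavioural rules from the article to each event."""
    alerts = []
    for e in events:
        f = e.fields
        # 1. Large download outside normal hours.
        if e.kind == "download" and int(f["bytes"]) >= LARGE_DOWNLOAD_BYTES and off_hours(e.ts):
            alerts.append(Alert(e.user, "large_download_off_hours",
                                f"{int(f['bytes']) / 1e9:.1f} GB at {e.ts:%H:%M} from {f['path']}"))
        # 2. Access to a share unrelated to the user's role (top-level path component).
        if e.kind in ("file_access", "download"):
            share = f["path"].split("/")[1]
            if share != ROLE_SCOPE.get(e.user):
                alerts.append(Alert(e.user, "out_of_scope_access",
                                    f"{f['path']} (role scope: {ROLE_SCOPE.get(e.user)})"))
        # 3. Login from a location or device not in the user's baseline.
        if e.kind == "login":
            base = KNOWN_LOGIN.get(e.user, {"loc": set(), "device": set()})
            if f["loc"] not in base["loc"] or f["device"] not in base["device"]:
                alerts.append(Alert(e.user, "unusual_login", f"{f['loc']} / {f['device']}"))
        # 4. Attachment sent to a personal (consumer webmail) account.
        if e.kind == "email" and "attachment" in f:
            domain = f["to"].rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_MAIL_DOMAINS:
                alerts.append(Alert(e.user, "personal_email_attachment",
                                    f"{f['attachment']} -> {f['to']}"))
    return alerts


def likely_compromised(alerts):
    """Users with an unusual login AND out-of-scope access: the compromised-insider pattern."""
    rules = {}
    for a in alerts:
        rules.setdefault(a.user, set()).add(a.rule)
    return sorted(u for u, r in rules.items() if {"unusual_login", "out_of_scope_access"} <= r)


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"[{a.rule}] {a.user}: {a.detail}")
    print("possible account compromise:", likely_compromised(found))
```

On the constructed log this raises one alert per rule (alice's 2.4 GB download at 23:10, bob's login from Lagos on an unknown device, bob reading a finance file outside his engineering scope, carol mailing contracts to a Gmail address) and singles out bob as the account whose pattern matches a takeover rather than a one-off mistake. The thresholds and baselines are the part that needs local tuning; the rules themselves are deliberately simple so that the output can be reviewed by whoever owns security at a small company.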
AI tool policy — name the approved tools, retire the rest
Create a short approved list of AI tools with appropriate data protections. Make it easy for employees to use approved tools and clearly communicate the risk of unapproved ones. The goal isn't to ban AI — it's to ensure that when your employees use it, your client data isn't going somewhere you've never evaluated. Most SMBs have no AI tool policy at all.
Offboarding as a security event — not an HR formality
Third-party credentials and departed employee accounts remain active long after projects end or employment concludes. Every active account belonging to someone who no longer works for you is an unmonitored access point. Treat every departure as a security event: revoke access on the final day, audit what was accessed in the preceding weeks, recover devices before the person leaves.
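The quarterly access audit described under least privilege and the departure review described here are the same reconciliation: compare every enabled account against the HR roster and the role baseline, and list what should not be there. The script below is an added example, not the article's own or any vendor's tooling; the roster, role baseline, group names, admin-justification list and account export are all constructed and hypothetical, and a real run would read them from the identity provider and HR system.

```python
from dataclasses import dataclass
from datetime import date

REVIEW_DATE = date(2025, 6, 10)   # date of this access review (constructed)
DORMANT_DAYS = 90                 # accounts unused longer than this get flagged

# Constructed HR roster: who works here, in what role, and who has left.
ROSTER = {
    "alice": {"role": "finance", "status": "active"},
    "bob": {"role": "engineering", "status": "active"},
    "dave": {"role": "sales", "status": "departed", "end_date": "2025-04-30"},
}

# Constructed role baseline: the groups a role legitimately needs. Anything
# beyond this is accumulated access that should be removed.
ROLE_BASELINE = {
    "finance": {"finance-share", "erp-users"},
    "engineering": {"eng-share", "git-users"},
    "sales": {"crm-users"},
}
ADMIN_GROUPS = {"domain-admins"}
ADMIN_JUSTIFIED = {"bob"}   # users with a recorded, current reason for admin rights


@dataclass
class Account:
    user: str
    enabled: bool
    groups: frozenset
    last_login: date


# Constructed account export, as an identity provider or file server would list it.
ACCOUNTS = [
    Account("alice", True, frozenset({"finance-share", "erp-users", "eng-share", "domain-admins"}), date(2025, 6, 9)),
    Account("bob", True, frozenset({"eng-share", "git-users", "domain-admins"}), date(2025, 6, 9)),
    Account("dave", True, frozenset({"crm-users"}), date(2025, 4, 29)),
    Account("vendor-svc", True, frozenset({"eng-share"}), date(2025, 1, 15)),
]


@dataclass
class Finding:
    user: str
    issue: str
    detail: str
    action: str


def review(accounts, roster, today=REVIEW_DATE):
    """Reconcile enabled accounts against the roster and role baseline."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        person = roster.get(acct.user)
        if person is None:
            # Third-party or service credential with no owner in HR.
            findings.append(Finding(acct.user, "orphan_account",
                                    "no owner in HR roster", "assign an owner or disable"))
        elif person["status"] == "departed":
            # Offboarding gap: the person left but the account is still live.
            findings.append(Finding(acct.user, "departed_still_enabled",
                                    f"left {person['end_date']}",
                                    "disable now; review activity in the weeks before departure"))
            continue
        else:
            allowed = ROLE_BASELINE.get(person["role"], set())
            # Groups outside the role baseline (admin groups are judged separately).
            for g in sorted(acct.groups - allowed - ADMIN_GROUPS):
                findings.append(Finding(acct.user, "excess_group", g,
                                        f"remove; not in {person['role']} baseline"))
            # Admin membership must have an active justification, not just seniority.
            for g in sorted(acct.groups & ADMIN_GROUPS):
                if acct.user not in ADMIN_JUSTIFIED:
                    findings.append(Finding(acct.user, "unjustified_admin", g,
                                            "remove or record a justification"))
        if (today - acct.last_login).days > DORMANT_DAYS:
            findings.append(Finding(acct.user, "dormant_account",
                                    f"last login {acct.last_login}", "disable"))
    return findings


if __name__ == "__main__":
    for f in review(ACCOUNTS, ROSTER):
        print(f"{f.user:12} {f.issue:24} {f.detail:28} -> {f.action}")
```

Run against the constructed data it reports alice's leftover engineering share and unjustified admin membership, dave's account still enabled six weeks after his end date, and a vendor service account nobody owns that has not logged in for five months. Each finding carries the action to take, so the output doubles as the work list for the review and as evidence that it happened.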
Training that reflects the actual threat — not 2015's version of it
Employees with consistent, simulation-based security training are 7 times less likely to fall for phishing, according to Cofense research. But training that focuses only on spotting typos in emails is obsolete. Modern security training needs to cover AI tool risk, social engineering, credential hygiene, and clear reporting channels — including a culture where employees feel safe reporting mistakes without fear of punishment.
The reframe every SMB owner needs
The question "are we secure?" almost always gets answered by pointing at the firewall, the antivirus, and the password policy. Those things matter. But they answer the wrong question. The right question is: "If one of our employees made a mistake — or had their credentials stolen — right now, what could an attacker reach, and how quickly would we know?"
For most small businesses, the honest answer is: almost everything, and not for 81 days.
That's not a technology failure. It's a visibility failure. The organizations that handle insider threats well aren't necessarily the most technically sophisticated — they're the ones with the clearest picture of who has access to what, the earliest signal when something looks wrong, and the fastest response when it does.
Your firewall is working exactly as designed. The question is what's happening on the other side of it — on your payroll, on your devices, behind your trusted login screens. That's where the real risk lives. And that's where the real investment needs to go.
See what's exposed on your perimeter — before an attacker uses it to get inside. Veriti Spottr's beta is free.