Insider Risk for SMEs: You Don’t Have to Be Hacked to Lose Data
SME takeaway
Your business does not need to be hacked from the outside to lose data.
Sometimes the risk comes from access you already gave to employees, contractors, suppliers, or former staff.
Most SMEs picture cybersecurity as hackers, malware, phishing emails, or criminals trying to break in. That risk is real - but not the only one.
The numbers are a warning sign
13%: said they had sold company logins or knew someone who had.
13%: said selling system access was justifiable. Behaviour, pressure, culture, and controls - not just tech.
24%: accepted secretly working for a competitor. Relevant to client data, pricing, strategy, IP, and confidential documents.
Cifas research published in 2026 found that 13% of UK employees said they had sold company login details or knew someone who had. The survey covered 2,000 UK employees aged 18+ working at companies with 1,000+ staff. The same research found that 13% said selling system access was justifiable, and 24% believed it was acceptable to secretly work for a competitor.
For SME owners the lesson is simple, even though that sample was large employers rather than SMEs: the mechanism does not depend on company size. Data can be exposed through accounts, permissions, devices, shared files, supplier access, or old logins that should have been removed.
This is not about blaming employees
That does not mean every employee is a threat. Most people are honest and want to do the right thing.
But trust alone is not a security control. Passwords get reused. Files are shared with the wrong person. Contractors receive too much access. Former employees keep accounts too long. In some cases, access is misused because of money, pressure, revenge, or personal advantage.
Malwarebytes adds the cyber angle: compromised employee credentials can become a route into company systems, customer data, and internal assets.
What SMEs should control first
Practical access checklist
The answer is not paranoia. It is management.
A working cybersecurity and ISMS approach helps SMEs control access before it becomes a data breach.
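As an added illustration (not code from the original article), here is the kind of periodic access review such an approach relies on: a small Python script run over constructed account records that flags leavers whose accounts are still enabled, contractor or supplier access past its agreed end date, accounts nobody has used recently, and non-employees sitting in sensitive groups. The record fields, the 45-day dormancy threshold and the names of the "sensitive" groups are assumptions chosen for the example, not any particular HR or identity system's schema.

```python
"""Stale-access review: flag accounts that probably should not be active.

Added example for the insider-risk discussion above; not from the
original article. Account records below are constructed sample data and
the field names (email, kind, status, end_date, last_login, access) are
assumptions, not a real HR or identity system's schema.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class Account:
    email: str
    kind: str                      # "employee", "contractor" or "supplier"
    status: str                    # HR status: "active" or "left"
    end_date: Optional[date]       # agreed end of engagement for third parties
    last_login: Optional[date]     # None = never logged in
    access: Set[str] = field(default_factory=set)  # groups/systems granted


# Assumed names of groups that warrant extra scrutiny for non-employees.
SENSITIVE_GROUPS = {"finance", "customer-db", "domain-admin"}
# Assumed threshold: an account unused this long gets questioned.
DORMANT_DAYS = 45


def review(accounts: List[Account], today: date,
           dormant_days: int = DORMANT_DAYS) -> List[Tuple[str, str]]:
    """Return (email, reason) pairs for every account needing a decision.

    One account can produce several findings; each is a separate question
    for the business owner, not a verdict on the person.
    """
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        # Leaver process failed: HR says gone, the account is still there.
        if a.status == "left":
            findings.append((a.email, "leaver still enabled"))
        # Third-party engagement ended but access was never revoked.
        if a.end_date is not None and a.end_date < today and a.status != "left":
            findings.append((a.email, "third-party access past end date"))
        # Nobody uses it: either unneeded or nobody would notice misuse.
        if a.last_login is None or (today - a.last_login).days > dormant_days:
            findings.append((a.email, f"no login in {dormant_days} days"))
        # Contractors and suppliers should rarely hold sensitive group access.
        sensitive = a.access & SENSITIVE_GROUPS
        if a.kind != "employee" and sensitive:
            findings.append((a.email, "third party in sensitive group: "
                             + ", ".join(sorted(sensitive))))
    return findings


# Constructed sample data (not real people or systems).
TODAY = date(2025, 6, 1)
SAMPLE = [
    Account("anna@example.com", "employee", "active", None,
            date(2025, 5, 30), {"crm"}),
    Account("ben@example.com", "employee", "left", None,
            date(2025, 4, 2), {"crm", "finance"}),
    Account("cara@contractor.example", "contractor", "active",
            date(2025, 3, 31), date(2025, 5, 29), {"customer-db"}),
    Account("dev@supplier.example", "supplier", "active",
            date(2025, 12, 31), None, {"vpn"}),
]

if __name__ == "__main__":
    for email, reason in review(SAMPLE, TODAY):
        print(f"{email:28} {reason}")
```

Run on the sample data this produces five findings: two for the leaver (still enabled, and dormant for 60 days), two for the contractor (engagement ended in March, and direct access to the customer database), and one for the supplier account that has never logged in. Feeding it an export from whatever directory or SaaS admin console an SME actually uses is the real work; the logic itself is deliberately simple so the owner can read and argue with each rule.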
You cannot remove insider risk completely - but you can stop ignoring it.
Trust people. Control access. Verify what matters.
Once you treat access as a business risk, not just an IT issue, you can start managing it properly.
I work with organisations across Europe on NIS2 compliance, penetration testing, and security strategy. Practical advice, no overselling.