Your Complete Insider Threat Defence Action Plan: From Assessment to Implementation
What We’ve Learned This Week
This week, we explored an uncomfortable truth: 57% of school data breaches are caused by insiders, often using techniques so basic that only 5% of cases required sophisticated skills. We’ve seen Matthew Lane extort $2.85 million from PowerSchool after breaching data on 62 million students. We’ve watched Trevor Graves run a grade-change business from his dorm room for four months. We’ve examined how Vice Society leaked 500GB of school data, and how Blacon High School was closed for five days after a ransomware attack.
The consistent lesson across every case: insider threats succeed because of fundamental security failures that any organization can address.
Today, we bring it all together with your complete action plan.
The Reality of Your Situation
Let’s start with brutal honesty about where you probably are:
If you’re like most small businesses:
- Some employees have admin access who shouldn’t
- Multi-factor authentication isn’t enabled everywhere
- You’re not sure who has access to what
- Passwords are either too complex (and written down) or too simple
- You have backups but haven’t tested restoration recently
- Your incident response plan is “we’ll figure it out when something happens”
- Security training consists of “don’t click suspicious links”
The good news: Every one of these is fixable. None requires unlimited budget or dedicated security staff. All can be addressed with focused effort over 90 days.
Your Implementation Framework
We’re going to build your insider threat defence using a layered approach, starting with the most impactful changes that require the least effort.
Layer 1: Foundation (Week 1) - The Non-Negotiables
These are the absolute minimum security measures. If you do nothing else, do these.
Action 1: Enable Multi-Factor Authentication
Time Required: 2-4 hours for initial setup
Cost: Free (included with most business platforms)
Impact: Stops most credential-based attacks, because a stolen or guessed password is no longer enough on its own
Specific Steps:
- Enable MFA on email (Microsoft 365, Google Workspace)
  - Admin portal > Security > MFA settings
  - Require it for all users, not just admins
  - Use an authenticator app or hardware security key rather than SMS wherever possible
- Enable MFA on cloud services
  - Cloud storage (Dropbox, OneDrive, Google Drive)
  - Collaboration tools (Slack, Teams)
  - Financial systems (Xero, QuickBooks)
- Communicate to the team
  - “We’re improving security with two-step verification”
  - Provide simple setup instructions
  - Be available for questions during rollout
Check: Once MFA is on, look for the exceptions. Service accounts, shared mailboxes and any legacy protocol still using basic authentication (IMAP, POP, SMTP AUTH) sidestep MFA entirely, so disable them or move them to app-specific credentials.
Resources:
- Microsoft MFA setup guide: https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication
- Google 2-Step Verification: https://support.google.com/accounts/answer/185839
Action 2: Audit User Access
Time Required: 2-3 hours
Cost: Free
Impact: Reduces attack surface by removing access nobody needs
Specific Steps:
- Create an access inventory spreadsheet with columns:
  - User name
  - Systems they can access
  - Permission level (user/admin)
  - Business justification
  - Last access review date
- For each user, ask:
  - Do they need access to this system for their current role?
  - Is admin access necessary, or would user access suffice?
  - When did we last verify this access is still needed?
- Remove unnecessary access immediately
  - Start with admin privileges
  - Then address system access for former employees
  - Finally, remove access to systems not needed for the current role
- Document decisions
  - Why certain access was removed
  - Why certain access was retained
  - When the next review is scheduled
Pull the user lists from each system’s own admin console rather than from memory. The accounts you have forgotten about (former staff, contractors, the consultant who set up the file share) are exactly the ones this exercise exists to find.
Template: Download our Access Audit Spreadsheet at [your website]
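The review above is easy to do once in a spreadsheet and hard to repeat consistently each quarter. The script below is an added example, not code from the original post: it takes the inventory in the same columns the post describes (exported from the spreadsheet as CSV), applies the three questions in the post’s remediation order and produces a findings list plus the headline numbers the metrics section later asks for. The sample inventory is constructed, and the `status` column (active/left), the fixed audit date and the 90-day review window are assumptions added so former employees and overdue reviews can be picked up.

```python
"""Access audit: flag access to remove or re-justify, in the post's remediation order.

Added example, not from the original post. The inventory below is a constructed
sample in the post's columns (user, system, permission, justification, last review);
the `status` column (active/left), AUDIT_DATE and the 90-day window are assumptions.
"""
import csv
import io
from datetime import date

# Constructed sample inventory, not real data.
INVENTORY_CSV = """\
user,system,permission,justification,last_review,status
alice,Microsoft 365,admin,Tenant global admin (owner),2024-05-01,active
bob,Microsoft 365,admin,,2023-06-01,active
carol,Xero,user,Raises and pays invoices,2024-04-10,active
dave,Dropbox,admin,Set the account up in 2021,2022-11-20,left
erin,Slack,user,Team communication,2024-05-15,active
frank,Xero,admin,Year-end accounts access,2024-04-05,active
"""

AUDIT_DATE = date(2024, 6, 30)   # fixed so the sample report is reproducible
REVIEW_PERIOD_DAYS = 90          # assumption: quarterly access reviews

# Check order doubles as remediation priority, following the post: admin
# privileges first, then former employees, then access no longer reviewed.
ACTIONS = {
    "unjustified-admin": "downgrade to a user account unless the owner records a reason",
    "former-employee": "revoke all access today and rotate any shared credentials they knew",
    "overdue-review": "re-confirm with the line manager that the access is still needed",
}
PRIORITY = {reason: rank for rank, reason in enumerate(ACTIONS)}


def load_inventory(text):
    """Parse the CSV export of the access spreadsheet into row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(rows, today=AUDIT_DATE):
    """Return one finding per (user, system) that needs action, most urgent first."""
    findings = []
    for row in rows:
        days = (today - date.fromisoformat(row["last_review"])).days
        reasons = []
        if row["permission"] == "admin" and not row["justification"].strip():
            reasons.append("unjustified-admin")
        if row["status"] == "left":
            reasons.append("former-employee")
        if days > REVIEW_PERIOD_DAYS:
            reasons.append("overdue-review")
        if reasons:
            findings.append({
                "user": row["user"],
                "system": row["system"],
                "permission": row["permission"],
                "days_since_review": days,
                "reasons": reasons,
                "action": ACTIONS[reasons[0]],  # reasons are appended in priority order
            })
    findings.sort(key=lambda f: PRIORITY[f["reasons"][0]])
    return findings


def summarise(rows, findings):
    """Headline numbers worth tracking month to month."""
    active = [r for r in rows if r["status"] == "active"]
    return {
        "entries": len(rows),
        "active_admins": sum(1 for r in active if r["permission"] == "admin"),
        "findings": len(findings),
        "appropriate_access_pct": round(100 * (len(rows) - len(findings)) / len(rows)),
    }


def audit(text=INVENTORY_CSV, today=AUDIT_DATE):
    """Run the whole review and return (findings, summary)."""
    rows = load_inventory(text)
    findings = review_access(rows, today)
    return findings, summarise(rows, findings)


if __name__ == "__main__":
    findings, summary = audit()
    for f in findings:
        print(f"{f['user']:<6} {f['system']:<14} {f['permission']:<6} {', '.join(f['reasons'])}")
        print(f"       -> {f['action']}")
    print(summary)
```

On the sample data the report lists bob first (admin with no recorded justification, last reviewed over a year ago) and then dave (left the company, still an admin on the file share); alice, carol, erin and frank are clean. Re-run it after each quarterly review and the `appropriate_access_pct` figure becomes the access-control metric for the monthly dashboard.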
Action 3: Test Your Backups
Time Required: 1-2 hours
Cost: Free
Impact: Confirms you can actually recover from ransomware or data loss
Specific Steps:
- Identify your most critical data:
  - Customer database
  - Financial records
  - Current projects
- Attempt restoration:
  - Select a non-critical file from each backup
  - Follow your restoration procedure
  - Verify the restored file opens and is usable
- Document results:
  - What worked?
  - What failed?
  - How long did restoration take?
  - What improvements are needed?
- If restoration fails:
  - This is your top priority to fix
  - Consider this a critical business risk
  - Implement a proper backup immediately
Critical Point: Backups you haven’t tested are backups you don’t have.
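“Verify the restored file opens” catches gross failures but not a file that is silently truncated, or one that never made it into the backup at all. The script below is an added example, not from the original post: at backup time it records a SHA-256 manifest of the files being protected, then restores into a scratch directory, compares every restored file against that manifest and times the restore, which is the number the post asks you to record. A tar.gz archive stands in for whatever backup product you run, and the live data, the backup and the deliberately damaged restore are all constructed in a temporary directory so it runs offline.

```python
"""Restore test with byte-for-byte verification and a timed restore.

Added example, not from the original post. A tar.gz archive stands in for your
backup product; the live data, backup and damaged restore are constructed in a
temporary directory.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive):
    return Path(archive).parent / (Path(archive).name + ".manifest.json")


def back_up(source, archive):
    """Write the archive and, beside it, the manifest of what it should contain."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(Path(source) / rel, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest


def restore(archive, restore_dir):
    """Extract the archive into restore_dir; return the elapsed seconds."""
    start = time.perf_counter()
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # refuses '..' and absolute member paths
        except TypeError:  # Python without the filter argument (pre-3.12 non-security releases)
            tar.extractall(restore_dir)
    return time.perf_counter() - start


def verify_restore(archive, restore_dir):
    """Compare the restored tree with the manifest saved at backup time."""
    expected = json.loads(manifest_path(archive).read_text())
    actual = build_manifest(restore_dir)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not missing and not corrupted, "missing": missing, "corrupted": corrupted}


def restore_and_verify(archive, restore_dir):
    seconds = restore(archive, restore_dir)
    result = verify_restore(archive, restore_dir)
    result["restore_seconds"] = round(seconds, 3)
    return result


def demo():
    """Constructed run: a clean restore passes; a restore with one file missing
    and one truncated is reported file by file instead of 'it opened'."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "customers").mkdir(parents=True)
        (live / "finance").mkdir()
        (live / "customers" / "crm.csv").write_text("id,name\n1,Example Ltd\n")
        (live / "finance" / "ledger-2024.csv").write_text("date,amount\n2024-06-01,1200.00\n")
        archive = tmp / "nightly.tar.gz"
        back_up(live, archive)

        clean = restore_and_verify(archive, tmp / "restore-ok")

        damaged_dir = tmp / "restore-damaged"
        restore(archive, damaged_dir)
        (damaged_dir / "customers" / "crm.csv").unlink()                     # file lost
        (damaged_dir / "finance" / "ledger-2024.csv").write_text("date,amount\n")  # file truncated
        damaged = verify_restore(archive, damaged_dir)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:  ", clean)
    print("damaged restore:", damaged)
```

This checks integrity, not survivability. Run the restore on a machine other than the original, so you know the procedure works when the original is encrypted or gone, and keep at least one copy offline or immutable, because ransomware that reaches your network will go after connected backups too.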
Layer 2: Enhancement (Weeks 2-4) - Building Capability
Once foundation is solid, add these capabilities.
Action 4: Implement Password Manager
Time Required: 4-6 hours for setup and initial training
Cost: £3-8 per user per month
Impact: Removes weak, reused and written-down passwords, the failures behind most credential compromises
Recommended Solutions:
- Keeper (from £1.83/user/month): This is the one I use.
- 1Password for Business (£7-8/user/month): Excellent user experience, strong security
- Bitwarden (£3-4/user/month): Open source, budget-friendly, solid features
- Dashlane Business (£5-6/user/month): Good balance of features and price
Implementation Steps:
- Choose a solution based on:
  - Budget
  - Ease of use for your team
  - Integration with existing tools
- Admin setup:
  - Create the organizational account
  - Configure security policies
  - Set up user groups
  - Enable MFA for the password manager itself
- User onboarding:
  - Install browser extensions and apps
  - Import existing passwords
  - Generate new strong passwords for critical systems
  - Practice using the password manager for common tasks
- Gradual rollout:
  - Week 1: Email passwords
  - Week 2: Cloud service passwords
  - Week 3: Business application passwords
  - Week 4: Shared/team passwords
The master password is now the one password that matters: make it long and unique, protect it with MFA, and set up the vault’s emergency access or admin recovery before anyone locks themselves out.
Success Metric: No passwords written down anywhere within 30 days
Action 5: Establish Activity Monitoring
Time Required: 3-4 hours for initial setup
Cost: Free (using existing platform tools)
Impact: Enables detection of unusual or unauthorized activity
For Microsoft 365:
- Enable audit logging:
  - Microsoft Purview compliance portal > Audit > Start recording user and admin activity
  - Keep at least 90 days of logs; longer retention needs a higher licence tier
- Set up alerts:
  - Unusual login locations
  - Mass file downloads
  - Admin privilege changes
  - Failed login attempts (>5 in 1 hour)
- Create a review schedule:
  - Weekly review of alerts
  - Monthly review of admin activity
  - Quarterly comprehensive audit
For Google Workspace:
- Enable audit logging:
  - Admin console > Reporting > Audit and investigation
  - Configure log retention
- Set up the alert center:
  - Security > Alert center > Rules
  - Configure for suspicious activity
- Review schedule:
  - Daily check of alerts
  - Weekly detailed review
  - Monthly pattern analysis
Auditing is usually on by default for new tenants, but confirm it rather than assume it: if the logs were never recorded, no alert rule can recover them. Write down who reads the alerts and when; an alert nobody looks at is the same as no alert.
Resources:
- Microsoft 365 Alert Policies: https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies
- Google Workspace Security Center: https://support.google.com/a/answer/9320190
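The alert rules above are the right ones, and the built-in policies are easier to trust once you have seen what they are actually counting. The script below is an added example, not from the original post and not Microsoft’s code: it reads audit records in the shape of a Microsoft 365 unified audit log export (JSON, one record per line with CreationTime, UserId and Operation) and implements three of the four rules over a sliding time window: more than five failed sign-ins in an hour, a burst of file downloads, and any change to a privileged role. The records are constructed; the operation names (UserLoginFailed, UserLoggedIn, FileDownloaded, “Add member to role.”) are the ones the unified audit log uses; the download threshold of 50 files in 10 minutes is an assumption because the post gives none; and “unusual login location” is left out because it needs a geolocation lookup.

```python
"""Run the post's alert rules over audit records, to see what they actually count.

Added example, not from the original post or from Microsoft. Records are constructed
in the shape of a Microsoft 365 unified audit log export: one JSON object per line
with CreationTime, UserId, Operation and a few workload fields. The download
threshold is an assumption; the post only gives the failed-sign-in threshold.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Burst rules: more than `threshold` events of `operation` by one user inside `window`.
BURST_RULES = [
    ("failed_logins", "UserLoginFailed", 5, timedelta(hours=1)),     # from the post: >5 in 1 hour
    ("mass_download", "FileDownloaded", 50, timedelta(minutes=10)),  # assumption: >50 files in 10 minutes
]
# A single occurrence of any of these is worth a human looking at.
ADMIN_OPERATIONS = {"Add member to role."}


def sample_log():
    """Constructed sample records (not real data)."""
    lines = []

    def rec(when, user, op, **fields):
        lines.append(json.dumps({"CreationTime": when, "UserId": user, "Operation": op, **fields}))

    # bob: six failed sign-ins in eighteen minutes, then a success from the same address
    for minute in (1, 4, 7, 11, 15, 19):
        rec(f"2024-06-10T08:{minute:02d}:00", "bob@example.com", "UserLoginFailed",
            ClientIP="203.0.113.7", Workload="AzureActiveDirectory")
    rec("2024-06-10T08:23:00", "bob@example.com", "UserLoggedIn",
        ClientIP="203.0.113.7", Workload="AzureActiveDirectory")
    # erin: three mistyped passwords, below the threshold
    for minute in (30, 31, 33):
        rec(f"2024-06-10T09:{minute:02d}:00", "erin@example.com", "UserLoginFailed",
            ClientIP="198.51.100.20", Workload="AzureActiveDirectory")
    # carol: sixty customer files downloaded in under eight minutes, after hours
    for i in range(60):
        rec(f"2024-06-10T17:{40 + i // 8:02d}:{(i % 8) * 7:02d}", "carol@example.com", "FileDownloaded",
            ObjectId=f"https://contoso.sharepoint.com/sites/Sales/Customers/acct-{i:03d}.xlsx",
            Workload="SharePoint")
    # alice grants bob a directory role
    rec("2024-06-10T18:05:00", "alice@example.com", "Add member to role.",
        ObjectId="bob@example.com", Workload="AzureActiveDirectory")
    return "\n".join(lines)


def parse_log(text):
    """One record per line; returns records sorted by time with a parsed `_time`."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["_time"] = datetime.fromisoformat(rec["CreationTime"])
            events.append(rec)
    events.sort(key=lambda r: r["_time"])
    return events


def burst_alerts(events, rule, operation, threshold, window):
    """Sliding window per user: alert the first time the count inside `window` exceeds `threshold`."""
    times_by_user = defaultdict(list)
    for e in events:
        if e["Operation"] == operation:
            times_by_user[e["UserId"]].append(e["_time"])
    alerts = []
    for user, times in times_by_user.items():  # times are already in time order
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events that have fallen out of the window
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts.append({"rule": rule, "user": user, "count": count,
                               "first": times[start].isoformat(), "last": t.isoformat()})
                break  # one alert per user per rule is enough for a weekly review
    return alerts


def admin_change_alerts(events):
    return [{"rule": "admin_privilege_change", "user": e["UserId"], "target": e.get("ObjectId"),
             "time": e["_time"].isoformat()} for e in events if e["Operation"] in ADMIN_OPERATIONS]


def detect(text):
    """Run every rule and return the alerts in time order."""
    events = parse_log(text)
    alerts = admin_change_alerts(events)
    for rule, operation, threshold, window in BURST_RULES:
        alerts.extend(burst_alerts(events, rule, operation, threshold, window))
    return sorted(alerts, key=lambda a: a.get("first") or a["time"])


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

On the sample it raises three alerts: bob’s six failures (the successful sign-in from the same address a few minutes later is the part to chase), carol’s download burst, and alice adding bob to a role. erin’s three typos stay quiet. If you run this against a real Purview audit search export, adapt `parse_log` to read the record out of the `AuditData` column that the CSV export wraps it in, and expect to tune the download threshold to your own team’s normal volume.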
Action 6: Separate Admin Accounts
Time Required: 2-3 hours
Cost: Free
Impact: Limits the damage from a compromised account
Implementation:
- Identify users who need admin access (keep it to a handful, but at least two so you are never locked out)
- Create separate accounts:
  - Regular account: firstname.lastname@company.com
  - Admin account: admin.firstname.lastname@company.com
- Configure usage:
  - Regular account for daily work
  - Admin account only for administrative tasks
  - Different passwords for each (managed by the password manager), and MFA on both
  - No mailbox and no more licences than administration needs on the admin account: an account that never receives email cannot be phished through it, and it keeps the admin identity out of the browser sessions malware targets
- Train admins:
  - When to use which account
  - How to switch between accounts
  - Why this protects everyone
Example:
- Noel Bradford uses noel.bradford@company.com for email and daily work
- For admin tasks, he uses admin.noel.bradford@company.com
- If his regular account is compromised, the attacker doesn’t get admin access
Layer 3: Maturity (Weeks 5-8) - Advanced Protection
Build on the foundation and enhancement layers with more sophisticated controls.
Action 7: Implement Network Segmentation
Time Required: 4-8 hours (may require an IT consultant)
Cost: £300-800 for equipment, £500-1,000 for a consultant if needed
Impact: Limits what attackers can reach even if they breach the perimeter
Basic Segmentation:
- Separate guest WiFi
  - No access to internal resources
  - Internet only
  - Different SSID and password
- IoT/device network
  - Printers, cameras, smart devices
  - Isolated from the business network
  - Internet access only
- Main business network
  - Employee workstations
  - Standard access controls
- Restricted network
  - Financial systems
  - Sensitive data servers
  - Limited to authorized users/devices
Equipment Needed:
- Business-grade router with VLAN support (£200-400)
- Managed switches if needed (£100-300)
- Professional configuration (£500-1,000 if outsourcing)
A VLAN on its own is only a label; the separation comes from the firewall rules between VLANs. After configuration, test it: from the guest and IoT networks you should not be able to reach a workstation or the finance server. Printers do need to be reachable, so allow that one direction (workstations to the printer) rather than moving printers back onto the main network.
ROI: Even if one device is compromised, segmentation limits lateral movement to the segment it sits on
Action 8: Establish Data Classification
Time Required: 6-10 hours
Cost: Free to £500 for small team training
Impact: Ensures appropriate protection for sensitive data
Classification Scheme:
- Public: Can be freely shared
  - Marketing materials
  - Public website content
  - Published reports
- Internal: For company use only
  - General business communications
  - Non-sensitive project documents
  - Internal procedures
- Confidential: Restricted access, business impact if disclosed
  - Customer data
  - Financial information
  - Business strategy documents
- Restricted: Highest sensitivity, significant harm if disclosed
  - Personal employee data
  - Banking credentials
  - Trade secrets
  - Legal documents
Implementation:
- Document the classification scheme
- Train staff on the classifications
- Label documents appropriately
- Configure access controls based on classification
- Audit classified data regularly
Tools:
- Microsoft Information Protection, now part of Microsoft Purview (included in many M365 plans)
- Google Drive labels and permissions
- Document management systems with classification features
Action 9: Deploy Endpoint Detection and Response (EDR)
Time Required: 4-6 hours for deployment
Cost: £3-8 per device per month
Impact: Detects and responds to threats on devices
Recommended EDR Solutions for SMBs:
- Microsoft Defender for Endpoint (£4-6/device/month): Integrated with Windows
- SentinelOne (£5-8/device/month): Strong detection, autonomous response
- CrowdStrike Falcon (£6-8/device/month): Cloud-native, excellent threat intelligence
Key Features to Ensure:
- Real-time threat detection
- Behavioral analysis
- Automated response capabilities
- Centralized management console
- Integration with existing security tools
Deployment Steps:
- Choose a solution based on budget and technical capability
- Deploy agents to all devices (workstations, laptops, servers)
- Configure detection policies
- Set up alerting and response workflows
- Train the team on responding to alerts
EDR only helps if someone answers the alert. If nobody in-house will watch the console, budget for the vendor’s or an MSP’s managed detection and response service rather than running an agent nobody monitors.
Layer 4: Optimization (Weeks 9-12) - Continuous Improvement
The final layer focuses on testing, refining, and sustaining your security posture.
Action 10: Conduct Tabletop Exercise
Time Required: 2-3 hours
Cost: Free
Impact: Validates incident response procedures, identifies gaps
Scenario Planning: Create realistic scenarios based on this week’s case studies:
Scenario 1: Credential Compromise
- “An employee’s laptop was stolen with saved passwords”
- What do we do?
- Who needs to be notified?
- How do we prevent further access?
- How do we investigate the extent of compromise?
Scenario 2: Insider Data Theft
- “Monitoring alerts show an employee downloaded 200 customer files after receiving a job offer from a competitor”
- How do we respond?
- What evidence do we preserve?
- What are our legal obligations?
- How do we prevent further data loss?
For this scenario the order matters: preserve evidence first (export the relevant audit log entries, disable rather than delete the account, keep the device), involve HR and legal, and only then confront the employee.
Scenario 3: Ransomware Attack
- “Monday morning, systems are encrypted with a ransom note”
- Who do we call?
- How do we restore operations?
- Do we have backups we can trust?
- What do we tell clients?
Exercise Structure:
- Gather key stakeholders (30 min)
- Present the scenario (15 min)
- Team discussion and decision-making (60 min)
- Document lessons learned (30 min)
- Update procedures based on findings (following week)
Action 11: Implement Security Awareness Program
Time Required: 2 hours setup, 30 min/month per employee ongoing
Cost: £10-30 per user per year for a training platform
Impact: Reduces human error and creates a security-aware culture
Platform Options:
- KnowBe4 (£20-30/user/year): Comprehensive, industry leader
- NINJIO (£15-25/user/year): Engaging video-based training
- Cofense PhishMe (£10-20/user/year): Phishing-focused
Training Topics:
- Month 1: Password security and MFA
- Month 2: Recognizing phishing
- Month 3: Social engineering awareness
- Month 4: Data handling and classification
- Month 5: Physical security
- Month 6: Incident reporting
- Repeat the cycle with advanced topics
Beyond Platform Training:
- Monthly security tips in the company newsletter
- Simulated phishing exercises (monthly)
- Security success stories shared
- Security questions encouraged and answered
Action 12: Establish Metrics and Reporting
Time Required: 3-4 hours initial setup, 1 hour monthly maintenance
Cost: Free
Impact: Enables measurement of security posture and improvement
Key Metrics to Track:
Access Control:
- Number of users with admin access
- Time to revoke access for departing employees
- Percentage of accounts with appropriate access level
- Frequency of access reviews
Authentication:
- Percentage of accounts with MFA enabled
- Failed authentication attempts per month
- Password manager adoption rate
- Accounts using weak passwords
Monitoring:
- Security alerts generated per month
- Average time to investigate alerts
- Incidents detected vs incidents missed
- Alert false positive rate
Data Protection:
- Backup success rate
- Time to restore from backup
- Data classification coverage
- Encryption compliance rate
Incident Response:
- Number of incidents per month
- Average time to detect incidents
- Average time to contain incidents
- Incidents resolved without external help
Monthly Dashboard Template: Create a simple dashboard showing:
- Overall security posture score (from Saturday’s assessment)
- Trend lines for key metrics
- Open action items
- Recent incidents and lessons learned
Budget Guidance
Let’s address the elephant in the room: cost. Here’s a realistic budget breakdown for a 20-person business, using the per-user and per-device prices quoted in the actions above.
Year 1 Investment
Essential (Can’t Skip):
- Multi-factor authentication: £0 (included with existing services)
- Password manager: £720-1,920/year (£3-8/user/month × 20 users × 12 months)
- Backup solution: £1,200-3,600/year (£5-15/user/month × 20 users × 12 months)
- Essential Total: £1,920-5,520/year
Recommended (Should Do):
- EDR solution: £540-1,440/year (£3-8/device/month × 15 devices × 12 months)
- Security awareness training: £300-600/year (£15-30/user/year × 20 users)
- Network equipment: £500-1,000 (one-time)
- Recommended Total: £1,340-3,040 in year 1
Advanced (Nice to Have):
- Email security: £1,200-2,400/year
- SIEM solution: £2,400-6,000/year
- Cyber insurance: £1,500-3,000/year
- Advanced Total: £5,100-11,400/year
Total First Year Budget:
- Minimum: £1,920-5,520 (essential only)
- Recommended: £3,260-8,560 (essential + recommended)
- Comprehensive: £8,360-19,960 (all layers)
Context: Compare to the average cost of a data breach for SMBs: £25,000-100,000+
Per Employee Cost:
- Minimum: £96-276/employee/year (£8-23/month)
- Recommended: £163-428/employee/year (£14-36/month)
- Comprehensive: £418-998/employee/year (£35-83/month)
Ongoing Annual Costs (Year 2+)
Ongoing costs are broadly flat rather than lower: the one-time network spend drops out, but you should set aside a similar amount each year to refresh it.
- Software licences: £2,460-6,960/year for the password manager, backup and EDR; £6,060-15,360/year if you also keep email security and a SIEM
- Cyber insurance (if taken): £1,500-3,000/year
- Training and awareness: £300-600/year
- Equipment refresh (amortized): £500-1,000/year
- Managed services (if used): £3,000-12,000/year
Annual Total: £3,260-8,560 (£163-428 per employee) for the essential and recommended layers; £8,360-19,960 (£418-998 per employee) with the advanced layer; managed services come on top of either if you outsource monitoring.
Resource Library
Here are the specific resources mentioned throughout the week:
Official Guidance
- ICO Insider Threat Guidance: https://ico.org.uk/for-organisations/
- NCSC Small Business Guide: https://www.ncsc.gov.uk/collection/small-business-guide
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
Tools and Platforms
Password Management:
- Keeper: https://www.keepersecurity.com/en_GB/pricing/business-and-enterpr
- 1Password for Business: https://1password.com/business
- Bitwarden: https://bitwarden.com/products/business/
- Dashlane Business: https://www.dashlane.com/business
Multi-Factor Authentication:
- Microsoft Authenticator: Free in app stores
- Google Authenticator: Free in app stores
Backup Solutions:
- Acronis Cyber Protect: https://www.acronis.com/en-gb/products/cyber-protect/
- Veeam Backup: https://www.veeam.com
Security Awareness Training:
- KnowBe4: https://www.knowbe4.com
- NINJIO: https://ninjio.com
- Cofense: https://cofense.com
Endpoint Detection:
- Microsoft Defender for Endpoint: https://www.microsoft.com/en-gb/security/business/endpoint-security/microsoft-defender-endpoint
- SentinelOne: https://www.sentinelone.com
- CrowdStrike: https://www.crowdstrike.com
Professional Services
If You Need Help:
- Find CREST-certified security firms: https://www.crest-approved.org
- Cyber Essentials certification: https://www.ncsc.gov.uk/cyberessentials/overview
- Local IT security consultants: [Check reviews and certifications]
Learning Resources
Free Training:
- NCSC Free Courses: https://www.ncsc.gov.uk/training
- Microsoft Security Training: https://learn.microsoft.com/en-us/training/browse/?terms=security
- Google Security Training: https://cloud.google.com/security/training
Podcasts:
- The Small Business Cyber Security Guy (shameless plug!)
- Security Now
- Darknet Diaries
Communities:
- UK Cyber Security Council: https://www.ukcybersecuritycouncil.org.uk
- Information Security Forum: https://www.securityforum.org
Common Implementation Challenges
Challenge 1: "Users Will Complain About MFA"
Reality: Initial resistance is normal, but fades quickly.
Solutions:
- Emphasize protection of their data, not just company data
- Use user-friendly MFA methods (biometrics, or push notifications with number matching so nobody can be worn down into approving a prompt they didn’t start)
- Provide clear setup instructions
- Be available for support during rollout
- Remember trusted devices to reduce how often users are prompted
Timeline: Resistance typically drops to near-zero within 2 weeks
Challenge 2: "We Don't Have Budget"
Reality: You have budget; it’s a prioritization question.
Solutions:
- Start with the essential layer (MFA is free; the password manager and backup are the only spend, costed in Budget Guidance above)
- Compare to the cost of one data breach (£25,000-100,000+)
- Implement free measures first (MFA, access audits, backup testing)
- Spread costs across quarters
- Consider cyber insurance that may offset some costs
Perspective: You’re spending less per employee than their monthly coffee budget
Challenge 3: "We Don't Have Time"
Reality: You don’t have time NOT to do this.
Solutions:
- Use our phased approach (Foundation in Week 1, then build gradually)
- Leverage existing tools (most platforms include security features)
- Outsource what you can’t do internally
- Remember Blacon High School lost 5 days to ransomware
Time Investment:
- Foundation layer: 6-10 hours (one workday)
- Enhancement layer: 15-25 hours (spread over a month)
- Maturity layer: 20-30 hours (spread over two months)
- Total: 41-65 hours over 90 days
Challenge 4: "Our Team Isn't Technical"
Reality: These solutions are designed for non-technical users.
Solutions:
- Modern security tools prioritize user experience
- Provide simple, clear instructions
- Hands-on training for new tools
- Choose solutions with good support
- Build security champions within the team
Remember: If Year 11 students can hack systems, your team can use security tools
Challenge 5: "We'll Do It Later"
Reality: Later never comes, and threats don’t wait.
Solutions:
- Set specific dates in the calendar NOW
- Assign responsibility to specific people
- Track progress in regular business reviews
- Remember: 82% of schools experienced cyber incidents
Action: Block time this week for foundation layer implementation
The 90-Day Transformation
Here’s what your organization will look like after implementing this plan:
Week 1 (Foundation)
Starting State:
- Passwords on sticky notes
- No MFA
- Unknown access levels
- Untested backups
End State:
- MFA protecting email and cloud services
- Access rights audited and appropriate
- Backups tested and confirmed working
- Clear security baseline established
Week 4 (Enhancement)
Starting State:
- Basic foundation in place
- Still reactive security posture
- Limited visibility into activity
End State:
- Password manager eliminating weak passwords
- Activity monitoring detecting unusual behavior
- Separate admin accounts limiting risk
- Proactive security posture developing
Week 8 (Maturity)
Starting State:
- Good security practices established
- Some advanced controls missing
- Incident response untested
End State:
- Network segmentation limiting attack surface
- Data classified and appropriately protected
- EDR detecting and responding to threats
- Advanced security controls operating
Week 12 (Optimization)
Starting State:
- Strong technical controls
- Untested incident response
- Security awareness variable
End State:
- Incident response tested and refined
- Security awareness program active
- Metrics tracking continuous improvement
- Sustainable security culture established
Your Personal Action Checklist
Print this and check off as you complete:
This Week (Foundation)
- Enable MFA on email
- Enable MFA on cloud services
- Audit user access rights
- Remove unnecessary access
- Test backup restoration
- Document backup procedures
This Month (Enhancement)
- Implement password manager
- Migrate all passwords to manager
- Set up activity monitoring
- Configure security alerts
- Create separate admin accounts
- Train admins on proper usage
This Quarter (Maturity)
- Implement network segmentation
- Establish data classification scheme
- Deploy EDR solution
- Configure and tune EDR
- Conduct tabletop exercise
- Update procedures based on exercise
This Year (Optimization)
- Launch security awareness program
- Establish security metrics dashboard
- Conduct quarterly access reviews
- Test incident response procedures
- Review and update security strategy
- Plan next year’s security improvements
Measuring Success
How do you know if this is working? Track these outcomes:
Security Metrics Improvement
- Admin accounts reduced by >50%
- MFA adoption at 100%
- Security alerts investigated within 24 hours
- Backup restoration time <4 hours
- Incident detection time <24 hours
Business Outcomes
- Zero successful credential-based attacks
- Reduced incident response time
- Improved regulatory compliance
- Lower cyber insurance premiums
- Enhanced customer trust
Cultural Indicators
- Employees report security concerns proactively
- Security questions asked in planning meetings
- Security mistakes reported and learned from
- Security seen as enabler, not obstacle
- Leadership models security best practices
The Continuous Improvement Cycle
Security isn’t a destination; it’s a journey. After completing the 90-day plan:
Monthly
- Review security metrics
- Investigate all alerts
- Update access permissions
- Test backup restoration
- Send security awareness update
Quarterly
- Comprehensive access audit
- Security training refresh
- Tabletop exercise
- Vendor security review
- Update risk assessment
Annually
- Complete security posture reassessment (use Saturday’s framework)
- External penetration testing
- Incident response simulation
- Review cyber insurance
- Update security strategy and roadmap
Final Thoughts: From School Lessons to Business Protection
This week, we’ve learned from schools, where 57% of breaches come from insiders; from Matthew Lane’s breach of PowerSchool, which exposed 62 million students and ended in a $2.85 million extortion; from Trevor Graves operating undetected for four months; from Vice Society’s devastating attacks; and from Blacon High School’s five-day closure.
Every case taught us that insider threats succeed because of basic security failures: weak passwords, excessive access, poor monitoring, inadequate backups, and lack of preparation.
But every case also showed us what works: multi-factor authentication stops credential attacks cold. Access controls limit what insiders can reach. Monitoring enables detection. Backups enable recovery. Preparation reduces panic.
The difference between organizations that survive insider threats and those that don’t isn’t budget or technical sophistication. It’s willingness to take action.
You now have:
- Understanding of the threat (Monday’s post)
- Knowledge of human factors (Tuesday’s post)
- Personal perspective from a reformed hacker (Wednesday’s post)
- Technical solutions that work (Thursday’s post)
- Real-world case studies (Friday’s post)
- Assessment framework (Saturday’s post)
- Complete implementation plan (today’s post)
The only thing missing is action.
Your Commitment
If you’re serious about protecting your business from insider threats, make this commitment:
This Week:
- I will enable MFA on email and cloud services
- I will audit user access and remove unnecessary permissions
- I will test my backups to ensure they work
This Month:
- I will implement a password manager
- I will establish activity monitoring
- I will create separate admin accounts
This Quarter:
- I will deploy additional security layers
- I will test my incident response
- I will build security awareness
This Year:
- I will maintain continuous improvement
- I will measure security posture progress
- I will build a sustainable security culture
The Bottom Line
If Year 11 students can bypass school security with basic techniques, and 82% of schools experience cyber incidents, your business is vulnerable unless you take deliberate action to protect it.
The good news: protection doesn’t require unlimited budget, dedicated security staff, or complex enterprise solutions. It requires focus, commitment, and systematic implementation of proven controls.
You have the knowledge. You have the plan. You have the resources.
The only question remaining is: will you act?
Start today. Enable MFA. Audit access. Test backups. Then build from there.
Your business, your employees, and your customers are depending on it.
Sources
| Source | Article |
|---|---|
| Information Commissioner’s Office | Insider threat of students leading to increasing number of cyber attacks in schools |
| Reuters | Massachusetts student to plead guilty over PowerSchool data breach and $2.85m extortion |
| PowerSchool | Notice of United States data breach |
| US Department of Justice | Former student sentenced for damaging University of Iowa computer network |
| The Register | UK school shuts after ransomware attack, devices rebuilt |
| Blacon High School | Closure notice and update following cyber incident |
| Center for Internet Security | 2025 K-12 cybersecurity report |
| NCSC | Small Business Guide to Cyber Security |
| Microsoft Learn | Set up multi factor authentication |
| Google Support | Turn on 2 Step Verification |