Insider threats among Dutch SMEs: Nature and extent of incidents, and cyber security measures

Published date01 December 2023
AuthorAsier Moneva,Rutger Leukfeldt
Date01 December 2023
Subject MatterArticles
Insider threats among Dutch
SMEs: Nature and extent of
incidents, and cyber security
Asier Moneva and Rutger Leukfeldt
Netherlands Institute for the Study of Crime and Law Enforcement
(NSCR), Amsterdam, Netherlands; Centre of Expertise Cyber Security,
The Hague University of Applied Sciences, The Hague, Netherlands
Insider threats represent a latent risk to all organisations, whether they are large companies or
Small or Medium-sized Enterprises (SMEs). Insiders, the individuals with privileged access to the
assets of organisations, can compromisetheir proper functioningand cause serious consequences
that can be directsuchas nancia lor indirectsuch as reputational. Insiderincidents can have
a negativeimpact on SMEs, as their resources are oftenlimited, making it paramountto implement
adequatecyber security measures.Despite its indisputablerelevance,the empirical study ofinsider
incidents froma criminological point of view has received little attention.This paper presents the
results of an exploratory study that aims to understand the nature and extent of three types of
insider incidentsmalicious,negligent, and well-meaningandhow they are related to the adop-
tion of cybersecurity measures.Tothat end, we administereda questionnaire amonga panelof 496
Dutch SME entrepreneurs and managers and analysed the results quantitatively and qualitatively.
The results show that although the prevalence of insider incidents is relatively low among
Dutch SMEs,few organisationsreport a disproportionatenumber of incidentsthat often entail ser-
ious consequences. A regression model shows that thereare cyber security measures related to
both higher andlower incident likelihood.The implications of these ndingsfor the cyber security
policies of SMEs are discussed.
Insider threats, insider incidents, insiders, SMEs, organisations, cyber security
Date received: 2 August 2022; accepted: 15 February 2023
Corresponding author:
Asier Moneva, Netherlands Institute for the Study of Crime and Law Enforcement (NSCR), De Boelelaan 1077, 1081
HV Amsterdam, Netherlands.
Journal of Criminology
2023, Vol. 56(4) 416440
© The Author(s) 2023
Article reuse guidelines:
DOI: 10.1177/26338076231161842
The increasing digitisation of business means that organisations and among them, especially
Small and Medium-sized Enterprises (SMEs), must face cyber security challenges that often
overwhelm them. Cyber threats can be external, when they originate outside the organisation,
or internal, when they originate inside. Due to privileged access to information, the latter are
arguably the most dangerous (e.g., CERT National Insider Threat Center, 2019). To protect
against insider threats, SME managers must consider a myriad of cyber security solutions to
develop a strong cyber security culture that is tailored to the organisations needs and resources
and encourages secure behavior among its employees (Bada & Nurse, 2019). However, little is
known about how the adoption of these cyber security measures in SMEs relates to insider vic-
timisation, as few criminological studies have addressed this issue (Williams et al., 2019), espe-
cially outside the Anglosphere. This paper presents an exploratory study using a survey design
about the nature and extent of insider threats affecting Dutch SMEs and how these threats relate
to the adoption of cyber security measures.
Some international gures illustrate the complex cyber security landscape faced by organi-
sations. In the 2021 edition of the United Kingdom (U.K.) Cyber Security Breaches Survey,
39% of businesses reported cyber security incidents in the past year (Johns, 2021), down
7% on the previous year (Johns, 2020)probably due to the pandemic (Buil-Gil et al.,
2020; Kemp et al., 2021). These incidents had a mean cost of £8,460 per business. Data
from the Canadian Survey of Cyber Security and Cybercrime indicates that, in 2019, 21%
of all businesses reported being impacted by cyber security incidents (Statistics Canada,
2020). This affected 18% of the small businesses and 29% of medium-sized businesses. In
the Netherlands, a report by the CPB Netherlands Bureau for Economic Policy Analysis, indi-
cates that 48% of Dutch companies experienced a cyber security incident in 2018 (Overvest
et al., 2019). According to two reports based on two different online surveys, in the case of
Dutch SMEs, this gure was 29% in 2013 (Veenstra et al., 2015) and 19% between 2016
and 2017 (Notté et al., 2019). Although it seems that, in general, larger companies report
more incidents (Johns, 2021), they also have more resources and therefore probably better
detection tools and reporting mechanisms (Buil-Gil et al., 2021). One of the reasons why esti-
mates of cyber victimisation in companies may differ is that the denitions of cybercrime,
cyber-attack, or cyber security incident are neither clear nor consistent across studies and
may include different crime measures. Such differences may also be masked by a large dark
gure among SMEs (Statistics Canada, 2020; van de Weijer et al., 2021; Veenstra et al., 2015).
A Delphi study involving 129 cyber security experts in Spain suggests that government,
large enterprises, and public cyber security institutions are aware that SMEs are not prepared
to defend against cyber security threats (Del-Real & Díaz-Fernández, 2022). These ndings
align with survey data from other countries. Although most SMEs in the United Kingdom,
Canada, and the Netherlands adopt basic cyber security measures such as having up-to-date
antivirus software and rewalls, it appears that they are still unprepared to respond adequately
to many cyber security incidents. In fact, only 13% of small and 36% of medium-sized com-
panies in the United Kingdom train their employees in cyber security, and 19% and 42%
respectively have evaluated their response to such situations (Johns, 2020, 2021). In
Canada, less than half of the businesses that reported using Internet of Things devices assessed
their security (Statistics Canada, 2020). Although Dutch companies are increasingly adopting
cyber security measures, such as two-factor authentication and log le creation, SMEs have yet
Moneva and Leukfeldt 417

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT