The Top Privacy Risks Scale-Ups Overlook (and How to Fix Them Before They Cost You)
The most common privacy risks for scale-ups aren’t technical failures; they’re operational ones.
Access that hasn’t been revoked. Staff who haven’t finished training. Suspicious activity that doesn’t get reported. These are the gaps that create risk - not just for compliance, but for cyber insurance too.
They don’t always lead to a breach, but when they do, they’re difficult to defend. Especially if the controls you had on paper don’t match what actually happened. From an insurance standpoint, that mismatch between what you say you do and what actually happens is one of the biggest reasons claims are challenged or denied.
To unpack where things go wrong (and how to fix them), we sat down with two experts who see these risks from different sides: Kayleigh Logan-Cleghorn, Lead DPO at Trust Keith, who works closely with scaling companies to manage privacy day to day, and Josh X, Insurance Product Manager at Capsule, who sees how those same risks play out in claims.
Risk One - Social Engineering
What’s a Social Engineering Attack (and Why Scale-Ups Are Targeted)
Social engineering attacks are one of the most common causes of privacy incidents in scale-ups. They don’t rely on sophisticated tools or technical exploits - just a convincing story, a well-timed message, and a human who’s unsure what to do next.
The goal is simple: get someone to hand over access, credentials, or sensitive data by pretending to be someone trustworthy. That might look like a supplier chasing a payment, someone senior requesting a file, or a system asking you to “verify your login.”
It’s increasingly common in scale-ups, where fast onboarding, high trust, and stretched teams can create the perfect conditions for an attacker to slip through.
Why Social Engineering Keeps Happening in Scale-Ups
Social engineering works because people act before they’re ready. It’s not usually carelessness; it’s pressure, uncertainty, or a lack of context. Someone joins, gets access before they’ve finished onboarding, and doesn’t yet know what to question or flag. They want to be helpful, not difficult. And they don’t always feel confident asking whether something looks right.
“These attacks rely on people feeling under pressure. You get someone who’s new, hasn’t had training, and doesn’t know what ‘suspicious’ looks like.”
- Kayleigh, Lead DPO
From Josh’s side, the consequences are familiar: leaked credentials, exposed data, and insurance claims where the root cause is simply someone trying to do the right thing - without the tools or support to do it safely.
“There’s a human at the centre of every one of these claims. Usually someone who just didn’t know what to do, and didn’t feel confident asking.”
- Josh, Insurance Product Manager
How to Prevent Social Engineering in Your Scale-Up
The best way to prevent social engineering attacks is to create space for people to pause, especially when something feels urgent.
These attacks work because someone feels pressure to act quickly. The request looks important. It’s come from someone senior. And in that moment, it feels easier to go along with it than to question it. People don’t want to mess up or be the blocker, and that’s what attackers are counting on.
“This isn’t just about tick-box data protection training,” Kayleigh explained. “It’s about giving people enough context to act with confidence, and a culture that makes it easy to speak up.”
That culture is what separates a near miss from an incident. It’s not just about MFA or user access reviews; it’s about making it normal to double-check, escalate, or ask: does this feel right?
“It’s rarely a tech failure,” said Josh. “It’s a process failure. Or a cultural one.”
From an insurance perspective, these kinds of process failures are exactly what underwriters flag as preventable. If a claim arises and there’s no evidence of staff training, reporting routes, or incident handling, it’s far harder to justify cover - and claims are often denied on the grounds of insufficient controls.
Social Engineering Red Flags to Watch For
🚩 Staff acting on urgent requests without a way to verify them
🚩 Processes that rely on people making judgment calls without context - like paying invoices as they come in, without a clear approval process or second check in place
🚩 Little to no training, or low-quality training that doesn’t actually help staff spot and respond to these kinds of risks
🚩 A culture where pushing back or asking questions feels uncomfortable
🚩 No clear channel for reporting something that “feels off”
Risk Two – Access Management
What Happens When Access Management Goes Wrong
When someone changes role, leaves the business, or moves teams, their access doesn’t always change with them. And that’s where the risk starts.
In fast-growing companies, offboarding isn’t always immediate or thorough. Systems are missed. Accounts are left open. People hold onto access they no longer need, or shouldn’t have had in the first place. And in that gap, sensitive data stays exposed.
Whether it’s a well-meaning ex-employee downloading something for their “portfolio” or someone acting with intent, the damage is the same: data ends up somewhere it shouldn’t.
Why Access Management Risks Keep Slipping Through
No one sets out to ignore offboarding; it just gets deprioritised. Sometimes IT and HR don’t have a joined-up process. Sometimes there’s a grace period, or an assumption that if someone’s left, they’ve probably logged out.
Kayleigh put it simply: “If someone’s been let go, they shouldn’t still be able to access their email. But it’s more common than you think.”
From Josh’s perspective, the issue is about timing. “Access shouldn’t be removed next week. It needs to happen before the decision’s even communicated, otherwise you’ve already missed the window.”
From an insurance standpoint, delayed offboarding is one of the most common causes of denied claims. If someone downloads data after leaving and you can’t show when their access was revoked, it’s nearly impossible to prove you took ‘reasonable precautions’ - a key condition in most policies.
How to Prevent Access Management Risks Before They Slip Through
The key is having a clear, robust and practical policy for access control, and making sure it’s actually followed. That means knowing who should have access to what, when it should be granted, and exactly how it should be removed.
Offboarding can’t sit with one person or team - it needs to be a shared, coordinated process between HR, IT, and privacy. It also needs to happen fast.
“You want to get to a point where, when someone leaves, you already know exactly what they had access to, and you can shut it down without a scramble,” said Kayleigh.
And if someone is leaving under difficult circumstances, that timing matters even more.
“Insiders are the most expensive kind of attacker,” Josh explained. “And in almost every case, they had access they shouldn’t have, for longer than they should’ve had it.”
Insurance providers now routinely check for offboarding controls and audit logs. If you can’t demonstrate that access was properly managed, it’s not just a security gap, it’s a coverage risk.
Access Control Red Flags to Watch For
🚩 Offboarding steps handled manually or inconsistently
🚩 HR and IT not fully aligned on timing or scope
🚩 Shared logins or group accounts that aren’t centrally tracked
🚩 Delays in revoking access after resignations, terminations, or team changes
🚩 No clear audit trail of who had access to what, and when
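The check insurers and DPOs are describing above (who had access to what, when it was granted, and when it was removed relative to the leaving date) can be automated from two exports. The script below is an added illustration, not Trust Keith’s or Capsule’s code: it reconciles a constructed HR leaver list against a constructed access-change log in a simple whitespace-separated format (timestamp, GRANT/REVOKE, user, system) that is assumed here, and flags any system that was never revoked or was revoked after the leave date plus an optional grace period. The output is the kind of audit trail the red flags list says is usually missing.

```python
"""Reconcile an HR leaver list against an identity-provider access log.

Added example, not code from the original article or from Trust Keith /
Capsule. Both data sets below are constructed inline; in practice they
would be exported from the HR system and the identity provider.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed HR leaver list: username -> moment the departure took effect.
LEAVERS = {
    "a.smith": datetime(2024, 3, 1, 17, 0),
    "b.jones": datetime(2024, 3, 4, 9, 0),
    "c.patel": datetime(2024, 3, 5, 12, 0),
}

# Constructed access-change log, one event per line (assumed format:
# ISO timestamp, GRANT or REVOKE, username, system name).
ACCESS_LOG = """\
2024-02-10T09:12:00 GRANT a.smith email
2024-02-10T09:12:00 GRANT a.smith crm
2024-03-01T16:45:00 REVOKE a.smith email
2024-03-01T16:45:00 REVOKE a.smith crm
2024-02-15T10:00:00 GRANT b.jones email
2024-02-15T10:00:00 GRANT b.jones fileshare
2024-03-06T11:30:00 REVOKE b.jones email
2024-01-20T08:00:00 GRANT c.patel email
2024-01-20T08:00:00 GRANT c.patel payroll
2024-03-05T11:00:00 REVOKE c.patel payroll
"""


@dataclass
class Finding:
    user: str
    system: str
    issue: str                  # "never_revoked" or "revoked_late"
    hours_late: Optional[float] # hours past the deadline, if revoked late


def parse_log(text):
    """Parse log lines into (timestamp, action, user, system), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, user, system = line.split()
        events.append((datetime.fromisoformat(ts), action, user, system))
    return sorted(events, key=lambda e: e[0])


def reconcile(leavers, log_text, grace=timedelta(0)):
    """Flag every (leaver, system) pair whose access outlived the leave date.

    A system counts as clean only if a REVOKE for it appears in the log at
    or before leave time + grace. A later GRANT reopens access, so it
    cancels any earlier REVOKE for the same pair.
    """
    granted = {}  # (user, system) -> last grant time
    revoked = {}  # (user, system) -> last revoke time after the last grant
    for ts, action, user, system in parse_log(log_text):
        key = (user, system)
        if action == "GRANT":
            granted[key] = ts
            revoked.pop(key, None)
        elif action == "REVOKE":
            revoked[key] = ts

    findings = []
    for user, system in sorted(granted):
        if user not in leavers:
            continue  # current staff are out of scope for this check
        deadline = leavers[user] + grace
        rev = revoked.get((user, system))
        if rev is None:
            findings.append(Finding(user, system, "never_revoked", None))
        elif rev > deadline:
            hours = (rev - deadline).total_seconds() / 3600
            findings.append(Finding(user, system, "revoked_late", round(hours, 1)))
    return findings


if __name__ == "__main__":
    for f in reconcile(LEAVERS, ACCESS_LOG):
        late = "" if f.hours_late is None else f" ({f.hours_late}h after deadline)"
        print(f"{f.user:10} {f.system:10} {f.issue}{late}")
```

Running it on the constructed data reports that b.jones still had a fileshare account and lost email access two days after leaving, and that c.patel’s mailbox was never closed; a.smith is clean because both revocations precede the leave time. A report like this, generated on a schedule and kept, is the evidence of timing that the claims discussion above says is hard to produce after the fact.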
Risk Three – Phishing
What Makes Phishing Such a Common Privacy Threat
Phishing attacks are one of the most well-known cyber threats, and still one of the most effective. It’s how attackers most commonly gain access to systems, steal credentials, or plant malicious software, often by impersonating a known contact or service.
The method is simple: send an email or message that looks legitimate and urgent enough to prompt a quick response. All it takes is one person clicking the wrong link, entering their login, or downloading a file, and the attacker is in.
In a privacy context, this can lead to exposed personal data, compromised mailboxes, or unauthorised access to internal systems. And for scale-ups, those incidents often become reportable or claimable.
Why Phishing Still Works, Even in Security-Aware Teams
Phishing works because it’s designed to feel familiar and immediate. Messages mimic tools people use every day - Slack, DocuSign, Google Workspace - and they prey on urgency. You’re told something’s wrong and that you need to fix it now.
“It’s not about whether someone knows what phishing is,” said Kayleigh. “It’s whether they’re in the right headspace to spot it. You see something during a busy day and click before you think.”
Josh added that phishing claims often follow a predictable pattern. “There’s usually no system in place to help the person pause. No second step. Just: ‘click here to fix it,’ and they do.”
How to Prevent Phishing in Scale-Ups
The most effective defences are layered. That means strong technical controls, like MFA, link scanning, and access limits - alongside practical training and clear reporting processes.
“People need to feel confident flagging something, even if it turns out to be nothing,” said Kayleigh. “You want to create an environment where that’s normal, not a hassle.”
Josh noted that insurers look for clear evidence of anti-phishing controls. If there’s nothing in place or nothing tested, it’s a red flag.
“You can’t eliminate phishing risk entirely,” he said. “But you can show that when something does get through, you’re set up to catch it quickly and contain the damage.”
In insurance terms, this is where many businesses fall short. When they can’t produce records of training, simulated tests, or incident response logs, it undermines their ability to claim. A missing paper trail can turn a minor incident into an uninsured loss.
Phishing Red Flags to Watch For
🚩 No MFA or weak password policies on key systems
🚩 Staff unsure how or where to report suspicious emails
🚩 No filtering tools to catch phishing before it hits inboxes
🚩 Phishing simulations not run or tested regularly
🚩 Over-reliance on spam filters or endpoint tools
🚩 A culture where people feel nervous about flagging false positives
Key Takeaways: How to Reduce Privacy Risks in Your Scale-Up
If you’re scaling fast, privacy risk isn’t about one big breach; it’s about small gaps that go unnoticed until they turn into a problem.
Here are Kayleigh and Josh’s key takeaways:
- Make privacy operational, not optional - Privacy shouldn’t be something people have to remember to do; it should be built into how they work: onboarding flows, offboarding checklists, and the everyday conversations you have while running and building your business.
“If your process relies on someone remembering to do the right thing under pressure, it’s not a process.”
- Kayleigh, Lead DPO
- Make training engaging and genuinely relevant by tailoring it to the privacy risks that apply to each role - Generic training won’t cut it. People need to see what risk actually looks like in their role.
“Make it specific, and repeat it. Once a year isn’t enough.”
- Josh, Insurance Product Manager
- Know your controls, and prove they work - It’s not enough to say you have controls, you need to be able to show them working. Logs. Reviews. Tests. Audits.
“If a claim comes in, insurers want to know not just what was on paper, but what actually happened.”
- Josh, Insurance Product Manager
- Create a culture where people flag things early - A reporting process isn’t enough if people feel awkward using it. Build a culture where asking questions is normal.
“Where someone can say, ‘this feels off’ without worrying about blame, that pause is what stops these incidents from becoming claims.”
- Kayleigh, Lead DPO
Struggling with Data Protection? Get Free, Practical Advice from Real Experts
Every month, our data protection experts run a webinar session covering the privacy issues that scale-ups face every day. They’ll walk you through real-world challenges, share actionable advice, and answer your questions live.
About the experts
Kayleigh Logan-Cleghorn – Lead DPO @ Trust Keith
Kayleigh is the Lead DPO at Trust Keith, where she leads a team of privacy experts dedicated to helping customers manage data compliance with confidence.
Joshua X - Insurance Product Manager @ Capsule
Joshua X (Yes, that’s really his surname! Not an X-Men alias, a kiss, or a witness protection situation) works at Capsule, a B-Corp certified insurance brokerage, where he helps the fast-growing, innovative businesses of tomorrow find the right insurance today.