Smaller organisations are often more vulnerable to the insider threat than larger ones. Inadequate or absent policies for protecting sensitive data and infrastructure, blurred lines of responsibility for information security, and an informal attitude to dealing with credentials such as administrative logins are some of the most common causes.
The damage that can be caused by an employee, intentionally or accidentally, can be severe. However, even a very small organisation can introduce a number of simple and inexpensive controls which will go a long way towards limiting the scope and scale of such incidents.
Do you disable user access to your systems as part of your employee leaving policy? Who in your organisation can alter, delete or render inaccessible your systems or data? Should these functions be better controlled? Are your data backups similarly exposed?