Insider threats represent a latent risk to all organizations, whether they are large companies or SMEs. Insiders, the individuals with privileged access to the assets of organizations, can compromise their proper functioning and cause serious consequences that can be direct—such as financial—or indirect—such as reputational. Insider incidents can have a negative impact on SMEs, as their resources are often limited, making it paramount to implement adequate cyber security measures. Despite its indisputable relevance, the empirical study of insider incidents from a criminological point of view has received little attention. To understand their nature and extent, along with the cyber security measures that control them, in this paper we conducted an exploratory study using a survey methodology among a panel of 496 Dutch SME entrepreneurs and managers. Quantitative analyses serve to understand the prevalence and incidence of three types of insider incidents described in the literature: malicious, negligent, and well-meaning; to determine their frequency through the analysis of poly and repeat victimization; and to examine how they are related to the adoption of cyber security measures by SMEs. Additional qualitative analyses provide a deeper understanding of the outcomes, impact and cost of the most serious incidents. The results show that although the prevalence of insider incidents is relatively low among Dutch SMEs, few organizations report a disproportionate number of incidents that often entail serious consequences. A regression model shows that there are cyber security measures related to both higher and lower incident likelihood. The implications of these findings for the cyber security policies of SMEs are discussed.