Hacker News

You know, the longer I'm at this, I see more and more effort thrown at developing security and one thing remains the same - you've got a user sitting at a machine with network access and the ability to execute code, and sometimes you can trick that user into executing code. I guess the bigger the company, the more users which means more targets/chances.

For decades I've been told that security through obscurity is no security at all, but in the back of my mind, I think it might be the best thing I've got going for me working at a small place. Though I should say, that's far from being our only security - we do work at it too.
Obscurity, by itself, may be an ineffective security strategy, but it does provide an additional layer on top of other layers of security to improve things, overall. There's a Spafford quote on this, but I'm failing to find it. Let's just pretend it's like what I said, but more eloquent.


The best approach is to assume there's a renegade employee constantly trying to screw the company over. Granularity of permissions should be set to minimize the blast radius to the absolute minimum they need to do their job.


Hell, you should offer an internal bounty to any employee who reports “I got access to something I shouldn’t need”.


Part of what I do first at any new employer is ask myself the question, "if I wanted to burn all of this to the ground, how would I do it?" I generally don't share the fact that I'm going through this little thought experiment with my management, but it helps triage what's currently "broken", and gives me a clearer focus on what needs to be fixed.

If I'm thinking about it, I can be assured that someone with differing motivations likely already has, or soon will be thinking about the same.


This approach is possible but increases the complexity of your problem by enormous amounts. I know of only a very tiny number of companies that have an active goal of preventing rogue insider threats in a serious way. And the solutions do meaningfully inhibit developer productivity.
