The risk of insider threats compared to outsider threats is an ongoing debate, though more companies are taking notice of the risks that insiders can pose to the company's data security today than in the past. Historically, the data breaches that make the news are typically carried out by outsiders. While these breaches can cost hundreds of thousands of dollars (often millions more), outsider threats are generally the threats that have been addressed with traditional security measures. It's the threats that originate from inside that are much more difficult to prevent and detect using one-size-fits-all security measures.
Just one of the reasons that insider threats are more difficult to prevent stems from the fact that insiders don't always threaten the company's data security intentionally. In fact, many data breaches resulting from insider threats are completely unintentional. To combat these risks, as well as the insider threats originating from those who do have malicious intent, a holistic approach to security is essential in the modern threat landscape – one that adequately addresses not only insider and outsider threats, but effectively manages both unintentional and intentional threats posed by those within your organization.
To gain more insight into the threats posed by insiders vs. outsiders and how companies can effectively mitigate these risks, we asked a panel of data security pros to answer this question:
"What's more of a threat to a company's data security: insiders or outsiders?"
Find out what our experts had to say below.
Meet Our Panel of Data Security Experts:
Joseph Steinberg
Joseph Steinberg is a cybersecurity expert and entrepreneur who founded the information security companies Green Armor Solutions and SecureMySocial. He invented several popular cybersecurity technologies in use today, writes a column on cybersecurity for Inc., and is the author of several books on information security.
"In general, the greatest data security risk is posed to organizations by..."
Insiders, as they have access to sensitive information on a regular basis, and may know how that information is protected. If they want to steal it or leak it they can usually do so with far greater ease than outsiders. Furthermore, insiders may also accidentally leak data or otherwise put it at risk – something that outsiders typically cannot do. Whether by attaching the wrong file to an email being sent, oversharing on social media, losing a laptop or USB drive, or through some other mistake, insiders can put an organization's data at risk with little effort.
Policies and technology can help address this risk, but without them, problems are likely to occur. Also, from a practical standpoint, any sizeable organization is likely to have some employees who are unhappy at work – meaning that there may be people who have access to data and who have a motive for leaking it. Of course, there are exceptions to this rule – certain military systems that can be accessed only by people who have passed robust background checks and whose lives depend on one another, and which are constantly being bombarded by outside attacks, may be more at risk of being breached by an outsider than of having an insider intentionally cause a data leak. Data leaks originating from mistakes, however, are still a serious concern and are obviously more likely to occur as the result of an insider's actions than from those of an external party.
Braden Perry
Braden Perry is a regulatory and government investigations attorney with Kansas City-based Kennyhertz Perry, LLC. Mr. Perry has the unique tripartite experience of being a white collar criminal defense and government compliance, investigations attorney at a national law firm; a senior enforcement attorney at a federal regulatory agency; and the Chief Compliance Officer of a global financial institution.
"I work with a number of vendors on data breaches. Generally, there's more of a threat by..."
Rogue insiders. There's not much, besides compartmentalization and monitoring, that you can do if an insider wants to reach data. For outsiders, most attacks compromise legitimate websites to deliver malicious payloads which can then reach data. This can usually be prevented. While no single strategy fits all, practicing basic cyber hygiene would address or mitigate a vast majority of security breaches. Being prepared if an intrusion occurs is also critical and having a communications method for response, actively monitoring centralized host and networks, and including enhanced monitoring to detect known security events is a must. With a well-oiled cyber policy, you can mitigate outsiders significantly.
Drew Farnsworth
Drew has been working in the Data Center Design industry for over ten years, currently with Green Lane Design. He has experience with uninterruptible power systems, N+N distribution, and redundant generator systems. Drew also works in systems administration, Java programming, and ISO 27001/9001 investigation and analysis.
"The threats that pose the greatest risk to companies come from..."
Insiders, who are far more likely to access sensitive information without evidence of intrusion. I am a data center infrastructure consultant. My company does work with several $1B+ companies. Insiders are without a doubt a greater threat to security. Employees may not even intend to compromise security, but the simple installation of a USB drive can introduce an exploit. Internal employees can create easily crackable passwords or leave their laptops on trains. Even worse, internal exploits are much more difficult to detect because the users are authenticated on the domain. External attacks, meanwhile, must exploit an outward facing connection, which often has much deeper security. The tools for purely external attacks such as SQL injection and DDoS are limited in their scope. These attacks usually do not compromise all data on a network. Internal attacks, on the other hand, can copy a large number of files without anyone having any knowledge of the source of the attacks.
Spencer Coursen
Spencer Coursen is the President of Coursen Security Group. He is an expert security advisor, threat assessment consultant, and protective intelligence strategist who is dedicated to reducing risk and preventing violence. His systems and strategies help corporations, non-profit organizations, schools, and at-risk public figures ensure the certainty of safety for all involved.
"According to a recent report, 58% of all security incidents can be attributed to..."
Insider threats. The most significant obstacle for a company to overcome is employee complacency. In most corporate environments, upwards of 80% of employees are unable to articulate any real understanding of IT-security related issues and are most likely to introduce a virus through an NSFW download, accept malware through a phishing exploit, introduce a corrupted mobile device (BYOD) to the corporate network, or engage in some sort of inadvertent human error which may result in a threat to data security (not updating security settings, using simple passwords, doing secure work on public wifi, etc.).
Outside actors take full advantage of these insiders' vulnerabilities. This is exactly what happened with the Target data breach. In this example, the hackers stole the username and password of an authorized vendor. This gave them unlimited access to the Target network without triggering any alarms or raising any suspicion.
Hackers are no longer breaking in through back doors which may trigger alarms. Today they are stealing the keys of authorized users and walking right through the front door.
Andrew Whitmer
Andrew Whitmer is a Research Analyst at SecureState specializing in web application security and wireless penetration testing. Prior to SecureState, he was a Special Operations Linguist and Team Leader with the U.S. Army.
"Unfortunately there is no universal answer. The answer depends in part on..."
The company, its line of business, its employees, and the defenses it has in place already.
For instance, if a company operates a department with high turnover wherein the employees have access to sensitive data and aren't thoroughly vetted (e.g., with background checks), then that company may face more risk from insider threats.
If a company is known to have access to sensitive data (for instance, a financial institution), and they have a large external presence but thorough internal segmentation, auditing, and employee vetting, they may face a larger outsider threat.
The best answer is for a company to conduct a threat assessment, ideally before launching any comprehensive new security initiatives. That way they can be sure that their security program is properly prioritized such that it addresses the most significant or likely threats first.
It also depends on how the company chooses to define insider and outsider threat – for instance, if an employee falls for a phishing scam, is that considered an outsider threat, because that's where the attack originated? Or do they consider it an insider attack, because the employee ultimately granted access and the appropriate defensive measures need to be implemented internally (whether they're additional training or technical controls)?
Marc Weaver
databasable is an IT consultancy firm that provides database administration support and specializes in moving your databases and applications into the cloud. Founded by Marc Weaver in 2015, databasable uses his vast employment experience from large financial institutions in London, Sydney, and New York.
"Obviously a data security breach from an outsider will result in..."
Bad publicity, angry customers, legal issues, and loss of reputation. However, I believe this type of intrusion to be less than the threat from insiders.
An insider with malicious intent who works for your organization has already bypassed the majority of your security features without having to do anything other than log on to their desktop. This is compounded by the fact that due to cost cutting or poor management, employees often have multiple responsibilities that give them elevated access to sensitive data which results in a conflict of interest. For example, a developer who is also providing application support.
And not all data security threats occur due to malicious intent. I've witnessed the occurrence of numerous data issues due to mistakes made by people who are permitted to have access to the data in question.
All of this points to insiders being a greater threat than outsiders, even though the actual breach or end result may be less severe than an external breach.
Lloyd Marino
Mr. Marino is a “Tech Whisperer,” a true master at translating and communicating byzantine technical processes that elude even the savviest business minds into language they can grasp. The clientele for Mr. Marino’s critical message and services consists of the heaviest hitters in the interconnected worlds of business, finance, technology, government, NGO, and the military. Mr. Marino is equally conversant in the languages of business and technology, therefore senior executives on both the management and tech sides of today’s completely data-dependent marketplace regularly call on him to solve complex, data-driven problems.
"The biggest threat to a company's security is absolutely from..."
INSIDERS!!!!
It all starts with us: we who run the companies are those ultimately responsible. We can teach our children not to take candy from strangers, but when it comes to educating our employees on the importance of data security and the importance of protecting the corporation, we seem to not take it seriously. Not even as seriously as locking our doors at night before we go to bed. What gives? To keep the outsiders OUT, we need to keep the insiders IN – involved, that is. Involved with understanding the importance of data security.
Christos K. Dimitriadis
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, is chair of ISACA’s Board of Directors and group director of Information Security for INTRALOT. He has been working in the area of information security for 14 years, having run technology transformation projects and developed innovation frameworks. He has received innovation awards from the European Lotteries Association, and the John W. Lainhart IV award for major contributions to ISACA’s common body of knowledge. He has served ISACA as international vice president for three terms, has been a member of the Board of Directors for four terms, chaired the Knowledge Board, the External Relations Committee, the COBIT for Security Task Force, and has been a member of the Relations Board, Academic Relations Committee, Journal Editorial Committee and Business Model for Information Security Workgroup. Dimitriadis has also served as a member of the Permanent Stakeholders Group (PSG) of the European Network and Information Security Agency (ENISA) for 2012-2015. He holds a diploma in Electrical and Computer Engineering and a Ph.D. in Information Security.
"When comparing the risks of insider threats vs. outsider threats..."
The answer to this question depends on the threat model of each enterprise, but usually the response is both.
There are a number of insider threats related to data leakage (accidental or on purpose), fraudulent action through an integrity breach, loss of availability, or business continuity as a result of insider mistakes or deliberate action. In general, insider threats can cause significant business impact, not only because of the privileges that employees have over information technology but also because the company theoretically has its employees under its control, being responsible for their actions, in contradiction to external threats.
External threats, including cyber threats, are an evolving type of threat requiring organizations to improve their cyber security capability and ensure that the appropriate framework and especially cyber security skills are present. There is a third category with increasing importance. Those are the partners, services providers, and subcontractors of a company. In this category, the line between internal and external is sometimes barely visible. In any case, enterprises have to ensure that their threat model includes this category and take the necessary measures to mitigate the related risks.
Steve Durbin
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was Senior Vice President at Gartner.
"As data breaches increase, many will be the result of..."
Insider threats. In fact, the insider threat is unlikely to diminish in the coming years and will be a major threat to businesses. Efforts to mitigate this threat, such as additional security controls and improved vetting of new employees, will remain at odds with efficiency measures. More insiders with malicious intent will emerge as more people place their own ethics and perceptions above those of their employers.
The insider threat has certainly intensified as people have become increasingly mobile and hyper-connected. Nearly every worker has multiple, interconnected devices that can compromise information immediately and at scale: impact is no longer limited by the amount of paper someone can carry. Simultaneously, social norms are shifting, eroding loyalty between employers and employees.
At the ISF, we believe that there are three categories of insider behavior: Malicious, Negligent and Accidental.
MALICIOUS
Malicious behaviors require a motive to harm plus a conscious decision to act inappropriately. Examples include copying files before taking a job with a competitor, leaking confidential information, sabotaging networks, or using work privileges for personal benefit.
NEGLIGENT
Negligent behaviors do not have a motive to harm, but do have a conscious decision to act inappropriately. The act is usually well-intentioned – such as using unauthorized services or devices to save time, increasing productivity, or enabling mobile working – and the behavior often comes with the knowledge that the action is bypassing a control or circumventing policy. Despite the lack of malicious intent, negligent insiders are knowingly accepting risks that are outside the organization's risk appetite.
ACCIDENTAL
Accidental behaviors have no motive to harm and no conscious decision to act inappropriately. Emailing information to the wrong people, opening malicious attachments, and publishing private data on public servers can all happen accidentally.
The first time someone behaves in one of these ways, it could be considered accidental; however, repeated accidental behavior may also be considered negligent.
Managing risk posed by the insider threat should extend across all three types of risky behavior. Once the risk is assessed, immediate results can come from applying technical and management controls and from aligning roles, responsibilities, and privileges throughout the employment life cycle.
But that alone is not enough. Organizations must nurture a culture of trust, one where the organization can trust its insiders – and insiders can trust the organization in return. Organizations with a high level of exposure to insider risk should expand their insider threat and security awareness programs.
Organizations must understand where and how they are trusting their insiders – and must augment technical and management controls by helping people to become more worthy of the trust placed in them. Equally, organizations should foster a culture that makes the organization worthy of trust in return.
Beau Adkins
Beau Adkins is the co-founder and CTO of Light Point Security, which provides software that allows users to browse the web with no threat of infection. Before starting Light Point Security, Beau was an employee for the National Security Agency.
"In my experience, the biggest threat to a company's data is posed by..."
Insiders. However, they are most often not deliberately a threat. Outsiders are the ones who have bad intentions, but they don't have access. Network restrictions are usually strong enough to keep them out. So instead they focus their efforts on tricking unsuspecting insiders into opening the doors for them. And once inside, they are indistinguishable from the insiders.
Employee web browsing is one of the most used pathways to accomplish this. Outsiders set up a website capable of exploiting any computer that browses to it, then they send emails to the insiders that entice them to click a link to that site. Most employees will not take the bait, but it just takes one person to give in to curiosity and click the link.
Malicious outsiders are very good at this. They can craft emails that look like they are from someone within the company and reference projects or people that the recipient knows. It can be very difficult to tell these emails are not legitimate. With a little perseverance, it's just a matter of time before someone clicks.
Because of this, efforts to protect the company from malicious outsiders can only go so far. Companies today must prioritize protecting against threats from their own insiders. One employee clicking the wrong link doesn't have to put the whole company at risk.
Michael Edelberg
Michael Edelberg is the Co-founder and Chief Digital Officer of Viable Operations / Bespoke Digital Solutions.
"We see this issue with many clients. The most disconcerting and troublesome threat is the..."
Insider threat. While the outside threat vectors continue to change, a multi-layered cybersecurity approach works best. It's the inside threat that you can control a bit better. Governance, for example, dictates who has access to such confidential information. There should be strict limits on third-party access to your systems. While no threat can be 100% eliminated, you have a higher chance of success with protocols in place that minimize any damage that can be done from an internal source. Of course, an inside threat also needs to be addressed by education. Sometimes an employee may unwittingly use improper procedures when accessing the company system from a remote location; these are addressable issues. Finally, BDR (Backup/Disaster/Recovery) must be in place for the inevitable.
Ian Trump
Ian Trump, CD, CPM, BA, is an ITIL certified Information Technology (IT) consultant with 20 years’ experience in IT security. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF MP Reserves and retired as a Public Affairs Officer in 2013. His previous contract was managing IT projects for the Canadian Museum of Human Rights. Currently, Ian is Security Lead at LogicNow working across all lines of the business to define, create, and execute security solutions to promote a safe, secure Internet for businesses worldwide.
"The perspective of threat when it comes to insider malicious activity, or mistakes vs. the ever present outside threat from cyber criminals, is..."
Inappropriately placed in the IT security or IT operations department. There is no question that the insider threat is by far the most devastating in access to a large volume of potentially available or sensitive data. One only needs to examine the likes of Snowden to see such ramifications of the insider threat. The crux of the issue is that the insider threat is generally viewed as an organizational failure: human resources, management, executive, and IT departments are all responsible in some way for the actions of an "insider" threat. Perhaps IT bears some responsibility to "detect" the malicious activity – if the technical tools are implemented and the department is vigilant and empowered to detect and mitigate the activity. Malicious insider activity is typically driven by some sort of ideological or psychological departure from the organization's mission or values. Although devastating, the detection of this situation is generally the responsibility of organizational management, not IT.
In terms of an outside threat, this is more comfortably placed in the realm of IT. In larger organizations, IT’s responsibility is defined by maintaining confidentiality, integrity, and availability of IT systems. With the trust of employees, a system of onboarding, and management engagement, IT traditionally (and rightly) feels the need to focus on the external threat. A robust IT security department has implemented a layered defense including proactive, reactive, and detective technologies to keep the unauthorized out of systems. Given the tempo and sophistication of external attacks, the insider attack or insider mistake is not expected or anticipated, and all too often not detected. An external data breach seems more appropriate to place squarely on the shoulders of IT.
A data breach is a data breach, and although consequences for insider activity could be more severe, the discussion illustrates the nature of the organization's problem. A mature IT security or IT operations department needs to construct their defenses to address a betrayal or mistake by an insider, but remain vigilant against external threats. Architecture and tool sets must be flexible and capable of looking inside and outside the organization to detect and mitigate threats to data security.
Gordon Rapkin
Gordon Rapkin has more than 35 years of experience as an executive in the software industry. Prior to joining Archive Systems, where he served as CEO for six years before the company's recent acquisition by Access Information Management, he was president and chief executive officer of Protegrity, a leader in enterprise data security management. He also previously held executive positions at Transcentive, Inc., Decision*ism, Inc., and Hyperion Software, helping guide each company through consecutive years of growth.
"The biggest threat to an enterprise's security is..."
Ultimately, outsiders are more likely to act in a malicious way with a company’s data, but the source of the greatest risk is nearly always the insiders. Outside bad-actors are constantly looking for weaknesses to exploit, and the greatest vulnerability is typically careless or misguided actions by insiders. When insiders fail to be vigilant about protecting the fort, they fall victim to phishing schemes or social engineering attacks, or they open emails they don’t recognize, or they access corporate systems while sitting in an internet café, or any one of the myriad of careless behaviors that create vulnerabilities. It is the insiders that provide opportunities for outsiders to storm the gates and cause damage.
Lois Barker
Lois Barker works in Information Technology Support for bb7, a product development firm. She co-developed and works to continually update and uphold bb7's security policies and procedures. Further, she is a Security Analyst and a certified Digital Forensics Analyst. Lois holds an IT Network Specialist Degree from Waukesha County Technical College.
"The biggest threat to a company's data security is..."
Insiders, for several reasons. First and foremost, employees are human and humans make mistakes. Employees accidentally share passwords, store them in insecure places and/or use the same password for different services. Once one password is cracked, you can guarantee it won't take long to crack other passwords.
Data is not just stolen through hacking; data can be stolen through theft on company grounds. We all know smoking is bad for our health, but it's also bad for data security. The outdoor communal smoking section at a facility is a little known threat. It can be an easy way for an outsider to gain access to the building. Most employees entering the building will hold the door for the person behind them – only because they saw them in the same smoking section.
Employees not only know what data exists in an organization, but they also know how it is kept. Without strong security measures in place, a disgruntled employee may share that information with a competitor. Insiders also have access to sensitive data. If Sally from accounting takes her laptop to a coffee house and connects to the WiFi network, and a hacker is on the same network – the hacker has access to her data.
Insiders know more about an organization than outsiders; they can share (intentionally or unintentionally) information with outsiders. It is important to develop, uphold, and continually update a strong internal security policy to educate employees and mitigate risk.
Charles J. Borrero, ESQ
Mr. Borrero holds a J.D. from Georgetown University Law Center (magna cum laude) and CompTIA Security+ and Certified Information Privacy Technologist (IAPP) certifications. He has served as Chief Counsel at the Privacy Office of the Department of Homeland Security, Assistant to the General Counsel at the Office of Inspector General at the Department of Homeland Security, and as an Associate at Goodwin Procter LLP. He has clerked at the Southern District of California & Northern District of California and The District of Columbia & Ninth Circuit Court of Appeals. He is admitted to the Bar in NY, CA, MA, and DC. He is now the Principal at Data Breach Legal.
"Quantitatively, what are termed insider breaches are..."
In the minority of major breaches – ranging from 10-25% of breaches (depending on the specific reporting source). Despite being in the minority, such breaches can be particularly devastating, because insiders know where the goods are (both profit and network-wise) and where the bodies are buried.
However, these numbers don't tell the whole story, as the insider breach category does not capture a significant fraction of instances of inside assist or insider negligent acts at fault for what is otherwise ostensibly an outside hack. For example, some suspect intentional inside assistance in the Ashley Madison and Sony Pictures hacks. But more broadly, the vast majority of major breaches are now occurring due to an initial spear-phishing attack. These attacks exploit the naivety and lack of training of employees to trick them into effectively opening a door for digital intruders. In this sense, arguably, the majority of breaches today actually originate inside a company (wittingly or unwittingly), though are not called insider breaches. Breaches through a contractor or other service provider (as was the case in the Wyndham Hotels, Target, and Home Depot breaches) are another common type of major breach that defies clear inside vs. outside categorization.
In sum, breaches that occur without at least a negligent action by an insider are actually relatively rare. On the bright side, policies and controls that deal with this reality in an open-eyed manner (e.g., employee security training and organizational infosec policy; fine-grained access controls; or comprehensive network monitoring) can considerably improve the breach vulnerability situation. Just as importantly, making an appropriate infosec plan with seasoned experts can help address the negligence factor – welcome news for organizations rightly concerned about liability in ever-more-common class action privacy lawsuits and regulatory enforcement actions.
Dan Weiske
Daniel is the owner of IT Federal Services LLC. Dan has 15+ years of IT experience encompassing system integration, architecture design, and cyber security. He has a BS in Information Technology, an MS in Computer System Security, and several security industry certifications including CISSP, CISA, CAP, and NSA-IAM.
"The largest threat to an organization is not really internal or external forces..."
More explicitly, it is how authorized access is maintained and monitored. Just looking at one sequence of attacks may prevent full awareness of overall organizational risk regarding what resources and data are accessed and by whom. External attacks rely on vulnerabilities of the systems to gain access to internal system controls. While this may be profitable, hackers will always go for the easy methods of gaining access by capturing privileged credential access. How do you ultimately stomp out the threat of both internal and external resources? Break the chain in the complete cycle of the given attack.
Sergio Galindo
Sergio Galindo has over 26 years of professional management experience, 18 of them in the financial industry. He currently occupies the role of President and Chief Operating Officer at GFI Software, a company that builds affordable and easy-to-use IT solutions that enable businesses to discover, manage, and secure their networks.
"It would be very easy to point the finger and say that..."
Insiders are more of a threat to a company’s data security than outsiders are or vice versa. The truth is that security is more of a process rather than a one-time solution, and when protecting a company’s data assets it is important to consider both insiders and outsiders.
For businesses this is a never-ending battle. With outsider threats companies need to protect themselves from the unknown, constantly filling holes in the wall, yet with insider threats they need to focus their efforts on keeping their employees from shadow IT, making sure they don’t go where they aren’t supposed to.
The best approach is to implement different layers of security. When it comes to insiders, start with background checks, implement a policy of least privilege, and review and revoke data access privilege regularly. Implement role-based access control for access to any key data, while ensuring there is logging, capturing both successes and failures. Using data loss prevention software, businesses can filter internet traffic, prevent critical data from being mailed offsite, and protect end-points from being used maliciously.
As for outsiders, a solid patch management strategy and a periodic vulnerability assessment are among the best lines of defense against outside attackers, but again it is important to have different layers of security. Anti-virus solutions, network behavior analysis, and log monitoring are just a few of the options available.
John Luludis
John Luludis cofounded Superior Technology Solutions, based in Pearl River, New York, in December of 2009. Prior to his start at Superior, Luludis served as the Senior Vice President of global shipping provider DHL and as the Director of IT Operations for both the car and truck divisions at Volvo.
"While a significant amount of effort is usually placed on protecting sensitive company information from outsiders..."
Organizations are most vulnerable to the careless and unstructured handling of sensitive information from the inside. Companies will go to great lengths in securing their corporate applications and infrastructure. However, the porting of information from these protected environments – in a distributed manner, to many other computing devices including laptops, phones, the cloud, and to devices outside of the company’s domain – creates the greatest threat to data security. Organizations need to establish and continuously evolve their information security policies to address the access, handling, communication, and storage of corporate information to minimize this risk.
Ondrej Krehel
Ondrej Krehel, CISSP, CEH, CEI, EnCE, is the founder and principal of LIFARS LLC, an international cybersecurity and digital forensics firm. He's the former Chief Information Security Officer of Identity Theft 911, the nation's premier identity theft recovery and data breach management service. He previously conducted forensics investigations and managed the cyber security department at Stroz Friedberg and the Loews Corporation. With two decades of experience in computer security and digital forensics, he has launched investigations into a broad range of IT security matters, from hacker attacks to data breaches to intellectual property theft. His work has received attention from CNN, Reuters, The Wall Street Journal, and The New York Times, among many others.
"Very often, it is hard to define and distinguish between an insider vs. outsider..."
It depends on the company's nature of business and the composition of its workforce.
It is important to understand the context and the meaning. In the case of an insider vs. an outsider, it's important to understand what those threats are – where there is an overlap, where there are differences between them, and what the ultimate impact is.
That said, insiders are the biggest threat to a company's data. Insiders can be a threat both intentionally and unintentionally. Insiders will always be a bigger threat as they already have physical access and potentially more. A malicious admin is more dangerous than a group of sophisticated hackers simply because they already have the keys to the kingdom. On top of that, users are also a major source of unintentional damage, such as unplugging the wrong server or misconfiguring backups. Internal users can also be bribed or otherwise coerced into such actions as well. Or maybe they bring in threats as well. This is why social engineering is the biggest source of compromise, since it relies on human weakness.
Christopher Burgess
Christopher Burgess is the CEO, President and co-founder of Prevendra. He is an author, speaker, advisor, consultant, and advocate for effective security strategies, be they for your company, home, or family.
"The most serious threat to a company's data security is the..."
Insider threat, which comes in two forms:
The malevolent insider is the greatest threat to any company as these individuals are operating from a position of trust and natural access. This natural and authorized access allows the insider to operate within the protected area of the enterprise or company. If they confine their activities to only that which they have natural access, it increases the likelihood that their activity (theft of information) will not be detected. Their motivations are varied as to why they may break trust, with greed and revenge being the primary motivators. The identification and cultivation of these individuals by the unscrupulous competitor or the nation state intelligence apparatus is ongoing.
The careless insider is exactly that: careless. Those who know they are bending/breaking the rules will bypass the processes and procedures by taking shortcuts. They may create a shadow-IT capability, where they collaborate via a social network with their colleagues because the internal infrastructure doesn't provide them with the same ease of use. With these individuals, convenience trumps security and their convenience may be front and center. Others within this category may be the doctor who downloads all his patients' information to his laptop so that it is always at the ready and doesn't know to also encrypt that data, or the individual who is asked to dispose of company confidential information and instead of shredding or otherwise disintegrating the information, they dispose of it in a recoverable manner. Or as one police department learned following a Macy's Thanksgiving Day parade, their shred was used as confetti (see: Sensitive Data on Parade: A look at the Macy's Thanksgiving Parade).
K Royal
K Royal is the Vice President, Assistant General Counsel, and serves as the Privacy Officer for CellTrust. An attorney and compliance professional with 20 years of experience, K is skilled in privacy law, breach management, and compliance and was recently honored as the ACC's 2015 Robert I. Townsend, Jr. Member of the Year.
"The biggest threat to a company's data security is..."
A combination of both insider and outsider threats. The biggest gap in privacy and data protection today is our tendency towards capturing data electronically without protecting it. We back it up, recover it, and never delete it – and we still do not encrypt in transmission and in storage. Let's use enterprise mobility as an example. As more and more companies begin implementing a Bring Your Own Device (BYOD) policy, corporate privacy and security are put at risk. Employees are using their own mobile devices for both work and personal use, and engaging in behavior that could potentially put companies in jeopardy, if not properly monitored. While most companies use security applications for email, they are still lacking security for voice and text communication, two features used regularly by the younger generation. Without security, privacy cannot exist.
James Goodnow
James Goodnow is a brilliant, creative, compassionate attorney and a technology aficionado in Phoenix, Arizona who's been named one of America's Techiest Lawyers by the ABA Journal, the official publication of the American Bar Association. Apple actually selected him as the first lawyer to be featured in one of its commercials, and also spotlighted him and his colleagues on Apple.com. Additional media coverage can be viewed at LegalCommentator.com.
"Much like an old-time bank heist from the movies, a well-executed inside job will always..."
Wreak the most havoc and inflict the most pain. Access to proprietary information, passwords, and more is always going to be the most dangerous.
If you look at reports of last summer's huge Sony hack, there is now credible evidence that it was the work of people inside the company with knowledge of where the security weaknesses were.
Those weaknesses were then fed to outside people with the technical skill to pull off the hack. Most companies employ security measures and have policies in place such as shutting off network access to disgruntled employees they are terminating while the process is taking place in order to avoid potential tampering, which can be devastating.
What do you do? In the words of Ronald Reagan, 'trust but verify' your insiders' backgrounds and actions before handing over the digital keys to your systems.
Dan Foote
Dan Foote is CEO and President of DanTech Services, Inc., an Anchorage, Alaska based Managed Services Provider. Dan has over 15 years of experience in the IT industry and works with small to medium sized businesses to protect their technology infrastructure, data, and users with a layered approach to security. He is an author and a presenter covering topics such as cyber security, business continuity, and cloud computing options. Taking away the business owner's anxiety is a major deliverable that DanTech Services provides its customers.
"While companies do much to protect themselves from external threats, it's..."
Internal systems and users that pose the greatest risk to a company's data. Whether through complacency, ignorance, or misplaced trust, it's what happens inside our networks that can cause the release of malware or a data breach.
With complacency, even a knowledgeable user may open an email that might as well be laced with cyanide. Firewalls and antivirus are not enough to protect from zero-day threats that can be born in an email attachment. Should a user expect an email from some unknown fax system? Not likely, yet the complacent user ignores the training about opening attachments, and CryptoWall 3.0 or a similar variant is just that easily unleashed on the computer and network. That email may even use the address of a trusted client or sender, yet the havoc it wreaks can cost thousands of dollars or create unrecoverable data – which may cost you your business.
Ignorance can be even scarier. The belief that a computer or computer network is protected because of a firewall and antivirus while at the same time ignoring the need to ensure that operating system and software updates are kept current, will likely result in more victims as many of the malware threats circulating on the internet today can be prevented by removing the vector of an out-of-date system. The list of software applications that require updating also includes making sure an antivirus program is kept current. Or maybe someone has simply installed a file sharing program that puts proprietary or private information out on the internet with a less-than-reputable vendor?
Misplaced trust may be the worst. We want to believe in the people we hire to work in our businesses. Yet what if one goes rogue? What if an employee gets upset or disillusioned enough that greed, spite, anger, or a malevolent response becomes their motive for stealing data or causing other damage? Would you even know – unless the proper measures are in place to protect that data?
Outside threats are ever present, constant, and do pose a danger. All businesses that connect to the internet are at risk from the thousands of 'bots and crawlers that have no concern about the size of a business or where it's located. And without the proper protections, the chaos that would ensue would be formidable. It's possible, though, to prevent these external forces from corrupting your security and data. What's on the inside – that's another matter. Does your business have the layers of protection in place to protect your systems? Do these layers include training? Use policies? Application control? Security and network audits and assessments? Does your IT manager have a C-level position? How about a realistic budget?
There are a number of questions posed when it comes to data security and your company's ability to protect it. Working with a trusted advisor that knows and understands your business and systems is a start. Taking IT security seriously – no matter the size of your business – is paramount.
Jonathan Klein
As President of MicroStrategy, Jonathan leads the Usher enterprise security business. He is quite interested in the topic of cybersecurity and believes that we must take decisive steps to combat the growing threat from hackers around the world. Existing solutions such as passwords, security questions, physical badges, and keys are outdated and ineffective, and Jonathan believes that governments as well as corporations of all sizes in all industries must aggressively embrace new and innovative technologies to stay ahead of the cyber threat.
"The biggest threat comes from..."
Insiders. Any combination of the following can result in a major data breach: Internal IT mistakes, e.g., improper system setup such as using default network settings; lack of day-to-day employee vigilance, e.g., using the word 'password' as a login credential for the sake of convenience; and malicious employees, e.g., leveraging their level of access permissions to exfiltrate sensitive data for economic or ideologic reasons.
Most security measures, including authentication, access control, and device management, are built to keep outsiders out. Malicious insiders are also harder to spot – their behaviors rarely indicate malicious intent, making it unclear that the breach stemmed from the inside. That said, we're seeing more big data-driven approaches looking at human behavior to build models that might detect malicious insiders. We'll see if anyone succeeds in that space.
Bill Ho
Bill Ho is CEO of Biscom, a leading edge document delivery solution company that enables firms to share and store documents securely. Bill has over 20 years of experience in cybersecurity and has worked closely with various companies in the healthcare, financial services, government, and legal spaces.
"There will always be external threats to a company’s network and there are..."
Good tools available to help protect against those threats. But internal targets are often the softest targets and unlike a technology solution, people make different decisions and judgement calls, especially around social engineering attacks. So, it’s critical to ensure every employee is well versed and trained in security best practices, understands the threat landscape, and can identify and avoid these targeted attacks.
Bruce McCully
Bruce McCully is the founder and CEO of Dynamic Edge, Inc. and a national expert in the areas of computer security and business technology. He began his career in computer networking over 17 years ago, providing IT solutions to businesses in Southeast Michigan and Tennessee.
"By far the biggest threat posed to companies' data security is from..."
Internal risks. First and foremost, I’ve found that internal data breaches are the biggest threat to businesses. I’m sure you’ve heard the expression that your greatest asset is your greatest liability. I whole-heartedly agree with this. In most, if not all cases, your employees make your business what it is. They add more value to your business than any machine. But with this value also comes an incredible liability. Whether the breach was caused by an employee using software that wasn’t secure or having some malicious intent, people internal to the organization can cause the most damage and put an organization at the most risk for any type of data breach.
Employees can sometimes be too human for their own good. One such human employee accidentally deleted 15 years of law firm data. You might ask, do they really need all those files? What good are they? Actually, for many sectors with strict governmental regulations – HIPAA, SEC, state bar associations, your own client policy on file retention – file preservation is critical to the health of your business. Even with the best of intentions, 15 years of data, which ended up being tens of thousands of documents with a value of 10 million dollars in man-hours, were gone in nearly a split second. What made matters worse is that this employee didn’t even realize that anything was wrong. It took nearly a year for the law firm to realize that 15 consecutive years of data from 1989 to 2004 were missing. These folks didn’t realize anything was wrong until they really needed one of those missing files.
Now imagine the same scenario, but with a disgruntled employee destroying or corrupting important data. Perhaps the firm would not be held as accountable with negligence, but their name would have been equally toxic to anyone seeking legal representation. Does anyone leave your company? Is it always on good terms? What if someone deleted just 500 files? What if one of those files was really important? You might not realize it was gone until it was too late. I don’t want to harp on employees too much; my team members are the life of my business. All contribute to making the company better, and I think of them as my friends and family. But at some point, you have to consider the possibility that one of them may – with an intention or not – cause a very big problem, a disaster that could ultimately cost you your business and them their livelihoods. Businesses need to make sure that they have ALL of their data backed up regularly and should regularly check that cloud-stored data is complete and secure. They should also make sure to limit employee vulnerabilities by limiting their ability to download or install programs on their workstations.
Inigo Merino
Inigo Merino is the Founder and CEO of Cienaga Systems. He has been with Cienaga since its inception as the driving force behind both business and technology development efforts.
Prior to Cienaga, Inigo served as a Vice President in Deutsche Bank Group’s Chief Operating Office, where he led Cyber Security, Incident Response, Computer Forensics, and Legal Discovery matters in the Americas. Earlier, he built and managed award-winning Software Development, Incident Response / Forensics, and Information Security teams at Merrill Lynch, after having held the role of Senior Information Security Architect covering Merrill’s initiatives in Electronic Commerce and Electronic Banking. Inigo started his professional career as a Lead Developer at AT&T Laboratories and has held roles as Research Assistant in the field of Computer Learning and as Teaching Assistant in Computer Science at Georgetown University.
"Having better understood the risks posed by insiders, industries at the forefront of cybersecurity (such as large financial services firms and defense contractors) have long carried multi-year efforts to wrangle this problem. The vast majority of organizations, however, and in particular those in the SMB segment, continue to..."
Implement security strategies geared exclusively towards outsider threats, ignoring the risk posed by insiders.
Industries at the forefront of security understand that insiders present a very clear threat because they have legitimate access to company information, and because it is difficult to ascertain their intentions at any point in time. So for instance, a network administrator who becomes disenchanted with his management could copy and publish the organization’s secrets online. A salesperson can sell the customer list or disclose non-public deal information to his or her employer's competitors. An employee with physical access to a facility can disconnect a server or burn down a data center. Even a waiter can store customer credit cards in a handheld swipe device.
However, the majority of organizations, and certainly most enterprises in the SMB segment still struggle to set up security programs that properly deal with the outsider threat, let alone the much more complex insider threat. 'Stranger danger' still prevails as the primary motivator to security today across these enterprises. At Cienaga Systems we interact a great deal with managed solutions providers, many of whose customers are in the SMB hospitality industry, for example. While most of their customer organizations implement firewalls and whatever basic encryption PCI requires, they lack the organizational and security maturity to understand the risks posed by insiders, so few to none implement additional security controls, and much less, security monitoring or appropriate procedural controls.
Furthermore, SMBs are mostly underserved by cyber security vendors that tackle advanced threats, such as insider threats. Having focused primarily on Fortune 1000 firms, these vendors offer solutions which require dedicated hardware, complex configuration and administration, and long deployment cycles, which ultimately translate into prohibitive price tags, making advanced threat detection unreachable to these smaller businesses.
In summary, although SMBs amount to a relatively large proportion of GDP vis a vis large cap companies, they appear to lack the appetite, funding, and maturity to properly deal with insider threats. As a result, these organizations lack the visibility necessary to manage this risk properly. For these reasons, even though the insider threat has become better understood in recent years, insiders still pose the most significant risk for employers today.
Jonathan Pollard
Jonathan Pollard is a competition lawyer based in Fort Lauderdale, Florida. He has a nationwide practice representing both plaintiffs and defendants in non-compete and trade secret litigation.
"The biggest threat to any company's data security is..."
Insiders, hands down. With respect to external threats, you can take certain steps to secure your data and minimize the risk of an external attack (malware, hackers, etc.). You can never be 100% safe but you can have a very high confidence interval. Internal threats are a totally different ballgame. In an organization of any size, the internal threat takes on two dimensions. First, negligence by insiders leading to a data breach. You can combat this to some extent through training and various safeguards. A second and more difficult problem is an insider going rogue. In all of the prior threat scenarios, corporate actors are trying to protect the data but failing for whatever reason (external attack, malware, negligence, etc.). But when an insider goes rogue, the threat is of a fundamentally different nature. For instance, suppose an insider who has access to critical data decides to steal that data and go to an industry rival. On a technical level, it is almost impossible to guard against that threat. You minimize that threat through thoughtful hiring. And if it happens, you immediately go into damage control mode and get an injunction.
Zack Schuler
Zack Schuler is the Founder & CEO of Ninjio, an I.T. Security Awareness company that trains corporate end users on security awareness using 3-4 minute animated episodes based on actual security breaches, that are released every 30 days. Ninjio was built to help stop the 95% of security breaches due to human error by increasing awareness of internal employees and aiding them in safe use of personal and mobile computing.
"Security threats come in all shapes and sizes..."
Internal threats can be particularly harmful due to the potential misappropriation of trade secrets and intellectual property. However, in most cases, internal attacks aren't executed in collaboration with enemies of the state, but rather internal employees trying to obtain financial gain. External threats usually go after larger data sets that have a likelihood of compromising the customers of the organization that was breached. This results in credit card, identity information, or other PII (Personally identifiable information) going to the hackers. This is particularly harmful to the company due to the loss of reputation, potential lawsuits, and the significant cost in making the situation right with their customers. Many external attacks are phishing attacks in which the hacker relies on human error for successful execution. Considering the large, ever-increasing number of external breaches that impact everyday Americans, if I had to pick, I would say that today external breaches are more threatening to a company's data security.
Jeff Senn
Jeff Senn provides strategic leadership that supports the technical preeminence of MAYA Design and its R&D efforts. He previously led MAYA’s Engineering Group, specializing in designing architectures, software, and hardware for computing systems. Jeff also managed the development of Visage, a powerful data exploration, navigation, and visualization system that led to a spin-off company bought by General Dynamics. Before MAYA, Jeff worked for Carnegie Mellon University (CMU) where he designed a vision-tracking laboratory and developed data collection and analysis tools.
"The bigger threat to data security is..."
Insiders. Outsiders are a somewhat fixed threat; there is little one can do short of unplugging the internet and locking the door. Insiders may sometimes be malicious, but more often than not, they are simply careless or even reckless. Employees trying to do their jobs may make mistakes due to misunderstanding, lack of training, or lacking sufficient time for attentive action. Some of this threat can be mitigated through the use of training and tools to support good security practices. The most insidious threat is a longer-term one. That is, the presence of poorly designed procedures or products that cause employees to choose between security and productive work. These situations are pretty much guaranteed to eventually lead to problems. Mitigating this sort of situation requires a commitment on the part of management to provide users with well-designed tools that are both highly usable and safe in terms of data security.
Paul Kubler, CISSP, CCNA, Sec+, ACE
Paul Kubler is a Cyber Security and Digital Forensics Examiner at LIFARS LLC, an international cybersecurity and digital forensics firm. He's a former employee at Boeing, in the Global Network Architecture division, the nation's largest private cyberattack target. He previously worked at the Flushing Bank, in Network and Systems Infrastructure, protecting valuable financial data at various levels within the network and system. Paul has also performed forensic investigations into mobile devices aiding in the prosecution of criminals.
"When it comes to a company's data security..."
Insiders are a threat from two angles, that of an intentional purpose and that of unintentional circumstance. Insiders will always be a bigger threat as they already have physical access to said information and potentially more. A malicious admin is more dangerous than a group of sophisticated hackers simply because they already have the keys to the kingdom. On top of that, users are also a major source of unintentional damage, such as unplugging the wrong server or misconfiguring backups. Internal users can also be bribed or otherwise coerced into such actions as well. Or maybe they bring in threats as well. This is why social engineering is the biggest source of compromise; it relies on the human weakness of insiders. The lack of awareness and proper alertness could, in fact, be the opportunity that hackers look for when planning a breach.
Stu Sjouwerman
Stu Sjouwerman is the CEO of KnowBe4, the world's most popular integrated platform for awareness training combined with simulated phishing attacks.
"The biggest threat to a company's data security comes from..."
Insiders. You can have all the technology solutions in place, yet one user clicks on a link that they shouldn't or falls prey to a spear phishing email spoofing your CEO, and poof! There goes 46 million dollars. Even top-level companies like Ubiquiti can fall prey to what the FBI termed Business Email Compromise or CEO fraud. 91% of all data breaches are caused by phishing – an internal threat.
Jayson Street
Jayson is an Infosec Ranger at Pwnie Express, a well-known conference speaker, and author of the book Dissecting the hack: The F0rb1dd3n Network. Pwnie Express provides continuous visibility throughout the wired/wireless/RF spectrum, across all physical locations including remote sites and branch offices, detecting 'known-bad,' unauthorized, vulnerable, and suspicious devices.
"The biggest threat to the enterprise is..."
Consider both the malicious, out-for-revenge employee and the well-intentioned, yet uneducated employee, and it might be the latter that is the most difficult for a company to detect since the behavior goes under the radar of traditional network security products.
Employees are constantly circumventing security policies. The most notorious is the amount of connected personal devices they bring in to work, often under the guise of enhanced productivity, whether that means more work or watching more cat videos on Facebook. What they don't realize is they are unknowingly compromising company security because each of those devices is now a pathway for attack.
While the industry has been aware of insider threats for a long time, we are just starting to grasp the idea that knowing all the devices on or even around the corporate network is half the battle. Companies need to start focusing on people and devices who already have direct access to company data, sometimes unknowingly. Fortifying external defenses won't protect a company if insiders don't realize their iPhone has now become an open door to customer financial data.
Paul Kraus
Paul Kraus is the President and CEO of Eastward Breach Detection, which delivers enterprise-grade active breach detection technology, made easy to use and cost-effective for any size enterprise.
"The most substantial risk to a company's data security is from..."
By far, the insider threat! A few examples can easily highlight this. First of all, common misconfigurations of overly-complicated web-based applications or internet-facing infrastructure are all too common. Compounding this by hiring un-vetted contractors or consultants to configure these systems, workers whose skills or intent are unfortunately only known after the fact, can make a company’s critical systems easy picking for even the most unsophisticated hacker.
No conversation on this topic can omit mobile devices and laptops. With new mobile devices and mobile-enabled laptop users accessing networks every day, organizations need to understand which applications are accessing their network and running on/through it. Companies need to move past the legacy ideology that Apple iOS products are safe while Android and Windows are the only petri dishes of malware. All operating systems are proven vehicles for attack. Add to this the threat of shared and weak passwords on internal systems, and you have a situation where the things we thought were safe (password protection, Apple iOS) are posing huge and oftentimes unaudited risks.
You have to dig no further than the news-worthy breaches – Target, Home Depot, and Office of Personnel Management – to see that IT and Security Professionals’ concerns need to change. The insider threats are often the enablers of external threats, and if left under-appreciated, more companies will make the nightly news – for all the wrong reasons.
JP Zhang
JP Zhang is the Founder of SoftwareHow, a blog about helping you solve common problems related to computers and digital devices, with no-nonsense software tools and actionable how-to tips.
"Having worked for two software companies (one with 1000+ employees, the other with only 20) involved in data security, I am confident to say that..."
99% of malicious attacks or data theft in a company, whether big or small, comes from inside people, either directly or indirectly.
There are two key reasons why insiders pose the biggest threat to a company's data security:
1. Incomplete corporate management easily exposes sensitive data to unauthorized employees who could leverage the data to achieve personal purposes. This happens more in startups and SMBs.
2. For established companies that have sound, yet robust data infrastructure, it’s very hard for outsiders to attack due to the nature of security systems. In most of the data disaster cases that claim to be conducted by outsiders, the motive is actually to obtain credentials from insiders within that company.
Jessica Geary
Jessica Geary previously worked at the educational startup Decoded, teaching professionals about hacking, coding, and data. She's currently working as a digital media specialist at Maxus for Barclaycard.
"The biggest threat to data security is certainly..."
Naïve insiders who aren't clued up on simple ways to make their companies' (and their own) data secure. We hear every day that weak passwords are making employees vulnerable, which is true, but I believe employees need to be trained in the subtle art of social engineering, the signs and signals of a hacker who is already in the email system posing as your boss desperately in need of that master password. Data security is very seldom just a technical issue, but a very human one that takes a shift in company culture to tackle.
Stewart Rose
Stewart Rose is the president and founder of ThreatReady, a data security company that helps organizations protect themselves by establishing a culture of cyber awareness.
"The greatest threat to a company's data security is..."
Inside people. Just last year, more than 95% of cyber breaches occurred because of human error. Attacks target specific employees, job titles, and types of information, and they are often cleverly disguised, so people inadvertently reveal sensitive information as they go about their jobs. Cybersecurity is a people problem, and employee missteps are leading to disastrous results.
Greg Kelley
Greg Kelley is CTO for Vestige, Ltd., a company that performs computer forensic services and data breach response for organizations.
"In my experience, the biggest threat to a company's data security is posed by..."
Insiders. They already have an upper hand on the outsiders; they are inside of the organization. An insider does not have to deal with getting through a firewall and potentially creating network noise in doing so. An insider will usually know where the important data resides. Quite often, that insider will have the proper security rights to the data as well, an advantage over an outsider. To further assist in their theft, insiders are often not monitored to the extent that IT security will monitor an outside attack. Even if an insider is being actively monitored, it is difficult for IT to determine whether or not the accessing of a document or copying it to a USB drive is for legitimate purposes or nefarious purposes, especially when those documents are regularly used by the insider. Typically, insider theft is only detected once the insider leaves the company. Outside threats have the advantage, usually, of anonymity, but for all the reasons previously mentioned, insiders are more of a threat to data security.
Dr. Frank Breitinger
Dr. Frank Breitinger is an Assistant Professor of Computer Science at the Tagliatela College of Engineering at the University of New Haven, CT. His research is carried out in the University of New Haven Cyber Forensics Research and Education Group (UNHcFREG, part of the Tagliatela College of Engineering at UNH), where he also acts as a co-director.
"Over the years several studies have been published on the risks posed by insiders vs. outsiders..."
For instance, Verizon's 2008 Data Breach Investigation report analyzed 500 breaches, where 73% were outsiders and 18% insiders. A newer study (Verizon Data Breach Investigation Report 2014) showed similar results, with 72% of the breaches involving outsiders and 25% insiders. While this seems like common sense, it is a fact that the amount of damages caused by insiders is higher.
Analyzing some facts, this makes total sense. While outsiders are larger in number, insiders have way more power as they are (1) familiar with the system (e.g., they know where data is stored) and (2) can avoid several layers of defense (e.g., there is no firewall).
One should keep in mind that internal does not necessarily include an active adversary. As pointed out by Verizon 2014, a significant amount of breaches are miscellaneous errors (posting private data accidentally, or sending information to the wrong recipients), insider and privilege misuse, and physical theft and loss (i.e., USB devices or laptops). This was also pointed out by riskbasesecurity.com (2013) who reported that besides the 71% of outsiders there are 9% inside-malicious, 11% inside-accidental, 4% inside-unknown.
Michael Fimin
Michael Fimin is an accomplished expert in information security and the CEO and co-founder of Netwrix, the IT auditing company providing software that maximizes visibility of IT infrastructure changes and data access. Netwrix is based in Irvine, CA.
"It is hard to estimate the risk insiders and outsiders pose to data integrity. However..."
I would say insider threat is commonly a more serious issue just because companies are not properly prepared. Insider threat is often disregarded in security strategies due to personal relationships with employees built on trust, underestimated value of assets, lack of knowledge about security, and so on. Also, many do not realize that insiders are not only current employees with malicious intentions, but also partners, contractors, and former staff – anyone who has ever been granted access to your network. What can companies do to minimize insider threat? Here are 6 important steps:
- Realize that as long as you have any data you are a potential target, regardless of company size and industry.
- Establish internal security policies and controls that are regularly updated. Be proactive; don't wait for a breach to happen.
- Educate employees about security policies, threats, and their personal responsibility in maintaining security. Damage is not always done intentionally – it can be a result of a simple human mistake.
- Monitor all activities in your IT network, including those of privileged users. You have to know who has access to what and what changes are made to critical systems and data, as well as who did it and when. This will help you detect potential threats, take necessary actions, roll back unwanted changes, and investigate if necessary.
- Limit access to only the information people need to do their work to avoid the risk of an account hijack. Even if employees (or partners and contractors) are trustworthy and show no intention to compromise the data, they could become a target simply because they have access.
- Make sure passwords are changed regularly and inactive accounts are disabled. These simple measures are often forgotten, but can strengthen security.
Benjamin Brooks
Ben is a Research Analyst with SecureState specializing in IT policy, wireless technologies, and mobile security. Prior to SecureState, he was the Leading Chief Petty Officer with the U.S. Navy.
"According to the 2015 Verizon DBIR, the threat from..."
External sources is the highest based upon statistical probability of nearly 80%. That being said, the employee with intimate knowledge of the system's interworkings will have the greatest success in achieving the breach and compromising critical components or data. Bottom line: While the statistical probability is greater that the breach will come from an external source, the internal attack can cause the most damage because of the insider's intimate knowledge of systems, data locations, and processes. Fortunately, the trend of attacks from within is very low. Both should be protected against as a matter of overall risk to the company, rather than simply an IT problem.
Tim Estes
Tim Estes founded Digital Reasoning in 2000, focusing first on military/intelligence applications and, in recent years, on financial markets and clinical medicine. Tim's academic work at the University of Virginia focused in the areas of philosophy of language, mathematical logic, semiotics, epistemology, and phenomenology.
"Companies face the biggest threat to data security from..."
Insiders pose more of a threat because there are many ways to protect against outsiders, while the challenge with insiders, who are colleagues or trusted third parties – employees, partners, contractors – is that they work alongside us and have legitimate, indeed necessary access to the very systems or information that requires protection. Since it would be impractical for access to be routinely blocked, there is a pressing need to gauge the difference in intent that separates the innocuous majority from those with malicious objectives. In the absence of being able to read minds, our ability to defend against the insider threat is very limited. All too often someone's hidden agenda only becomes apparent long after any theft or damage has taken place.
Additionally, clues that can lead to an insider threat are often present with an organization's information, but those committing crime and fraud will usually take time to adjust records and cover their tracks. In many cases, the technology used to protect these organizations is used against them. The best evidence of this usually lies within the unstructured human communication of documents, emails, chats, and other messages. Criminals often code or conceal their activities within this information, knowing that if their activities and intent go undetected by the internal systems, they'll continue to be trusted and will have access to the tools they need to continue their criminal activity.
Sharon Polsky
Sharon Polsky is a data protection and privacy specialist and a Privacy by Design Ambassador who is passionate about the importance of effective data protection and information risk management. With over 30 years of firsthand experience advising governments and organizations across North America, Sharon takes a practical approach to privacy, access, and information security trends, laws, and emerging technologies. Polsky is President and CEO of AMINA Corp.
"The question of whether the bigger threat to information is from within or outside an organization is..."
A perpetual chicken-and-egg question. You can look at any number of statistics that claim 70, 80 or even 90 percent of data problems are caused inside.
In more than 30 years of advising government and private sector organizations about data privacy and protection compliance, I have seen that the source of every data risk and problem is employees, executives, suppliers, or partners inside the organization who either did something or neglected to do something, and that allowed a vulnerability to occur. Whether through curiosity, malice, or good intentions, the people inside an organization who have access to its systems and information are inevitably the biggest risk.
Why?
- Because training and awareness about privacy and digital diligence – from the c-suite to the loading dock – is essential to understand whether and how your role and actions affect data and security, but that training is perpetually inadequate across government and private sector organizations.
- Because organizations allocate security and training budgets based on an inadequate understanding of the business risks and compliance requirements of privacy laws, trends and technologies, and therefore are poorly prepared to effectively safeguard data within their environment.
- Because there’s little continuity between roles and departments, so that a single data element can pass through many hands, yet nobody knows what the other is doing with (or to) the data and that fractured approach increases risk that the data will be mishandled, mislaid, or misappropriated.
- Because most insider attacks go unreported, and that makes vendor claims for controls very attractive. It’s unrealistic to expect anyone to make correct procurement or hiring decisions if they don’t understand the problem, the risk, the law, or the technology.
Perhaps more than anything else, because it’s not a technology problem; it’s a human nature problem. The computers and technology are just tools; it’s what people do with (or to) the tools that is the problem. It’s no different than cars: they’re not a problem when drivers know what to do and what not to do. But without that knowledge it’s easy to make the wrong move, react improperly, or to cause damage or injury – whether out of curiosity, malice, or good intentions.
Andy Feit
Andy Feit is Head of the Threat Prevention Product Line for Check Point with overall responsibility for strategy, positioning, and go-to-market activities. Before joining Check Point, he was a co-founder and CEO of Enlocked, an email security company focused on small- to mid-size businesses. He has also held several executive positions at information management software companies including MarkLogic, Verity, Quiver, Inktomi, and Infoseek, as well as serving as director and principal analyst for market research firm Gartner.
"If we look at recent large-scale breaches, the majority of those involved an attack from..."
External sources. That said, insider threats are responsible for many breaches and the reality is that it is not always as clear as inside vs. outside. For example, if an external organization was looking to gain access to data and bribed a system admin or DBA to provide a password or access to a system, but then the attack was executed by external hackers, how would you attribute this?
Other grey areas exist. For example, contractors or consultants. If they have signed confidentiality agreements and are given access to data, what if they ultimately keep data they needed access to in order to complete their tasks and use it improperly? Was this an insider or external attack?
In general, as both network and endpoint security continue to improve, the use of these hybrid techniques is likely to increase. It is important for organizations to ensure they have proper controls, audit, and protection in place to be able to detect and trace insider threats.
Dr. Brandon A. Allgood
Dr. Brandon A. Allgood is the CTO and Co-Founder of Numerate, Inc. Brandon currently manages Numerate's software engineering team and is responsible for the development of the company's drug design technology platform and its technical vision. He is also a strategic advisor at Lanza techVentures, where he provides technical insights.
"In terms of threats to a company's data security..."
Both insiders and outsiders are a data security threat. In reality it depends on the publicly facing digital surface area as to whether insiders or outsiders are more of a threat. For B2C businesses the surface area is likely quite expansive, out of necessity. It also means that the company likely has a lot of customer data, which is often sold as a commodity on the dark web. In addition, the rise of ransom attacks puts companies – companies that may not think their data is all that interesting to external parties – at risk. Likely more so, because they don't think what they have is worth anything. In this case, I would argue that external threats are a larger problem. They are more unpredictable and harder to anticipate. Insiders can be more controlled with proper security measures. The key there is proper security measures. In my experience, many businesses don't have proper security because, if not implemented properly, they often run counter to productivity and employee morale.
In a B2B business the greater threat is insiders. The greatest insider threat in this situation depends on a company's business model and how the data is gathered and consumed. In many cases, the threat is the insider within the customer business. You have very little control over them. You can only control their access to the data in your system through software measures and contractual agreements.
Another source of insider threats for both B2B and B2C companies is the non-technical staff (and contractors, such as lawyers) that need some level of access to the data. In this case, it is generally not a malicious threat, more often just unawareness. Proper training for staff is required and secure practices can be achieved. But it is much harder to train and control external contractors that have access to data on their own systems.
Greg Mancusi-Ungaro
Greg Mancusi-Ungaro is responsible for developing and executing the BrandProtect market, marketing, and go-to-market strategy. A passionate evangelist for emerging technologies, business practices, and customer-centricity, Greg has been leading and advising world-class marketing initiatives, teams, and organizations for more than twenty-five years. Prior to joining BrandProtect, Greg served in marketing leadership roles at ActiveRisk, Savi Technologies, Sepaton, Deltek, Novell, and Ximian, building breakthrough products and accelerating business growth. He is a co-founder of the openSUSE project, one of the world's leading open source initiatives.
"Both inside and outside threats pose credible risks to enterprises and organizations, but they each create..."
Very different security requirements. In the end, the human costs of inside threats make it crucially important that a firm do everything it can to identify likely threat actors and monitor their activities, while the business costs of outside threats can literally cause a company to have to close its doors.
Inside threats – either employees or trusted parties with an axe to grind – have many different origins and expressions. Employees can feel under pressure after reorganizations, after transfers, if an expected raise or promotion does not come through, or any of a number of other office situations. Insiders can also face external circumstances which make them feel desperate – a change in the status of a relationship, unexpected expenses, or health-related issues, for example. Responsibility for inside threat monitoring is usually shared by HR, Security, and IT teams. Increasingly, security teams are also using external cyber activity monitoring tools in an effort to unearth online activities – posts, rants, and tweets – that might indicate that a threat is imminent.
Outside threats – cyber threats enacted by third parties that never touch an enterprise's firewall – are much more common than insider threats. On the surface, they can almost seem inconsequential. What does it really matter if a third party registers a similar domain? Or if a few customers fall prey to a phishing email? Taken individually, these small incursions may not have significant costs, but taken collectively, outside threats like these can have a profound impact. In some cases, the criminals merely want to generate false charges on a credit card or empty a bank account. But many times, the criminals are probing the public for information that can eventually be used in social engineering or other schemes that can rip an enterprise wide open. The overall market costs of millions and millions of compromised accounts or personal records are enormous, and the reputational costs to the trusted company (whose identity has been used to trick the public) or the companies that are eventually targeted in a major cybercrime cannot be measured. Once a customer is lost, it is very difficult to recapture them.