Insider vs. Outsider Data Security Threats: What’s the Greater Risk?

As data breaches increase, many will be the result of Insider threats. In fact, the insider threat is unlikely to diminish in the coming years and will be a major threat to businesses.

Steve Durbin, Managing Director of ISF.

The risk of insider threats compared to outsider threats is an ongoing debate, though more companies are taking notice of the risks that insiders can pose to the company’s data security today than in the past. Historically, the data breaches that make the news are typically carried out by outsiders. While these breaches can cost hundreds of thousands of dollars (often millions more), outsider threats are generally the threats that have been addressed with traditional security measures. It’s the threats that originate from inside that are much more difficult to prevent and detect using one-size-fits-all security measures.

Just one of the reasons that insider threats are more difficult to prevent stems from the fact that insiders don’t always threaten the company’s data security intentionally. In fact, many data breaches resulting from insider threats are completely unintentional. To combat these risks, as well as the insider threats originating from those who do have malicious intent, a holistic approach to security is essential in the modern threat landscape – one that adequately addresses not only insider and outsider threats, but effectively manages both unintentional and intentional threats posed by those within your organization.

To gain more insight into the threats posed by insiders vs. outsiders and how companies can effectively mitigate these risks, we asked a panel of data security pros to answer this question:

“What’s more of a threat to a company’s data security: insiders or outsiders?”

Steve Durbin, Managing Director of ISF believes the insider threat is unlikely to diminish in the coming years and will be a major threat to businesses. Efforts to mitigate this threat, such as additional security controls and improved vetting of new employees, will remain at odds with efficiency measures. More insiders with malicious intent will emerge as more people place their own ethics and perceptions above those of their employers.

The insider threat has certainly intensified as people have become increasingly mobile and hyper-connected. Nearly every worker has multiple, interconnected devices that can compromise information immediately and at scale: impact is no longer limited by the amount of paper someone can carry. Simultaneously, social norms are shifting, eroding loyalty between employers and employees.

At the ISF, we believe that there are three categories of insider behavior: Malicious, Negligent and Accidental.

MALICIOUS

Malicious behaviors require a motive to harm plus a conscious decision to act inappropriately. Examples include copying files before taking a job with a competitor, leaking confidential information, sabotaging networks, or using work privileges for personal benefit.

NEGLIGENT

Negligent behaviors do not have a motive to harm, but do have a conscious decision to act inappropriately. The act is usually well-intentioned – such as using unauthorized services or devices to save time, increasing productivity, or enabling mobile working – and the behavior often comes with the knowledge that the action is bypassing a control or circumventing policy. Despite the lack of malicious intent, negligent insiders are knowingly accepting risks that are outside the organization’s risk appetite.

ACCIDENTAL

Accidental behaviors have no motive to harm and no conscious decision to act inappropriately. Emailing information to the wrong people, opening malicious attachments, and publishing private data on public servers can all happen accidentally.

The first time someone behaves in one of these ways, it could be considered accidental; however, repeated accidental behavior may also be considered negligent.

Managing risk posed by the insider threat should extend across all three types of risky behavior. Once the risk is assessed, immediate results can come from applying technical and management controls and from aligning roles, responsibilities, and privileges throughout the employment life cycle.

But that alone is not enough. Organizations must nurture a culture of trust, one where the organization can trust its insiders – and insiders can trust the organization in return. Organizations with a high level of exposure to insider risk should expand their insider threat and security awareness programs.

Organizations must understand where and how they are trusting their insiders – and must augment technical and management controls by helping people to become more worthy of the trust placed in them. Equally, organizations should foster a culture that makes the organization worthy of trust in return.