Defending Against Attacks: Insiders vs. Outsiders

I saw this article this morning pointing to a study showing that, contrary to popular current believe, attacks from outsiders pose a greater risk than attacks from insiders.  If you read through the comments you’ll find a lot of people that share the same ideas as I do.  This study doesn’t really seem to be all that valid and seems to make more of a terminology change than anything.  What do you consider an insider versus an outsider?  It seems the study has classified insiders as direct employees.  There’s phrases that make is sound like contracts that have been given access were classified as “outsiders” even though we have given them trust.  I would argue that anyone who has been granted any level of access to an internal system is an insider.

I also think their numbers are a bit off for a few other reasons.  One reason being the people taking the survey may not be giving honest responses.  Another possiblity is not accounting for an attack by an outsider that required insider help.  Many attacks from the outside require somone on the inside downloading and installing an executable or clicking a link in an email.  These are almost always accidental, but I would still classify this as an internal attack, or an external attack that required internal assistance or something like that.

In any case, there are at least a few things any smart small business should do to protect against threats…

  1. Implement a good firewall to keep direct external attacks out of your important internal systems.  There should be no direct access from the public network to any business critical and or sensitive data.  This may require implementing a VPN for any external employees, but these systems are becomming much more affordable.
  2. Train your employees on general security practices.  Teach them how to avoid getting viruses by following some email best practices (don’t click on any executable attachments, etc).  Teach them about social engineering and how to deal with it.  Things like that.
  3. Install Anti-Virus software with on-access scanning on all personal desktops/laptops.

Obviously, there are many more things you can and maybe should do, but I would consider the three above definite requiremetns that will greatly reduce your risk of attacks.

About these ads

2 Responses to Defending Against Attacks: Insiders vs. Outsiders

  1. WHBaker says:

    With all due respect, I don’t believe you read the report on which the article was based. The articles have been fairly obscure and light on coverage. First, this wasn’t a survey. It was based on first-hand forensic investigations of actual data breaches. Secondly, the class you say was classified as “outsiders” (non-direct employees that have trust) were not classified as outsiders. They were partners (contractors, vendors, etc) and accounted for 39% of breaches. Thirdly, attacks like those you mention above involving multiple parties were described and accounted for in the report. The report certainly isn’t free of bias (this is mentioned in the report) but to call it invalid based on an article is very presumptuous.

  2. itatsmallbiz says:

    Thank you for your thoughts. You are correct in that I did not completely read through the report, thought I had read a decent amount of it including how the data was gathered. However, I had been checking out several other reports related to this subject and many of them were based on surveys and I just got my reports mixed up when I made that comment. I know the report did have a group classified as “partners”, and that is great that they separated them from the outsiders, yet I feel several people covering the report are still referring to that group more as “outsiders” than insiders and thus the comment. So yes, you are correct, questioning the “validity” of the report was probably not the correct wording I was looking for. I was going more for questioning exactly how much it applied to my target audience, the small business IT Manager. So I probably should have addressed the “applicability” instead of the “validity”.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: