I saw this article this morning pointing to a study showing that, contrary to popular current believe, attacks from outsiders pose a greater risk than attacks from insiders. If you read through the comments you’ll find a lot of people that share the same ideas as I do. This study doesn’t really seem to be all that valid and seems to make more of a terminology change than anything. What do you consider an insider versus an outsider? It seems the study has classified insiders as direct employees. There’s phrases that make is sound like contracts that have been given access were classified as “outsiders” even though we have given them trust. I would argue that anyone who has been granted any level of access to an internal system is an insider.
I also think their numbers are a bit off for a few other reasons. One reason being the people taking the survey may not be giving honest responses. Another possiblity is not accounting for an attack by an outsider that required insider help. Many attacks from the outside require somone on the inside downloading and installing an executable or clicking a link in an email. These are almost always accidental, but I would still classify this as an internal attack, or an external attack that required internal assistance or something like that.
In any case, there are at least a few things any smart small business should do to protect against threats…
- Implement a good firewall to keep direct external attacks out of your important internal systems. There should be no direct access from the public network to any business critical and or sensitive data. This may require implementing a VPN for any external employees, but these systems are becomming much more affordable.
- Train your employees on general security practices. Teach them how to avoid getting viruses by following some email best practices (don’t click on any executable attachments, etc). Teach them about social engineering and how to deal with it. Things like that.
- Install Anti-Virus software with on-access scanning on all personal desktops/laptops.
Obviously, there are many more things you can and maybe should do, but I would consider the three above definite requiremetns that will greatly reduce your risk of attacks.