When it comes to understanding the privacy landscape of an enterprise a question that often gets debated is that between insider and outsider threats and which presents a greater risk to the organization. James Howard presents a wonderful point of view on this, here is an excerpt from his views on this

  • Insiders are harder to detect because they are familiar faces – their actions are more easily explained away (accidental/innocent activity, for example)
  • Insiders know what the valuable data is, and where it is stored.  They might abuse their access to steal data (i.e., metaphorically, they use their key to open the safe and make off with the jewels — no break-in, and the loss is harder to detect).
  • Insiders are more familiar with policies, procedures and controls, and are more able to exploit weaknesses.
  • Insiders might engage in accidental activity (non-malicious) that results in loss — my favorite thought experiment is to lead people through the scenario of a typical millennial (tech savvy but unfamiliar with risk) unhappy with corporate-issued tools goes out and self-provisions solutions outside of formal channels, introducing risk and vulnerabilities.
  • Insiders are also able to cause damage if they have an ideological difference with management (that line between being a legitimate whistle-blower vs being a hacktivist)
  • Most security programs spent all their resources on perimeter security since that is where leadership perceives the threats to be. And from a public point of view, the press loves to talk about external attacks.  Internal attacks are covered up as much as possible.  
  • No one wants to question the motivation and actions of employees — that’s too awkward.  This is evident in how in mature organizations as well, for example, implementing a password expiration policy,  is often viewed as burdensome and unnecessary
  • If you were planning an orchestrated attack on a company, one of the first things you would do is to try and find an insider you can be turned to help further the attack.  There is an acronym that law enforcement uses to map the motivation of insiders who turn:
    • M.I.C.E.
      • Money 
      • Ideology
      • Coercion
      • Ego
  • Actual exploitations sometimes combine — e.g., small payoffs lead the asset to where they are in too deep (becoming coercion)
  • Since insiders are so vulnerable and so easily exploited, one can hypothesize that any serious external threat has an insider component

Therefore, when discussing whether insider or outsider threat is more serious, he concludes its t’s the insider every time