Insider or Outsider - Does it Matter?
Much noise is made about the risks associated with insider threats versus outsider threats, but why?
Defenses for outsider threats are easier to visualize: a hardened perimeter, strong authentication, and monitoring for unusual activity seem logical if you’re trying to “keep the bad guys out.” Insider threats are viewed as more difficult to detect and defend against. Here, the focus tends towards access control, authorization, and (often) device control. Inside attackers are typically trusted users; outside attackers can be individuals or, increasingly, malware.
If your goal is to protect your data from misuse or exfiltration, does it really matter whether the attacker is inside or outside your organization? In either case, there is an attempt to use or move data in a way that should not be allowed. The best defense must consider the worst-case scenario: an attack by a user, or someone posing as a user, with legitimate access to the data. This could be a system administrator, a senior executive, or an engineer. To extend this to common outsider (cyber) threats, a “user” could also be software, whether legitimate or malicious.
This sounds like a massive challenge. However, by focusing on securing the data itself, multiple attack vectors are addressed. Data that carries security with it will prevent unauthorized use, whether the attack is from inside or outside the organization. It will recognize legitimate actions by other systems and prevent unknown or unauthorized applications from copying or moving data offsite. It will automatically encrypt sensitive data that leaves the internal network (when allowed) and block actions that put data at risk.
The outsider attack is a serious threat. However, if you can protect data from a determined, malicious insider, defending against many outside attacks comes for free.