The debate continues about outsider vs. insider attacks. Which are more prevalent? Which are more costly?
A recent survey conducted by CSO Magazine and sponsored by Deloitte claims that:
58 percent of attacks are caused by outsiders and only 21% by insiders. At the same time, however, 33% view the insider attacks to be more costly than outside attacks, compared to 25% in 2010.
Now one might think that it’s in Deloitte’s interest to promote the growing threat of insider attacks because it’s an audit firm. However, I found this statistic to be interesting:
The authors noted that the public may not be aware of the number of insider events or the level of the damage caused because 70% of insider incidents are handled internally without legal action.
In my view, the difference between an outsider and an insider attack is narrowing if you define an insider as one who has authorized access. This is due to the increasing prevalence of botnet attacks which steal credentials. Thus, an outsider becomes an insider. Of course, if the definition is based on the identity type of the attacker, the difference between outsider and insider is clearer.
Therefore, when planning your security defenses, it’s critically important to use an approach that starts with identifying the attacker types and their objectives. That’s why I like the SANS 20 Critical Security Controls for Effective Cyber Defense.