Security Experts:

Network Security - Inside Out or Outside In?

This month has been a big one in terms of new research and survey data, including AlgoSec’s State of Network Security 2013 as well as Verizon’s 2013 Data Breach Investigations Report, among others. These reports take different approaches that eventually all point back to the same area – how to better secure your network and information from all of the bad stuff out there in the world.

Our survey findings asked security and network operations professionals their opinions on a variety of questions around greatest risk, greatest security management challenges, etc. Verizon’s report analyzes thousands of reported breaches. While there are many great data points in both of these, one where these reports diverge is around insider vs. outside threats.

Verizon’s report notes that a whopping 92% of breaches are perpetrated by outsiders while 14% are committed by insiders, 1% implicated by business partners and 7% involving multiple parties. So clearly external threats are the greatest risk right?

According to the State of Network Security 2013 findings, almost 63% of respondents identified “insider threats” as the greatest organizational risk. Breaking this down a bit, employees accidentally jeopardizing security through data leaks or similar errors ranked as the greatest concern for 40.5% of this year’s survey respondents, while malicious insider threats ranked second, with nearly a quarter of respondents listing it as their greatest risk. More than two-thirds of respondents further expressed concern that allowing employees to “bring your own device” increased the risk of security breaches.

Biggest Security Threat Survey

Source: The State of Network Security 2013, AlgoSec, April 2013

So which report is correct? And how should we as security practitioners use information from these reports and others to better plan our defenses? Here are five things to consider before you try to answer these questions:

1. It should be noted that these findings and analysis are based on different methodologies – analysis of reported threats and opinion-based data from security professionals. And as with any report, even if unintended, there is almost always some bias built in.

2. Threats are coming from inside and outside the corporate walls, due to human error and/or malicious activity with many different motives. The prioritization of this may be different in each organization, but threats from both ends are real and must be accounted for. Think about what information is highly valuable in your organization and go from there.

3. It’s not simply a matter of the quantity of attacks, one should also take into consideration the potential for inflicting serious damage – An insider is someone who by nature has more access because they are “trusted”.

4. The Verizon report notes that “… a growing segment of the security community adopted an ‘assume you’re breached’ mentality”. This is something I wrote about on SecurityWeek last year and which is how you should look at your network and security approach before you add on more tools.

There are plenty more considerations, but at the end of the day (does the day EVER end for a security pro?!), you must determine what makes the most sense for your organization. Understand your organization’s risk appetite and understanding/willingness of the company to change its culture and become more security-sensitive. Look for ways to improve security without slowing down the pace of business. And of course let the debate and discussion continue!  

Related: Most Attacks Are External, But Never Underestimate The Insider Threat

view counter
Nimmy Reichenberg is the VP of Marketing and Strategy for AlgoSec, a solution provider for Network Security Policy Management. Nimmy began his career as a security software engineer and has spent the last 10 years working with organizations across the world to address their security needs, focusing mainly on mobile device management and network security. He holds a B.Sc. in Computer Science and an MBA from Tel Aviv University.