Tuesday, October 9, 2007

Internal vs External Risk

Discussion Week One: Internal or External?
Using a search engine such as Google, search the web for articles from reputable sources published within the past 6 months that report risks from inside the organization as opposed to external risks. Include the following topics in your response:
How do the authors of this article perceive this issue?
Is insider risk changing?
What factors are affecting this change?

While external threats are as ever-present as ever, the internal threats to a company are changing. In some cases they are changing faster than a company's information technology department can keep up with.

As Cindy Waxer writes in an ITSecurity.com article, “Believe it or not, most big company security break-ins involve your employees” (2007). Cindy says that Forrester Research has estimated that nearly 85% of security breaches involve an internal employee. Clearly the sheer volume of internally caused security breaches poses a huge risk for companies. Interestingly, though, four of the top five internal threats are the result of unintentional actions. Phishing, stolen laptops, missed patches and even internal email make the list. The only intentional threat is that of a disgruntled employee. Cindy seems to be pointing out that proper user education and security policy, such as anti-phishing training and standard laptop encryption, can mitigate many of the internal threats. It seems that a lack of training and security policy is making it easier for users to cause unintentional harm. Before everyone had the Internet at his or her desk it was a bit harder to spread viruses and malware; now all one has to do is open an email and BAM, viruses and malware galore (Waxer, 2007).

Andy Leung, writing for Computerworld Hong Kong Daily, focuses in on the growing external risks from vendor code. It is very hard to keep all of the network devices up to date with security patches, but there are tools that can mitigate the risks. As Andy Leung writes, “The UAC solution ensures endpoint equipment is compliant with a set of pre-defined security policies and denies rights for non-compliant devices” (2007). As more and more people continue to take work devices home and abroad, it becomes harder to control software updates. Unified Access Control prevents any device that is not up to patch standards from accessing the internal network. Andy Leung cites a Gartner study finding that “even the most secure enterprises probably only control around 80 percent of their connecting devices” (2007). The rise of the BlackBerry and the ability to VPN into the corporate office from home with a laptop have changed the way that a company has to protect its network. Not only do threats outside the network have to be addressed, but also threats from devices brought into the network. A parent might let their child use their work laptop and unwittingly expose the company network to a virus. The risk is an external one becoming internal (Leung, 2007).

Rick Cook, writing for CIO.com, describes how the majority of threats used to be external: “however, an increasing number of attacks are attempting to bypass the firewall and antivirus programs by coming at the corporation from unsecured angles. While external threats are as virulent as ever and need to be guarded against with firewalls and other defenses, it is more important to pay attention to internal weaknesses” (2007). Cook focuses more on the technology that enables internal threats. The number one most common threat according to Cook is the USB drive. Cook cites a test done by Secure Network Technologies in which USB drives with malware were left in the parking lot, and within hours many of them had been plugged into company computers. Other common threats include P2P file sharing software, unsecured wireless access points, modems, and even media files. Cook has pointed out that insider risk has changed dramatically. Again, with the Internet at nearly every desk, anyone can unwittingly infect the corporate network with malware and viruses (Cook, 2007).

Like it or not, insider risk is changing. The online environment has many more people using the Internet and falling victim to malware and viruses. Malicious software can be hidden on just about anything now, from email to USB drives to funny videos. Luckily, a majority of the risk can be mitigated through sound security policy, education, and technical controls.

References:
Cook, Rick. (2007) “Securing the Endpoints: The 10 Most Common Internal Security Threats.” CIO.com. Retrieved October 08, 2007 from <http://www.cio.com/article/120101/Securing_the_Endpoints_The_Most_Common_Internal_Security_Threats>

Leung, Andy. (2007) “External threats vs internal risks: a comprehensive approach.” Computerworld Hong Kong Daily. Retrieved October 08, 2007 from <http://www.cw.com.hk/computerworldhk/Daily+News/External-threats-vs-internal-risks-a-comprehensive/ArticleStandard/Article/detail/420726?contextCategoryId=8231>

Waxer, Cindy. (2007) “The Top 5 Internal Security Threats.” ITSecurity.com. Retrieved October 08, 2007 from <http://www.itsecurity.com/features/the-top-5-internal-security-threats-041207/>
