Who is the Enemy? Internal vs. External Cyber Threats
Data is every organization’s most critical asset. It is also a point of defense and a prized target for all kinds of electronic criminals. Typically, every organization faces two types of cyber threats; threats from within and threats from outsiders. This is why data breaches are reaching alarming levels, with 46 data records stolen per second.
There is an ongoing debate on the risk of internal threats against external cybersecurity threats. Historically, news broadcasts have always focused on sophisticated external attacks, which is why a good number of organizations only focus on outside threats.
However, internal threats are potentially more dangerous as the danger is also always present. Therefore, understanding the differences between external and internal attacks is essential to safeguard our data assets against all sides and attacks.
What are Internal Threats?
As humans, it is pretty hard for us to harm ourselves. That is why it is always difficult to believe that internal cybersecurity threats exist, but they do. Most times, when internal data is exposed, it leaks from an employee or staff.
Even though it might seem doubtful, an employee would want to expose the company’s data and ruin them willingly. Yet, most cases of insider threats are accidental.
A notable example of an insider threat occurred years before 2020 when two General Electric employees stole trade secrets to gain business advantage. Subsequently, General Electric lost several tenders to the competitor business founded by those employees. However, after several years of investigation, the insiders were convicted and sentenced and will pay $1.4 million in restitution to General Electric. Investigations showed that the GE employees had downloaded the files with trade secrets from the company servers after convincing a system’s administrator to give them access to data they were not supposed to have.
Insider threats also increase because of the growing number of devices used by employees for their work-related activities. For instance, remote work is on the rise, further producing a gaping security loophole, alongside the already compounding issues fostered by BYOD policies. Employees often install third-party apps to boost their productivity, creating new security risks as sensitive data could be spread across many applications.
How Internal Threats Differ from Internal Attacks
However, the majority of internal events occur mistakenly or accidentally. For instance, an employee may copy information from an entire database into an email for troubleshooting purposes and accidentally include the wrong email addresses in the recipient’s list. Other times, it might be deliberate, resulting in large portions of database breaches.
A notable example of an insider cyber incident occurred in 2019 when a security researcher uncovered a publicly accessible Microsoft customer support database with over 250 million entries aggregated over 14 years. The database contained emails, support cases, details, IP addresses of customers, notes made by Microsoft support teams, and customers’ geographical location. The database was open to the public for about a month, but Microsoft closed the breach on the same day the researcher reported it. Fortunately, the leaked data contained no personally identifiable information, and so, Microsoft suffered no penalties or fines. Investigations showed Microsoft employees misconfigured a new version of Azure security rules, causing the accidental leak. Nevertheless, if the leak had happened after the California Consumer Privacy Act was established in January 2020, Microsoft would have paid a $750 fine per individual resulting in millions of dollars.
Generally, potential internal cybersecurity threats and attacks include:
- Data sharing through public domains or 3rd party people
- Unauthorized downloading of sensitive data on personal storage drives
- Unauthorized data transfer using personal cloud storage accounts
- Social engineering where attackers manipulate employees into giving up confidential data
- Physical theft of company equipment
- Abuse of employee privileges to access sensitive company data for personal and malicious motives.
The Dangers of External Threats
Cybercriminals carry out external threats. Unlike what we find in pictures and newsprint, these criminals do not get their faces covered with a black mask. They might just be lying on their bed and constantly bombarding attacks towards our system, looking for a way in. These criminals that carry out these eternal attacks can be patiently launching thousands of attacks per second on our system until they are granted access into our system.
Before now, attackers used trial and error basis, but many are getting sophisticated and may even understand how most people operate. All they need to do is to keep trying through actions such as – phishing, malware, ransomware, DDoS attack, Malvertizing – until they break into our systems. Other methods external attackers may use include:
- Hacking through security loopholes
- Ransomware and malware
- Physical theft of devices that can offer unauthorized user access
- 3rd-party apps
- Malicious USB drops.
Although many external attackers might get to work immediately, there is also a danger that they might remain inside and unnoticed as they deduct sensitive information over a long period. By the time we discover them, they have caused severe damages.
There are also instances where external threats begin from the inside. For example, spear phishing is exceptionally effective because hackers deceive or trick an employee into clicking a malicious link or downloading an attachment that hands over control to the outsider.
External threats are more common and mostly surpass the number of internal threats. So, it is vital to set up measures to keep the external threats from our network and websites. Our wall of defense against external threats can be made formidable by hiring a professional and experienced cyber-security firm that would carry out proper penetration testing.
How External threats differ from External Accidents
Organizations may accidentally provide room for external attacks through unprecedented situations. For instance, a heavy storm in one country might cut off powers to a server that stores software licenses for other servers.
Because the licenses are unavailable, database backup software may not function as it should, leaving the database exposed to irreversible corruption.
Internal Threats vs. External Threats: Differences & Similarities
No matter the case, the consequences of these internal and external cybersecurity threats are similar. Like internal threats, external cybersecurity threats aim at stealing crucial information using malicious tools and strategies—common malware for this purpose; phishing, worms, Trojan horse viruses, and many others. However, there are also other notable differences we need to know to prepare adequately.
1. Attacker identity and access
Although external and internal threats share the same purpose of harming our network or website, the attacker’s identity is the fundamental difference between both forms of attack.
Internal threats work from within the organization. They might be a present or former employee, contractor, or even a business associate. Because they are trusted members of the organization, they already have more access to the company’s network, website, system, or data than any external attacker. Internal attackers have more advantages than external attackers because they have the opportunity, motive, and means. In contrast, external attackers often have the only motive.
External cybersecurity threats may also be limited to what they can access outside the company’s data network. Therefore, they must successfully bypass or disable outer defenses to access data available in a non-privileged database.
Internal threats also vary in level according to the privilege level of the perpetrator. However, such attackers may generally have access to information, but the information they can access is potentially sensitive and can only be accessed using legitimate log-in details.
Many internal threats seem to focus on getting sensitive data from the organization or access employee information for recruiting purposes.
There have been cases of disgruntled employees maliciously accessing servers and crucial information to use such data against the company. These employees may also access confidential data to work for outside intelligence or with the home to sell for cash.
Most external threats towards companies are targeted at customer’s data. The personal information of customers has a prize attached to them on the dark web. So, cyber-criminals would attempt accessing them to exchange for money.
There are also occasions where cyber-criminals may constantly launch external cybersecurity threats to corporations and governments for specific reasons. For instance, cybercrime groups like Anonymous regularly launch attacks on governments to teach a moral or social lesson.
External attacks are always malicious, with disrupting service, vandalism, and theft as the attainable goals. In contrast, internal attacks may not always be cruel. There are also external attacks having internal components where employees may have no idea about their actions. In such instances, the person’s ignorance or negligence alongside poor internal security policies and measures might cause unintentional or unexpected database breaches. This might expose weaknesses to external attackers giving them room to circumvent and further cause harm to the organization.
3. Social Engineering
These are occasions where attackers may manipulate personnel into creating or revealing security weaknesses, which can serve as both internal and external threats. For instance, these attackers, also called social engineers, may call victims pretending to be technical support to gain sensitive information or install malicious programs. They might also visit the offices physically and leave behind official-looking physical media containing malware for victims to find.
They can also visit restricted areas pretending to have lost their identification card or validation token. Circumventing all such threats starts with rigorously training employees about password confidentiality and security protocols. It is also important to enforce those protocols.
Preparing Against All Internal and External Threats
Preparing against all forms of security threats is an absolute must, no matter the size or focus of an organization. We must have a cybersecurity strategy that can handle the weaknesses and tackle internal and external cybersecurity attacks. This does not undermine the fact that protecting against all potential threats is impossible. In reality, many cloud data breaches today are a combination of both internal and external threats.
Nevertheless, we must never relent in establishing and maintaining a state-of-the-art cybersecurity infrastructure against all sites and networks.
Taking precautions against external threats starts with a strong firewall and IPS protection on the network parameters. However, preventing internal threats is a more challenging task and requires considerable policy changes.
Below, we have listed several parameters in creating a digital security checklist to safeguard against threats, especially internal security threats. Therefore, to combat internal attackers, we need to focus on these vital security practices
- Ensure that all the essential measures to boost security are intact. These basic measures are intelligent firewall, email security, and antivirus programs. Avoid using public Wi-Fi, and encrypt information to share over networks.
- Establish a log management platform that unifies all logs and correlates with uncovering threats and raising alerts.
- Implement an Intrusion Detection System that will vigilantly monitor against all suspicious activities by users. These systems may also reprogram firewalls to guard against possible intrusion.
- Internal security threats must also have a top-down fashion as internal attackers can come from any level of the organization.
- Stop the unlimited access to sensitive documents. There should be a hierarchy in terms of access amongst employees. Senior employees should have more rights than lower employees. And employees should have access to only information that is required for them to carry out their tasks.
- Real-time awareness and monitoring of user roles and levels of access to vulnerable information.
- Stay proactive with Identity Management systems that will monitor high-risk or suspicious user activities by detecting and correcting circumstances that present security risks or go outside compliance requirements.
- Create safety policies for leaving or terminated employees with privileges. It helps mitigate risks of break-ins or theft due to negligent behavior or from disgruntled employees.
- Implementing robust cybersecurity risk management to protect valuable data.
- Ensure employees receive up-to-date training on cybersecurity procedures and policies. They should also be actively involved with the security procedures of the organization.
- Create recovery plans in the occasion of an intrusion.
- Regularly consult with dependable cyber-security experts to carry out a stringent vulnerability assessment and penetration tests to uncover weaknesses in systems and networks.
We must also remember that no two companies or situations are alike, especially when considering the kind of threats they might likely face. Consider the case of Whitehead Nursing Home, when an employee took home an unencrypted work laptop that was stolen later in a home burglary resulting in the exposure of 46 employees and 29 patients. The nursing home was fined 15,000 pounds by the Information Commissioner’s Office (ICO) for negligence in a data breach.
How about the case of the City of Calgary, Alberta, when an employee accidentally leaked the personal information of 3,700 employees in June 2016? According to investigations, the employee had sent the information through email while trying to request technical assistance.
Therefore, we must carefully evaluate all kinds of threats that are unique to our different work environments. Beyond that, we must never underrate any form of threat but take on a balanced and holistic approach to security to address internal or external threats.
No two threats are alike. We need the complete picture of all risks to implement the right tools and security measures. In the end, we can achieve a well-oiled cyber policy, which is critical to protecting our valuable data assets.