Biggest Risks for Businesses – Internal or External? The Results May Surprise You

With the recent news about the Equifax data breach (among others) still top of mind for much of the U.S., businesses both large and small need to be highly aware of and concerned about the state of their cyber security.

As we tune in with increased interest to the various discussions between security experts and business leaders, many are left wondering what extra security tactics they should be focused on to hinder or prevent attacks coming from the outside. Tightening up security to protect against external threats is only part of the battle. Sometimes the greatest risks are inside your company already.

The root cause for attacks

While the breaches caused by malicious external attacks - those coming from hackers trying to steal data or execute ransomware - dominate the headlines, there are other, less publicized security compromises happening every day. An infographic from Digital Guardian shows that a combination of internal factors and external threats is the most likely cause of a security breach.

Last year, the 2016 Cost of a Data Breach Study by the Ponemon Institute found that out of all the incidents studied, nearly half were criminal or malicious in nature. The other (slightly larger) half were almost equally split between system glitches (including both IT and business process errors) and human error (negligent employees and contractors). The takeaway for business leaders should be that you are just as likely to experience a security breach from someone/something that is already within your network as you are from an external threat.

This might come as a surprise to many, and with inside threats posing such a great risk, it is easy for company leaders to make hasty decisions that negatively impact a company's internal culture. Before instilling fear or pointing fingers, consider the following:

  • Insider threats are hard to distinguish from regular work.
  • It can be easy for employees to cover their actions.
  • Because of the above, these threats can go undetected for years.
  • It can be extremely difficult to prove guilt.

Does this mean all of your employees are out to get you? No, however it does mean that you should be aware of the types of insider risks your business faces, along with the threats from the outside.

Types of insider risks

The most common internal risks are:

Accidental

Accidental insider risks arise when employees and staff don't observe cyber security best practices or aren't aware of them. This can be anything from clicking on a link in a phishing email to downloading a program that's actually malware in disguise.

According to the Verizon 2016 Data Breach Incident Report, 30% of security incidents are accidental.

Negligent

Similar to the above, negligent risks arise when employees and staff circumvent your security policies. This usually isn't malicious; in many cases it's so they can use programs that might be prohibited in your offices, such as social networking platforms or unsecured Cloud applications, both of which can expose your business to cyber security risks.

Malicious

We are all familiar with these attacks from news coverage; however, they might be happening inside your organization instead of outside. Motives include espionage, financial gain, and even revenge.

How do companies combat this?

Now that you know some of the risks that come from inside your company, you should begin learning about ways in which to combat them.

Both accidental and negligent risks can easily be countered by focused training for all employees - yes, even your business leaders - to increase awareness of your security policies and recommended cyber security practices. This helps to give both employees and company leaders the tools and knowledge they need to keep themselves safe online.

With the growing culture of BYOD (bring your own device) in the workplace, making sure your employees are aware of cyber security dangers is crucial. Simply telling employees what they can and can't do is not enough; they must also understand why these things are a concern. This will lead to better decision making as new threats emerge.

Cyber security policies within your organization are extremely important in combating malicious insider attackers. Having active network monitoring and management will ensure that you know which employees have network access, and that former employees no longer have access to applications and sensitive data.
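One way to put the access review described above into practice, as an added example written for this page rather than InfoSystems' own tooling: the script reconciles a constructed HR roster against a constructed export of network accounts (field names such as `status`, `left` and `last_login` are assumptions) and flags accounts whose owner has left, accounts with no roster entry, and accounts that have gone unused.

```python
from datetime import date

# Constructed sample data, not taken from the article: a simplified HR roster
# and an account export with last-login dates and group memberships.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated", "left": date(2017, 8, 31)},
    "carol": {"status": "active"},
}

ACCOUNTS = [
    {"user": "alice", "last_login": date(2017, 10, 2), "groups": ["staff"]},
    {"user": "bob", "last_login": date(2017, 9, 15), "groups": ["staff", "finance"]},
    {"user": "carol", "last_login": date(2017, 6, 1), "groups": ["staff"]},
    {"user": "svc-backup", "last_login": date(2017, 10, 1), "groups": ["admins"]},
]


def review_access(accounts, roster, today, dormant_days=90):
    """Return (user, finding) pairs for accounts that need attention:
    owner no longer active in HR, no HR record at all (e.g. unmanaged
    service accounts), or no login for more than dormant_days."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "not in HR roster"))
        elif person["status"] != "active":
            note = "owner left"
            # A login after the departure date means access was not revoked.
            if acct["last_login"] > person["left"]:
                note += " but account used after departure"
            findings.append((user, note))
        if (today - acct["last_login"]).days > dormant_days:
            findings.append((user, "dormant"))
    return findings


def run_sample_review():
    """Run the review over the constructed data as of a fixed date."""
    return review_access(ACCOUNTS, HR_ROSTER, date(2017, 10, 10))


if __name__ == "__main__":
    for user, finding in run_sample_review():
        print(f"{user}: {finding}")
```

In a real deployment the roster and account export would come from the HR system and directory service, and each finding would feed a ticket to disable or re-certify the account.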

Your security policies should also cover devices that are employee owned. You might be thinking specifically about smartphones, but tablets, laptops, 2-in-1 devices, and even smart watches can be connected to your network, and can be carrying sensitive data when they leave the office.

For some companies, the overall complexities of security can be overwhelming, especially as cyber criminals are devising even better ways of executing attacks. We recommend having a conversation with a trusted IT partner (such as InfoSystems) to help your company leaders assess risk factors, draft security policies, and implement cyber security solutions.