But amid the data included one subset of information likely to challenge both conventional wisdom and vendor sales pitches is the information Verizon collected about the impact of insider threats. While its experts would never discount the very real possibility of damage inflicted by insiders, Verizon illustrated with its breach data that external attackers made up the bulk of the action within cases involving breached information -- by a wide margin.
"When you look at the sheer volume of the attackers, it really shows that certainly an organization is going to have more outsiders than insiders, no matter what," says Suzanne Widup, senior analyst on Verizon's RISK Team and one of the report's authors. "Just with the sheer number of possible actors, that's going to be the case forever. But that doesn't negate the fact that insiders can do damage."
[Think insiders can't hurt your firm? Think again. See 8 Egregious Examples Of Insider Threats.]
The DBIR showed that by volume of breach occurrences at Verizon customers, 92 percent involved external parties while 14 involved internal. The two numbers total more than 100 because there are a number of situations where both external and internal partners work in concert, either on purpose or with insiders ignorant of their contributions.
"A lot of them are the organized crime groups that are recruiting the people to do credit card skimming, which happens quite a bit. But it can also be things like a banking institution having its tellers compromised by someone outside to be able to take the bank account data out," Widup says. "They'll go after people who don't necessarily have a lot of organizational power, but who've got access to the data that they want, and that's what matters."
Regardless of that overlap, the big disparity between the volume of breaches analyzed by the DBIR involving external threats compared to internal runs contrary to infosec pros' perceived risk. Recent straw polls among security professionals that show them spending spend quite a bit of time worrying about the damage insiders could inflict on their operations. In fact, last week a report out by firewall management firm AlgoSec showed that 64.5 percent of information security and information technology professionals rated insiders as their greatest security risk.
"We stand behind the fact that, at least from a perception standpoint, the security community is more concerned about insider threats," says Nimmy Reichenberg, vice president of marketing and business development for AlgoSec, who says the appearance of contradiction could stem from a number of factors.
Tops on that list is the possible impact of an undetected insider incident, which could be much more disastrous, though less likely to happen, than an undetected external event. When malicious insiders get away with their crimes, they are much more likely to do a lot more damage than a flurry of external hackers could, he says.
"You've got hackers all over the world, scanning ports, trying to get in, but how successful are they, and how much damage do they really do?" he says. "That isolated, once-in-a-blue-moon internal threat can potentially be much more dangerous because it's not a blind or semiblind hacker trying to probe their way into your network. It's a person who knows the ins and outs of your organization trying to do the damage." Plus, the types of incidents insiders can trigger reach far beyond the typical theft of personally identifiable information tracked by DBIR statistics. Even Verizon tipped its hat to that by also analyzing relevant data from its partners CERT and G-C Partners later in its report. Within that data set of 47,000 overall security incidents, insiders made up a bigger chunk of the ratio of responsible parties, with 69 percent involving insiders and 31 percent involving external. However, among those, Verizon reported that most of them were insiders acting carelessly rather than maliciously.
According to Widup, security professionals shouldn't get too wrapped up in the debate of who's the bigger risk. Instead of who is doing it, the risky action and the ability to detect that action is really what matters, she says.
"It shouldn't matter who is doing it -- if you can detect it quickly enough, you have a better chance of containing the breach or at least mitigating it quickly," she says. "The bottom line is to make sure you can detect it and make sure that for however long it takes you to detect things on average, your logs go back at least that far."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message