Stop treating internal and external threats like they’re different things

Survey shows strong focus on business risk, but technological controls are also needed to stop external attackers who use internal credentials with impunity

Credit: ID 97979443 © Alexander Yakimov |

Security professionals need to stop thinking about cybersecurity threats as being internally or externally focused and understand that the two forms of attack are intrinsically related, a cybersecurity expert has advised in the wake of survey findings suggesting Australian executives see internal threats as the biggest perceived threat to information security.

A recent straw poll, conducted by security consultancy Content Security amongst attendees at AISA’s recent Australian Cyber Conference 2018, found that 29 percent of respondents believe internal threats will be the biggest attack threat through the end of 2019.

That was well ahead of those concerned about privileged account exploitation (20 percent), ransomware (18 percent), and zero-day threats (17 percent) – but CEO and co-founder Louis Abdilla warned that categorising the threats risks glossing over the interconnectedness of those threats.

“In today’s security landscape, the distinction between inside and outside cyber threat no longer matters,” he explained.

“This is because attackers are actively seeking to pose as legitimate insiders. They do this by stealing and exploiting privileged accounts – the same credentials used to manage and run an organisation’s IT infrastructure.”

The survey also queried attendees on their proposed plans for security investments, with 52 percent of businesses saying they would spend at least $500,000 on cybersecurity and breach prevention next year.

Fully 28 percent named SIEM and security operations centres (SOCs) as the most critical technology investment over the next 12 months, with multi-factor authentication (23 percent) and vulnerability management (21 percent) also showing strongly.

And while this level of investment confirmed that businesses are investing in cybersecurity protections as a business priority, fully 45 percent said they were aligning their compliance efforts to either ISO 27001 or NIST risk-management frameworks; by contrast, just 1 in 10 said they were following the guidelines of the Australian Signals Directorate’s Essential Eight strategies, which are more technically prescriptive.

The increasing prevalence of business-focused strategy frameworks has been reflected in a push to deliver more, and more comprehensive, privacy frameworks that position data management and privacy as a business risk rather than an esoteric IT issue.

The new notifiable data breach (NDB) scheme and EU general data protection regulation (GDPR) have this year tightened reporting requirements around data breaches, no doubt influencing the investment in risk-focused security platforms.

The coming year will lend further weight to growing privacy obligations, with tighter new privacy regulations in California adding to the chorus of pro-privacy voices.

New obligations, such as the Australian Prudential Regulation Authority (APRA) push to make boards responsible for an organisation’s information security, will add further pressure to this trend.

However, Abdilla warns, the blurring distinction between internal and external compromises means the right balance is not to focus exclusively on business risk or technological controls, but a bit of both as appropriate for the environment.

“With more Australian organisations looking to increase their maturity, security frameworks and standards provide a foundation to develop a strong cyber security strategy,” Abdilla said. “Ultimately, we should always encourage good security habits and train employees on best practices and how to spot common attacks.”

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags cyberattacksinternal threatexternal threatbreach preventioncybersecurity

More about AISAAustralian Prudential Regulation AuthorityContent SecurityEUISOPrudential

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by David Braue

Latest Videos

More videos

Blog Posts