If “insiders” are defined as the organization’s employees, “outsiders” must be everyone else, right: all those who are not on the payroll? In reality, from any single organization’s perspective, a huge variety and number of people qualify as outsiders.
‘We’ are completely outnumbered by ‘them’.
Leading on from August’s awareness coverage of insider threats, it’s time now to explore the information-related threats from outside the organization – both threatening outsiders and external threats that don’t involve malicious people, or indeed people, at all.
The scope of September's NoticeBored security awareness and training module includes external events, incidents, accidents and challenges that aren’t deliberate, targeted attacks by specific people or groups – supply chain interruptions, cloud service failures and Internet drop-outs, for example, are external threats to the business, as are more general, widespread or social issues such as climate change, infectious disease outbreaks and natural disasters. We call these “outside threats”.
For completeness, the threats and risks arising from “inbetweenies” – neither insiders nor outsiders – were mentioned last month and are brought up again this month. We’re talking about contractors, consultants, professional advisors, interns, temps and others. Perhaps at some future point we should explore the inbetweeny threats in more depth.
By the way, the A-to-Z guide to outsider threats turned out to be 12 pages as predicted. It was a bit of a rush to prepare such a detailed awareness paper at the end of the month but I'm glad we did; I'm still thinking about offering it as a threat catalog to guide anyone trying to identify and understand their outsider threats. Google finds a number of threat catalogs already but none I have found so far cover "outsider threats" as well as ours does. But then I wrote it, so I'm biased. I should probably let it cool off for a while, and maybe I should add "insider threats" as well to complete the set.