For most business owners and executives, cybersecurity can feel like a game of roulette. No one is ever quite sure when an attack could occur. In reality, the sources of cyberattacks are sometimes more predictable than many might think. Here is one rule of thumb on which business leaders can rely: Their most vulnerable cybersecurity penetration points – their employees – walk out the door every night. Employees are the most susceptible points because they are often unaware of (and perhaps even untrained regarding) how their actions could put the company at risk for a cyberattack.

Internal vs. External Cybersecurity Penetration Points

A cybersecurity penetration point is any place where an unauthorized user can see or gain access to data. Cybersecurity penetration points fall into two main categories: internal and external. Most organizations focus on external penetration points, which are directly exposed to the Internet or to a third-party network. Examples of external cybersecurity penetration points might include:

  • email servers,
  • websites,
  • file transfer protocol (FTP) sites,
  • wireless access points, and
  • mobile devices.

By contrast, internal cybersecurity penetration points exist within the network. For example, a missing security patch could leave a network drive open to attack.

Usually, human error or malfeasance turns these technical vulnerabilities into actual threats. Much like the old-fashioned con game, cybercriminals use social engineering techniques to manipulate users into revealing information (such as usernames and passwords) or installing unauthorized software. These techniques can range from dropping an infected thumb drive in a company lobby to convincing an insider to click on a malicious link in a deceptive phishing or whaling email.
Whereas phishing emails are often sent to a wide variety of recipients, whaling emails are typically targeted at CEOs and other “big fish” at an organization.

Once inside the network, hackers often move around with relative ease because internal security is usually more relaxed than external security. This is understandable since an organization’s team members need to collaborate to conduct business efficiently. However, the possible magnitude of an insider threat warrants a closer look at internal controls—especially in small and mid-sized businesses that may lack the financial resources to recover from a devastating attack. Consider the following insight from Douglas Thomas, director of counterintelligence operations and investigations at Lockheed Martin Corporation [1]: “[A] large diverse company with an insider threat will cause great harm to them… but they’ll probably survive because it is large and diverse. But if you’re a small company or a medium-sized company, you could very well go bankrupt.”

Managing the Insider Threat

According to the Computer Emergency Response Team (CERT) Division of the Software Engineering Institute (SEI), organizations should address insider threats through a combination of policies, procedures, and technologies.

Following are just a few of the CERT Division’s recommended best practices for mitigating intellectual property theft, IT sabotage, and fraud:

1. Know your assets.

2. Consider the possibility of threats from insiders and business partners in enterprise-wide risk assessments.

3. Clearly document and consistently enforce policies and controls.

4. Incorporate insider threat awareness into periodic security training for all employees.

5. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.

6. Anticipate and manage negative issues in the work environment.

Properly Prepare with Cybersecurity Training

Technical controls are only as strong as the actions that humans take to implement those controls. According to a Cisco study on data leakage, 46% of employees admit to transferring work files to home computers, which are often either unprotected or not maintained at the organization’s standards.

If businesses misunderstand the significance of an internal threat, they may not implement the training that employees need to recognize and protect against cyber risks. Every person at an organization must recognize his or her responsibilities to identify, prevent, detect, respond to, and recover from cyber threats. Training techniques, such as role-playing different scenarios (receiving a ransomware message, for example), help underscore the potential ramifications of the decisions that people make every day.

Strengthen the Human Firewall

Your organization’s success in the cybersecurity realm depends on the actions of your people. No matter how much money your business invests in firewalls or other perimeter defense mechanisms, a single choice by one person who becomes a victim of a social engineering attack can bring down that entire system. Contact CRI’s cybersecurity specialists for help identifying and testing internal and external penetration points.

[1] Lockheed Martin and Information Security Media Group. (2015). “Insider Threat: The Risk of Inaction.”