I consider the “unwitting insider” threat to be more destructive than the intentional external attacker who is trying to break the system’s defenses.
A system is only as strong as its weakest link, and irrespective of the cutting-edge security technology, and razor-sharp security analysts, the entire system can be compromised by a bored employee who clicks on a phishing link.
In terms of system access, the employee is already inside the system, logged in with access to every database and folder on the Active Directory, as well as access to various resources (digital and physical). It is easier for a malicious hacker to social engineer him into handing in information, than to try and break through high-end firewalls, and get past intrusion detection systems. Also, a hacker who does his homework would know which employee to target based on their position and social behavior and has a higher likelihood of success of gaining access to exactly what he wants, than navigating the digital security world and attempting to break through the maze of technology. While attempting to break into a system through technology hacking, a hacker needs to be stealthy with his attempts of repeated attacks. Many intrusion and incident detection software are intelligent enough to nose out patterns and raise alarms. However, when targeting a susceptible human, one can use social engineering skills to directly perpetrate into restricted territory.
According to a news article in The Chicago Tribune, one of the world’s infamous hackers Kevin Mitnick was sought out by the Government for security advice. He advised against “focusing too much on technical protections at the expense of simpler safeguards”. He was quoted as saying “I was so successful in social engineering that I rarely had to resortMitnicktechnical attack”.
Reference
Top Hacker Gives Senate Panel Tips On Computer Security. (2000, March 03). Retrieved from http://articles.chicagotribune.com/2000-03-03/news/0003030163_1_kevin-mitnick-infamous-computer-hacker-computer-security