I almost fell out of my chair when word of the following story reached my Bloglines account: "Study: Rethink the Outsider Threat." I published my thoughts on the prevalence of external threats in my first book, and I reiterated those thoughts recently. Now I appear to have some outside help. From the article:
The report took data from the Department of Justice Computer Crime and Intellectual Property Section's network intrusion and data-theft prosecutions between 1999 and 2006. (See How Much Does a Hack Cost?) Phoenix Technologies commissioned the report, but the data came from DOJ cases...
Outside attackers committed 79 percent of the crimes where user accounts were infiltrated[,] and former employees were the perpetrators in 21 percent of these types of breaches. And overall, 57 percent of attackers had no relationship with the victim organizations, 22 percent were former employees, 14 were current employees, and 7 percent had a customer or supplier relationship or similar "connection" to the victimized organization. (comma added, emphasis added)
Where's the 80% myth now? Gone, except in the minds of people who cling to it. I don't expect to see it disappear overnight. Please, if you want to repeat the 80% myth, at least cite a source. (You won't be able to find anything authoritative, just reports citing each other in a circular manner.)