The importance of evaluating an organization's vulnerability to attack from the inside is virtually self-evident. With the exception of the very small organization, hired workers are essentially strangers a company pays to complete a task. Even when background checks are performed and references are verified, there is no guarantee that the people tasked with handling and processing sensitive data will not steal or misuse it.
The higher a user's privilege level, the more trust the organization places in that person and the greater the damage that person can do if that trust is misplaced. For this reason, organizations typically spend significant money on security controls and processes designed to govern access to their data assets and IT infrastructure.
Sadly, organizations rarely test these same systems and processes unless they operate in a regulated industry such as banking or have already been the victim of an insider attack. Even worse, many organizations assign the task of testing the controls to their most highly privileged workers, the very people who pose the greatest risk and who are best placed to bypass a control or alter the evidence of a test. Having the operators of a control audit that control is a separation-of-duties failure, not an assessment. For a company to truly understand how vulnerable it is to attack from the inside, it must have an independent third party test its internal controls.