Soliloquy around a consistent monitoring approach

Over the last few months, many articles in the specialized press or on various blogs have reported the increase of cyber attacks. Indeed, in 2017, it was noted that attacks in the cyber domain have increased by more than 20%. It is clear that, for any organization, the security of information systems must be considered as a capital issue of governance, or even survival in certain situations.
In a previous interview, I have already had the opportunity to say that, in my opinion, the threat will not change much in the long term, but that it will become more and more subtle and frequent. However, sometimes I get the unpleasant feeling that the attackers are almost always “outside”, that they are “motivated or even experts” (at least, for some people).
Stop! Let’s stop for a moment on this feeling (legitimate or not, it doesn’t matter at this point). Is there any possibility that the threat comes from inside the organization that I manage? Well… yes… and why not? History (with a big H) is full of examples on this subject; and not only in the IT environment.
Do you honestly think that an employee does not take advantage of a flaw in your system to deny service for example (for fun or revenge), to facilitate the exfiltration of information or vital data (without your knowledge), to take note of data he does not need to know, etc.? Of course, here I am referring to the employee with bad intentions as well as the one who acts inadvertently or by coercion (involuntary or not).

Anectode – One day, after reporting a vulnerability and indicating the availability of an update, an administrator told me that the risk was almost non-existent (sic) since the exploitation was only possible by having an access inside his organization.

No!!!!! He can’t say that. This would mean that the security of its information system is based on the assumption “no risk from inside”… In terms of IS, security can clearly not rely on assumptions.
From my point of view, the problem was approached backwards (although I would probably have come to the same conclusion, that there was no absolute need for an immediate update). Indeed, this person should have simply checked whether this vulnerability was applicable or not (in this case, in the anecdote above, it would have been enough just to check if a certain option was enabled). This qualification could therefore have indicate whether this vulnerability could have consequences on its IS, measure the possible impact and thus predict the application (immediate or deferred) of the update.
It is certain that closing our eyes is the best way not to see danger or problems coming. However, today, this vision (completely disconnected from reality), that everyone is nice, that the bad guy in the story is always outside the organization, is no longer acceptable in my opinion. Yes, the risk can be internal! Let’s not underestimate the unhappy, clumsy or even manipulated employee. Do not focus solely on the external threat forgetting the internal one.
Isn’t it said that the best wine comes in old bottles? A threatening agent will clearly not try to complicate his life, he can also potentially exploit a very old vulnerability because it has not been patched for example.
Be careful and don’t get paranoid. I’m not saying we should be suspicious of everyone. However, it is the duty of every IS administrator to have a clear vision of his system and to ensure a relative security to all the users by actively and methodically monitoring vulnerabilities on the components of his information system. Security is not an option but I admit that it is not a sinecure either.
It is therefore important for an administrator to know precisely the components of his information system, to monitor vulnerabilities, to qualify security vulnerabilities and to implement patches (as soon as they are available).
In conclusion, I hope I have convinced you of the importance of the application of updates to your system, but I don’t forget either that traceability also plays an essential role in the administration of an information system. To conclude, security is certainly a matter of compromise, but it must, above all, be structured and well thought-out.