While malware is a potential hazard for all organizations, security risks within legitimate software applications often lead to internal cyber-security incidents at companies around the world.
Flaws in existing software are the leading cause of internal IT security threats, according to a new study from Kaspersky Lab, which surveyed 2,895 IT professionals around the world. The software vulnerabilities are leading to multiple forms of exploits including data breaches.
Alexander Erofeev, chief marketing officer at Kaspersky Lab, defines internal incidents as those caused by internal reasons: vulnerabilities in software inside the company infrastructure and mistakes made by employees.
"Some internal incidents result in data loss, but not always," Erofeev said. "For example, out of 39 percent of companies which reported incidents involving vulnerabilities, only 10 percent experienced sensitive data loss."
The study also found that of those organizations with internal security incidents, nearly 15 percent experienced the loss of nonsensitive data. Only 14 percent had no data loss at all as a result of a vulnerability incident.
In contrast, Erofeev explained that external incidents include malware attacks, distributed denial of service (DDoS) attacks, spam and network intrusion. He noted that external incidents can also result in data loss, but not always.
"The main difference between external and internal incidents is the reason behind them," Erofeev said. "It could be unknown cyber-criminals with an external incident or company employees with an internal incident."
The incidence of software vulnerabilities leading to internal security issues is variable around the world. The highest incident rate is in Russia, at 51 percent, while Japan had the lowest rate, at 29 percent. North American organizations fell right in the middle of the pack, at 38 percent.
Beyond identifying the risks from internal security threats, Erofeev said that the same survey provided some unexpected information about how companies perceive daily malware discovery rates.
Kaspersky estimates that 100,000 to 250,000 new malware samples are discovered daily; 90 percent of respondents to the Kaspersky study did not correctly identify the current malware rate.
"That suggests that companies seriously underestimate current threats and need to pay far greater attention to IT security issues because the number of threats is growing significantly," Erofeev said.
Despite average losses from targeted cyber-attacks costing $2.4 million, 40 percent of companies are only making significant investments into IT security after suffering an attack, Erofeev said. In fact, 28 percent of companies believe that the financial costs of cyber-crime will work out to be less than the cost of upgrading their IT systems to prevent an attack in the first place, he added.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.