Nearly three-quarters of companies have been affected by internal information security incidents, according to the IT Security Risks Survey 2015 conducted by Kaspersky Lab and B2B International.
The worldwide survey of more than 5,500 IT specialists also found that employees are the largest single cause of confidential data losses (42 percent).
The survey also reported cases of accidental data leaks (28 percent) and intentional leaks of valuable company data (14 percent).
In addition to data leaks, internal threats included the loss or theft of employee mobile devices, with 19 percent of respondents confirming that they had lost a mobile device containing corporate data at least once a year.
"One of the most concerning stats from this survey is the fact that 73 percent of companies have been affected by internal information security incidents," Andrey Pozhogin, senior product marketing manager at Kaspersky Lab North America, told eWEEK. "This is concerning to me because that high number indicates businesses are not doing enough to educate their employees on the important role they play in an organization’s IT security strategy."
Pozhogin also noted that another survey released by Kaspersky found that the average cost to recover from a cyber-attack is $551,000 for enterprises and $38,000 for small businesses.
"Those incredibly high numbers should serve as a wake-up call to businesses of all sizes to not only improve IT security by implementing effective cyber-security technology and strategies to help prevent external attacks, but also to devote more resources toward educating employees about cyber-security to prevent internal security incidents from affecting the organization," he said.
The survey found that 15 percent of organizations encountered situations where company resources, including finances, were used by employees for their own purposes.
The losses caused by these incidents exceeded the damage caused by confidential data leaks for enterprises, the report found.
Small and midsize businesses lose up to $40,000 on average from fraudulent activity by employees, while the figure for enterprises exceeds $1.3 million.
"Organizations continue to expand their IT infrastructure, adding new components to help business operations. This expansion adds new vulnerabilities and threat vectors into the IT environment and, as a result, it may be difficult for employees to keep pace with rapidly changing IT environments and evolving threats," Pozhogin said. "With proper and consistent cyber-security training in place, employees will be able to not only keep pace with new technology and evolving threats targeting those systems or devices, but will also be better equipped to play the important role they have in keeping a business safe from cyber-security incidents."