The root cause of internal security incidents are often down to flaws in legitimate software, says Kaspersky Lab
Organisations are rightly concerned at the threat hazard posed by outside malware, but it seems that security risks within legitimate software applications is often responsible for internal cyber-security incidents.
According to a new study from Kaspersky Lab, which surveyed 2,895 IT professionals around the world, flaws in existing software are the leading cause of internal IT security threats. The software vulnerabilities are leading to multiple forms of exploits including data breaches.
Alexander Erofeev, chief marketing officer at Kaspersky Lab, defines internal incidents as those caused by internal reasons: vulnerabilities in software inside the company infrastructure and mistakes made by employees.
“Some internal incidents result in data loss, but not always,” Erofeev said. “For example, out of 39 percent of companies which reported incidents involving vulnerabilities, only 10 percent experienced sensitive data loss.”
The study also found that of those organisations with internal security incidents, nearly 15 percent experienced the loss of non-sensitive data. Only 14 percent had no data loss at all as a result of a vulnerability incident.
In contrast, Erofeev explained that external incidents include malware attacks, distributed denial of service (DDoS) attacks, spam and network intrusion. He noted that external incidents can also result in data loss, but not always.
“The main difference between external and internal incidents is the reason behind them,” Erofeev said. “It could be unknown cyber-criminals with an external incident or company employees with an internal incident.”
The incidence of software vulnerabilities leading to internal security issues is variable around the world. The highest incident rate is in Russia, at 51 percent, while Japan had the lowest rate, at 29 percent. North American organisations fell right in the middle of the pack, at 38 percent.
Beyond identifying the risks from internal security threats, Erofeev said that the same survey provided some unexpected information about how companies perceive daily malware discovery rates.
Kaspersky estimates that 100,000 to 250,000 new malware samples are discovered daily; 90 percent of respondents to the Kaspersky study did not correctly identify the current malware rate.
“That suggests that companies seriously underestimate current threats and need to pay far greater attention to IT security issues because the number of threats is growing significantly,” Erofeev said.
Despite average losses from targeted cyber-attacks costing $2.4 million (£1.5m), 40 percent of companies are only making significant investments into IT security after suffering an attack, Erofeev said. In fact, 28 percent of companies believe that the financial costs of cyber-crime will work out to be less than the cost of upgrading their IT systems to prevent an attack in the first place, he added.