Organisations are rightly concerned at the threat hazard posed by outside malware, but it seems that security risks within legitimate software applications is often responsible for internal cyber-security incidents.
According to a new study from Kaspersky Lab, which surveyed 2,895 IT professionals around the world, flaws in existing software are the leading cause of internal IT security threats. The software vulnerabilities are leading to multiple forms of exploits including data breaches.
Alexander Erofeev, chief marketing officer at Kaspersky Lab, defines internal incidents as those caused by internal reasons: vulnerabilities in software inside the company infrastructure and mistakes made by employees.
The study also found that of those organisations with internal security incidents, nearly 15 percent experienced the loss of non-sensitive data. Only 14 percent had no data loss at all as a result of a vulnerability incident.
In contrast, Erofeev explained that external incidents include malware attacks, distributed denial of service (DDoS) attacks, spam and network intrusion. He noted that external incidents can also result in data loss, but not always.
“The main difference between external and internal incidents is the reason behind them,” Erofeev said. “It could be unknown cyber-criminals with an external incident or company employees with an internal incident.”
The incidence of software vulnerabilities leading to internal security issues is variable around the world. The highest incident rate is in Russia, at 51 percent, while Japan had the lowest rate, at 29 percent. North American organisations fell right in the middle of the pack, at 38 percent.
Beyond identifying the risks from internal security threats, Erofeev said that the same survey provided some unexpected information about how companies perceive daily malware discovery rates.
Kaspersky estimates that 100,000 to 250,000 new malware samples are discovered daily; 90 percent of respondents to the Kaspersky study did not correctly identify the current malware rate.
“That suggests that companies seriously underestimate current threats and need to pay far greater attention to IT security issues because the number of threats is growing significantly,” Erofeev said.
Despite average losses from targeted cyber-attacks costing $2.4 million (£1.5m), 40 percent of companies are only making significant investments into IT security after suffering an attack, Erofeev said. In fact, 28 percent of companies believe that the financial costs of cyber-crime will work out to be less than the cost of upgrading their IT systems to prevent an attack in the first place, he added.
Are you a security guru? Try our quiz!
Originally published on eWeek.
Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…
Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC
Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…
Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…
Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…
Elon Musk continues to provoke the ire of various leaders around the world with his…