63% of companies in South Africa have been affected by internal information security incidents, and the largest single cause of confidential data losses are employees. These are the findings of a joint study of information security of businesses conducted by Kaspersky Lab and B2B International in 2015, among over 5,500 IT specialists from 26 countries around the world, including South Africa.

In a statement issued by Kaspersky the IT security solutions firm said as a company's IT infrastructure expands, so does the threat landscape.

"New components add new vulnerabilities. The situation is aggravated by the fact that not all employees – especially those with no specialist IT knowledge – can keep pace with a changing IT environment. As a result, the company is exposed to not only external threats but also internal threats that come from employees."

According to the Kaspersky B2B International survey 21% of companies around the globe affected by internal threats lost valuable data that subsequently had an effect on their business.

The study also reported cases of accidental data leaks (18%) and intentional leaks of valuable company data (9%). In addition to data leaks, internal threats include the loss and theft of employees' mobile devices. 19% of respondents confirmed that they lost a mobile device containing corporate data at least once a year.

"Another important factor is that of staff fraud. 21% of those surveyed locally encountered situations when company resources, including finances, were used by employees for their own purposes. The percentage may be low, but the losses caused by these incidents can be substantial," Kaspersky added.

"It's no secret that a security solution alone is not enough to protect a company's data. And the results of this study confirm that," comments Konstantin Voronkov, Head of Endpoint Security, Kaspersky Lab. "What's required is an integrated multi-level approach powered by security intelligence. It should include employee education, the use of specialised solutions and the introduction of security policies, such as restricting access rights."

Kaspersky Lab recommends that the issue of comprehensive security should not be neglected, as reliable multi-level protection can prevent a company from incurring additional costs not only from external but also internal security incidents.

"In particular, technology that protects against phishing attacks, encryption, protection of mobile devices, virtual infrastructures and financial transactions all provide reliable targeted security for the individual nodes of a corporate IT infrastructure. And the implementation of various security policies together with specialist services such as incident investigations, independent evaluations of a company's IT infrastructure and staff training will minimise the risk of threats," the security company adds.