printer friendly version

Rise in malicious insider threat reports

Leslie Nielsen.

Mimecast has released its 9th annual State of Human Risk Report, revealing that 46% of SA organisations reported an increase in malicious insider incidents over the past year, matching the 46% of SA organisations reporting a rise in negligent incidents for the first time. This parity marks a fundamental shift in enterprise security, where intentional employee betrayal rivals accidental mistakes as a primary security concern.

Organisations worldwide reporting increases in malicious insider concerns jumped nearly 10 percentage points over two years, from 33% in 2024 to 42% in 2026. The study of 2,500 IT security and IT decision-makers across nine countries also quantifies the financial toll: organisations experience an average of six insider-driven incidents per month at an estimated cost of $13,1 million per incident, while 66% expect insider-related data loss to increase over the next 12 months.

The study explored dozens of facets of securing human risk, and some of the other key findings from the worldwide study include:

• AI threat preparation lags despite inevitable attacks: 69% of security leaders say AI attacks against their organisation are inevitable within 12 months, yet 60% are not fully prepared.

• Critical coordination gap undermines defences: Just 28% of respondents coordinate security training with continuous monitoring. This critical coordination gap undermines defences, leaving people-focused and technology-focused initiatives disconnected.

• Expanding attack surface meets inadequate native security: As threats expand across email, collaboration platforms, and internal communications, 38% of organisations remain reliant solely on native security controls – tools that 64% of respondents acknowledge are not up to the task. 

• Governance failures create a regulatory time bomb: 91% face challenges maintaining governance and compliance over communications data, while 59% lack confidence in quickly locating data to meet regulatory or legal requirements.

"Insider risk has become one of the most consequential and underestimated threats facing organisations today, not just because of the data loss it causes, but because attackers are increasingly exploiting insiders as a deliberate entry point to bypass perimeter defences entirely," said Mimecast CISO, Leslie Nielsen. "The data shows both careless mistakes and deliberate actions driving incidents in equal measure. Rather than trying to manage human behaviour, organisations need adaptive controls that identify high-risk actions and adjust protections in real-time, creating friction when someone accesses data they should not, regardless of whether they have valid credentials. As AI makes it easier for insiders to exfiltrate data at scale, security must meet users at the point of risk."

AI: The accelerant

The attack surface is rapidly expanding as employees work across email, GenAI platforms, and collaboration tools, yet security strategies have failed to keep pace. Native security controls are falling short: 38% of SA organisations rely on them exclusively for collaboration tools, even as 62% admit these controls are insufficient against modern threats.

At the same time, AI is emerging as a force multiplier for both external attackers and malicious insiders. 60% of SA security leaders say AI attacks are inevitable within 12 months. Yet, worldwide, 60% of organisations are not fully prepared. Attackers use AI to recruit insiders, craft convincing social engineering attacks, and automate reconnaissance.

An overwhelming 92% of SA organisations face challenges maintaining governance and compliance over communications data, limiting their ability to detect, investigate, and respond to incidents effectively. Moreover, 52% of SA organisations also lack confidence in quickly locating data to meet regulatory or legal requirements – a regulatory time bomb as compliance requirements intensify.

Fragmented defences, coordinated threats

A dangerous irony undermines defence efforts: 55% of SA organisations find security tool integration too complicated, while attackers face no such constraints. Modern attack chains seamlessly combine CAPTCHA-protected phishing, embedded JavaScript, and legitimate remote management tools, exploiting the gaps between disconnected security controls.

Worldwide, only 28% of organisations combine both regular security awareness training and continuous monitoring. This means when a high-risk user is identified through behavioural analytics, that intelligence does not automatically trigger coordinated responses across access controls, data loss prevention, and monitoring systems.

However, those who successfully integrate are reporting dramatic benefits. In SA, organisations achieve faster threat remediation (56%), comprehensive visibility (47%), and improved compliance readiness (46%). The challenge is not whether integration delivers value; it is that most organisations remain constrained by tool sprawl, unable to correlate threats across email, collaboration platforms, and data repositories.

Coordinating for human risk

Organisations can no longer treat their communication channels, collaboration platforms, and employee behaviours as isolated security concerns, nor rely on native controls that were never designed to stop human-targeted attacks at scale. Addressing human risk means meeting people where they are, in their inboxes, their workflows, and their daily decisions, with a holistic strategy that spans the full threat landscape.

The solution requires coordinated action across four dimensions:

1. Integrated visibility across all communication and collaboration channels.

2. Behavioural analytics and security behaviour management that identify high-risk users and anomalous activity patterns, while driving measurable change in how employees respond to threats.

3. Data governance and protection that safeguards sensitive information regardless of where it resides or how it moves.

4. Coordinated response that connects people-focused and technology-focused security controls.

Organisations that address these requirements will detect and prevent insider threats before costly breaches occur. Those that maintain fragmented approaches will see security spending rise, while protection effectiveness declines.

Download the 2026 State of Human Risk Report

Share this article:

Further reading: