South Africa experienced a 46% increase in insider cyber risk in 2026, surpassing the global average of 44%. What is more, 63% of South African companies surveyed expect insider-driven data losses to increase as a growing number of disgruntled employees resort to stealing valuable corporate data, while some are even being recruited on the dark web.
“Your employees are being headhunted, not for jobs, but for your data,” warns Heino Gevers, senior director of technical support at Mimecast South Africa. “Over the past two to three years, insider threats in South Africa have moved from being a side-issue in security strategies to a central concern, and local leaders expect it to worsen, not stabilise.”
According to Mimecast’s State of Human Risk research, 63% of South African companies expect insider-driven data losses to increase, despite investing in more tools and controls, prompting industry leaders to question their focus.
“Underlying pressures that drive corporate espionage and data theft are intensifying in South Africa. Economic stress, high unemployment and repeated waves of restructuring are pushing more employees into a defensive, ‘look after myself first’ mindset, where taking data feels like insurance rather than a crime,” Gevers explains.
Gevers points out that the core psychological driver is not always sophisticated cybercrime, but rather survival.
“People often do not fully grasp the gravity of what they are doing, showing a maladaptive response, where their reaction is disproportionate to the situation, but feels justified in the moment. The problem is further fuelled by big companies frequently paying their problems away with mutual separation agreements and NDAs rather than taking insiders through visible disciplinary or legal processes,” he says.
Younger generations see data as career capital
The report also uncovered that Gen Z and Millennial employees are approached more often and are more willing to share confidential information, with nearly half citing cash as their primary motivator.
“Many of the country’s largest employers, including banks, telcos, financial services and big business services, are staffed heavily by younger workers. This matters because their digital habits and expectations are very different,” Gevers notes. “Gen Z and younger Millennials have grown up normalising oversharing online. Their role models are YouTubers and influencers, and their income and visibility are often tied to how much they put out into the world. That mindset carries into the workplace, where data feels like currency, and the boundary between ‘my work’ and ‘the company’s IP’ is blurry.”
According to Gevers, customer lists, contact books, pricing sheets, strategies, even AI models and training data are often seen as part of younger workers’ personal toolkits. In addition, their high churn rate leads to more exits, which in turn creates more opportunities for data to walk out the door.
AI becoming the new currency of espionage
A trend evolving as quickly as the technology itself is that AI models are now a core target in espionage.
“Stealing a well-trained model is not like copying a single spreadsheet. It compresses years of data collection, domain expertise, and experimentation into a single artefact. Move that model to a competitor, and you do not just leak information, you export the organisation’s competitive brain. In a market where skills are scarce, and people are anxious about their careers, it is easy for insiders to rationalise taking ‘their’ models with them – even though they legally and ethically belong to the company,” he explains.
Action plan for the next 12 to 24 months
While business leaders and CISOs cannot eliminate insider risk, Gevers says they can manage it far better than most are currently doing. In the first instance, Gevers says leaders must treat insider risk as a business risk, not an IT glitch.
“Put it on the risk register, assign executive ownership, and have regular reporting that blends behavioural signals with HR and organisational context. Focus especially on inflexion points including restructures, acquisitions, leadership changes, performance processes and exits,” he says.
Second, leaders should fix the joiner–mover–leaver lifecycle. In a high-attrition environment, offboarding is where an outsized portion of risk sits, and Gevers says access must shrink as roles change and must be properly revoked on exit.
Third, leaders should look to rebuild the social contract. This means communicating layoffs and major changes clearly and respectfully, and being willing to pursue visible consequences for serious insider abuse.
“People will always act out of fear and frustration. As leaders, it is our job to lower the emotional temperature, while disabusing any impression that there are no real repercussions,” he adds.
Finally, Gevers advises leaders to treat AI models and key datasets as crown jewels to be classified and protected. There must also be a clear limit on who can access and export them, built into MLOps and DevOps pipelines so that exfiltration attempts are visible early.
“Insider-as-a-Service in South Africa is not an abstract concept; it is the logical outcome of economic anxiety, high churn, fading loyalty, and powerful new tools sitting in the hands of people who feel they have little to lose. Organisations have to respond on the human as well as the technical front,” he says.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version