Intentional betrayal by employees now rivals accidental mistakes as a leading security risk for organisations, signalling a significant shift in enterprise security threats, according to cyber security and risk management company Mimecast.
The company released findings from its ninth annual State of Human Risk Report, based on a survey of 2 500 IT security and decision-makers across the US (500), the UK (300), Germany (300), France (300), Spain (200), Italy (200), SA (200), Singapore (250) and Australia (250).
According to the report, 46% of organisations in SA reported an increase in malicious insider incidents over the past year. The same proportion reported a rise in negligent insider incidents.
Globally, the number of organisations reporting increased malicious insider concerns rose from 33% in 2024 to 42% in 2026.
Mimecast estimates organisations experience an average of six insider-driven incidents per month, at an estimated $13.1 million per incident, while 66% expect insider-related data loss to increase over the next 12 months.
Although the company does not have specific national statistics for SA, it reported in January 2026 that eight out of 10 cyber security leaders in the country expect data loss from insider threats to increase over the next year. Insider threats account for about 22% of all data breaches.
The research also found that 69% of security leaders globally believe AI-driven attacks on their organisations are inevitable within the next 12 months, yet 60% say they are not fully prepared.
At the same time, 38% of organisations globally rely solely on native security controls to protect e-mail and collaboration platforms, even though 64% of respondents say these tools are insufficient. The same pattern is reflected in SA, where 38% rely only on native controls and 62% say the tools are not up to the task.
Compliance struggle
Despite widespread concern about human-related security risks, organisations are struggling to enforce compliance. The report found that 91% face challenges ensuring employee compliance with security policies, while 96% acknowledge gaps in their protection.
However, only 28% of organisations combine regular security awareness training with continuous monitoring for policy violations – two measures considered foundational to managing human risk.
This disconnect leaves organisations exposed. While 71% expect collaboration-tool attacks to have a business impact in 2026, many continue relying on the same limited controls.
Commenting on the findings, Heino Gevers, senior director of technical support at Mimecast SA, said many organisations treat training and monitoring as separate programmes.
“What was also interesting from the report findings was that of all the respondents, only 28% highlighted that they were doing co-ordinated training with technical monitoring. What that means is that 72% of the organisations effectively run these two kinds of components completely as separate programmes. In our opinion, this is not a people problem, it’s an architectural problem,” he said.
Gevers noted that a small group of users is responsible for most incidents.
“Now if you consider that 8% of users in organisations are mainly responsible for 80% of the incidents, which is of course very easy to identify and address, so to speak, it means that the blanket training treats everyone the same. The generic way of doing awareness training these days is everybody, once a month or once a quarter, gets a video to watch or a survey to do.”
Leslie Nielsen, CISO at Mimecast, said insider threats are increasingly exploited by attackers.
“Insider risk has become one of the most consequential and underestimated threats facing organisations today, not just because of the data loss it causes, but because attackers are increasingly exploiting insiders as a deliberate entry point to bypass perimeter defences entirely,” he said.
“The data shows both careless mistakes and deliberate actions driving incidents in equal measure. Rather than trying to manage human behaviour, organisations need adaptive controls that identify high-risk actions and adjust protections in real-time.”
Gevers added that identifying where risk exists inside organisations is critical, particularly as communication channels expand. “Today’s workplaces operate across multiple communication channels, and now generative AI adds further complexity. AI has evolved to the point where it is almost impossible for users to identify traditional phishing signals such as bad grammar or generic greetings. You simply cannot train your way out of that problem.”
Adaptive security controls that respond to risk exposure are therefore essential, he said.
“As one South African healthcare provider noted in the report, no matter how much you train employees, someone will always click a malicious link. There will always be that 8%. Training alone is not sufficient. Controls must meet people where they are.”
Worrying trend
From a South African perspective, Gevers said the findings highlight a worrying trend.
Survey participants in the country indicated they did not view tool sprawl or artificial intelligence adoption as major challenges. However, 56% of South African respondents – 15 percentage points higher than the global average of 41% – reported an increase in account takeovers over the past year.
“This suggests a false sense of security. It is not necessarily denial; organisations may simply not be detecting or recognising the problem as frequently as they should,” he said.
Attacks targeting employees are increasing across communication channels. Globally, 53% of respondents reported a rise in phishing attempts, 48% saw more business e-mail compromise attacks, and 45% reported an increase in collaboration-tool attacks.
The report notes that employees are often trained to treat suspicious external e-mails with caution, so attacks delivered through internal messaging platforms may be more successful.
“If a message appears to come from a CEO via a collaboration platform such as Slack or Teams, employees are less likely to suspect impersonation,” Gevers said.
To address these risks, Mimecast recommends organisations focus on four key areas:
- Integrated visibility across communication channels.
- Behavioural analytics to identify high-risk users.
- Stronger data governance and protection.
- Co-ordinated responses that combine human-focused and technology-based security controls.
Organisations that implement these measures will be better positioned to detect and prevent insider threats before costly breaches occur, the company said.