South African organisations, already navigating a tough economic climate, are facing another significant drain on their resources: the persistent and costly loss of sensitive data.
While external threats grab headlines, new research reveals that a significant number of these damaging incidents originate from within.
The 2025 Data Security Report from Fortinet and Cybersecurity Insiders shows that while many security leaders are adopting smarter strategies and securing stronger budgets, data loss continues to climb.
This trend is particularly alarming in South Africa, where SABRIC recently reported that digital banking fraud cases more than doubled in a year, with losses hitting over R1,4-billion.
Globally, the picture is just as concerning. Seventy-seven percent of organisations reported at least one insider-related incident in the past 18 months, with 58% experiencing six or more. The question is, why are these incidents still happening at such a high rate?
The gap is in the tools. Most organisations rely on some form of data loss prevention (DLP), but many of these legacy solutions were built for simpler, perimeter-driven environments. They often lack visibility into how employees interact with data – especially in SaaS and generative AI tools – and they miss the context that separates accidents from actual risk.
Spending more, securing less
According to the report, 72% of organisations boosted their budgets for insider risk and data protection last year, with more than a quarter reporting significant increases.
Yet, with INTERPOL confirming that South Africa suffered the highest number of ransomware detections on the continent (17 849), it is clear that investment alone is not solving the problem.
Nearly half of organisations globally still suffered substantial financial losses, often in the millions of dollars per incident. Despite aggressive changes, the problem continues to worsen.
The issue isn’t a lack of investment. It’s an over-reliance on tools that weren’t built for today’s risks.
Where traditional DLP falls short
Traditional DLP tools were designed to prevent regulated data from leaving an organisation. They are largely perimeter-focused and compliance-driven, scanning structured data on-premises because threats were primarily viewed as external.
Today’s reality is different. Sensitive data, including intellectual property, is continually created and shared across cloud services, SaaS platforms, and AI tools.
Analysts move entire customer datasets into spreadsheets. Engineers share design files with contractors. Employees paste confidential data into AI assistants. This activity is normal – and critical to productivity – but each step carries risk.
Traditional DLP solutions fall short because they:
- Lack visibility: 72% of organisations cannot see how employees interact with sensitive data.
- Miss the context behind data at risk: Nearly half of all incidents are caused by negligence or error, not malice.
- Operate in silos: Endpoint, email, and network DLPs rarely work together, creating gaps in enforcement.
- Take too long to deliver value: Three in four organisations wait weeks or months after deployment for meaningful insight.
The result is more alerts, less clarity, and a false sense of control.
The shift to behaviour and context
Knowing a file was sent is useless without context. Today’s security leaders need to know who sent it, why, and whether the action fits normal behaviour. Without that clarity, security teams are left drowning in alerts that don’t tell the whole story.
That is why security leaders say next-generation DLP solutions must provide:
- Behavioural analytics (66%) to distinguish errors from malicious activity and flag abnormal behaviour.
- Day-one visibility (61%) so insights arrive immediately and inform smarter policy.
- Shadow AI and SaaS oversight (52%) to close gaps where sensitive data often flows unnoticed.
Modern DLP platforms must connect individual events into risk narratives, enabling teams to identify patterns, prioritise risks, and act with confidence. This marks a shift from static enforcement to behaviour-aware visibility that shows what’s happening and why it matters.
The real stakes
Data loss transcends compliance checklists; it is a direct business risk that affects revenue, trust, and long-term viability.
Nearly half of organisations reported direct financial losses from insider-driven incidents. Forty-one percent estimated losses of $1–10 million for their most significant incident, and 9% reported losses above $10 million. Forty-three percent suffered reputational damage, while 39% experienced operational disruption. In sectors critical to the South African economy, like mining, finance, and manufacturing, a single leaked dataset or design file can wipe out years of investment and erase a competitive edge.
Many organisations still run a patchwork of tools – often anchored on legacy DLP – that fails to fit today’s complex environments and creates unnecessary complexity for security teams.
The way forward
The report is clear: security teams are implementing smarter approaches and winning executive support, but organisations are still experiencing damaging insider risk incidents at an unacceptable rate. The likely culprit is an over-reliance on legacy data loss prevention solutions that haven’t evolved with today’s complex environments.