Mimecast’s ninth annual State of Human Risk Report reveals that 46% of SA organisations reported an increase in malicious insider incidents over the past year – matching the 46% of local organisations reporting a rise in negligent incidents for the first time.
This parity marks a fundamental shift in enterprise security where intentional betrayal by employees rivals accidental mistakes as a primary security concern.
Organisations worldwide reporting increases in malicious insider concerns jumped nearly 10 percentage points over two years from 33% in 2024 to 42% in 2026.
The study of 2 500 IT security and IT decision makers across nine countries also quantifies the financial toll: organisations experience an average of six insider-driven incidents per month at an estimated cost of $13,1-million per incident, while 66% expect insider-related data loss to increase over the next 12 months.
The study explored dozens of facets of securing human risk and some of the other key findings from the worldwide study include:
- AI threat preparation lags despite inevitable attacks – 69% of security leaders say AI attacks against their organisation are inevitable within 12 months, yet 60% are not fully prepared.
- Critical coordination gap undermines defenses – Just 28% of respondents coordinate security training with continuous monitoring. This critical coordination gap undermines defenses, leaving people-focused and technology-focused initiatives disconnected.
- Expanding attack surface meets inadequate native security – As threats expand across email, collaboration platforms, and internal communications, 38% of organisations remain reliant solely on native security controls – tools that 64% of respondents acknowledge are not up to the task.
- Governance failures create regulatory time bomb – 91% face challenges maintaining governance and compliance over communications data. 59% lack confidence in quickly locating data to meet regulatory or legal requirements.
“Insider risk has become one of the most consequential and underestimated threats facing organisations today, not just because of the data loss it causes, but because attackers are increasingly exploiting insiders as a deliberate entry point to bypass perimeter defenses entirely,” says Mimecast CISO Leslie Nielsen.
“The data shows both careless mistakes and deliberate actions driving incidents in equal measure. Rather than trying to manage human behaviour, organisations need adaptive controls that identify high-risk actions and adjust protections in real-time, creating friction when someone accesses data they shouldn’t, regardless of whether they have valid credentials.
“As AI makes it easier for insiders to exfiltrate data at scale, security must meet users at the point of risk.”
AI the accelerant across an expanding attack surface
The attack surface is rapidly expanding as employees work across email, GenAI platforms, and collaboration tools – yet security strategies have failed to keep pace.
Native security controls are falling short: 38% of South African organisations rely on them exclusively for collaboration tools, even as 62% of them admit these controls are insufficient against modern threats.
At the same time, AI is emerging as a force multiplier for both external attackers and malicious insiders. 60% of South African security leaders say AI attacks are inevitable within 12 months.
Yet, worldwide 60% of organisations are not fully prepared. Attackers use AI to recruit insiders, craft convincing social engineering attacks, and automate reconnaissance.
Governance, visibility and the compliance time bomb
Ninety-two percent of South African organisations face challenges maintaining governance and compliance over communications data, limiting their ability to detect, investigate, and respond to incidents effectively.
Fifty-two percent of respondents also lack confidence in quickly locating data to meet regulatory or legal requirements – a regulatory time bomb as compliance requirements intensify.
Fragmented defenses, coordinated threats
A dangerous irony undermines defense efforts: 55% of South African organisations find security tool integration too complicated, while attackers face no such constraints.
Modern attack chains seamlessly combine CAPTCHA-protected phishing, embedded JavaScript, and legitimate remote management tools, exploiting the gaps between disconnected security controls.
Worldwide, only 28% of organisations combine both regular security awareness training and continuous monitoring. This means when a high-risk user is identified through behavioural analytics, that intelligence doesn’t automatically trigger coordinated responses across access controls, data loss prevention, and monitoring systems.
However, those who successfully integrate are reporting dramatic benefits. In SA, organisations achieve faster threat remediation (56%), comprehensive visibility (47%), and improved compliance readiness (46%).
The challenge isn’t whether integration delivers value – it’s that most organisations remain constrained by tool sprawl, unable to correlate threats across email, collaboration platforms, and data repositories.
The path forward: Co-ordinating for human risk
Organisations can no longer treat their communication channels, collaboration platforms, and employee behaviours as isolated security concerns, nor rely on native controls that were never designed to stop human-targeted attacks at scale.
Addressing human risk means meeting people where they are – in their inboxes, their workflows, and their daily decisions – with a holistic strategy that spans the full threat landscape.
The solution requires coordinated action across four dimensions:
- Integrated visibility across all communication and collaboration channels.
- Behavioural analytics and security behaviour management that identify high-risk users and anomalous activity patterns while driving measurable change in how employees respond to threats.
- Data governance and protection that safeguards sensitive information regardless of where it resides or how it moves.
- Co-ordinated response that connects people-focused and technology-focused security controls
Organisations that address these requirements will detect and prevent insider threats before costly breaches occur. Those that maintain fragmented approaches will see security spending rise while protection effectiveness declines.
You can download the 2026 State of Human Risk Report here.