The latest State of Human Risk report from Mimecast shows that 42 percent of organizations have reported an increase in malicious insider incidents over the past year, matching the 42 percent reporting a rise in negligent incidents for the first time.
The study of 2,500 IT security and IT decision makers across nine countries also quantifies the financial toll of insider incidents. Organizations experience an average of six insider-driven incidents per month at an estimated cost of $13.1 million per incident, while 66 percent expect insider-related data loss to increase over the next 12 months.
A worrying 69 percent of security leaders say AI attacks against their organization are inevitable within 12 months, yet 60 percent are not fully prepared. Just 28 percent of respondents say they coordinate security training with continuous monitoring.
As threats expand across email, collaboration platforms, and internal communications, 38 percent of organizations remain reliant solely on native security controls — tools that 64 percent of respondents acknowledge are not up to the task.
“Insider risk has become one of the most consequential and underestimated threats facing organizations today, not just because of the data loss it causes, but because attackers are increasingly exploiting insiders as a deliberate entry point to bypass perimeter defenses entirely,” says Mimecast CISO Leslie Nielsen. “The data shows both careless mistakes and deliberate actions driving incidents in equal measure. Rather than trying to manage human behavior, organizations need adaptive controls that identify high-risk actions and adjust protections in real-time, creating friction when someone accesses data they shouldn’t, regardless of whether they have valid credentials. As AI makes it easier for insiders to exfiltrate data at scale, security must meet users at the point of risk.”
The report also finds 91 percent of organizations face challenges maintaining governance and compliance over communications data, limiting their ability to detect, investigate, and respond to incidents effectively. 59 percent lack confidence in quickly locating data to meet regulatory or legal requirements.
You can get the full 2026 State of Human Risk Report from the Mimecast site.
Image credit: artursz/depositphotos.com
