The insider threat rises again

Insider threats are coming back in a consequential way.

According to the State of Human Risk Report from Mimecast, 42% of organizations have experienced an increase in malicious insider incidents over the past year, with 42% also reporting a rise in negligent incidents for the first time.

The report further found that organizations experienced an average of six insider-driven incidents per month at an estimated cost of $13.1 million per incident. Additionally, 66% of the 2,500 surveyed IT security and IT decision-makers expect insider-related data loss to increase over the next 12 months.

“Insider risk has become one of the most consequential and underestimated threats facing organizations today, not just because of the data loss it causes, but because attackers are increasingly exploiting insiders as a deliberate entry point to bypass perimeter defenses entirely,” Mimecast CISO Leslie Nielsen said in announcing his company’s research results.

“The data shows both careless mistakes and deliberate actions driving incidents in equal measure,” he added. “Rather than trying to manage human behavior, organizations need adaptive controls that identify high-risk actions and adjust protections in real-time, creating friction when someone accesses data they shouldn’t, regardless of whether they have valid credentials. As AI makes it easier for insiders to exfiltrate data at scale, security must meet users at the point of risk.”

The state of insider threats today as technologies, tactics, and motivations evolve

Insider threats continue to fall into two broad camps. On one side is the malicious insider who knowingly acts with the intent to harm. On the other side is a member of the organization whose harmful actions are accidental or negligent, or in some cases manipulated by a malicious outsider.

According to Forrester Research’s 2025 Security Survey, 22% of data breaches in the prior 12 months were the result of internal incidents. Some 47% were due to abuse or malicious intent, 32% were due to inadvertent misuse or an accident, and 21% involved both.

These categories cover a wide swath of activities, says Joseph Blankenship, vice president and research director at Forrester. For example, a nonmalicious insider may accidentally email protected data to someone not authorized to have it or mistakenly allow public access to a database. A disgruntled employee may actively circumvent security controls to steal sensitive information to post to embarrass the organization.

Although those scenarios have been around for years, new technologies, tactics, and motivations are evolving to drive, manipulate, and enable insiders, security leaders say.

“My background is in the intelligence community, where we studied insider threat through a well-established lens: ego, ideology, and economics. Those motivations haven’t changed. What’s changed is the operating environment and who/what qualifies as an insider,” says Chris Cochran, field CISO and vice president of AI security at the SANS Institute.

“It’s no longer just employees. It’s contractors, fraudulent hires who gained access through identity fraud, and now AI agents operating with persistent, privileged access,” he says. “A misconfigured agent is a superuser that never sleeps. A compromised agent is an adversary with legitimate credentials moving at machine speed. If it has trusted access and can act on data, it’s an insider, witting or unwitting.”

The shift to remote work, Cochran adds, also removed physical and psychological barriers to insider risks. “Downloading data to a personal device doesn’t feel like espionage, and that trivialization is the risk,” he says. “Layer on economic pressure, while companies freeze hiring and suppress raises, and you have a recipe for witting insider threat at scale.”

Niel Harper, executive coach and strategic advisor at Octave Digital and a board member with governance association ISACA, points to the growth of social media as another factor spurring insider threats today.

Social media platforms, he says, give external threat actors information they can use to bribe, trick, or entice insiders to do their bidding. “They provide a treasure trove of information for threat actors, and a threat collective can easily conduct open-source intelligence to help them understand who is susceptible to blackmail or becoming a mercenary,” he explains.

In such cases, Blankenship says, malicious actors often coach insiders on how to get around security controls and evade detection.

Employees today are also more tech savvy and have greater access to powerful digital tools, including AI, and thus are more capable of finding ways around security controls, experts say.

“The average staffer can now become a really high-risk threat actor,” says Harper, who is also chief trust officer at Hugo and a former CISO, including at the international police organization Interpol.

Moreover, AI itself can become an insider threat, Harper adds, explaining that agents can go rogue or be programmed to do so. “So AI has changed the paradigm when it comes to insider threats,” he adds.

Meanwhile, the modern work environment has created new scenarios that increase the insider threat risk, Harper says.

For example, he says the growing use of contractors and outsourced providers, as well as people working multiple jobs, increases the opportunities for both malicious and nonmalicious incidents, as does remote work, due in part to the distributed nature of digital access for such workers.

Hacktivism against companies, polarization, ideological divisions, economic pressures, and fears of job loss are also driving up insider risk today, Harper adds.

Some of these dynamics have enabled malicious actors to land work within companies to then become insider threats, says Errol Weiss, CSO at Health-ISAC. These malicious actors, who are often from North Korea, obfuscate their identities and locations so they can be hired for legitimate roles, typically in IT. The common MO is to work for as long as possible to earn money to send back to North Korea while also laying the groundwork to launch some type of attack when their employers uncover their true identities. “They’re monetizing their exits by stealing data or extorting their employers on their way out,” Weiss explains.

Additionally, threat actors are becoming more aggressive in their attempts to get insiders to do their dirty work, says Lina Dabit, executive director of the CISO office at Optiv Canada. They’re paying rewards to people willing to harass targeted individuals or provide personal information, such as a personal email or family members’ names. And they’re setting up honeypots, such as romance scams, to gain leverage over insiders.

“We’ve always had malicious insiders, but now we have coerced insiders,” Dabit says. “I think it’s just a matter of time before a threat actor shows up at someone’s home or someone’s children’s school.”

At the same time, technology has made it easier to facilitate such illicit activities, she and others say. In addition to threat actors using social media and other online sources to harvest data they can use to entice or coerce insiders, they’re also using the dark web to connect with insiders willing to help. A 2026 Accenture Cyber Intelligence executive summary, titled “Rising dark-web enabled insider risk,” highlighted a 69% increase in insiders offering their access to hackers in 2025 compared to 2024 and a 127% surge in hackers recruiting insiders compared with 2022.

“The world is different and more dangerous than it has ever been,” warns Dabit, a former unit commander with the Cybercrime Investigative Team of the Royal Canadian Mounted Police. “Do not make assumptions that threat actor groups will fit into neat little boxes like nation-state, organized crime, hacktivism, etc. Collaboration between nation state and organized threat groups, whether intentional or simply opportunistic, [is happening and there is a] blurring between organized crime, nation-state, and hacktivism. Newer groups are not adhering to reputational norms, [and the threat environment] has become a no-holds barred approach and nothing is off the table.”

Shifting to proactive defense

Organizations must be on the lookout for insider threats, Dabit and others advise.

“And you need mechanisms in place to look for it,” Blankenship says, highlighting the various security technologies that can detect behaviors such as unusual or unauthorized attempts to access data and systems that could indicate an insider threat. Those, of course, are in addition to all the security and data protection controls considered standard today, he adds.

Dabit also advises security leaders to have a plan for how to respond if they suspect or catch an insider either inadvertently or maliciously causing harm.

And she advises CISOs to work with the chief legal officer and the head of HR to identify employees who could become insider threats, such as those who are about to be laid off or are disgruntled.

Harper recommends regular employee background checks, with more rigorous ones for executives and workers with access to sensitive information or systems.

Cochran says most security teams have work to do to meet the insider threats that exist today.

“Many of the CISOs I speak with don’t feel very confident they can detect an insider threat before serious damage occurs,” he says. “What needs to change is a shift from reactive, technically focused programs to integrated ones that fuse behavioral signals with technical telemetry, and critically, organizations need to extend insider risk frameworks to non-human/agentic identities with the same rigor they’d apply to a human employee.”
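Blankenship’s point about mechanisms that spot unusual or unauthorized access, and Cochran’s call to fuse behavioral signals with technical telemetry and to hold agentic identities to the same rules as people, can be made concrete with a small scoring detector. The following is an added example written for this page, not tooling from Mimecast, Forrester, SANS or any vendor quoted above; the access events, identities, HR watchlist, scoring weights and alert threshold are all constructed for illustration. It builds a per-identity baseline (resources touched, working-hour window, typical bytes per access) from past telemetry, then scores new events on deviation from that baseline plus HR context, applying exactly the same logic to a human analyst and to a service agent.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean

# Constructed sample telemetry (not real logs). Each tuple is:
# (identity, identity kind, ISO timestamp, resource touched, bytes sent out).
BASELINE_EVENTS = [
    ("alice", "human", "2025-03-03T09:15:00", "crm/accounts", 120_000),
    ("alice", "human", "2025-03-04T10:40:00", "crm/accounts", 95_000),
    ("alice", "human", "2025-03-05T14:05:00", "crm/reports", 140_000),
    ("alice", "human", "2025-03-06T11:30:00", "crm/accounts", 110_000),
    ("svc-etl-agent", "agent", "2025-03-03T02:00:00", "warehouse/orders", 50_000_000),
    ("svc-etl-agent", "agent", "2025-03-04T02:00:00", "warehouse/orders", 52_000_000),
    ("svc-etl-agent", "agent", "2025-03-05T02:00:00", "warehouse/orders", 49_000_000),
]

# New events to triage (constructed): a departing employee pulling data at night,
# an agent reaching a dataset it never touched before, an identity with no
# history, and a perfectly ordinary access by the watch-listed employee.
NEW_EVENTS = [
    ("alice", "human", "2025-03-07T23:10:00", "crm/accounts", 900_000),
    ("svc-etl-agent", "agent", "2025-03-07T02:00:00", "hr/payroll", 400_000_000),
    ("bob", "human", "2025-03-07T10:00:00", "crm/accounts", 50_000),
    ("alice", "human", "2025-03-07T10:00:00", "crm/accounts", 100_000),
]

# Behavioral context from HR/legal (constructed): identities that have given
# notice, are being laid off, or are under review. This is the non-technical
# signal fused with the telemetry below.
HR_WATCHLIST = {"alice": "notice_given"}


@dataclass
class Baseline:
    resources: set = field(default_factory=set)   # resources the identity normally touches
    hours: list = field(default_factory=list)     # hours of day seen in baseline
    bytes_per_event: list = field(default_factory=list)


def build_baselines(events):
    """Summarise past access telemetry per identity, human or agent alike."""
    baselines = defaultdict(Baseline)
    for identity, _kind, ts, resource, nbytes in events:
        b = baselines[identity]
        b.resources.add(resource)
        b.hours.append(datetime.fromisoformat(ts).hour)
        b.bytes_per_event.append(nbytes)
    return dict(baselines)


def score_event(event, baselines, watchlist, volume_multiplier=5.0):
    """Return (score, reasons) for one event. Weights are illustrative."""
    identity, _kind, ts, resource, nbytes = event
    b = baselines.get(identity)
    if b is None:
        # No history at all: worth noting, but not an alert on its own.
        return 2, ["no baseline for identity"]
    score, reasons = 0, []
    if resource not in b.resources:
        score += 2
        reasons.append(f"new resource {resource}")
    hour = datetime.fromisoformat(ts).hour
    if not (min(b.hours) <= hour <= max(b.hours)):
        score += 1
        reasons.append(f"outside usual hours ({hour:02d}:00)")
    typical = mean(b.bytes_per_event)
    if nbytes > volume_multiplier * typical:
        score += 3
        reasons.append(f"volume {nbytes} > {volume_multiplier:g}x baseline {typical:.0f}")
    if identity in watchlist:
        # Behavioral context raises the score but never triggers an alert alone.
        score += 2
        reasons.append(f"HR context: {watchlist[identity]}")
    return score, reasons


def triage(events, baselines, watchlist, threshold=4):
    """Return (identity, kind, score, reasons) for events at or above threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev, baselines, watchlist)
        if score >= threshold:
            alerts.append((ev[0], ev[1], score, reasons))
    return alerts


if __name__ == "__main__":
    bl = build_baselines(BASELINE_EVENTS)
    for identity, kind, score, reasons in triage(NEW_EVENTS, bl, HR_WATCHLIST):
        print(f"ALERT {identity} ({kind}) score={score}: {'; '.join(reasons)}")
```

Two design choices matter here. The service agent is scored with the same resource, hour and volume rules as the human, so its reach into a payroll dataset at a 400 MB volume surfaces as an alert without any agent-specific carve-out. And the HR watchlist contributes to the score but cannot reach the threshold by itself, so a departing employee doing ordinary work is not flagged; only the combination of that context with off-hours access and a volume spike produces the alert that should create friction at the point of access.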
