A new Mimecast study has found that malicious insider incidents are now rising at the same rate as negligence-based incidents, with 42% of organizations reporting an increase in each over the past year. It is the first time the two figures have been level, marking a significant shift in how enterprise security threats are evolving.
“The data shows both careless mistakes and deliberate actions driving incidents in equal measure,”
said Mimecast CISO Leslie Nielsen.
The findings are alarming not only because insider threats are inherently more dangerous than incidents of negligence, but also because they come at a time when the broader threat landscape is intensifying. AI-powered attacks, expanding collaboration surfaces, and fragmented security controls are all adding pressure.
By the Numbers: What the Data Actually Shows
The headline figure is striking enough, but the details behind it make for even more sobering reading. The share of organizations reporting an increase in malicious insider concerns has jumped nearly ten percentage points in just two years, rising from 33% in 2024 to 42% in 2026.
Organizations experiencing insider-driven incidents report an average of six such events per month, at an estimated cost of $13.1 million per incident. This increase adds substantial cost to their security posture. With 66% of respondents expecting insider-related data loss to rise over the next 12 months, the numbers are only expected to worsen.
The report also highlights how AI is accelerating the problem. Attackers are using AI to recruit insiders, automate reconnaissance, and craft highly convincing social engineering campaigns that can turn an otherwise loyal employee into an unwitting or willing threat actor. Sixty-nine percent of security leaders say AI-powered attacks against their organization are inevitable within the next 12 months, yet 60% admit they are not fully prepared.
Compounding this is a visibility problem. Ninety-one percent of organizations face challenges maintaining governance and compliance over communications data, while 59% lack confidence in their ability to quickly locate data when faced with a regulatory or legal request. This lack of governance not only exposes them to potential fines but also limits their ability to detect, investigate, and respond to insider incidents effectively.
Why Insider Threats Hit Differently
Understanding the scale of the problem is one thing. Understanding why it is so damaging is another.
Unlike external attackers who must first breach a perimeter, malicious insiders already have what every attacker wants: authorized access. They know the systems, where sensitive data resides, and how to move through an organization without triggering immediate suspicion. That authorized access makes them extremely difficult to detect and costly to remediate.
The data underscores this reality. According to a 2023 IBM report, malicious insider breaches took an average of 308 days to identify and contain. While the global average for all breaches was already high, insider breaches cost an average of $4.9 million—about 9.6% above the global average for all breach types.
This is the core issue with the rise in insider threats. By the time an organization realizes a breach has occurred, the damage is often done: data exfiltrated, compliance obligations breached, and remediation costs spiraling.
As Nielsen put it:
“Insider risk has become one of the most consequential and underestimated threats facing organizations today—not just because of the data loss it causes, but because attackers are increasingly exploiting insiders as a deliberate entry point to bypass perimeter defenses entirely.”
The Road Ahead: Closing the Gap Between Awareness and Action
The Mimecast report makes clear that awareness of the insider threat problem must be followed by action.
Right now, only 28% of organizations combine regular security awareness training with continuous behavioral monitoring. Yet these are the two most essential components of a human risk strategy. This gap means that when a high-risk user is identified through behavioral analytics, that intelligence does not automatically trigger coordinated responses across access controls, data loss prevention, and monitoring systems.
The good news is that companies integrating those pillars see results. Forty percent of organizations that successfully connect their security tools report faster threat remediation, improved visibility, and stronger compliance readiness, according to the report. The blueprint exists, the challenge is execution.
As insider threats continue to rise and AI lowers the barrier for both external attackers and malicious employees, the organizations that will fare best are those moving beyond perimeter thinking. When the threat is already authenticated, already trusted, and already inside, detection requires smarter behavioral controls, tighter data governance, and security systems that work together.
With the Mimecast study showing insider threats on a sharp upward trajectory, the window to get ahead of the problem is narrowing.
