South African organisations are reporting higher rates of malicious insider activity than the global average, with nearly half saying deliberate data theft by employees has increased over the past year, according to Mimecast’s latest State of Human Risk Report.
The annual study, which surveyed 2 500 IT security and IT decision-makers across nine countries — including 200 in South Africa — found that 46% of local respondents reported a rise in malicious insider incidents. That compares with a global average of 42%, which itself represents a sharp jump from 33% two years ago.
The trend isn’t only limited to global organisations. In South Africa, organisations also reported a rise in malicious insider activity over the past year (46%) — matching, for the first time, those experiencing increases in accidental or negligent incidents (46%).
Heino Gevers, senior director of technical support at Mimecast, told TechCentral in an interview that South African organisations are “certainly not prepared” to deal with the expanding attack surface driven by the widespread adoption of collaboration and generative AI tools.
“From a South African perspective, a lot of the respondents have highlighted that they are certainly not prepared to deal with the expansion in what we like to call the attack surface explosion,” said Gevers.
While traditional insider threats involve the theft of financial records or trade secrets, Gevers warned that the theft of AI models represents an emerging and poorly understood risk — particularly as South African companies move their AI strategies from pilot to production.
AI threat
An AI model, he explained, distils far more than raw data. It encapsulates a company’s intellectual property, strategy and competitive advantage in a form that is immediately usable by a competitor or bad actor. Yet most organisations lack the tools to detect when models are being exfiltrated.
“It’s a new type of threat. AI models incorporate such meaningful information — it’s outside of the normal data theft,” said Gevers. “Most organisations do not have the technology or the means to detect when these models are being stolen or exfiltrated. It is certainly going to be a new type of insider threat that we’re not used to or certainly not prepared to deal with.”
Read: The AI fraud crisis your bank is not ready for
He added that many South African companies are moving AI into production without even having usage policies in place — a significant gap given the risks involved.
The report also highlights what Mimecast calls the “recognition/action gap”: organisations are investing in security awareness training but failing to connect it with technical controls that can act on the intelligence.
Globally, just 28% of organisations combine regular security awareness training with continuous monitoring. In practice, this means that when behavioural analytics flag a high-risk user, that intelligence does not automatically trigger coordinated responses across access controls, data loss prevention and monitoring systems.
Gevers said South African organisations are particularly exposed. “We are very good at awareness. But where we fall short is overlapping the technical controls with the human controls. In other words, they don’t inform one another.”
He gave a practical example: an employee whose role gives them legitimate access to sensitive data begins downloading information after hours or sharing files in collaboration tools like Teams or Slack in ways they hadn’t before. Without integrated systems that assign risk scores and trigger automated responses, that behavioural shift goes undetected until damage is done.
This is especially acute in a market experiencing significant workforce volatility. Gevers noted that specialists who build AI models in South Africa often develop the entire system end to end — the model, the security architecture, the strategy. When they leave, they take deep institutional knowledge with them, and many organisations lack proper offboarding processes to manage that risk.
“In that part of the South African market, our companies do not do very well at the moment,” he said.
The report found that 91% of organisations globally face challenges maintaining governance and compliance over communications data. In South Africa, 52% of respondents said they cannot locate communication data quickly enough to meet regulatory or legal requirements — a vulnerability that could prove costly in the event of a breach investigation.
‘Underprepared’
“It means we are very much underprepared to deal with a particular situation like a breach,” said Gevers.
The study also found that 38% of organisations globally rely solely on native security controls for collaboration tools, even though 64% of respondents acknowledge those controls are inadequate. Gevers said native controls were “designed to deal with a technology problem” and have not kept pace with the need to identify and respond to human behavioural risk.
Read: US orders diplomats to fight foreign data sovereignty rules
Globally, organisations experience an average of six insider-driven incidents per month at an estimated cost of US$13.1-million per incident, the report found. Mimecast does not provide a South Africa-specific figure, though Gevers said the local impact likely exceeds the global average given the concentrated nature of the market.
“We only have a few major players in banking, telecoms, the mining space, and of course the retail sector. Losing any form of proprietary information through a breach is quite significant,” he said. “It’s not a one-solve-and-we-move-on situation.”
Two-thirds of respondents globally expect insider-related data loss to increase over the next 12 months.
Mimecast commissioned research firm Vanson Bourne to conduct the survey of 2 500 IT security and IT decision-makers across nine countries in November and December 2025. All organisations surveyed had more than 250 employees. – © 2026 NewsCentral Media
Get breaking news from TechCentral on WhatsApp. Sign up here.