Cyber threats have become a daily reality for businesses in 2026, with a common reason suggested being surging geopolitical tensions driving rates of state-sponsored attacks.
But while international threat actors in hostile states are legitimate concerns, recent research suggests a far greater risk faced by businesses comes from the inside.
In its latest annual State of Human Risk report, network security company Mimecast examined the human-led cyber threats that are most plaguing British businesses.
Its survey of 2,500 IT security and decision makers has revealed that the scale to which insider incidents cost businesses.
Negligence, malice and the cost of insider incidents
Mimecast’s research found that between direct threats from insiders, credential misuse and user-driven error, the majority of security incidents come in some way from inside a company.
Between both negligent and malicious insider activity, the risk report revealed a 45% rise among UK businesses over the past 12 months.
According to the research, these incidents cost on average £9.6m, with organisations experiencing six insider incidents per month.
Part of the problem, as suggested by Mimecast’s chief marketing officer Nikki Cosgrove, is that insider risk concentrates across a workforce.
The group’s research found that 8% of employees are responsible for 80% of an organisation’s security risk.
“The organisations that understand that stop applying identical controls to everyone and start building programmes that can distinguish between the careless, the compromised, and the malicious,” Cosgrove said.
While neither form of insider security risk is desirable, it is also concerning that Mimecast has found that malicious incidents are rising to the same rate as negligent ones.
“For a long time, security teams told themselves insider risk was mostly accidental. A careless click. A misdirected file. Someone who didn’t know better. That story no longer holds.”
What are businesses doing wrong?
Part of the problem is simple preparedness. Mimecast research found that only 22% of organisations train their employees to spot cyber-attacks on an ongoing basis, and only 33% combine regular security awareness training with continuous monitoring for policy violations.
Beyond this, Cosgrove pointed out a common fault in a typical business’s approach to tackling these kinds of threats.
“They treat insider risk as a solely technical problem. It isn’t. It’s a people problem that happens to have technical symptoms,” she said.
“What changes the trajectory of an insider risk programme isn’t the technology. It’s whether the organisation is willing to ask why someone became a risk in the first place.”
This could be down to financial pressure, disengagement or even coercion and Cosgrove claimed these real drivers of risk leave behavioural signals long before anything can be seen in a threat alert.
The organisations building genuine capability here are treating those signals as early warning intelligence, not background noise.
The role of regulation
Interestingly, Mimecast noted that the existing regulatory architecture needed to meet these challenges is already for the most part in place.
Between GDPR, the Data Protection Act and the incoming Cyber Resilience Bill, there is already a framework with real authority.
“The problem isn’t that we lack regulation. It’s that the guidance was written for a threat model that no longer reflects how incidents actually unfold,” said Cosgrove.
“What policymakers need to grapple with is how fundamentally the threat has changed.”
Today, data loss can happen across email, collaboration tools, cloud platforms and even via AI systems and agents and it happens at a speed that manual processes are not fit for.
“Regulation that only contemplates the human insider is already outdated,” Cosgrove said.
“What’s needed are governance standards that cover both, with clear requirements for automated detection when sensitive data moves inappropriately, and real-time controls that don’t depend on someone being in the loop.”
