Mimecast releases State of Human Risk Report
Mimecast released its ninth annual State of Human Risk Report, which documented parallel increases in malicious and negligent insider incidents and highlighted mismatches between employee-focused awareness efforts and deployed technical controls.
The report presented operational figures: the share of organizations that reported rises in malicious insider concerns increased from 33% in 2024 to 42% in 2026, and respondents reported an average of six insider-driven incidents per month, with an estimated cost of $13.1 million per incident.
Survey findings addressed defensive gaps and attack techniques, noting that 60% of security leaders were not fully prepared for AI-enabled threats, 38% of organizations relied only on native security controls for collaboration tools while 64% judged those controls insufficient, and 65% found security tool integration too complicated to correlate threats across channels.
Mimecast commissioned Vanson Bourne to survey 2,500 IT security and IT decision makers in November and December 2025; all respondents worked at organizations with more than 250 employees and more than 250 email users. Geographic coverage included the United States (500), United Kingdom (300), Germany (300), France (300), Spain (200), Italy (200), South Africa (200), Singapore (250), and Australia (250). Sectors covered included financial services, healthcare, IT/technology/telecoms, manufacturing, retail, public sector, energy/utilities, business services, construction, consumer services, and media/entertainment.
“Insider risk has become one of the most consequential and underestimated threats facing organizations today, not just because of the data loss it causes, but because attackers are increasingly exploiting insiders as a deliberate entry point to bypass perimeter defenses entirely,” said Mimecast CISO Leslie Nielsen. “The data shows both careless mistakes and deliberate actions driving incidents in equal measure. Rather than trying to manage human behavior, organizations need adaptive controls that identify high-risk actions and adjust protections in real-time, creating friction when someone accesses data they shouldn't, regardless of whether they have valid credentials. As AI makes it easier for insiders to exfiltrate data at scale, security must meet users at the point of risk.”
Among survey respondents, 66% expected insider-related data loss to increase over the next 12 months, and 69% of security leaders said artificial intelligence (AI) attacks were inevitable within 12 months.