South African organisations are facing a growing insider cyber risk problem, and the latest warning is clear: the threat is no longer just outside the firewall, it is often sitting at the desk next to you. According to Mimecast’s State of Human Risk research for 2026, local companies have seen a 46% increase in insider cyber risk compared with 2025, slightly above the global average of 44%. Even more concerning, 63% of South African companies believe insider-driven data loss will keep rising, despite spending more on security tools and controls.
That disconnect between investment and outcome is now forcing security teams to rethink their priorities. For years, many businesses treated insider risk as a fringe issue — something to deal with after a breach, a resignations wave or a messy disciplinary case. But in South Africa, where economic pressure, unemployment and workplace restructuring remain part of the daily business landscape, the threat has shifted into the mainstream.
The reality is that insider incidents are not always the result of a sophisticated criminal plot. In many cases, they begin with a staff member who feels squeezed financially, undervalued professionally or exposed by a looming retrenchment. That can create a dangerous mindset: if data has value, why not take it first? It is a warped form of self-protection, but one that security leaders are seeing more often.
What makes the problem harder to manage is that many employees do not always see their actions as harmful in the moment. Some justify taking information by telling themselves it is harmless, or that they are merely copying what they helped build. Others believe the consequences will be minor, especially when companies quietly handle insider abuse through mutual separation agreements or non-disclosure agreements rather than visible legal or disciplinary action.
That approach can backfire. If workers see serious misconduct being wrapped up behind closed doors, the message is that there are no real consequences. Internally, that can weaken trust in corporate controls. Externally, it can embolden others who believe they can leave with data and settle the matter later.
South Africa’s insider cyber risk is being fuelled by a younger workforce
A major part of the current insider cyber risk story is generational. Mimecast’s research suggests that Gen Z and younger millennials are more likely to be approached by outsiders seeking confidential information, and are also more open to sharing it when the opportunity arises. Cash remains the biggest motivator for close to half of those willing to take part.
That matters in South Africa because the country’s biggest employers — especially banks, telecoms operators, financial services groups and business services firms — rely heavily on younger staff. These employees are digitally fluent, highly mobile and shaped by online culture in ways that older corporate security models were never designed to handle.
Gen Z and younger millennials have grown up in an environment where visibility is often rewarded. Social media has normalised over-sharing, and many have watched influencers and creators turn personal content into income. In the workplace, that mindset can blur the line between what belongs to the employee and what belongs to the employer.
Customer lists, contacts, pricing files, strategy papers and even AI models are increasingly being treated by some workers as personal assets rather than company property. For staff who move jobs often, the temptation to take data along can be strong. In a high-churn labour market, every exit becomes a potential leak.
As we’ve reported before, this is where South African firms need to pay closer attention to the human side of security. Technical controls matter, but people still remain the easiest path in. The challenge is not just stopping theft at the endpoint; it is also understanding why a worker might be tempted to move information, and what the business can do to reduce that pressure.
A fast-emerging concern is that AI models are now becoming a target in their own right. Unlike a single spreadsheet, a trained model represents years of investment, experimentation and intellectual capital. It is, in effect, the organisation’s competitive brain. If an insider takes it to a competitor, the loss is not just data — it is capability, experience and market advantage.
That changes the way companies should think about protection. AI models and the training datasets behind them need to be treated as crown jewels, with tightly controlled access and strict export permissions. Monitoring should also be built into MLOps and DevOps pipelines so that suspicious movement can be spotted early. If businesses are developing machine learning systems, they cannot afford to protect only the output and ignore the assets that created it.
The rise of insider cyber risk also means companies must stop treating it as a narrow IT problem. It belongs on the board risk register and should be owned at executive level. Security teams need to combine behavioural indicators with HR data and organisational context, especially during periods of restructuring, acquisitions, leadership changes, disciplinary processes and employee exits.
Offboarding remains one of the most obvious weak points. In a high-attrition environment, access rights should shrink as employees move roles and be fully revoked when they leave. Too many organisations still have the basics wrong, leaving former staff with lingering credentials, broad permissions or access to systems they no longer need.
Leadership behaviour matters too. If restructures are handled badly, or if uncertainty is allowed to spread unchecked, the emotional temperature inside the business rises fast. Clear communication, respectful process and visible consequences for serious abuse are essential. People will always react to fear and frustration, but companies should not make it easier for them to rationalise theft.
The stakes are rising because the modern insider threat is no longer limited to copying files onto a USB drive or emailing a customer database to a personal account. It is part of a broader ecosystem of economic anxiety, weak loyalty, digital fluency and new technology that can make stolen knowledge more valuable than ever before. In that environment, South African companies need to move beyond old assumptions. The human risk is now the front line, and ignoring it will only make the next breach more expensive.