2025 Insider Risk Report: The hidden cost of everyday actions - Intelligent CISO
Mark Bowen | 21 October, 2025
Insider risk is emerging as one of the most costly and complex cybersecurity challenges, driven largely by human error and the growing use of unsanctioned digital tools. David Lorti, Product Marketing Director, Fortinet, outlines how organisations can move beyond traditional DLP solutions towards behaviour-aware, AI-driven strategies that enhance visibility, reduce data loss and strengthen overall resilience.
Insider risk has become one of the most pressing cybersecurity challenges. Unlike external bad actors using compromised credentials, insider risks are often woven into daily workflows, frequently resulting from employee negligence such as sending a sensitive data file via email, uploading information to personal cloud storage or using unsanctioned SaaS or Generative AI tools.
To better understand how organisations are adapting, Fortinet partnered with Cybersecurity Insiders to conduct a global survey of IT and security professionals. The resulting 2025 Insider Risk Report revealed that while insider-driven data loss is now a common occurrence, many organisations have yet to evolve their programmes to address the issue.
Incidents are frequent and costly
The survey found that 77% of organisations experienced insider-related data loss over the last 18 months, with 21% reporting more than 20 incidents during that period. For many, insider incidents are not isolated events but recurring challenges that drain resources and erode trust.
The financial impact is significant. Forty-one percent of respondents reported that their most serious insider incident cost between US$1 million and US$10 million, while another 9% reported losses even higher. These costs include immediate remediation and downtime as well as regulatory penalties and reputational damage.
Perhaps most revealing, the majority of incidents (62%) stemmed from human error or compromised accounts rather than intentional misconduct. The data shows that the greatest risk often comes from ordinary employees making small but consequential mistakes.
Traditional DLP is no longer enough
While insider risk programmes are becoming a budget priority, their maturity is not keeping pace with the risk. Nearly three-quarters (72%) of security leaders admitted they lack full visibility into how users interact with sensitive data across endpoints, SaaS applications and Generative AI tools.
Traditional DLP tools are often at the core of this challenge. Once the cornerstone of data protection, they are losing effectiveness in today’s hybrid environments. Fewer than half of respondents reported that their DLP tools meet current needs. The primary gap they cited was limited behavioural context, caused by a lack of visibility into user interactions with sensitive data.
This lack of context leads to a false sense of security: alerts fire off, dashboards fill with activity, but without visibility into user behaviour, teams are left guessing which actions are risky and which are routine.
Understanding what’s being exposed
The report also revealed the types of sensitive data most often at risk. Customer records (53%) and personally identifiable information (47%) topped the list, followed by business-sensitive plans (40%), user credentials (36%) and intellectual property (29%).
For industries that depend heavily on innovation, such as manufacturing, technology and biotech, exposure of intellectual property can have lasting consequences. Even a single incident, such as an employee copying proprietary designs into a public Generative AI prompt, can erode years of competitive advantage.
The critical takeaway is that most insider incidents are not malicious breaches but rather small oversights that accumulate. Everyday behaviour such as sharing documents, experimenting with Generative AI tools or uploading to personal cloud storage creates opportunities for data loss that legacy controls cannot interpret in context.
How organisations are responding
The good news is that organisations are responding. Seventy-two percent of those surveyed reported that their budgets for insider risk programmes are increasing. More importantly, they are investing in capabilities that combine visibility, analytics and automation to identify risk before data leaves the environment.
The report outlines five practices common to more mature programmes:
• Establish visibility early – ensure that monitoring across users, devices, SaaS and Generative AI begins at deployment, not months later.
• Analyse behaviour, not just movement – go beyond file transfers to detect unusual access patterns or misuse of sensitive data.
• Extend protection to everyday tools – email, collaboration apps and personal cloud accounts remain the most common points of egress.
• Align security and governance teams – shared workflows between security, IT, HR and legal teams enhance detection and response capabilities.
• Adopt adaptive controls – replace static enforcement with automated, context-aware policies that respond to behaviour in real time.
Organisations following these steps report stronger detection, fewer false positives and improved collaboration across departments.
The shift to behaviour-aware security
The report also shows a clear movement towards behaviour-aware, AI-ready platforms that integrate insider risk management with data protection. Two-thirds (66%) of respondents cited real-time behavioural analytics as a top priority for their next-generation solutions.
This shift reflects a broader mindset change: insider risk is not just a compliance issue but a dynamic security problem that demands context. By understanding why data is being accessed—not just what is being moved—organisations can take targeted action to prevent harm before it occurs.
Benchmark and build next steps
The 2025 Insider Risk Report provides a valuable benchmark for understanding where organisations stand when it comes to managing insider risk. It also highlights practical ways to strengthen insider risk management programmes without disrupting productivity.
From addressing visibility gaps to re-evaluating DLP strategies, the report provides a roadmap for striking a balance between user freedom and effective data protection.