Why insider risk is rising and how behavior-aware security helps organizations get ahead of the challenge
By David Lorti, Product Marketing Director, Fortinet
Insider risk has become one of the most pressing cybersecurity challenges. Unlike external bad actors using compromised credentials, insider risks are often woven into daily workflows, frequently resulting from employee negligence, such as sending a sensitive data file through email, uploading information to personal cloud storage, or using unsanctioned SaaS or GenAI tools.
To better understand how organizations are adapting, Fortinet partnered with Cybersecurity Insiders to conduct a global survey of IT and security professionals. The resulting 2025 Insider Risk Report reveals that while insider-driven data loss is now a common occurrence, many organizations haven’t yet fully evolved their programs to address this issue.
Incidents Are Frequent and Costly
The survey found that 77% of organizations experienced insider-related data loss over the last 18 months, with 21% reporting more than 20 incidents during that period. For many, insider incidents are not isolated events but recurring challenges that drain resources and erode trust.
The financial impact is significant. Forty-one percent of respondents reported that their most serious insider incident cost between $1 million and $10 million, while another 9% reported losses even higher. These costs include immediate remediation and downtime as well as regulatory penalties and reputational damage.
Perhaps most revealing, the majority of incidents (62%) stemmed from human error or compromised accounts rather than intentional misconduct. In fact, the data shows that the greatest risk often comes from ordinary employees making small but consequential mistakes.
Traditional DLP Is No Longer Enough
While insider risk programs are becoming a budget priority, their maturity is lagging behind the rate of risk. For example, nearly three-quarters (72%) of security leaders admit they lack full visibility into how users interact with sensitive data across endpoints, SaaS applications, and GenAI tools.
Tools with traditional DLP solutions are often at the core of this challenge. Once the cornerstone of data protection, traditional DLP tools are losing effectiveness in today’s new hybrid environments. In fact, fewer than half of respondents reported that their DLP tools meet current needs, with many citing limited behavioral context due to the lack of visibility into user interactions with sensitive data as the primary gap.
This lack of context leads to a false sense of security: Alerts fire off, dashboards fill with activity, but without visibility into user behavior, teams are left guessing which actions are risky and which are routine.
Understanding What’s Being Exposed
The report also reveals the types of sensitive data most often at risk. Customer records (53%) and personally identifiable information (47%) top the list, followed by business-sensitive plans (40%), user credentials (36%), and intellectual property (29%).
For those industries that especially depend on innovation, such as manufacturing, technology, and biotech, the exposure of intellectual property can have lasting consequences. Even a single incident, such as an employee copying proprietary designs into a public GenAI prompt, can erode years of competitive advantage.
The critical takeaway is that most insider incidents are not malicious breaches but rather small oversights that add up. Everyday behavior, such as sharing documents, experimentation with GenAI tools, or uploading to personal cloud storage, creates opportunities for data loss that legacy controls simply can’t interpret in context.
How Organizations Are Responding
The good news is that organizations are responding. Seventy-two percent of those surveyed reported that their budgets for insider risk programs are increasing. More importantly, they’re investing in capabilities that combine visibility, analytics, and automation to identify risk before data leaves the environment.
The report outlines five practices common to more mature programs:
- Establish visibility early. Ensure that monitoring across users, devices, SaaS, and GenAI begins at deployment, not months later.
- Analyze behavior, not just movement. Go beyond file transfers to detect unusual access patterns or misuse of sensitive data.
- Extend protection to everyday tools. Email, collaboration apps, and personal cloud accounts remain the most common points of egress.
- Align security and governance teams. Shared workflows between security, IT, HR, and legal teams enhance detection and response capabilities.
- Adopt adaptive controls. Replace static enforcement with automated, context-aware policies that respond to behavior in real time.
Organizations that follow these steps report stronger detection, fewer false positives, and improved collaboration across departments.
The Shift to Behavior-Aware Security
The report also shows a clear movement toward behavior-aware, AI-ready platforms that integrate insider risk management with data protection. Two-thirds (66%) of respondents cited real-time behavioral analytics as a top priority for their next-generation solutions.
This shift reflects a broader mindset change: Insider risk is not just a compliance issue but a dynamic security problem that demands context. By understanding why data is being accessed, not just what is being moved, organizations can take targeted action to prevent harm before it occurs.
Benchmark and Build Next Steps
The 2025 Insider Risk Report provides a valuable benchmark for understanding where your organization stands when it comes to managing insider risk. It also highlights practical ways to strengthen insider risk management programs without disrupting productivity.
From addressing visibility gaps to reevaluating DLP strategies, the report provides a roadmap for striking a balance between user freedom and effective data protection.
Download the full report to explore key insights, industry trends, and real-world recommendations from security leaders worldwide.