
    The state of human risk in 2026: what's your data worth?

    Spoiler alert: your employees have already done the math

    by Beth Miller

    Key Points

    • Just 8% of employees are responsible for 80% of security incidents, and a single insider-driven event can cost an estimated $13.1 million, making even isolated cases a serious financial threat.
    • Gen Z and Millennial employees are approached more often and are more willing to share confidential information, with nearly half citing cash as their primary motivator, a trend amplified by economic anxiety and the rise of an "insider-as-a-service" economy.
    • Over half of employees say they'd share or take company data to protect their careers, and triggers like layoffs, bad leadership, or financial hardship sharply increase that likelihood, meaning security strategies need to account for psychology, not just technology.

    Insider risk isn’t some vague threat off in the distance. It’s a very real and measurable force shaping the security landscape for organizations today. And data from Mimecast found that it doesn’t even take a lot of people for insider risk to have catastrophic results. In fact, only 8% of employees account for 80% of security incidents at a company.

    The high concentration of risk among such a small cohort of people points to a severe imbalance. Whether these incidents are unintentional or not, organizations are facing costly data leaks and breaches. The State of Human Risk 2026 report, just released from Mimecast, found that malicious insiders have grown as a concern by nearly 10% for IT leaders over the past two years. But what do we mean by 'malicious'? 

    It helps to think about this in two distinct categories. The first is nation state actors, sophisticated, hard to detect, and difficult to neutralize before they become a serious threat. The second is disgruntled employees, more detectable and more manageable, if caught in time. Disgruntlement itself has three defining components: a person must feel anger, victimization, and blame, essentially the belief that you did this to me. That grievance can be directed at an organization or a specific individual. The critical tipping point is what we call a maladaptive response, a reaction that is disproportionate to a perceived slight, whether through over-correction or withdrawal, from either the individual or the organization around them.

    What motivates employees to share information they are not supposed to? Mimecast surveyed 1,000 U.S. adults in February of 2026 to dive deeper into answering that question. Our data showed some interesting generational differences, specifically in whom they’d be willing to share information with and what data they feel they truly own.

    Insider risk poses a hefty price tag

    Results from our consumer survey show 15% of employees have intentionally shared confidential information outside of their organization. At first glance, that may not seem like a huge number. 

    But consider the financial stakes. The State of Human Risk 2026 report uncovered that a single insider-driven incident has an estimated cost of $13.1M. Even one person, let alone 15% of employees, carries the potential for a multi-million-dollar disaster. That's not a rounding error. That's an existential risk for many organizations.

    Who is asking employees for company data? 

    Roughly one in five survey respondents (21%) admitted they’ve been approached by an external individual or group asking them to share non-public company information. Of this respondent group, here’s a breakdown of who they received these asks from:

    • Competitor – 9%
    • Former co-worker – 8%
    • Current co-worker – 8%
    • Third-party vendor or partner – 8%
    • Recruiter – 7%
    • Anonymous individual – 6%
    • Someone claiming to represent a government – 5%
    • Journalist – 4%
    • Business development representative – 3% 

    What's striking here is the diversity of sources. Threats aren't just coming from shadowy external actors, they come from recruiters, colleagues, and partners who are already part of an organization's trusted network. As data continues to expand and evolve, organizations need to move beyond perimeter defenses and lean into continuous behavioral monitoring.  

    Higher insider risk lies with younger age groups 

    Millennial and Gen Z respondents were more likely than older respondents both to have been approached to share company data and to have willingly shared the information requested.

    | | Gen Z | Millennials | Gen X | Baby Boomers |
    |---|---|---|---|---|
    | Approached by an external individual or group to share non-public company information | 39% | 27% | 16% | 4% |
    | Knowingly shared company information with someone outside the organization at that person’s request | 25% | 22% | 10% | 2% |

    This isn't just a behavioral trend—it reflects a growing economic reality. Gen Z employees, specifically, have become ideal targets in the growing insider-as-a-service economy, where bad actors essentially “rent” an employee who then may monetize access or execute “scorched earth” departures. Think of it as cybercrime-as-a-gig-economy: lower barrier to entry, higher potential payoff for attackers.

    With the threat of increasing layoffs and ongoing economic instability, younger employees may often be more motivated to find a survival strategy. How organizations approach their security frameworks must take this into account.

    Getting [data] rich: the company information employees find most valuable to take with them

    In our consumer survey, we asked respondents: If you were leaving your job (voluntarily or not) how valuable do you think the following types of data would be? 

    | Data type | Very valuable | Somewhat valuable |
    |---|---|---|
    | Customer/vendor contacts | 38% | 33% |
    | Product plans or roadmaps | 29% | 37% |
    | Company plans or strategies | 33% | 32% |
    | Templated items that can be reused at a new job | 31% | 37% |
    | AI models/training data | 26% | 33% |
    | Vendor or third-party agreements | 25% | 33% |
    | Samples of personal work | 33% | 36% |
    | Internal communications (e.g., Slack or emails) | 26% | 37% |
    | Information that could hurt employer | 31% | 32% |

    The top categories reveal a telling pattern: employees are most drawn to data that gives them a personal competitive advantage, or that could be used as leverage. The fact that "information that could hurt employer" ranks among the top five should be a wake-up call for organizations with disengaged or at-risk employees. 

    Understanding the psychology behind insider risk

    The most important question organizations should be asking isn't "how do we lock down our data?" It's "what motivates employees to share or take it in the first place?" 

    Every generation, every individual, can have a different idea of what is or isn’t appropriate. Consider that entire generations have grown up on social media platforms that actively reward sharing personal information with likes, followers, and validation. Much like seatbelts were once seen as unnecessary, even intrusive, before becoming second nature, we are only now beginning to build a culture around safer digital habits. If people had understood earlier the risks of broadcasting their lives online, would they have made different choices about their digital footprint? That question matters beyond the personal, because the habits employees form in their public lives don't stay there. 

    The same instinct to share freely online can carry directly into the workplace, blurring the lines around what feels safe to pass along. And in a cruel irony, the very public persona someone has built up over years on the internet may be exactly what made them a target in the first place. 

    What incentivizes people to share company information?

    When it comes to incentives, there are very clear offers and rewards that motivate employees to share or take data outside of their company.

    • 39% say a cash payout is what incentivizes them most
    • 28% say they’d do it to help out a past colleague
    • 25% would share information if it could lead to a new job opportunity or referral

    Generationally, the contrast is sharp: 

    | Incentive | Baby Boomers | Gen X | Millennials | Gen Z |
    |---|---|---|---|---|
    | Cash | 23% | 37% | 48% | 48% |
    | Helping a past colleague | 46% | 29% | 19% | 19% |
    | Job opportunities or referrals | 21% | 25% | 28% | 27% |

    Younger employees are primarily motivated by financial gain, while Baby Boomers are more likely to act out of loyalty to former colleagues.  But here's something intelligence professionals have long understood: it's never really about the money. It's about what the money represents. For some that means freedom, for others security, stability, or recognition. Understanding what a person truly craves is far more revealing than surface-level motivation.

    This is why a single security awareness message will never resonate across all age groups. Organizations need tailored strategies that speak to deeper human needs, not just generational stereotypes. That starts with culture: attracting people who share your values, communicating those values consistently, and being clear about the consequences of acting outside them. Most people are mostly good, but stress and uncertainty change behavior in predictable ways. The problem is that most people are never taught how to navigate uncertainty. Like any skill, it can be learned, but you cannot build that muscle memory overnight. 

    The scenarios driving employees to share or take information 

    Self-protection and preservation appear to be the name of the game for what motivates employees to share or take company information. But let's name it more plainly: this is survival behavior. When people feel their livelihood, reputation, or future is under threat, they operate less like loyal team members and more like civilians caught in a conflict zone, where trust erodes and every person is ultimately looking out for themselves. The data reflects exactly that:

    • 54% are either somewhat or very likely to share or take company information to protect themselves and their careers
    • 45% say if they don’t like company leadership or direction, they’d be likely to do this
    • 41% would be likely to take or share information if they thought a layoff was coming/their job was in jeopardy, or they were experiencing financial hardship
    • 40% are somewhat or very likely to do it if they didn’t like their boss
    • 38% say if their company was acquired or if they were already planning to leave, they’d be likely to share or take information

    The thread running through all of these scenarios is emotion: fear, frustration, and financial anxiety. Companies that aren’t considering the psychology and emotion behind why employees engage in this behavior are missing a crucial element that should be driving security strategies. 

    Insider risk demands a new security playbook 

    The data makes one thing unmistakably clear: insider risk exposure isn't evenly distributed, and neither are the motivations behind it. A one-size-fits-all security approach will miss the mark, and the mark worth aiming for isn't elimination. Like operational, financial, or reputational risk, insider risk cannot be fully eliminated. It can, however, be managed, and managed well, as part of a sound business strategy.

    Organizations need to move toward adaptive, people-centered strategies, ones that combine behavioral insight, targeted training, and real-time monitoring to surface risk early. That means understanding who in your organization is most vulnerable, what would motivate them to act, and when the risk is highest. Layoffs, acquisitions, and leadership changes are all inflection points worth watching closely. 

    The risk doesn't stop when an employee logs off or walks out the door. Every service account left running, every API key never rotated, every AI agent deployed with excessive permissions is a manifestation of human risk that outlasts the human who created it. Organizations that are serious about insider risk need to account not just for what their people do, but for what their people leave behind.

    Addressing insider risk is not just smart business strategy, it is the right thing to do for the humans who place their trust in your organization every day. The organizations that treat it that way, investing in culture, communication, and continuous monitoring in equal measure, will be far better positioned to reduce impact before damage is done.

    Ready to continue the conversation? Download The State of Human Risk 2026 report for the complete data set and actionable recommendations for your security strategy.
