Employees Become SA’s Biggest Cyber Threat

No photo availableByStaff Writer
5 min read
According to Mimecast’s State of Human Risk research, 63 per cent of South African companies expect insider‑driven data losses to increase

South Africa experienced a 46 per cent increase in insider cyber risk in 2026, surpassing the global average of 44 per cent. What’s more, 63 per cent of South African companies surveyed expect insider‑driven data losses to increase as growing numbers of disgruntled employees are resorting to stealing valuable corporate data, while some are even being recruited on the dark web.

“Your employees are being headhunted, not for jobs, but for your data,” warns Heino Gevers, senior director of technical support at Mimecast South Africa. “Over the past two to three years, insider threats in South Africa have moved from being a side‑issue in security strategies to a central concern, and local leaders expect it to worsen, not stabilise.”

According to Mimecast’s State of Human Risk research, 63% of South African companies expect insider‑driven data losses to increase, despite investing in more tools and controls, prompting industry leaders to question their focus.

“Underlying pressures that drive corporate espionage and data theft are intensifying in South Africa. Economic stress, high unemployment and repeated waves of restructuring are pushing more employees into a defensive, ‘look after myself first’ mindset, where taking data feels like insurance rather than a crime,” Gevers explains.

Gevers points out that the core psychological driver is not always sophisticated cybercrime, but rather survival.

“People often don’t fully grasp the gravity of what they are doing, showing a maladaptive response, where their reaction is disproportionate to the situation, but feels justified in the moment. The problem is further fuelled by big companies frequently paying their problems away with mutual separation agreements and NDAs rather than taking insiders through visible disciplinary or legal processes,” he says.

Younger generations see data as career capital  

The report has also uncovered that Gen Z and Millennial employees are approached more often and are more willing to share confidential information, with nearly half citing cash as their primary motivator.

“Many of the country’s largest employers including banks, telcos, financial services and big business services, are staffed heavily by younger workers. This matters because their digital habits and expectations are very different,” Gevers notes. “Gen Z and younger Millennials have grown up normalising over‑sharing online. Their role models are YouTubers and influencers and their income and visibility are often tied to how much they put out into the world. That mindset carries into the workplace, where data feels like currency, and the boundary between ‘my work’ and ‘the company’s IP’ is blurry.”

According to Gevers, customer lists, contact books, pricing sheets, strategies, even AI models and training data are often seen as part of younger workers’ personal toolkits. In addition, their high‑churn rate means more exits, which in turn means more opportunities for data to walk out the door.

 

AI quickly becoming the new currency of espionage 

A trend evolving as quickly as the technology itself is that AI models are now a core espionage target.

“Stealing a well‑trained model is not like copying a single spreadsheet. It compresses years of data collection, domain expertise and experimentation into one artefact. Move that model to a competitor and you don’t just leak information, you export the organisation’s competitive brain. In a market where skills are scarce and people are anxious about their careers, it is easy for insiders to rationalise taking ‘their’  models with them – even though they legally and ethically belong to the company,” he explains.

Action plan for the next 12 to 24 months 

While business leaders and CISOs cannot eliminate insider risk, Gevers says they can manage it far better than most are currently doing.

In the first instance, Gevers says leaders must treat insider risk as a business risk, not an IT glitch.

“Put it on the risk register, assign executive ownership, and have regular reporting that blends behavioural signals with HR and organisational context. Focus especially on inflection points including restructures, acquisitions, leadership changes, performance processes and exits,” he says.

Second, leaders should fix the joiner–mover–leaver lifecycle. In a high‑attrition environment, offboarding is where an outsized portion of risk sits and Gevers says access must shrink as roles change, and must be properly revoked on exit.

Third, leaders should look to rebuild the social contract. This means communicating layoffs and major changes clearly and respectfully and being willing to pursue visible consequences for serious insider abuse.

“People will always act out of fear and frustration. As leaders, it’s our job to lower the emotional temperature, while disabusing any impression that there are no real repercussions,” he adds.

Finally, Gevers advises leaders to classify and protect AI models and key datasets as crown jewels. There must also be a clear limit to who can access and export them by building monitoring into MLOps and DevOps pipelines so exfiltration attempts are visible early.

“Insider-as-a-Service in South Africa is not an abstract concept, it is the logical outcome of economic anxiety, high churn, fading loyalty, and powerful new tools sitting in the hands of people who feel they have little to lose. Organisations have to respond on the human as well as the technical front,” he says.

 

Leave a Reply

Your email address will not be published.

Do you have a story that you think would interest our readers? Write to us editorial@cioafrica.co