Safetica Blogs

Insider Risk Is Becoming Everyday Work Risk

Written by Sample HubSpot User | Jul 1, 2026 5:13:56 PM

What the latest data suggests security leaders should watch.

Most security leaders don’t need another reminder that insider incidents happen. What’s easier to miss is how quietly the risk surface is shifting: less “someone did something obviously malicious,” and more “routine work patterns moving data through channels your policies didn’t anticipate.”

The scale of that human layer is well established. Verizon’s 2025 Data Breach Investigations Report puts the human element in roughly 60% of breaches, a figure that has held steady for years. The more useful question is where that everyday exposure is now concentrated.

Safetica’s Data Protection Trends report analyzes aggregated, anonymized signals across Safetica-protected environments in H2 2025, and four patterns stand out.

1. Risk lives in the tools people use every day

More than 60% of blocked activity and policy violations (roughly three in five) occurred in ordinary channels: web apps, email, and instant messaging, driven by normal work behavior rather than malicious intent. That reframes insider risk from “rare incident” to “routine path.” If the majority of risky movement happens where collaboration happens, prevention isn’t only about the perimeter or the endpoint; it’s about consistent, context-aware controls across the surfaces where work actually gets done.

A useful leadership question: are our policies role-aware and context-aware enough to tell legitimate collaboration apart from risky movement, without blanket disruption?

2. Data loss has moved beyond documents

If you still picture data loss as “files leaving the org,” the AI trend is a wake-up call. ChatGPT-related blocks surged 86% from Q3 to Q4, and free-form text and screenshots, not classic office documents, climbed the list of most-blocked content types. Data-in-use, the pasted text and images that never take the shape of a protected file, is becoming the center of gravity.

Teaser finding: in Q4, ChatGPT alone accounted for about one in five blocked AI interactions (20.1%) in our data, a sign that AI risk is consolidating around a few dominant, general-purpose tools rather than sprawling across many.

Independent research points the same way. LayerX’s 2025 Enterprise AI report found that roughly 45% of employees use generative AI at work and about 77% of those users have pasted company data into chatbots, most through personal, unmanaged accounts that never touch corporate controls. Earlier Cyberhaven analysis found around 11% of content pasted into ChatGPT was confidential.

The implication for CISOs: AI governance can’t live only in a policy PDF. It has to account for how free-form inputs and outputs actually behave.

3. Users adapt faster than static controls

Many teams know the “policy whack-a-mole” feeling: lock one path, watch activity move elsewhere. The data quantifies it. Use of encrypted-messaging apps climbed past 64% in Q4 as a share of risky-app activity. When a channel is blocked, users often don’t stop; they switch, shifting their exposure from email and networks to the web, cloud, and messaging.

That’s why measurement has to be cross-channel (email, web, chat, cloud, and USB) rather than siloed. And the goal isn’t to block everything; it’s to reduce risky movement without pushing people into workaround behavior.

That balance is the practical meaning of Protect More. Disrupt Less.

4. Most insider risk is behavioral, not exceptional

Email remains a primary early-warning surface: it triggered 72% of threat-level warnings in H2 2025. But the takeaway isn’t “focus only on email.” It’s that most of this risk is the accumulation of small, repeated data-handling decisions made quietly across the workforce, not a handful of dramatic, malicious acts.

Teaser finding: external USB accounted for 36.1% of unusual-activity triggers in Q4 (+7.7% quarter over quarter), a reminder that a channel many teams consider “solved” is still a meaningful behavioral signal, often a workflow escape hatch when collaboration feels slow.

The external picture backs this up. Cyberhaven research attributes about 15.6% of insider exfiltration to removable media, and Proofpoint notes USB drives remain a leading exfiltration path in parts of Europe. The 2025 Ponemon/DTEX Cost of Insider Risks report frames the intent question plainly: negligent employees are behind roughly 53% of insider incidents.

Repetitive USB or copy behavior can signal intent, but far more often it signals friction. Both are worth investigating; neither fits a simple “malicious insider” profile.

A short checklist for security leaders

If you want to turn the above into a concrete internal conversation, here are five questions worth asking this quarter:

  1. Where is sensitive-data pressure rising for us: email, web apps, IM, cloud, or USB?
  2. Are our policies role-aware and context-aware enough to separate legitimate collaboration from risky movement?
  3. Do we have coverage for “data-in-use” behaviors, such as pasted text, screenshots, and free-form AI inputs?
  4. Are we watching for channel switching? If we block email, do we catch the same pattern moving to chat?
  5. What’s our posture on AI tools and encrypted channels? Are they governed as data-handling workflows, or treated as just another website category?

Read the full report

The full Safetica Data Protection Trends report includes the complete data tables, quarter-over-quarter breakdowns, and visuals behind these patterns.