Most security leaders don’t need another reminder that insider incidents happen. What’s easier to miss is how quietly the risk surface is changing: less “someone did something obviously malicious,” and more “normal work patterns moving sensitive data through new channels.”
Safetica’s latest Data Protection Trends report looks at aggregated, anonymized observations across Safetica-protected environments. The data points to a shift that many teams feel anecdotally but rarely get to quantify: data exposure is increasingly embedded in routine workflows, including productivity suites, web apps, messaging, AI tools, screenshots, and removable media.
1) The battleground is shifting into trusted productivity ecosystems
One of the clearest trend signals is where blocked activity is growing. In H2 2025, the biggest quarter-over-quarter growth in blocked activity came from Microsoft sites (+6.1%) and Google sites (+4.4%).
This matters because it changes the problem statement:
- If risk pressure is rising in “trusted” ecosystems, a strategy built primarily on blocking external apps is incomplete.
- The question becomes: How is sensitive data moving through “approved” tools in ways your policies don’t anticipate?
For CISOs, that often translates into a governance and control challenge, not a tooling challenge:
- Are policies role-aware and context-aware enough to distinguish legitimate collaboration from risky movement?
- Can you apply consistent rules across where work actually happens (browser, web apps, cloud storage, email, chat)?
2) AI is no longer a niche channel; it’s consolidating into mainstream workflows
AI tool usage is often discussed as a sprawl problem (“too many apps”). The report suggests a different dynamic: consolidation around dominant general-purpose platforms.
In Q4 2025, ChatGPT represented 20.1% of blocked AI tool activity (+9.3% QoQ) and Read.ai reached 15.4% (+10.6% QoQ).
Two practical implications:
- AI governance can’t live only in policy documents.
  When usage concentrates in a few tools, enforcement and education can become more targeted—but only if you know which workflows and data types are actually entering those tools.
- “Data-in-use” becomes the center of gravity.
  AI interactions are often free-form text and pasted content. That’s different from traditional DLP assumptions that start with a file object and metadata.
A useful leadership question to ask internally:
- Do we treat AI tools as “another website category,” or as a data handling workflow with specific input/output behaviors to govern?
3) Data loss is moving beyond documents toward text and screenshots
If you still think of DLP primarily as “documents leaving the org,” the file extension trends are a wake-up call.
In Q4 2025, .txt became the #1 blocked file extension (17.5%, +5.1% QoQ) and .png (screenshots) rose to #2 (15.7%, +4.0% QoQ).
That shift is important because it often reflects behavior like:
- copying sensitive data into plain text for quick transfer
- using screenshots to bypass restrictions on copy/paste or downloads
- “repackaging” information so controls don’t recognize it as a protected document type
This isn’t about banning screenshots. It’s about recognizing a pattern:
- controls designed around traditional office documents can lag behind how people actually move information today.
A practical response is to review whether you have visibility into:
- copy/paste patterns
- screenshot capture behavior in high-risk roles
- repeated attempts across multiple channels (web → email → chat → USB)
4) USB is back as a behavioral signal, not a legacy nuisance
Many orgs treat USB as solved (block it broadly, allow by exception, move on). The report suggests it’s still a meaningful behavior signal.
External USB accounted for 36.1% of unusual activity triggers in Q4 (+7.7% QoQ).
Separately, external USB also rose as a policy violation channel (the Q4 policy violations section highlights external USB increasing quarter-over-quarter).
What to take from this:
- USB isn’t just an old-school exfil path—it’s often a workflow escape hatch when collaboration feels slow or blocked.
- Repetitive USB activity can indicate intent, but it can also indicate friction. Both are worth investigating.
If you allow USB in parts of the org, it may be worth treating it as a privileged channel with:
- Tighter role-based permissions
- Stronger monitoring for unusual volume/frequency
- Explicit rules for sensitive categories, not blanket policies
5) Violations cluster in the tools people use every day
The report’s policy violation breakdown underscores the “everyday work” thesis:
Top policy violation channels in Q4 were:
- Web apps (20.6%)
- Email (20.5%)
- Instant messaging (19.8%)
This is useful because it reframes insider risk from “rare incidents” to “routine paths.” If the majority of violations are web/email/chat, then prevention isn’t just about perimeter or endpoint locks; it’s about consistent controls across collaboration surfaces.
6) When controls tighten, users adapt — channel switching is measurable
Many security teams experience “policy whack-a-mole”: lock down one path, see activity move elsewhere. The report quantifies this in dynamic triggers:
IM triggers rose +8.5% QoQ in Q4, while email dropped -10.7% QoQ, suggesting pressure migrating into real-time messaging channels.
This is one of the most operationally important insights in the report, because it implies:
- Measurement should be cross-channel (email + web + chat + cloud + USB), not siloed.
- The objective isn’t “block everything.” It’s “reduce risky movement without forcing users into workaround behavior.”
That’s the heart of “Protect More. Disrupt Less.” in practice.
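The cross-channel measurement described above, as an added example that is not from the Safetica report or product: it groups constructed DLP events by user and content fingerprint and flags content retried on a different channel shortly after a block. The event fields, the `fingerprint` value and the 30-minute window are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, user, channel, content fingerprint, action).
# "fingerprint" is a hypothetical field standing in for a DLP content hash or label.
EVENTS = [
    ("2025-11-03T09:00:00", "alice", "email", "fp-a1", "blocked"),
    ("2025-11-03T09:04:00", "alice", "im", "fp-a1", "allowed"),
    ("2025-11-03T09:10:00", "bob", "web", "fp-b7", "blocked"),
    ("2025-11-03T09:12:00", "bob", "web", "fp-b7", "blocked"),
    ("2025-11-03T10:00:00", "carol", "email", "fp-c3", "blocked"),
    ("2025-11-03T10:05:00", "carol", "im", "fp-c3", "blocked"),
    ("2025-11-03T10:20:00", "carol", "usb", "fp-c3", "allowed"),
    ("2025-11-03T11:00:00", "dave", "email", "fp-d9", "blocked"),
    ("2025-11-04T15:00:00", "dave", "usb", "fp-d9", "allowed"),
]

def find_channel_switches(events, window=timedelta(minutes=30)):
    """Flag content that a user retries on a different channel soon after a block."""
    by_key = defaultdict(list)
    for ts, user, channel, fp, action in events:
        by_key[(user, fp)].append((datetime.fromisoformat(ts), channel, action))
    findings = []
    for (user, fp), rows in sorted(by_key.items()):
        rows.sort()
        chains, current = [], []
        for row in rows:
            # A chain continues only while the previous attempt was blocked
            # and the next attempt follows within the window.
            if current and (current[-1][2] != "blocked" or row[0] - current[-1][0] > window):
                chains.append(current)
                current = []
            current.append(row)
        chains.append(current)
        for chain in chains:
            path = list(dict.fromkeys(channel for _, channel, _ in chain))
            if len(path) > 1:  # same content attempted on more than one channel
                findings.append({"user": user, "fingerprint": fp, "path": path,
                                 "escaped": chain[-1][2] == "allowed"})
    return findings

def transition_counts(findings):
    """Count channel-to-channel moves: the cross-channel view of where pressure migrates."""
    return Counter(pair for f in findings for pair in zip(f["path"], f["path"][1:]))

if __name__ == "__main__":
    results = find_channel_switches(EVENTS)
    for finding in results:
        print(finding)
    print(transition_counts(results))
```

Repeated blocks on a single channel (bob) and a retry a day later (dave) are not flagged; only same-content moves across channels inside the window are, which is the pattern a per-channel dashboard would miss.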
7) Threat warnings still start in email but the ecosystem around it is changing
Even with all the channel shifts, email remains a major early warning surface:
- Email represented 72.2% of threat-level warning path types in Q4.
The takeaway isn’t “focus only on email.” It’s:
- Email remains a primary signal source,
- While the broader risk surface is expanding into web apps, IM, AI tools, and encrypted messaging.
That combination, stable signal in one channel, rising pressure in others, is exactly why many teams struggle with visibility and prioritization.
A practical checklist for CISOs and security practitioners
If you want to turn the above into a concrete internal conversation, here are five questions worth asking this quarter:
- Where is sensitive data pressure rising in our environment?
  (Email? Web apps? IM? Cloud drive? USB?)
- Are our policies role-aware and context-aware?
  Can we distinguish legitimate collaboration from risky movement without blanket disruption?
- Do we have coverage for “data-in-use” behaviors?
  Pasted text, screenshots, free-form AI inputs, repetitive attempts across channels.
- Are we monitoring for channel switching?
  If blocking email causes a move to chat, do we catch the same risk pattern?
- What’s our posture on encrypted channels and remote access tools?
  The report highlights encrypted messaging as the dominant risky app category in Q4 (64.4%, +15% QoQ).
Read the full Data Protection Trends Report
If you’d like the full data tables, breakdowns, and visuals, you can download the complete Safetica Data Protection Trends (Q3–Q4 2025) report here: https://safetica.com/resources/safetica-data-protection-trends
And if you’re joining our live walkthrough on June 24, we’ll detail the findings of the report.
Register here: https://attendee.gotowebinar.com/register/3938053082523625310