Your employees are being headhunted — not for jobs, but for your data.
South Africa have experienced a 46% increase in insider cyber risk in 2026 compared to 2025, according to Mimecast’s State of Human Risk research, surpassing a global average of 44%. More telling still, 63% of South African companies expect insider-driven data losses to keep rising, despite mounting investment in tools and controls. That gap between spend and outcome is forcing security leaders to ask whether they are looking in the right place.
Over the past two to three years, insider threats in South Africa have moved from a side issue in security strategies to a central concern. Local leaders expect the problem to worsen, not stabilise.
The pressures driving corporate espionage and data theft are intensifying. Economic stress, persistent unemployment and repeated waves of restructuring are pushing more employees into a defensive, look-after-myself-first mindset, where taking data starts to feel like insurance rather than theft. The core driver is often not sophisticated cybercrime but survival.
People frequently don’t grasp the gravity of what they are doing. They show a disproportionate response that feels justified in the moment. The problem is reinforced by large companies that prefer to settle insider abuse quietly through mutual separation agreements and non-disclosure agreements, rather than visible disciplinary or legal processes. The signal that gets sent — internally and externally — is that there are no real consequences.
Data as career capital
The Mimecast research also points to a generational shift. Gen Z and millennial employees are approached more often by outside parties looking to obtain confidential information, and are more willing to share it when they are. Cash is the primary motivator cited by close to half of those willing to engage.
That matters because South Africa’s largest employers — banks, telecommunications operators, financial services groups and large business-services firms — are heavily staffed by younger workers. Their digital habits and expectations are different.
Read: Hype or not, Mythos is a wake-up call for South African CISOs
Gen Z and younger millennials have grown up normalising over-sharing online. Their role models are influencers and creators whose income and visibility are tied to how much they put out into the world. That mindset carries into the workplace, where data feels like currency, and the boundary between “my work” and “the company’s intellectual property” is blurry.
Customer lists, contact books, pricing sheets and strategy documents — and increasingly AI models and the data used to train them — are seen by some employees as part of a personal toolkit. Higher churn rates among younger workers mean more exits, which in turn mean more opportunities for data to walk out the door.
A fast-evolving trend is that AI models are themselves becoming a primary espionage target.
Stealing a well-trained model is not the same as copying a single spreadsheet. It compresses years of data collection, domain expertise and experimentation into a single artefact. Move that model to a competitor, and the leak isn’t just information — it’s the organisation’s competitive brain. In a market where skills are scarce and people are anxious about their careers, it is easy for insiders to rationalise taking “their” models with them, even though they legally and ethically belong to the company.
This shifts what needs to be protected, and how. AI models and the datasets that produced them should be classified and protected as crown jewels. Access and export rights need to be tightly limited, with monitoring built into the MLOps and DevOps pipelines — the systems used to develop, deploy and maintain machine learning models — so exfiltration attempts are visible early.
Business risk
Insider risk cannot be eliminated, but it can be managed far better than most organisations are managing it now. Four steps stand out for the next 12 to 24 months:
- First, treat insider risk as a business risk, not an IT problem. Put it on the risk register, assign executive ownership, and report on it with a blend of behavioural signals, HR data and organisational context. Pay particular attention to inflection points: restructures, acquisitions, leadership changes, performance processes and exits.
- Second, fix the joiner-mover-leaver lifecycle. In a high-attrition environment, offboarding is where an outsized share of risk sits. Access must shrink as roles change and be properly revoked on exit.
- Third, rebuild the social contract. Communicate restructures and major changes clearly and respectfully. Be willing to pursue visible consequences for serious insider abuse rather than settling everything quietly. People will always act out of fear and frustration; leadership’s job is to lower the emotional temperature without leaving the impression that there are no real repercussions.
- Fourth, protect the AI estate. Models and key training datasets should sit in the same risk category as source code, customer data and financial systems. They are increasingly the target.
TCS | Werner Lindemann on how AI is rewriting the infosec rulebook
Insider-as-a-service in South Africa is not an abstract concept. It is the logical outcome of economic anxiety, high churn, fading loyalty and powerful new tools sitting in the hands of people who feel they have little to lose. The technical defences matter, but the harder work — and the more decisive — is on the human side.
- The author, Heino Gevers, is senior director of technical support at Mimecast South Africa
Get breaking news from TechCentral on WhatsApp. Sign up here.
