Your staff are your biggest security risk: AI is making it worse
2026-2-26 21:21:23 Author: www.fortra.com

A new report claims that the cost of insider security incidents has surged 20% in two years, reaching an average of US $19.5 million per organization annually, with no sign that the alarming figure is flattening.

That is one of the findings of the "Cost of Insider Risks Global Report" for 2026 from the Ponemon Institute and DTEX, which claimed that the main culprit is not malicious employees.

According to the study, which polled 8,750 IT practitioners at 354 organizations that had experienced one or more material insider-related incidents, the average annual cost of insider risk security incidents was US $16.2 million in 2023, rising to US $17.4 million, and now US $19.5 million.

On average, each company suffered 25 such incidents per year.

Of the 7,490 incidents reported from the study group in 2025, 53% were caused by negligent or mistaken employees. In other words, ordinary people make ordinary mistakes.

As Infosecurity reports, that category alone accounts for US $10.3 million of the average annual loss for each company, up 17% year-on-year.

Malicious insiders, by comparison, are costing US $4.7 million per year according to the report.

The difference in the figures is easy to explain: negligence is far more frequent than malice.

According to the report, shadow AI is the fastest-growing reason for this insider negligence. Workers across industries are sharing internal documents, source code, legal materials, and strategy plans with AI tools without approval or proper safeguards.

Meanwhile, AI-powered meeting assistants are generating records of sensitive internal discussions and sometimes leaving them publicly accessible.

The driver for this appears to be well-intentioned employees attempting to get more work done at speed, unaware that they may be exposing company secrets.

The study reports that some 92% of organizations acknowledge that AI has fundamentally changed how their staff handles information, and yet only 18% have formally integrated AI governance into their insider risk programs.

The good news is that investment is improving response times. As insider risk budgets have grown from 8.2% of IT security spend in 2023 to 19% in 2025, the average time to contain a breach (stopping or limiting damage once an insider incident has been identified) has decreased from 86 days to 67 days.

That, of course, is still far from ideal. The report notes that incidents resolved within 30 days average US $14.2 million per year, while those that drag past 90 days average US $21.9 million. Currently, only 13% of incidents are contained within 30 days.

With costs rising 20% in two years and the shadow AI problem still largely poorly governed (if governed at all), the gap between organizations with mature programs and those without is only going to get wider.


Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.


Source: https://www.fortra.com/blog/your-staff-are-your-biggest-security-risk-ai-making-it-worse