The Insider Threat: Employees Pose a Greater Risk Than External Hackers

Key Takeaways

  • Internal threats now constitute 57 % of all cyber incidents, surpassing external attacks for the first time.
  • Employee misuse has risen from 29 % to 45 %, while traditional hacking remains steady at about 31 %.
  • Shadow IT and the use of unapproved tools by frustrated workers expose sensitive data to public applications.
  • Attackers increasingly target insiders, exploiting routine employee behavior rather than relying solely on sophisticated external exploits.
  • End‑point devices (laptops, smartphones, etc.) are involved in more than half (53 %) of incidents, and identity‑based attacks have climbed from 10 % to 17 % in roughly a year.
  • Simple security hygiene—tightening access controls, enforcing least‑privilege principles, and deploying multi‑factor authentication (MFA)—can dramatically reduce the internal attack surface.
  • Organizations must treat insider risk as a core component of their cybersecurity strategy, not just an ancillary concern.

The Shift from External to Internal Threats

Recent findings from Orange Cyberdefense reveal a striking change in the threat landscape: internal threats now account for 57 % of all security cases, up from 47 % less than a year ago. For the first time ever, insider‑related incidents outweigh external attacks, which have remained relatively stable at around 31 %. This inversion signals that organizations can no longer focus exclusively on perimeter defenses; they must also look inward to understand how their own employees, whether intentionally or inadvertently, contribute to risk.

Employee Misuse as a Growing Driver

The report highlights that employee misuse—ranging from careless handling of data to deliberate policy violations—has jumped from 29 % to 45 % of incidents. While not all misuse is malicious, its impact can be as severe as a sophisticated external breach, especially when attackers leverage these policy workarounds as entry points. Senior Security Researcher Carl Morris notes that “employee misuse can be just as damaging as a sophisticated breach,” underscoring the need for companies to treat insider behavior with the same rigor they apply to external threats.

Shadow IT and the AI Adoption Challenge

A significant contributor to the rise in internal risk is the proliferation of shadow IT—unsanctioned applications and services that employees adopt to meet immediate needs, particularly as organizations grapple with deploying AI tools effectively. Frustrated workers often turn to consumer‑grade apps, inadvertently feeding confidential information into platforms lacking enterprise‑grade security controls. This behavior expands the attack surface beyond what traditional IT governance can monitor, creating blind spots that attackers readily exploit.

Insider Targeting by External Actors

Hackers are shifting tactics, increasingly focusing on company insiders rather than attempting to breach hardened perimeters. By exploiting everyday employee actions—such as clicking phishing links, using weak passwords, or sharing credentials—attackers gain footholds without needing to develop complex, zero‑day exploits. This trend means that even modest lapses in employee vigilance can serve as convenient gateways for external adversaries, blurring the line between internal and external threat vectors.

End‑points: The Primary Battlefield

Endpoint devices remain a focal point of compromise, with workers’ laptops, smartphones, and other devices implicated in more than half (53 %) of all incidents. The mobility and diversity of these devices make them attractive targets; once compromised, they can provide attackers with direct access to corporate networks, data stores, and privileged credentials. Strengthening endpoint protection—through regular patching, device encryption, and robust endpoint detection and response (EDR) solutions—is therefore essential to curbing insider‑related risk.

The Surge in Identity‑Based Attacks

Identity attacks have shown a notable uptick, rising from 10 % to 17 % over roughly a year. Compromised credentials allow attackers to masquerade as legitimate users, bypassing many traditional defenses that rely on perimeter authentication. The increase suggests that adversaries are finding success in harvesting passwords, reusing leaked credentials, or exploiting weak authentication practices, further amplifying the danger posed by insider negligence or credential sharing.

Practical Steps to Mitigate Internal Risk

Orange Cyberdefense advises organizations to acknowledge that many threats now originate from within and to act accordingly. Key measures include:

  • Tightening access controls and enforcing least‑privilege principles to limit what each employee can see and do, thereby shrinking the attack surface.
  • Implementing multi‑factor authentication (MFA) across all critical systems, which dramatically reduces the likelihood that stolen credentials alone will grant access.
  • Monitoring and managing shadow IT through approved‑app catalogs, cloud access security brokers (CASBs), and user‑behavior analytics to detect unsanctioned tool usage.
  • Conducting regular security awareness training that emphasizes phishing resistance, password hygiene, and the risks of data sharing via unauthorized channels.
  • Deploying endpoint protection platforms (EPP) and EDR tools to detect malicious activity on devices in real time.
  • Utilizing identity‑governance solutions to oversee credential lifecycle, enforce strong password policies, and flag anomalous login patterns.

By integrating these controls into a holistic security program, companies can address the internal threat surge without sacrificing agility or innovation.
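
As an added illustration of the approved-app catalog check in the list above (not code from Orange Cyberdefense or from this article), the sketch below scans web-proxy log lines and totals the data each user uploads to hosts outside the catalog. The log format, the catalog entries, the `.example` domains and the function names are all assumptions made for this example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: a hypothetical approved-app catalog, listed by domain.
APPROVED_APPS = {"approved-ai.example", "corp.example"}
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample lines: timestamp user method url bytes_out
SAMPLE_PROXY_LOG = """\
2024-05-01T09:00:01Z alice POST https://approved-ai.example/v1/chat 2048
2024-05-01T09:02:13Z bob POST https://chat.consumer-ai.example/api/send 18432
2024-05-01T09:02:40Z bob POST https://chat.consumer-ai.example/api/send 40960
2024-05-01T09:05:00Z carol GET https://files.corp.example/report.pdf 310
2024-05-01T09:07:22Z carol PUT https://approved-ai.example.paste.example/u 5120
2024-05-01T09:09:09Z dave GET https://chat.consumer-ai.example/ 120
truncated line
"""

def is_approved(host, approved=APPROVED_APPS):
    """True if host is a catalog domain or a subdomain of one.

    Matching on the dot boundary keeps look-alikes such as
    approved-ai.example.paste.example from passing as approved.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in approved)

def unsanctioned_uploads(log_text, approved=APPROVED_APPS):
    """Return ([((user, host), totals), ...] by bytes sent, skipped_lines)."""
    totals = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            skipped += 1  # malformed line: count it, do not guess
            continue
        _ts, user, method, url, bytes_out = parts
        host = urlsplit(url).hostname
        if host is None:
            skipped += 1
            continue
        # Only outbound data to hosts outside the catalog is of interest.
        if method.upper() not in UPLOAD_METHODS or is_approved(host, approved):
            continue
        totals[(user, host)]["requests"] += 1
        totals[(user, host)]["bytes_out"] += int(bytes_out)
    ranked = sorted(totals.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)
    return ranked, skipped
```

Ranking by bytes sent puts the users moving the most data into unsanctioned tools at the top of the review queue, and the skipped-line count shows how much of the log the check could not parse.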

Conclusion: Redefining the Security Paradigm

The data from Orange Cyberdefense makes it clear that the cybersecurity battlefield has shifted inward. Internal threats now outpace external ones, driven by employee misuse, shadow IT, and increasingly sophisticated insider targeting by adversaries. End‑points and identity weaknesses remain the most exploited vectors, but they also offer the most actionable points of defense. Organizations that proactively tighten access, embrace MFA, curb unsanctioned tool use, and educate their workforce will be best positioned to mitigate this evolving risk. In an era where the line between insider and outsider continues to blur, a balanced, vigilant approach—one that treats internal risk with the same seriousness as external attacks—is essential for lasting resilience.
