SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Insider-driven data loss surges despite rising DLP investment

Wed, 24th Sep 2025

A recent report by Fortinet has identified a continued rise in data loss incidents linked to insiders, despite increased data security budgets and more sophisticated risk management practices at organisations worldwide.

The 2025 Data Security Report, produced by Fortinet in partnership with Cybersecurity Insiders, found that while security leaders are modernising their approaches and channelling more funding into combating insider risks and data protection, data leaks are persisting and even rising in frequency. The research reveals that 77 per cent of organisations experienced at least one insider-related incident in the past 18 months, with 58 per cent suffering six or more such incidents.

Rising spend, rising losses

The study detailed that 72 per cent of organisations increased their budgets for insider risk and data protection last year, with more than a quarter noting significant increases. This investment came alongside the adoption of new tools and programmatic strategies designed to reduce risk exposure. However, the findings showed that 41 per cent of organisations lost millions to insider-driven data loss events, highlighting that higher expenditure alone is not curbing the problem.

The issue isn't investment. It's reliance on tools that weren't built for today's risks.

According to the report, many organisations continue to depend on legacy data loss prevention (DLP) solutions originally designed for simpler, perimeter-based IT environments. These older tools focus on compliance-driven data scanning in structured, on-premises settings and are not able to address the level of visibility and contextual understanding required for today's distributed workforces and cloud-centric operations.

Limitations of legacy DLP

The research outlined several shortcomings of traditional DLP tools. Chief among them is the lack of visibility: 72 per cent of organisations are unable to clearly observe how employees interact with sensitive information, especially across cloud, SaaS, and AI platforms. Additionally, these tools often fail to differentiate between accidental error and malicious intent, with nearly half of all insider incidents being attributed to negligence or human error.

The report also highlighted the inefficiency of siloed systems, where endpoint, email, and network DLP solutions do not integrate, leading to more alerts but less clarity. Security teams frequently wait weeks or even months after deploying these systems before gaining meaningful insights, contributing to a false sense of security while genuine risks remain unabated.

The result is more alerts, less clarity, and a false sense of control.

Shifting focus to behaviour

The report advocates for a new approach to data loss prevention, one that leverages a deeper level of behavioural analytics and contextual awareness. According to Fortinet's survey, 66 per cent of security leaders identified behavioural analytics as crucial for distinguishing genuine human error from potentially malicious activity. Additionally, 61 per cent called for solutions that deliver day-one visibility, and 52 per cent emphasised the need for oversight of shadow AI and SaaS activities, which are typical vectors for unnoticed data exposure.

This shift would enable modern DLP platforms to build risk narratives by connecting disparate events, allowing security teams to identify trends, prioritise threats, and act with greater confidence. The report asserts that such platforms move beyond static, rule-based enforcement towards behaviour-aware systems capable of showing not just what is happening, but also why it matters.

What today's security leaders need from their DLP tools is context. It's not enough to know that a file was sent. You need to know who sent it, why, and whether the action fits normal behaviour. Without that clarity, security teams are left drowning in alerts that don't tell the whole story.

Business impact

The consequences of insider-driven data loss extend beyond compliance failures. Nearly half of the surveyed organisations reported direct financial losses, with 41 per cent estimating between USD $1 million and USD $10 million lost during their most significant incident. Nine per cent reported losses of over USD $10 million. Alongside financial repercussions, 43 per cent of organisations noted reputational damage, while 39 per cent encountered operational disruptions. The report specifically notes that in sectors such as biotechnology and manufacturing, the stakes can include the loss of years of investment and competitive advantage in the market.

Despite these challenges, many organisations continue to operate a collection of tools anchored by legacy DLP solutions that do not integrate well with modern cloud, SaaS, and AI environments, increasing complexity and overhead for security teams.

Path forward

The report concludes that while more organisations are adopting smarter data security approaches and receiving increased support from leadership, the ongoing prevalence of insider-driven incidents is likely due to an over-reliance on outdated DLP technologies. The findings indicate a strong need for platforms that integrate DLP with insider risk management, providing real-time, behaviour-aware visibility across all enterprise data environments.

Programs will keep evolving, but real progress depends on choosing platforms that deliver answers, not just alerts.