Employee misuse has overtaken external hacking as the leading cause of cyber security incidents, signalling a sharp shift as organisations face growing risks from within their own workforce.
Analysis from Orange Cyberdefense of more than 139,000 security events between 1 October 2024 and 31 August 2025 found that internally driven incidents rose from 47% to 57% in 11 months.
Employee misuse was the main driver, climbing from 29% to 45% of confirmed incidents, while hacking remained steady at 31%. Much of the misuse is not malicious, but involves staff bypassing security protocols through shadow IT, web access misuse or abuse of privileged accounts, creating opportunities for attackers.
End-user devices such as laptops and mobiles were involved in 53% of incidents, up from 39%, while account-related incidents rose from 10% to 17%, suggesting attackers are increasingly exploiting employee behaviour and identity vulnerabilities.
Smaller firms and large enterprises were similarly affected by misuse at 43% and 45% respectively, reflecting either limited controls or operational complexity. Medium-sized firms saw more hacking, at 47% of incidents, compared with 31% linked to misuse.
Carl Morris, senior security researcher at Orange Cyberdefense, said: “While not inherently malicious, employee misuse can be just as damaging as a sophisticated breach, especially given that attackers are increasingly turning policy workarounds into external entry points. Improving cyber hygiene from the ground up – by boosting cyber literacy, investing in skills and awareness and putting additional measures in place, like MFA, for account access – organisations can begin to turn back this tide.”