For the first time in the dataset's history, security incidents originating inside organisations outnumber those driven by external attackers — internal incidents hit a 57% share, up from 47% eleven months earlier, while hacking held flat at 31%.
Analysis of 139,000 triaged security events, gathered by Orange Cyberdefense between October 2024 and August 2025, shows that internal incidents have overtaken external ones as the dominant source of enterprise security alerts. The shift is primarily driven by employee misuse: behaviours such as Shadow IT adoption, unapproved software workarounds, and web access outside policy boundaries now account for 45% of all confirmed incidents, up from 29% a year earlier.
Misuse in this context is rarely malicious. Employees bypass protocols for convenience, adopt tools their IT teams haven't sanctioned, or stretch their access privileges for what seem like practical reasons in the moment. The problem, Orange Cyberdefense argues in its Security Navigator 2026 report, is that these patterns create predictable entry points that external attackers are beginning to exploit deliberately.
A complicating factor in the numbers: the growing deployment of Extended Detection and Response (XDR) tools, which some analysts characterise as over-sensitive, can flag routine employee behaviour as suspicious. Not every internal incident in the dataset represents a confirmed breach. That said, Orange Cyberdefense notes the aggregate trend holds regardless of how many individual flags are reclassified.
Alongside the misuse figures, the data shows a material shift in which assets are affected. End-user devices — mobiles and laptops — are now involved in around 53% of all incidents, up from 39% the prior year. Account and identity-related incidents climbed from 10% to 17%. Taken together, the pattern suggests attackers are targeting the human-device-credential surface rather than perimeter infrastructure.
The breakdown by organisation size reveals an unexpected symmetry. Small businesses (43% of their incidents attributable to misuse) and large enterprises (45%) were the worst affected by internal threats. At opposite ends of the scale, the problem has different roots: smaller organisations tend to have fewer access controls and broader per-employee permissions; larger ones face the challenge of scale, where monitoring employee behaviour across thousands of users and systems becomes harder to sustain. Medium-sized businesses diverge from both — hacking accounts for 47% of their incidents compared with 31% attributed to misuse, suggesting their size makes them attractive external targets while their internal access management is tighter than that of smaller firms.
This data tells us that, while a hacker bypassing a firewall remains a concerning threat, the greatest threat to businesses today is their own employees bypassing policies in their daily work. While not inherently malicious, employee misuse can be just as damaging as a sophisticated breach, especially given that attackers are increasingly turning policy workarounds into external entry points. By improving cyber hygiene from the ground up – boosting cyber literacy, investing in skills and awareness, and putting additional measures in place, like MFA, for account access – organisations can begin to turn back this tide.
The full Security Navigator 2026 report is available from Orange Cyberdefense at https://www.orangecyberdefense.com/uk/security-navigator