Threat intelligence data from Orange Cyberdefense revealed a significant shift in the cybersecurity landscape; for the first time, incidents originating from inside organisations have overtaken external incidents.
Analysing over 139,000 triaged security events between 1st October 2024 and 31st August 2025, Orange Cyberdefense found that internal incidents surged from a 47% share to 57% in just 11 months.
According to the company, a significant driver of this is employee misuse, which has risen from 29% to 45% of all confirmed incidents over this period.
Hacking vs misuse
By contrast, hacking remained at 31%, largely unchanged from 2024.
Misuse is often not malicious, but rather a case of employees circumventing security protocols; this can take the shape of Shadow IT, such as unapproved software workarounds or web access misuse, or it can be through the abuse of privileged access and controls.
Crucially, all of this activity can play to the advantage of attackers.
This shift suggests that, for many organisations, the immediate risk is not only a hacker cracking their firewalls, but an employee bypassing a policy.
It’s also worth noting that the rise in internal threats is not always down to employees bypassing policies.
The company highlighted that organisations are increasingly deploying Extended Detection and Response (XDR) tools, which many analysts describe as ‘trigger-happy’ and which can often flag false positives from day-to-day employee behaviour that can appear malicious.
Attackers shift to device and identity exploitation
Regardless of whether these incidents are confirmed breaches or technical false positives, this internal activity mostly involves employee endpoint hardware.
The data reveals that end-user devices such as mobiles and laptops are now the most impacted assets, involved in around 53% of all incidents – up from 39% the year prior.
Furthermore, account incidents, relating to identity and credential access, also climbed from 10% to 17%.
The company said that, collectively, the data suggests that attackers are increasingly aware of the patterns of misuse that employees fall into and are on the hunt to exploit these behaviours.
Employee misuse – The great leveller
Interestingly, the organisation sizes worst hit by cybersecurity incidents involving misuse are small businesses (43%) and large enterprises (45%).
For both, this is likely due to how internal access works at their relative scale, creating the same challenge but at opposite ends of the spectrum.
The company explained that small businesses often have fewer resources and less restrictive policies, granting employees more access than required and increasing the likelihood of mistakes or malicious activity.
In larger organisations, the sheer volume of employees and systems makes it easier for insider misuse to slip past even strong security measures.
By contrast, medium-sized businesses tend to deal with far more hacking incidents, which account for 47% of their incidents compared with 31% attributed to misuse.
While these firms’ headcounts may be at a ‘sweet spot’ for managing internal access, they still occupy an attractive space for attackers; they often hold more valuable access than small businesses, but without the advanced security systems of large enterprises.
“The greatest threat to businesses today is their own employees”
Carl Morris, Senior Security Researcher at Orange Cyberdefense, commented: “This data tells us that, while a hacker bypassing a firewall remains a concerning threat, the greatest threat to businesses today is their own employees bypassing policies in their daily work.
“While not inherently malicious, employee misuse can be just as damaging as a sophisticated breach, especially given that attackers are increasingly turning policy workarounds into external entry points.
“Improving cyber-hygiene from the ground up – by boosting cyber-literacy, investing in skills and awareness and putting additional measures in place, like MFA, for account access – organisations can begin to turn back this tide,” he concluded.
