As artificial intelligence (AI) tools introduce new complexities into data collection and protection, many compliance professionals assume that AI is the biggest threat to maintaining data security.
But the actual source of most data privacy risk might surprise you: your own workforce. Recent studies show that taking into account both malicious and unintentional misuse of data, employees are the root cause of the largest share of data breaches involving personal data.
Find out which mistakes and mishaps most often compromise sensitive data, why security training may fail to prevent breaches and how to build a company culture that takes data loss prevention seriously.
The Importance of Data Security Among Rising Challenges
The privacy risks that come along with the increasing adoption of AI have only made data protection more challenging for organizations and employees alike. AI offers both promise and threat for compliance, governance and risk officers as well as other employees, especially when customer data flows across multiple tools and platforms.
How AI Reshapes Consumer Expectations
Consumers are aware that AI tools like large language models (LLMs) are amassing troves of personal data, and they understand that this development has the potential to benefit or harm them. According to a 2025 Pew Research poll, 71% of U.S. adults reported feeling concerned about their personal information being misused by AI.
At the same time, your customers expect you to responsibly use this customer data to tailor their experience to their preferences. Qualtrics reports that 64% of consumers want companies to use data like purchase history and site visits to create personalized experiences without increasing privacy risks.
What Employees Expect From AI
On the other hand, employees sometimes have a different perspective on AI. Many may see specific tools as opportunities to streamline bloated workflows and eliminate repetitive tasks.
Depending on the depth of your security training, members of your organization may be unaware of the privacy risks posed by sharing user data with AI tools that lack proper safeguards.
The Biggest Obstacles to Data Security Outside Your Organization
When you think about a typical data breach, you probably assume that some kind of malefactor from outside your organization is responsible, whether that’s a malicious cybercriminal or poorly secured tools or software.
This assumption can often prove correct, like in these cases:
- Sensitive data stored in unsecure tools, such as email and messaging apps, is a frequent source of data leaks.
- Cybercriminals intent on stealing user data for purposes of identity theft, credit card fraud or some other kind of criminal enterprise prey on insufficient security systems.
- Bad actors breaking into physical offices to gain access to on-site data storage are a less common but still present threat to data privacy.
However, risk assessment professionals often overestimate the impact of outside actors like cybercriminals and underestimate the cost of employee mistakes and mismanagement. For many organizations, the biggest data privacy risk may be their own team.
Read: Data Privacy: A Comprehensive Guide
How Employees Put Data at Risk From Within
To be clear, our goal isn’t to imply that you should view every one of your employees with suspicion. In many cases, employees accidentally fall afoul of data privacy laws, which can ultimately be attributed to subpar security training and insufficient privacy assessments.
That doesn’t mean malicious misuse of data never happens, though. Here’s how to anticipate the most common sources of an internal data breach, accidental or deliberate.
When Mistakes Lead to Data Breaches
According to Proofpoint’s 2025 Voice of the CISO report, unintentional data mishandling, such as an employee losing their credentials or device or using the wrong outside tool, accounts for the vast majority of data breaches.
Here are the most common ways simple mistakes escalate into security risks:
- Using unsecure tools for internal communications: A third of senior cybersecurity leaders surveyed by Mind.io in 2025 reported storing sensitive data in communication and collaboration tools. Employees who mistakenly assume these tools are properly secured unintentionally expose your customer data to risk.
- Falling for phishing scams: Even employees who were trained to recognize phishing attempts may fall for a sophisticated scam in the midst of a busy day. According to Proofpoint, stolen credentials account for up to 32% of avoidable data breaches.
- Sharing data with generative AI tools: An increasingly common source of data leaks is employees unknowingly using poorly secured AI tools to handle routine tasks. A recent analysis by Harmonic found that sensitive data is leaking into generative AI tools like ChatGPT and Claude at scale, creating significant privacy risks.
Learn More: AI Deepfakes and Phishing: How To Upgrade Your Employee Training for AI and GRC
When Intentional Mishandling Causes a Breach
While less common than accidental misuse, intentionally malicious or criminal mishandling of data does account for up to 34% of breaches reported in Proofpoint’s 2025 Voice of the CISO report. Keep in mind that this figure doesn’t include bad actors from outside the organization, such as hackers.
Here are a few ways a compromised or malicious employee can endanger your data security:
- Publicizing sensitive data: In rare cases, a disgruntled employee may choose to share classified or personal data in a deliberate attempt to harm the organization’s credibility, operations or both. Identifying the individual at the source of the leak is critical to effective risk mitigation.
- Stealing credentials or devices: While hackers and other cybercriminals are more likely to be behind phishing attempts, any malicious employee seeking to cover their tracks would find it far easier to gain access to another employee’s login information or physical device, compounding existing privacy risks.
Why Your Existing Data Security Training Isn’t Enough
As you’re reading this, you might catch yourself thinking that your team would never fall prey to a phishing attempt or make use of an insecure tool. But consider that the majority of CISOs feel the same way. This perception simply doesn’t align with the statistics around employee-caused data leaks.
So what explains the gulf between perception and reality? The real problem might be that existing data security training hasn’t caught up to the new risks and opportunities posed by the rise of artificial intelligence.
Most security training doesn’t teach employees the skills they need to recognize the evolving threats to conduct meaningful privacy assessments tied to real-world workflows. Phishing attempts grow more sophisticated all the time, while generative AI tools promise convenience while hiding the failures of their security systems. As a result, organizations struggle to keep pace with modern privacy risks.
Read: Top 5 Objections to Data Privacy Management Software: Cost, Implementation and More
How To Build a Company-wide Culture of Data Protection
The bottom line here is that as AI adoption rapidly spreads, potential data risks are multiplying both within and outside of your organization. The best way to safeguard consumer data and prevent employee mistakes is thorough and up-to-date security training, as well as a day-to-day culture that emphasizes privacy and diligence.
If preventing data breaches isn’t motivation enough, you should know that CISOs who invest in data privacy report anywhere from 1x-5x return on their investment.
You can learn more about how to build a future-proof company culture of data privacy in the Onspring eBook Data Privacy in the Age of AI. Download the eBook now.
