The 2025 Data Security and Compliance Risk Report reveals widespread encryption gaps, fragmented architectures, and poor visibility fueling costly breaches.
Organizations today face mounting risks as managed file transfer (MFT) systems move sensitive data across clouds, partners, and internal networks. While digital transformation accelerates business operations, it simultaneously creates blind spots that expand attack surfaces, complicate compliance, and inflate operational costs. Kiteworks' 2025 Data Security and Compliance Risk: MFT Survey Report reveals just how costly inadequate visibility has become.
In this exclusive TechBullion Q&A, we speak with Tim Freestone, CMO at Kiteworks, and Patrick Spencer, Ph.D., SVP, Americas Marketing and Industry Research at Kiteworks, about the report’s most critical findings. They explain why 59% of organizations experienced MFT security incidents despite widespread investments, how encryption gaps and fragmented architectures create cascading vulnerabilities, and what separates the incident-free 39% from their breached counterparts. From mid-market organizations suffering 32% breach rates despite high testing to enterprises achieving 10% through mature programs, they reveal how companies can transform scattered security efforts into integrated defenses that measurably reduce incidents.
Kiteworks 2025 MFT Security Report — At a Glance
- Fragmented Security Drives Breaches: 59% of organizations suffered MFT incidents despite major security investments. Lack of unified governance and SIEM integration creates blind spots.
- AI Risk Grows: 48% review AI threats, 44% enforce controls, but 30% allow uncontrolled use with sensitive data.
- Encryption Gaps Persist: Only 42% encrypt data at rest. Healthcare excels in transit encryption (100%) but stores data largely unprotected, leading to a 44% incident rate.
- Mid-Market Vulnerability: Companies with 5,000–10,000 employees face the highest breach rate at 32%, testing incident response without fixing core gaps.
- Policy Isn’t Enough: Government agencies adopt NIST/FedRAMP frameworks but encrypt data at rest only 8%, leading to a 50% incident rate.
- Financial Services Lead: Lowest breach rate (25%) thanks to balanced, integrated controls across encryption, automation, and governance.
- Advanced Threats Underused: Only 27% deploy Content Disarm & Reconstruction (CDR).
Q1: The survey shows 59% of organizations experienced MFT security incidents in the past year. What’s driving this high incident rate despite widespread security investments?
Tim Freestone: The core issue is fragmented security without unified governance. The report reveals that organizations deploy isolated point solutions but lack comprehensive frameworks to enforce policies consistently. Specifically, 63% operate without SIEM integration, meaning security teams have zero visibility into file transfer events containing sensitive data. Beyond the encryption gap where only 42% use AES-256 at rest, organizations lack layered defenses: just 27% deploy content disarm and reconstruction for advanced threats, 37% haven’t integrated identity providers, and 42% skip quarterly security reviews. The 62% running fragmented systems across email, file sharing, and web forms multiply these blind spots exponentially. Real protection requires what Kiteworks calls integrated governance—combining encryption at rest and in transit, continuous threat monitoring, automated access controls with ABAC, advanced content inspection including CDR, and consolidated audit trails. The incident-free 39% understand this: they don’t just implement controls; they unify them under comprehensive governance that tracks and protects data throughout its lifecycle.
Q2: Healthcare achieved 100% end-to-end encryption in transit but only 11% encrypt data at rest. How does this paradox affect their security posture?
Patrick Spencer: This represents one of the most striking disconnects in the survey data. Healthcare organizations have focused on visible compliance requirements—encrypting data in motion satisfies HIPAA’s “addressable” specifications—while ignoring where attackers actually strike: stored data in file repositories, backups, and temporary directories. The result is a 44% incident rate with the highest breach percentage at 11%. Healthcare’s fragmented systems across clinical, administrative, and research functions compound this vulnerability. They’ve invested heavily in cloud adoption (44% cloud-only deployment) but failed to extend encryption comprehensively. This selective implementation creates a false sense of security that proves costly when breaches occur.
Q3: Mid-market organizations (5,000–10,000 employees) show the highest breach rate at 32% despite high incident response testing rates. Why are they most vulnerable?
Tim Freestone: Mid-market companies face a dangerous mismatch between their threat profile and security maturity. They’re large enough to attract sophisticated attackers who view them as lucrative targets, yet they’re still building the comprehensive security programs that larger enterprises have established. Despite 75% testing incident response regularly—the highest rate of any size category—they’re testing for resilience without addressing underlying gaps in encryption, automation, and integration. It’s security theater: they’re prepared to respond to incidents but haven’t prevented the fundamental vulnerabilities that cause them. Resource constraints force difficult choices, and too often they invest in visible activities like IR testing rather than foundational controls that would reduce their 32% breach rate.
Q4: Government agencies show strong policy frameworks but only 8% encrypt data at rest—the weakest of any sector. What explains this policy-practice disconnect?
Patrick Spencer: Government exemplifies how compliance on paper doesn’t equal security in practice. While agencies broadly adopt federal frameworks like NIST and FedRAMP, and 67% enforce regional storage for sovereignty requirements, actual technical implementation lags severely. The 8% AES-256 adoption stems from systemic challenges: legacy infrastructure that’s difficult to modify, complex procurement processes that slow technology adoption, and budget cycles that favor visible initiatives over foundational security. The result is a 50% incident rate with 25% experiencing unauthorized access attempts. Government can implement controls when mandated—as sovereignty enforcement demonstrates—but voluntary best practices like comprehensive encryption continue to lag because they lack the forcing function of explicit requirements.
Q5: Financial services achieves the lowest incident rate at 25%. What practices differentiate them from other industries?
Tim Freestone: Financial Services demonstrates that balanced, comprehensive implementation beats sporadic excellence. They don’t lead in any single control—not encryption, integration, or automation individually—but maintain solid implementation across all dimensions simultaneously. This consistency creates layered defenses that prove difficult to penetrate. They’ve also successfully unified multiple compliance requirements (GDPR, PCI DSS, SOC 2) into single control sets rather than treating each framework separately, reducing complexity while improving coverage. The key lesson is that Financial Services treats security as an integrated system rather than a collection of independent initiatives. Their success comes despite facing the heaviest regulatory burden, proving that comprehensive approaches work when implemented with appropriate rigor and resources.
Q6: Only 27% of organizations use Content Disarm and Reconstruction (CDR). Why does this advanced threat protection remain so underutilized?
Patrick Spencer: CDR adoption reveals how organizations plateau at basic controls rather than advancing to address modern threats. Most rely on antivirus (63%) and DLP (63%) for content inspection—technologies designed for previous generations of attacks—while only 37% validate file types and just 27% deploy CDR. This gap exists because CDR requires more than technology purchase: it demands workflow modifications for file reconstruction, user education about sanitized files, and acceptance that convenience may be reduced for security. Organizations comfortable with legacy approaches resist these changes. However, the incident-free 39% show significantly higher CDR adoption, recognizing that traditional antivirus cannot catch sophisticated file-based attacks that hide malicious code in document structures.
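The answer above notes that only 37% of organizations validate file types at all. The following is an added example, not code from the survey report or from any Kiteworks product, of the most basic form of that control: checking the bytes actually received against the extension the uploader declared, and refusing executables regardless of name. The signature table, the `ValidateUpload` function and the sample byte strings are all this example's own constructions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// signature ties a content type to the leading bytes ("magic") that identify
// it and to the extensions under which that content may legitimately arrive.
// The table is deliberately short; a real validator covers every type the
// transfer workflow accepts.
type signature struct {
	contentType string
	magic       []byte
	extensions  []string
}

var signatures = []signature{
	{"application/pdf", []byte("%PDF-"), []string{".pdf"}},
	{"image/png", []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}, []string{".png"}},
	{"image/jpeg", []byte{0xFF, 0xD8, 0xFF}, []string{".jpg", ".jpeg"}},
	// OOXML documents (docx/xlsx/pptx) are ZIP containers, so they share the ZIP magic.
	{"application/zip", []byte{'P', 'K', 0x03, 0x04}, []string{".zip", ".docx", ".xlsx", ".pptx"}},
}

// executableMagic lists prefixes that are never acceptable in a document
// transfer, whatever the declared extension says.
var executableMagic = [][]byte{
	[]byte("MZ"),          // Windows PE
	{0x7F, 'E', 'L', 'F'}, // ELF
}

// ErrBlocked is wrapped by every rejection so callers can match it with errors.Is.
var ErrBlocked = errors.New("upload blocked")

// ValidateUpload compares the declared file name with the bytes actually
// received. It returns the detected content type on success, or an error
// explaining the rejection.
func ValidateUpload(name string, data []byte) (string, error) {
	ext := strings.ToLower(filepath.Ext(name))
	for _, m := range executableMagic {
		if bytes.HasPrefix(data, m) {
			return "", fmt.Errorf("%w: %q carries executable content", ErrBlocked, name)
		}
	}
	for _, s := range signatures {
		if !bytes.HasPrefix(data, s.magic) {
			continue
		}
		for _, e := range s.extensions {
			if e == ext {
				return s.contentType, nil
			}
		}
		return "", fmt.Errorf("%w: %q declared %q but content is %s", ErrBlocked, name, ext, s.contentType)
	}
	// Unknown content is rejected too: an allow-list, not a block-list.
	return "", fmt.Errorf("%w: %q has no recognised signature", ErrBlocked, name)
}

func main() {
	// Constructed samples: a genuine PDF header, a PE header renamed to .pdf,
	// and a PDF uploaded under an image extension.
	samples := []struct {
		name string
		data []byte
	}{
		{"invoice.pdf", []byte("%PDF-1.7 constructed sample")},
		{"report.pdf", []byte("MZ\x90\x00constructed sample")},
		{"photo.png", []byte("%PDF-1.7 constructed sample")},
	}
	for _, s := range samples {
		ct, err := ValidateUpload(s.name, s.data)
		if err != nil {
			fmt.Println("REJECT", err)
			continue
		}
		fmt.Println("ACCEPT", s.name, "as", ct)
	}
}
```

The check runs before any antivirus or DLP pass, so mismatches are logged and dropped without ever being parsed. It is not a substitute for CDR, which rebuilds the file rather than inspecting its first bytes, but it closes the simplest renaming trick and gives the SIEM a clean rejection event.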
Q7: The survey shows 48% conduct regular AI risk reviews but only 44% implement automated controls, and 30% permit uncontrolled AI usage. What does this reveal about AI governance maturity?
Tim Freestone: AI governance represents the newest frontier where we’re seeing the same policy-practice disconnect that affects other controls. Organizations recognize the risk—48% regularly review AI threats and 40% have policies restricting AI tool usage—but struggle to enforce these policies technically. The 26% who’ve already experienced AI-related incidents demonstrate that awareness without enforcement fails. The 30% permitting uncontrolled AI usage with sensitive files expose themselves to data exfiltration through tools designed to learn from uploaded content. This pattern repeats throughout the survey: strategic awareness fails to translate into operational safeguards. As AI adoption accelerates and regulators focus on algorithmic accountability, organizations must move beyond reviewing risks to implementing the automated controls that prevent misuse.
Q8: The report shows organizations with legacy MFT systems face higher incident rates. What makes these older platforms particularly vulnerable to modern attacks?
Patrick Spencer: Legacy MFT solutions, many built in the 1990s–2000s, fundamentally weren’t designed for today’s threat landscape. They rely on basic encryption and directory controls insufficient against advanced persistent threats that have become industrialized. These systems run on separately-managed infrastructure—databases, file systems, operating systems—where security implementation is left to customers, creating inconsistent protection. They lack embedded defenses like web application firewalls, intrusion detection, and hardened architectures that prevent exploit chains. Modern MFT platforms address this through hardened virtual appliances with built-in security controls, unified governance, and architectures specifically designed to counter APT attacks—eliminating the fragmentation and implementation gaps that make legacy systems vulnerable.
Q9: Based on the survey findings, what three actions should organizations prioritize immediately to reduce their incident risk?
Tim Freestone: The data points to three critical gaps that separate the 59% experiencing incidents from the 39% who remain secure. First, implement AES-256 encryption for data at rest immediately—this addresses the most severe vulnerability affecting 58% of organizations. Second, integrate MFT systems with SIEM/SOC platforms to eliminate the blind spots affecting 63% of organizations; modern platforms enable this in hours, not months, providing immediate visibility into file transfer events. Third, begin architectural consolidation to address the 62% operating fragmented systems across email, file sharing, and web forms. While unification requires longer timeframes, even incremental consolidation reduces attack surface and simplifies security management. Organizations addressing these three areas see dramatic improvement in outcomes—not because they’re perfect, but because they’ve closed the fundamental vulnerabilities that attackers exploit most successfully.
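The first two of those three actions, AES-256 for stored files (the gap raised in Q1 and Q2) and a structured file-transfer event stream for the SIEM, are concrete enough to show in code. What follows is an added example written for this page, not code from the report or from any Kiteworks product. It assumes the 32-byte key is supplied by a key management service (here the caller passes it in), binds each ciphertext to its storage path through GCM's associated data so a blob copied elsewhere will not decrypt, and emits one JSON record per transfer; the `TransferEvent` field names are this example's own choice, not any SIEM's schema.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// EncryptAtRest seals plaintext with AES-256-GCM. Output layout is
// nonce || ciphertext || tag (Seal appends the tag itself). aad should be
// the object's storage path or identifier: it is authenticated, not
// encrypted, so moving the blob to another path makes Open fail.
func EncryptAtRest(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptAtRest reverses EncryptAtRest and fails on any tampering or on an
// aad that does not match the one used at seal time.
func DecryptAtRest(key, sealed, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// TransferEvent is the record forwarded to the SIEM for every file movement.
// Field names are illustrative, chosen for this example.
type TransferEvent struct {
	Timestamp       string `json:"ts"`
	Action          string `json:"action"`
	Actor           string `json:"actor"`
	ObjectPath      string `json:"object"`
	SizeBytes       int    `json:"size"`
	SHA256          string `json:"sha256"`
	EncryptedAtRest bool   `json:"encrypted_at_rest"`
	Outcome         string `json:"outcome"`
}

// NewTransferEvent builds one JSON line for the SIEM. The hash is taken over
// the plaintext so the same content is correlated across uploads and downloads.
func NewTransferEvent(action, actor, path string, content []byte, encrypted bool, outcome string) ([]byte, error) {
	sum := sha256.Sum256(content)
	return json.Marshal(TransferEvent{
		Timestamp:       time.Now().UTC().Format(time.RFC3339),
		Action:          action,
		Actor:           actor,
		ObjectPath:      path,
		SizeBytes:       len(content),
		SHA256:          hex.EncodeToString(sum[:]),
		EncryptedAtRest: encrypted,
		Outcome:         outcome,
	})
}

func main() {
	// Constructed inputs: a throwaway key standing in for a KMS-managed one,
	// and a small "record" being stored by the MFT service.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	path := "repo/clinical/record-0001.txt"
	record := []byte("constructed sample record")
	sealed, err := EncryptAtRest(key, record, []byte(path))
	if err != nil {
		panic(err)
	}
	ev, _ := NewTransferEvent("store", "alice", path, record, true, "success")
	fmt.Println(string(ev))
	if _, err := DecryptAtRest(key, sealed, []byte("repo/other/path")); err != nil {
		fmt.Println("blob bound to its path: decrypt elsewhere fails:", err)
	}
}
```

Each emitted line is what the SIEM ingests; a rule over `encrypted_at_rest == false` or over repeated `outcome == "denied"` for one actor is the visibility the answer says 63% of organizations lack. Key storage, rotation and nonce exhaustion limits for GCM remain the KMS's job and are outside this example.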
For deeper insights, see Kiteworks’ full 2025 Data Security and Compliance Risk: MFT Survey Report.
