One-third of organizations experienced seven-plus data breaches last year, leading to 26% spending over $5 million on legal fees litigating data breaches
San Mateo, CA | July 1, 2024
Kiteworks, which delivers data privacy and compliance for sensitive content communications through its Private Content Network, unveiled its 2024 Sensitive Content Communications Privacy and Compliance Report, offering critical insights into the current state of sensitive content communications. The report, based on a comprehensive survey of 572 IT, security, risk management, and compliance leaders, reveals significant vulnerabilities and challenges faced by organizations in managing and securing their sensitive information.
Among the key findings, the report highlights significant global challenges in managing sensitive content communications. When data is sent or shared externally, 57% of global respondents said they cannot track, control, and report on these activities. Not surprisingly, compliance reporting is a major challenge, with 34% of respondents generating audit log reports over eight times per month to satisfy internal and external compliance requests. This frequent reporting requirement reflects the ongoing struggle to meet stringent regulatory demands.
Tim Freestone, Chief Strategy and Marketing Officer at Kiteworks, emphasizes the urgency of addressing these vulnerabilities: “Our report uncovers significant gaps that organizations must address to protect their sensitive content and comply with increasingly stringent regulations. The insights provided are a call to action for businesses to re-evaluate their content communication strategies and invest in robust security solutions.”
Proliferation of Content Communication Tools Leads to Risks
The 2024 Kiteworks report highlights significant shifts and ongoing challenges in the use of content communication tools. Nearly one-third of respondents said their organizations rely on six or more content communication tools. In addition to ratcheting up risks, managing this tool soup decreases operational efficiency and makes it difficult to generate consolidated audit logs.
Preventing leaks of intellectual property (IP) and sensitive secrets is a top priority for 56% of respondents, underscoring the critical importance of protecting valuable information assets. In contrast, fewer organizations prioritize the impact on brand reputation (15%) and cost savings (26%). This shift indicates a growing focus on the direct risks associated with data breaches and information leakage.
Particular sectors express heightened concerns over IP leakage. In the legal sector, for example, 75% of respondents cite this as a significant risk, reflecting the industry’s reliance on confidential information. Similarly, the oil and gas sector, with its proprietary technologies and sensitive data, shows considerable concern over IP leakage. These findings highlight the need for sector-specific strategies to address unique vulnerabilities and reinforce the importance of robust content communication practices across all industries.
Impact of Data Breaches
External malicious hacks of sensitive content communications remain a serious risk globally. 32% of organizations reported experiencing seven or more sensitive content communications breaches last year. This is a slight improvement from 2023, where 36% of organizations reported such breaches. However, 9% of respondents globally admitted they do not know if their sensitive content was breached, indicating a significant gap in advanced security detection and incident response capabilities.
The federal government sector reported the highest incidence of breaches, with 17% indicating they had 10 or more breaches and another 10% reporting 7 to 9 breaches. Alarmingly, 42% of security and defense organizations admitted to having seven or more breaches, highlighting the critical need for enhanced security measures in these sectors.
Geographically, APAC had the highest percentage of organizations reporting seven or more breaches, at 43%. This high number is concerning given the extensive third-party exchanges in the region. The legal costs associated with data breaches remain high, with 8% of organizations incurring over $7 million in legal fees last year, and 26% reporting costs exceeding $5 million. Larger organizations, especially those with over 30,000 employees, faced even higher costs, with 24% reporting legal fees over $7 million.
Higher education emerged as the most affected industry, with 49% of respondents indicating they paid over $5 million in legal fees last year. Geographically, the Americas topped the list, with 27% of organizations reporting legal costs over $5 million, while 12% of EMEA respondents were unsure of the financial impact.
Organizations Struggle to Manage Third-party Risk
Managing third-party risk continues to be a significant challenge for organizations worldwide. The report reveals that 66% of organizations exchange sensitive content with 1,000 or more third parties, although this is a decrease from 84% in 2023. This reduction suggests that organizations are increasingly recognizing the risks associated with extensive third-party interactions and are implementing measures to control access more effectively.
The APAC region has the highest volume of third-party connections, with 77% of organizations exchanging sensitive content with 1,000 or more third parties. Within the professional services sector, 51% of organizations exchange sensitive content with 2,500 or more third parties, significantly higher than the next highest industry, higher education, at 47%.
A concerning 39% of organizations globally are unable to track and control access to sensitive content once it leaves their domain. Surprisingly, compared to IT and risk and management professionals, cybersecurity professionals cited greater confidence in their organizations’ ability to track and control access to content once it leaves their domains (48% said they track and control three-quarters or more). This issue is particularly pronounced in the EMEA region, where 43% of organizations admit to losing the ability to track and control access to more than half of their sensitive content once it is shared externally. Local government organizations face the greatest challenge, with 54% unable to track and control sensitive content after it leaves their organization, followed by pharmaceutical and life sciences companies at 50%.
Sensitive Content Communications Security Needs Improvement
The report underscores the pressing need for improvements in managing sensitive content security. Only 11% of organizations believe no improvement is needed, a significant drop from 26% in 2023. This indicates a growing awareness of security risks and the necessity for enhanced security measures. The need for significant improvements is especially pronounced in the professional services sector, with 47% of firms acknowledging this need, and in large organizations where over half of respondents from companies with 20,001 to 30,000 employees reported a need for significant improvement.
When it comes to using advanced security technology for internal sensitive content communications, only 59% of respondents indicate they do so all the time. The EMEA region lags, with only 53% consistently using advanced security measures, compared to 67% in the Americas and 57% in APAC. State governments are leading in this area, with 71% reporting consistent use of advanced security technologies, followed by higher education institutions at 65%.
Organizations are also prioritizing security certifications and validation, with ISO 27001, 27017, and 27018 topping the list as the most critical certifications. These were followed by NIST 800-171/CMMC 2.0. Notably, 59% of EMEA organizations prioritize ISO certifications, higher than other regions. In contrast, IRAP was more frequently selected by APAC organizations. The findings reflect a strong regional focus on different security standards based on local regulatory environments.
File size limitations pose additional challenges, particularly in the energy and utilities sectors. About 34% of respondents implement over 50 workarounds monthly due to email file size restrictions. For managed file transfers and SFTP, 27% and 31% respectively face similar limitations. Energy and utility firms are significantly affected, with 29% encountering email file size issues 50 times or more monthly, and 36% facing managed file transfer limitations.
Compliance Challenges Persist for Sensitive Communications
This year, 56% of organizations indicated that they require some improvement in compliance management, a significant increase from 32% in 2023. This growing concern reflects the increasing complexity and stringency of regulatory requirements.
Key compliance concerns for organizations include GDPR and U.S. state privacy laws, with 41% of respondents citing each as their primary compliance focus. This aligns with regional priorities, as a higher percentage of EMEA organizations emphasize GDPR compliance, while U.S. organizations focus more on state privacy laws. Risk and compliance leaders pinpointed GDPR as their biggest compliance area (52%). IT leaders, in contrast, listed U.S. state data privacy laws as their top priority (52%).
The frequency and burden of generating audit log reports remain substantial. About 34% of organizations report that they must generate audit logs more than eight times per month to satisfy internal and external compliance requests. This task consumes significant resources, with 31% of respondents spending over 2,000 staff hours annually compiling these reports. Larger organizations face an even greater burden, with 32% of those with over 30,000 employees spending more than 2,500 hours annually on compliance reporting.
Notable compliance gaps persist across various industries. For example, only 38% of security and defense contractors prioritize CMMC compliance, which poses a significant risk given the impending enforcement of CMMC 2.0. Failure to comply with these standards could result in the loss of Department of Defense contracts. These gaps highlight the critical need for organizations to prioritize and invest in robust compliance strategies to address evolving regulatory demands and mitigate associated risks.
Organizations Struggle to Classify Data and Assess Risk
Organizations continue to face challenges in effectively classifying data and assessing associated risks. More than half (51%) of organizations report that less than 50% of their unstructured data is tagged and classified. This lack of comprehensive data classification poses significant risks as unstructured data often contains sensitive information that needs protection.
Additionally, 40% of organizations indicate that 60% or more of their unstructured data requires tagging and classification. This highlights the growing recognition of the importance of data management practices in mitigating security and compliance risks. High-risk data types identified by respondents include financial documents (55%), intellectual property (44%), and legal communications (4%). These data types are often targeted in cyberattacks and need robust protection measures.
Sector-specific risks are also prominent. For instance, energy and utilities firms are particularly concerned about the integration of generative AI (GenAI) technologies, with 50% citing this as a significant risk. Higher education institutions focus on protecting personally identifiable information (PII), with 50% highlighting this concern. In the healthcare sector, 58% of organizations prioritize the protection of protected health information (PHI).
When it comes to data types that are the biggest risk, IT as well as risk and compliance leaders ranked financial documents (56% and 61% respectively) at the top of their lists. Cybersecurity leaders, in contrast, listed IP at the top of their risk priorities (51%) followed by financial documents (46%).
These findings underscore the critical need for organizations to enhance their data classification efforts and adopt tailored risk management strategies to address the unique challenges of their respective industries.
Actionable Kiteworks Report Outcomes
The 2024 Kiteworks report highlights an urgent need for organizations to address gaps in sensitive content communications security and compliance. As the threat landscape evolves, it is imperative for businesses to implement robust strategies to protect their sensitive information.
Patrick Spencer, VP of Corporate Marketing and Research at Kiteworks, emphasizes the importance of sensitive content communications privacy and compliance: “The 2024 report exposes critical gaps in how organizations manage and secure their sensitive data. With a significant number of organizations experiencing multiple data breaches and struggling to meet compliance requirements, it is imperative that businesses take proactive steps to fortify their sensitive content communication strategies. The report’s findings underscore the need for organizations to adopt comprehensive solutions that incorporate next-generation digital rights management (DRM) capabilities. By maintaining control over sensitive content even after it has been shared externally, businesses can effectively mitigate risks and ensure the privacy and compliance of their most valuable information assets.”
Kiteworks addresses these challenges by providing a comprehensive Private Content Network for managing sensitive content communications. The platform offers advanced encryption, secure file sharing, and compliance management tools, all integrated into a single platform to enhance security and operational efficiency.
Recent next-gen DRM additions to the Kiteworks platform, SafeEDIT and SafeVIEW, further enhance the protection of sensitive content. SafeEDIT enables secure editing and collaboration on sensitive documents, tracked and controlled. SafeVIEW provides a secure environment for viewing sensitive content, preventing unauthorized copying, printing, or sharing.
For all the survey findings and takeaways, get your copy of the report today at https://www.kiteworks.com/sensitive-content-communications-report/.
For real-world practitioner insights on the report, watch or listen to the Kitecast episode at https://www.kiteworks.com/kitecast/kiteworks-2024-survey-report-expert-panel-on-data-privacy-and-security/.
PR Contact
David Schutzman
Schutzman Public Relations
david@schutzmanpr.com
About Accellion
Kiteworks’ mission is to empower organizations to effectively manage risk in every send, share, receive, and save of sensitive content. The Kiteworks platform provides customers with a Private Content Network that delivers content governance, compliance, and protection. The platform unifies, tracks, controls, and secures sensitive content moving within, into, and out of their organization, significantly improving risk management and ensuring regulatory compliance on all sensitive content communications.