
Kiteworks Report Uncovers “The 88% Problem”: Why “Advanced” Security Programs Keep Getting Breached Through Legacy Web Forms

2025/12/04 03:51

The 2025 Data Security and Compliance Risk: Data Forms Survey Report exposes governance gaps, shadow forms, and inadequate orchestration driving widespread breaches despite “advanced” security programs.

Web forms were once treated as simple front ends—basic fields on a webpage that handed data off to “real” systems behind the scenes. But the Kiteworks 2025 Data Security and Compliance Risk: Data Forms Survey Report shows that this assumption is not just outdated—it’s dangerous.

In one of the most comprehensive examinations of form security to date, the report reveals a striking reality: 88% of organizations experienced at least one form-related security incident in the past two years, and 44% suffered a confirmed breach through form submissions.

Even more surprising, the majority of respondents describe their security programs as advanced or leading. That confidence stands in sharp contrast to actual outcomes. Legacy and shadow forms, inconsistent validation, fragmented governance, and incomplete encryption pipelines continue to expose sensitive data across industries.

The report also explores the regulatory pressures shaping modern intake—from GDPR, HIPAA, PCI DSS, and state privacy laws to CMMC 2.0, FedRAMP, and the rise of strict data sovereignty requirements. As organizations scale to hundreds or thousands of forms—many owned by business units rather than security teams—the operational burden grows exponentially.

In this exclusive TechBullion Q&A, Tim Freestone, CMO at Kiteworks, and Patrick Spencer, Ph.D., SVP, Americas Marketing & Industry Research at Kiteworks, break down the report’s most critical findings. They explain why detection without orchestration continues to fuel breaches, why low-volume and legacy forms pose outsized risk, and what organizations must prioritize to close long-standing gaps.

Kiteworks 2025 Data Forms Security Report — At a Glance

  • 88% Hit by Form-Related Incidents
    Nearly nine in ten organizations experienced at least one security incident; 44% confirmed a breach via form submissions.
  • False Sense of Maturity
    Most respondents rate their programs as “advanced,” yet breach rates remain high due to uneven control coverage.
  • Gaps in Orchestration
    82% have real-time detection, but only 48% automate response—leaving long windows for attackers to exploit.
  • Shadow & Legacy Forms Create Blind Spots
    Department-built and embedded third-party forms often bypass WAFs, SIEMs, encryption, and centralized governance.
  • Regulation Expands the Stakes
    GDPR, HIPAA, PCI DSS, CMMC 2.0, FedRAMP, and state privacy laws increasingly govern form-collected data.
  • Sovereignty Requirements Surge
    85% consider data sovereignty critical; 61% say it’s now a strict requirement for compliance.
  • Long-Tail Forms, High-Value Data
    35% of forms receive fewer than 10 submissions yet frequently capture financial records, IDs, and credentials.
  • Budgets Rising, But Environments Lag
    71% plan security upgrades within six months, but legacy systems and dispersed ownership slow execution.

Q1. What surprised you most in this year’s findings?

Tim Freestone: How normal these incidents have become. When 88% of organizations report at least one form-related security incident over two years—and almost half confirm an actual breach—we’re not talking about edge cases anymore. That’s systemic risk.

What really concerns me is that these numbers sit alongside very high self-reported maturity. Most respondents believe they’re running “advanced” or “leading” programs, yet incident rates barely drop even at the top end of the scale.

The story the data tells is that controls exist somewhere, but not everywhere. Attackers are very good at finding pockets of weaker validation, older forms, and poorly governed intake processes.

Q2. Why are web forms still such a weak point when most organizations already have WAFs, SIEM, and other controls in place?

Patrick Spencer: The report shows extremely high adoption of traditional controls. Close to nine in ten use a web application firewall. More than 80% have real-time detection. Most rely on server-side validation and parameterized queries.

Those tools do their job—organizations are catching bot attacks, SQL injection attempts, and cross-site scripting probes. But detection isn’t the same as protection across the board, and that’s where the gap shows up.

The problem is uneven coverage. Those controls protect the flagship applications, but legacy forms, embedded widgets, and departmental tools often live outside standard pipelines. They might post into older back-end systems, lack field-level encryption, or rely on client-side validation only. When attacks hit those unprotected forms, there’s no WAF in the way and no alert firing.

This is fundamentally a governance problem. Most organizations don’t have a complete inventory of their forms, let alone visibility into which ones handle sensitive data, who owns them, or whether they meet security standards. Without that foundation, controls get applied inconsistently—security teams protect what they know about, while shadow forms and legacy intake points slip through.

Attackers don’t need the average form to be weak. They just need one exposed form that handles authentication credentials, financial records, or protected health information—and they’re very good at finding those gaps. Closing them requires centralized tracking and governance that brings every form into scope, not just the ones that happen to sit in front of the SOC’s radar.

Q3. The report highlights a “detection without orchestration” gap. Can you unpack that?

Patrick Spencer: We found that 82% of organizations have real-time threat detection on forms, but only 48% pair that with automated response. That leaves roughly a third who can see attacks as they happen but still rely on manual tickets, emails, and hand-offs to act. And nearly one in five don’t have real-time detection at all.

When we compared cohorts, organizations that combined detection with automation had lower incident rates, fewer breaches via forms, and shorter containment times.

The takeaway is straightforward: visibility alone doesn’t protect you. If a botnet is hammering a login or a script is probing for injection flaws, every extra hour before containment increases the chance it turns into a breach. Automation closes that window.

Q4. Data sovereignty seems to have moved from a niche concern to a top-tier requirement. What’s driving that shift?

Tim Freestone: Data sovereignty is one of the clearest signals in the report. 85% of respondents say data sovereignty is critical or very important, and 61% say it’s strictly required for compliance.

In some segments—government and financial services in particular—over 90% fall into those top two importance bands. In U.S. federal and public-sector contexts, you see hard requirements for in-country or government-cloud deployment, FIPS-validated cryptography, and FedRAMP authorization.

What’s changed is that forms now collect data covered by GDPR, HIPAA, PCI DSS, state privacy laws, and local residency rules all at once. If you can’t prove where that data sits, how it moves, and which jurisdiction governs it, you’re not just facing technical risk—you’re facing regulatory and contractual exposure that boards and regulators care deeply about.

Q5. How do risks and requirements differ across industries?

Patrick Spencer: The attack patterns are broadly similar—bots, credential abuse, injection—but the stakes and regulatory context vary sharply.

Financial institutions collect the widest mix of financial records, payment card data, and authentication credentials under one of the heaviest regulatory stacks. A single form breach can trigger both financial loss and multi-regime scrutiny.

Healthcare operates with protected health information on almost every form, making even a modest incident both costly and operationally disruptive.

Technology and manufacturing have enormous attack surfaces because forms span customer portals, supplier workflows, partner integrations, and legacy systems—often across multiple regions.

Government faces the strictest entry requirements. FedRAMP, FIPS 140-3, CMMC 2.0, and stringent residency expectations effectively filter out vendors that can’t meet those baselines.

All sectors share the same core problem—forms as under-secured intake—but what “good” looks like is highly sector-specific.

Q6. The report talks about the “long tail” of low-volume and legacy forms. Why should security leaders worry about those?

Tim Freestone: It’s tempting to focus only on the big, high-volume portals, but the data shows that’s a mistake.

About 35% of forms receive fewer than 10 submissions, yet those low-volume forms frequently collect financial records, credentials, employee data, or government ID numbers. They’re often built by business units, bolted onto older applications, or embedded from third parties—which means weaker validation, inconsistent encryption, and little central oversight.

Attackers understand this. They deliberately probe that long tail because it’s where controls are thinnest, governance is weakest, and ownership is ambiguous.

If your strategy doesn’t explicitly bring those forms into scope—inventory, policy, encryption, logging—you’re leaving doors open throughout your environment.

Q7. Organizations are clearly investing—most have six-figure form-security budgets—yet progress still feels slow. What’s holding them back?

Patrick Spencer: One of the more encouraging findings is that 71% of organizations plan to implement or upgrade their form security in the next six months, which tells us leaders recognize the risk and are actively moving to address it.

At the same time, they’re not starting from a blank slate; they’re trying to retrofit stronger controls into complex, often fragile environments. Budget still competes with other security priorities, legacy systems can’t always support modern controls without refactoring, and many teams lack specialized expertise in securing high-risk data collection at scale.

So you get this tension. Urgency is high and plans are in motion, but execution takes time. The organizations that will pull ahead are those that treat form security as a strategic initiative—standardizing on secure patterns and platforms—rather than a series of one-off fixes.

Q8. Given these findings, what should organizations prioritize over the next 6–12 months?

Tim Freestone: I’d group the priorities into three buckets.

First, centralize governance. Inventory every form, retire redundant ones, and mandate a single standard for validation, encryption from submission through storage, logging, and monitoring—across web, mobile, and embedded experiences.

Second, close the gaps that turn incidents into breaches. Pair real-time detection with automated response, strengthen identity on high-risk flows, and modernize or replace legacy forms that can’t meet today’s requirements.

Third, treat data residency and compliance evidence as design constraints, not after-the-fact tasks. Choose deployment models that align with your regulatory profile and automate as much of the audit trail as possible.

In practical terms, that means moving from generic web forms to secure data forms built from the ground up to enforce policy, protect sensitive fields, and deliver the auditability regulators now expect.
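As an added example (not code from the report or from Kiteworks), the following form-inventory audit implements the "inventory every form" step from Q8 and flags the shadow and legacy patterns described in Q2: sensitive fields sent to hosts outside the governed intake pipeline, over plain HTTP, via GET, or without a CSRF token. The governed-host allowlist, the field-name patterns and the sample pages are assumptions.

```python
"""Form-inventory audit (added example, not code from the Kiteworks report): extracts every
<form> from HTML pages and flags sensitive fields sent outside the governed pipeline, over
plain HTTP, via GET, or without a CSRF token; allowlist, patterns and pages are assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
GOVERNED_HOSTS = {"forms.example.com"}  # hypothetical: WAF, encryption and logging live here
SENSITIVE = re.compile(r"pass|card|cvv|ssn|national_id|dob|diagnos", re.I)  # regulated fields
CSRF = re.compile(r"csrf|xsrf|_token", re.I)


class FormCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes become ""
        if tag == "form":
            self._cur = {"page": self.page_url, "fields": [],
                         "action": urljoin(self.page_url, a.get("action", "")),
                         "method": (a.get("method") or "get").lower()}
        elif tag == "input" and self._cur is not None:
            self._cur["fields"].append((a.get("name", ""), (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def audit_form(form):
    """Return governance findings for one form; an empty list means no gap found."""
    sensitive = [n for n, t in form["fields"] if t == "password" or SENSITIVE.search(n)]
    target, findings = urlparse(form["action"]), []
    if sensitive and target.hostname not in GOVERNED_HOSTS:
        findings.append("ungoverned-endpoint")      # shadow or legacy intake path
    if target.scheme == "http":
        findings.append("plaintext-transport")
    if sensitive and form["method"] == "get":
        findings.append("sensitive-data-in-query")  # ends up in logs and browser history
    if form["method"] == "post" and not any(CSRF.search(n) for n, _ in form["fields"]):
        findings.append("no-csrf-token")
    return findings


def inventory(pages):
    """pages: {url: html}. Returns one record per form, each with its findings."""
    records = []
    for url, html in pages.items():
        collector = FormCollector(url)
        collector.feed(html)
        records += [{**f, "findings": audit_form(f)} for f in collector.forms]
    return records


SAMPLE_PAGES = {  # constructed: a governed login form and a departmental legacy form
    "https://www.example.com/login":
        '<form action="https://forms.example.com/login" method="post">'
        '<input type="hidden" name="csrf_token"><input type="password" name="pass"></form>',
    "https://hr.example.com/onboard":
        '<form action="http://legacy.example.com/cgi-bin/onboard" method="get">'
        '<input name="ssn"><input name="dob"></form>',
}
```

Calling `inventory(SAMPLE_PAGES)` returns one record per form; an empty findings list marks a form already under the governed standard, and any other entry is a candidate for the retire-or-modernize decision.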

For deeper insights, see the Kiteworks 2025 Data Security and Compliance Risk: Data Forms Survey Report.
