Kiteworks Report Finds Visibility Gaps Multiply Enterprise Risk

Kiteworks has released its 2025 Data Security and Compliance Risk: Annual Survey Report, highlighting how visibility challenges are compounding security risks for organizations worldwide.

The survey of 461 organizations across North America, Europe, APAC and the Middle East found that 42% of companies that cannot track the number of third-party partners also fail to monitor breach frequency. According to Kiteworks, these cascading blind spots expose enterprises to significant risks.

“Our survey reveals a fundamental truth about modern data security: What you don't know doesn't just hurt you – it multiplies exponentially,” said Tim Freestone, CMO of Kiteworks.

4 universal risk patterns

The research identifies four key patterns that contribute to enterprise risk:

• Visibility-Risk Cascade: 42% of organizations uncertain of third-party counts also miss breach frequency, and 48% of those unaware of breaches cannot quantify litigation costs.

• Third-Party “Danger Zone”: Companies with 1,001–5,000 third parties experience the worst breach outcomes, with 24% facing seven or more annual breaches and 42% requiring 31–90 days for detection.

• AI Governance Vacuum: Only 17% have fully implemented AI governance frameworks. Nearly all organizations that measure AI usage implement at least one privacy-enhancing technology, while 36% of those unaware of AI usage deploy none.

• Detection-Cost Correlation: Faster breach detection correlates with significantly lower litigation costs. By contrast, 36% of organizations with 10 or more hacks report litigation expenses exceeding $3 million.

Industry and regional gaps

Kiteworks’ new risk scoring algorithm revealed that 15% of organizations operate at “Critical” risk levels (scores of 7–10), with a median score of 4.84. Industry results varied widely, with energy and utilities ranking highest at 5.51, while life sciences and pharmaceuticals scored lowest at 3.37.

Regional findings also showed distinct weaknesses, from Middle East organizations with zero 24-hour breach detection to European companies with limited EU Data Act readiness and APAC organizations struggling to assess AI risks.

“Whether it’s Middle East organizations with zero 24-hour detection, European companies with only 23% EU Data Act readiness, or APAC’s 35% who can’t assess AI risks – the root cause is always the same: Organizations can’t protect what they can’t see,” said Patrick Spencer, VP of Corporate Marketing and Research at Kiteworks.

Recommendations and trends

The report outlines three imperatives for global organizations:

1. Implement comprehensive visibility by tracking third-party counts and AI data flows.

2. Scale security controls before third-party relationships reach the 1,001 threshold.

3. Mandate AI data measurement, enabling higher adoption of privacy-enhancing technologies.

The report also noted that mature privacy programs deliver measurable returns, including a 27% reduction in security losses and 21% increases in both customer loyalty and operational efficiency.

Despite ongoing warnings, progress has been slow. Over the past four years, encryption adoption increased only 9 percentage points, from 47% to 56%, while reliance on manual compliance processes continues at more than 70%.

“The data delivers an unmistakable verdict: 2025 is an inflection point where organizations must abandon incremental improvements for transformative change,” Freestone said.

The complete report is available here.