Kiteworks Report Links MFT Security Failures to Weak Governance Practices

The report paints a picture of organizations meeting minimal security requirements but missing deeper governance fundamentals.
Oct. 9, 2025

Kiteworks has released its 2025 Data Security and Compliance Risk: Annual MFT Survey Report, revealing a sharp divide between organizations with mature data governance and those that rely on basic compliance measures. The findings show that enterprises with well-developed governance frameworks report significantly fewer managed file transfer (MFT) incidents, while others continue to struggle with blind spots in data visibility and risk management.

"Organizations check compliance boxes while missing fundamental governance," said Kiteworks Chief Strategy Officer Tim Freestone. "They can't tell you where sensitive files are stored, who accessed them last week, or how they move between systems. Without this visibility, even sophisticated security tools become expensive decorations."

One of the more troubling insights involves risk miscalibration. Organizations rated patch management as only "very important" rather than "critical," despite reporting a 59% incident rate in that category. That same moderate stance, the report suggests, extends across other key control areas, leaving enterprises underprepared for current threat levels.

Kiteworks researchers also found that many MFT environments rely on disconnected antivirus and DLP tools without centralized governance. In such cases, organizations cannot answer basic questions about data location, third-party access, or exposure from vendor compromise. The absence of SIEM or SOC integration further compounds this, allowing attackers to exploit overlooked file-transfer channels while defenders monitor less critical surfaces.

AI-related risks add another layer of complexity. Nearly half of respondents have begun addressing AI threats, but over a quarter have already experienced incidents involving AI tools and sensitive data. Another 30% still allow uncontrolled AI interaction with proprietary information.

"The data shows a troubling pattern," explained Patrick Spencer, SVP, Americas and Industry Marketing at Kiteworks. "Organizations with mature governance achieve substantially better audit logging effectiveness compared to those without. They demonstrate markedly improved third-party risk management and enhanced security awareness."

The report identifies five capabilities that consistently predict stronger performance: data discovery and classification, data flow mapping, dynamic access control, real-time vendor governance, and continuous metrics tracking. Together, these enable what Kiteworks calls the "governance multiplier effect"—a compounding improvement across all control areas.

By contrast, sectors with fragmented governance continue to face predictable challenges. Government agencies often maintain strong policy frameworks but fall short in encryption at rest, while healthcare organizations over-index on transit encryption and leave stored data exposed. Financial institutions fare better, maintaining a more balanced governance approach and lower incident rates.

"The path forward requires fundamental shifts," concluded Freestone. "Stop buying tools and start building governance. Know where every sensitive file lives, how it moves, and who touches it. Deploy advanced controls for genuine protection against modern threats. Integrate security tools to eliminate blind spots. The significant incident reduction for organizations with mature governance proves the payoff."

The full Data Security and Compliance Risk: MFT Survey Report is available on the Kiteworks website.
