New Survey Finds Most Organizations Vulnerable to Breaches Through Legacy Web Forms

Nearly half of the organizations surveyed say they have suffered data breaches tied to online form submissions.
Dec. 5, 2025

Key Highlights

  • Most organizations have experienced web form-related security incidents, with nearly half resulting in data breaches, exposing critical vulnerabilities.
  • Legacy web forms are inadequate for modern security needs, especially regarding data sovereignty, multi-region compliance, and protection against automated attacks.
  • A significant gap exists between organizations' perceived security maturity and their actual vulnerability to threats like bot attacks, SQL injections, and session hijacking.
  • Mobile form submissions are rising, yet protections like certificate pinning and biometric authentication are rarely enforced, increasing attack surfaces.

A new survey of cybersecurity and compliance professionals finds that most organizations remain highly vulnerable to attacks and data breaches through legacy web forms, despite widespread confidence in their overall security posture.

Kiteworks’ 2025 “Data Security and Compliance Risk: Data Forms Survey Report,” based on responses from 324 cybersecurity, risk, IT and compliance professionals, found that 88% of organizations experienced at least one web-form-related security incident in the past two years. Of those, 44% reported confirmed data breaches originating from form submissions.

The findings expose a gap between perception and reality. While 64% of respondents described their organization’s security maturity as “advanced” or “leading,” nearly nine in 10 still reported being affected by web form attacks.

“The findings are clear. Stop using legacy web forms. Start using secure data forms,” said Tim Freestone, chief marketing officer at Kiteworks. “Traditional web forms have become the weakest link in enterprise data protection. Organizations collect their most sensitive information through forms like financial records, health data, authentication credentials, government IDs, yet most form solutions were built for convenience, not security.”

According to the report, organizations are facing a wide range of attacks targeting web forms. Sixty-one percent said they encountered bot-driven or automated attacks that flood forms with malicious traffic. Nearly half reported exposure to SQL injection attacks, 39% experienced cross-site scripting vulnerabilities, 28% suffered session hijacking incidents, and 21% experienced man-in-the-middle attacks.

These threats persist even as companies adopt standard security controls, suggesting that protection is inconsistent, especially across older or department-managed forms that fall outside centralized oversight.

One of the most significant findings in the survey was the importance of data sovereignty and the requirement that data be stored and processed within specific geographic boundaries. Eighty-five percent of respondents said data sovereignty is “critical” or “very important,” and 61% said it is strictly required for compliance.

“The sovereignty findings fundamentally change the conversation around form security,” said Patrick Spencer, senior vice president of Americas Marketing and Industry Research at Kiteworks. “Organizations cannot simply opt out of sovereign control — they must demonstrate that citizen and customer data remains within approved jurisdictions. Traditional form solutions cannot deliver these capabilities because they were never architected with multi-region isolation or government-cloud deployment in mind.”

Demand for sovereignty was strongest in highly regulated sectors, including government (94%), financial services (93%), healthcare (83%) and technology (86%).

The report also found that organizations must now comply with a complex mix of regulations. Ninety-two percent cited requirements related to the General Data Protection Regulation in Europe, 58% must meet Payment Card Industry Data Security Standard obligations, and 41% are subject to HIPAA rules in the U.S. health sector. Among government respondents, 75% said FedRAMP authorization is required for the systems they use.

That regulatory pressure is pushing change. Seventy-one percent of organizations surveyed plan to upgrade or replace their form infrastructure within the next six months, largely due to recent incidents (82%) and growing compliance demands (76%).

At the same time, the research revealed a major gap between threat detection and response. While 82% of organizations use real-time monitoring to detect suspicious activity, only 48% have automated incident response in place. Roughly one-third still rely on manual processes such as tickets, emails and human intervention to contain threats, increasing the likelihood that an attack can escalate into a full breach.

Mobile usage is another emerging risk. The survey found that 71% of organizations now receive between 21% and 60% of form submissions from mobile devices. However, mobile-specific protections lag behind desktop security controls. Only 23% of respondents consider certificate pinning essential, and although biometric authentication is used by 48%, it is rarely enforced for high-risk transactions.

As web forms continue to play a central role in customer engagement, onboarding, identity verification and service delivery, Kiteworks’ report argues that they must be treated as core security infrastructure rather than simple data collection tools.

The report recommends that organizations centralize form governance, implement end-to-end and field-level encryption validated to government standards, enforce data residency controls, link real-time monitoring with automated response and generate compliance evidence automatically.

Kiteworks is headquartered in Silicon Valley and provides a platform designed to secure the exchange of sensitive data across organizations. The company says its private data network is used by more than 1,500 enterprises and government agencies worldwide, protecting more than 100 million end users.

The full 2025 Data Forms Survey Report is now available.
