Organisations struggling to control sensitive content, study finds

Kiteworks, which delivers data privacy and compliance for sensitive content communications through its Private Content Network, has unveiled its 2024 Sensitive Content Communications Privacy and Compliance Report, offering critical insights into the current state of sensitive content communications.

The report, based on a comprehensive survey of 572 IT, security, risk management, and compliance leaders, reveals significant vulnerabilities and challenges faced by organisations in managing and securing their sensitive information.

Among the key findings, the report highlights significant global challenges in managing sensitive content communications. When data is sent or shared externally, 57% of global respondents said they cannot track, control, and report on these activities. Not surprisingly, compliance reporting is a major challenge, with 34% of respondents generating audit log reports over eight times per month to satisfy internal and external compliance requests. This frequent reporting requirement reflects the ongoing struggle to meet stringent regulatory demands.

Tim Freestone, Chief Strategy and Marketing Officer at Kiteworks, emphasises the urgency of addressing these vulnerabilities: “Our report uncovers significant gaps that organisations must address to protect their sensitive content and comply with increasingly stringent regulations. The insights provided are a call to action for businesses to re-evaluate their content communication strategies and invest in robust security solutions.”

Proliferation of content communication tools leads to risks

The 2024 Kiteworks report highlights significant shifts and ongoing challenges in the use of content communication tools. Nearly one-third of respondents said their organisations rely on six or more content communication tools. In addition to ratcheting up risks, managing this tool soup decreases operational efficiency and makes it difficult to generate consolidated audit logs.

Preventing leaks of intellectual property (IP) and sensitive secrets is a top priority for 56% of respondents, underscoring the critical importance of protecting valuable information assets. In contrast, fewer organisations prioritise the impact on brand reputation (15%) and cost savings (26%). This shift indicates a growing focus on the direct risks associated with data breaches and information leakage.

Particular sectors express heightened concerns over IP leakage. In the legal sector, for example, 75% of respondents cite this as a significant risk, reflecting the industry’s reliance on confidential information. Similarly, the oil and gas sector, with its proprietary technologies and sensitive data, shows considerable concern over IP leakage. These findings highlight the need for sector-specific strategies to address unique vulnerabilities and reinforce the importance of robust content communication practices across all industries.

Impact of data breaches

External malicious hacks of sensitive content communications remain a serious risk globally. 32% of organisations reported experiencing seven or more sensitive content communications breaches last year. This is a slight improvement on 2023, when 36% of organisations reported such breaches. However, 9% of respondents globally admitted they do not know if their sensitive content was breached, indicating a significant gap in advanced security detection and incident response capabilities.

The federal government sector reported the highest incidence of breaches, with 17% indicating they had 10 or more breaches and another 10% reporting seven to nine breaches. Alarmingly, 42% of security and defence organisations admitted to having seven or more breaches, highlighting the critical need for enhanced security measures in these sectors.

Geographically, APAC had the highest percentage of organisations reporting seven or more breaches, at 43%. This high number is concerning given the extensive third-party exchanges in the region. The legal costs associated with data breaches remain high, with 8% of organisations incurring over $7 million (£5.4m) in legal fees last year, and 26% reporting costs exceeding $5 million (£3.9m). Larger organisations, especially those with over 30,000 employees, faced even higher costs, with 24% reporting legal fees over $7 million.

Higher education emerged as the most affected industry, with 49% of respondents indicating they paid over $5 million in legal fees last year. Geographically, the Americas topped the list, with 27% of organisations reporting legal costs over $5 million, while 12% of EMEA respondents were unsure of the financial impact.

Organisations struggle to manage third-party risk

Managing third-party risk continues to be a significant challenge for organisations worldwide. The report reveals that 66% of organisations exchange sensitive content with 1,000 or more third parties, although this is a decrease from 84% in 2023. This reduction suggests that organisations are increasingly recognising the risks associated with extensive third-party interactions and are implementing measures to control access more effectively.

The APAC region has the highest volume of third-party connections, with 77% of organisations exchanging sensitive content with 1,000 or more third parties. Within the professional services sector, 51% of organisations exchange sensitive content with 2,500 or more third parties, significantly higher than the next highest industry, higher education, at 47%.

A concerning 39% of organisations globally are unable to track and control access to sensitive content once it leaves their domain. Surprisingly, compared to IT and risk management professionals, cybersecurity professionals cited greater confidence in their organisations’ ability to track and control access to content once it leaves their domains (48% said they track and control three-quarters or more). This issue is particularly pronounced in the EMEA region, where 43% of organisations admit to losing the ability to track and control access to more than half of their sensitive content once it is shared externally. Local government organisations face the greatest challenge, with 54% unable to track and control sensitive content after it leaves their organisation, followed by pharmaceutical and life sciences companies at 50%.

Sensitive content communications security needs improvement

The report underscores the pressing need for improvements in managing sensitive content security. Only 11% of organisations believe no improvement is needed, a significant drop from 26% in 2023. This indicates a growing awareness of security risks and the necessity for enhanced security measures. The need for significant improvements is especially pronounced in the professional services sector, with 47% of firms acknowledging this need, and in large organisations where over half of respondents from companies with 20,001 to 30,000 employees reported a need for significant improvement.

When it comes to using advanced security technology for internal sensitive content communications, only 59% of respondents indicate they do so all the time. The EMEA region lags, with only 53% consistently using advanced security measures, compared to 67% in the Americas and 57% in APAC. State governments are leading in this area, with 71% reporting consistent use of advanced security technologies, followed by higher education institutions at 65%.

Organisations are also prioritising security certifications and validation, with ISO 27001, 27017, and 27018 topping the list as the most critical certifications. These were followed by NIST 800-171/CMMC 2.0. Notably, 59% of EMEA organisations prioritise ISO certifications, higher than other regions. In contrast, IRAP was more frequently selected by APAC organisations. The findings reflect a strong regional focus on different security standards based on local regulatory environments.

File size limitations pose additional challenges, particularly in the energy and utilities sectors. About 34% of respondents implement over 50 workarounds monthly due to email file size restrictions. For managed file transfers and SFTP, 27% and 31% respectively face similar limitations. Energy and utility firms are significantly affected, with 29% encountering email file size issues 50 times or more monthly, and 36% facing managed file transfer limitations.

Compliance challenges persist for sensitive communications

This year, 56% of organisations indicated that they require some improvement in compliance management, a significant increase from 32% in 2023. This growing concern reflects the increasing complexity and stringency of regulatory requirements.

Key compliance concerns for organisations include GDPR and US state privacy laws, with 41% of respondents citing each as their primary compliance focus. This aligns with regional priorities, as a higher percentage of EMEA organisations emphasise GDPR compliance, while US organisations focus more on state privacy laws. Risk and compliance leaders pinpointed GDPR as their biggest compliance area (52%). IT leaders, in contrast, listed US State data privacy laws as their top priority (52%).

The frequency and burden of generating audit log reports remain substantial. About 34% of organisations report that they must generate audit logs more than eight times per month to satisfy internal and external compliance requests. This task consumes significant resources, with 31% of respondents spending over 2,000 staff hours annually compiling these reports. Larger organisations face an even greater burden, with 32% of those with over 30,000 employees spending more than 2,500 hours annually on compliance reporting.

Notable compliance gaps persist across various industries. For example, only 38% of security and defence contractors prioritise CMMC compliance, which poses a significant risk given the impending enforcement of CMMC 2.0. Failure to comply with these standards could result in the loss of Department of Defense contracts. These gaps highlight the critical need for organisations to prioritise and invest in robust compliance strategies to address evolving regulatory demands and mitigate associated risks.

Organisations struggle to classify data and assess risk

Organisations continue to face challenges in effectively classifying data and assessing associated risks. More than half (51%) of organisations report that less than 50% of their unstructured data is tagged and classified. This lack of comprehensive data classification poses significant risks as unstructured data often contains sensitive information that needs protection.

Additionally, 40% of organisations indicate that 60% or more of their unstructured data requires tagging and classification. This highlights the growing recognition of the importance of data management practices in mitigating security and compliance risks.

Sector-specific risks are also prominent. For instance, energy and utilities firms are particularly concerned about the integration of generative AI (GenAI) technologies, with 50% citing this as a significant risk. Higher education institutions focus on protecting personally identifiable information (PII), with 50% highlighting this concern. In the healthcare sector, 58% of organisations prioritise the protection of protected health information (PHI).

When it comes to data types that are the biggest risk, IT as well as risk and compliance leaders ranked financial documents (56% and 61% respectively) at the top of their lists. Cybersecurity leaders, in contrast, listed IP at the top of their risk priorities (51%) followed by financial documents (46%).

These findings underscore the critical need for organisations to enhance their data classification efforts and adopt tailored risk management strategies to address the unique challenges of their respective industries.

Actionable Kiteworks report outcomes

The 2024 Kiteworks report highlights an urgent need for organisations to address gaps in sensitive content communications security and compliance. As the threat landscape evolves, it is imperative for businesses to implement robust strategies to protect their sensitive information.

Patrick Spencer, VP of Corporate Marketing and Research at Kiteworks, emphasises the importance of sensitive content communications privacy and compliance: “The 2024 report exposes critical gaps in how organisations manage and secure their sensitive data. With a significant number of organisations experiencing multiple data breaches and struggling to meet compliance requirements, it is imperative that businesses take proactive steps to fortify their sensitive content communication strategies. The report’s findings underscore the need for organisations to adopt comprehensive solutions that incorporate next-generation digital rights management (DRM) capabilities. By maintaining control over sensitive content even after it has been shared externally, businesses can effectively mitigate risks and ensure the privacy and compliance of their most valuable information assets.”

Kiteworks addresses these challenges by providing a comprehensive Private Content Network for managing sensitive content communications. The platform offers advanced encryption, secure file sharing, and compliance management tools, all integrated into a single platform to enhance security and operational efficiency.

Recent next-gen DRM additions to the Kiteworks platform, SafeEDIT and SafeVIEW, further enhance the protection of sensitive content. SafeEDIT enables secure, tracked and controlled editing of and collaboration on sensitive documents. SafeVIEW provides a secure environment for viewing sensitive content, preventing unauthorised copying, printing, or sharing.

The post Organisations struggling to control sensitive content, study finds appeared first on Data Centre & Network News.
