Europe’s Collaboration Security Confidence Gap: Why Confidence in Your Tools Isn’t the Same as Control Over Your Data
Confidence is not a control. That distinction is the story hiding inside a new survey of IT professionals across the UK, France, and Germany, commissioned by communications provider Wire and reported by Dark Reading. On paper, European organizations sound secure: 84% of IT professionals say they’re confident in the security of their collaboration environments, and 79% trust their ability to control access to collaboration data. Read past the headline number, though, and the same survey population tells a very different story about what’s actually happening inside their environments.
Only 29% said their current tools were fully suitable for handling sensitive communications. Sixty-one percent said access to shared files often stays active longer than it should. Thirty-four percent struggle to even determine who has access to a given sensitive file, and 19% describe revoking that access, once granted, as very difficult. On the external collaboration side, where data leaves the organization’s own walls, the picture gets worse: 75% use the same email platform for internal and external communication, 45% lean on file-sharing links, 42% use consumer messaging apps for business content, and just 28% use a dedicated secure tool built for external collaboration.
This isn’t a story about a breach. No single organization named in the survey suffered an incident, and Wire’s data describes market-wide sentiment rather than a specific attack. That’s precisely what makes it useful. It’s a rare, structured look at how a large population of IT professionals actually perceives — and misjudges — the gap between “we feel secure” and “we can prove and enforce security.” For any organization running collaboration through email, consumer messaging apps, and ad hoc file-sharing links, this survey is a mirror, and the reflection shows exactly where governance breaks down.
Kiteworks secure data exchange exists because this gap between perceived and actual control is exactly the problem unified data governance is built to close. The rest of this post walks through what the numbers actually mean, why the confidence figures are misleading on their own, and what closing the gap looks like in practice.
Key Takeaways
1. Confidence and control are two different things, and most IT leaders are confusing them.
A new survey of UK, French, and German IT professionals found 84% confident in their collaboration security, yet only 29% believe their tools are fully suitable for handling sensitive communications.
2. Access doesn’t expire when it should.
Sixty-one percent of respondents said access to shared files often remains active longer than necessary, and 19% find it very difficult to revoke access once it has been granted. Data minimization principles — applied to access scope and duration at the moment of sharing — are the policy foundation for automatic expiration as a default behavior.
3. External collaboration runs on a fragmented, ungoverned tool stack.
Three-quarters of organizations use the same email platform for internal and external communication, 45% rely on file-sharing links, and 42% use consumer messaging apps to move sensitive content outside the company.
4. Visibility gaps are the root cause, not a side effect.
Thirty-four percent of IT professionals struggle to determine who currently has access to sensitive files, which makes governed offboarding and data breach response nearly impossible to execute reliably.
5. The fix is architectural, not behavioral.
Closing the gap requires unifying collaboration onto a single governed platform with per-file access controls, automatic expiration, and full audit logging rather than asking employees to use fragmented tools more carefully.
Why 84% Confidence and 29% Suitability Can Both Be True
It’s tempting to treat the 84% confidence figure and the 29% suitability figure as a contradiction. They aren’t. They’re measuring two different things, and understanding that difference explains almost everything else in the survey.
Confidence, as most respondents likely interpreted the question, measures whether the tools an organization already uses have held up so far — no visible breach, no headline incident, no obvious failure. That’s a backward-looking, availability-based judgment. It answers, “Has anything gone wrong that I know about?”
Suitability measures something forward-looking and much harder to assess: whether the tool’s actual architecture — its access controls, its logging, its ability to enforce policy consistently across every channel — is built to handle sensitive content by design. That’s the question that produces a 29% “yes.”
The gap between those two numbers is where risk lives undetected. An organization can go years without an obvious security failure while still lacking the underlying controls that would prevent or even reveal a slow, quiet data leak: an external partner who still has access to a shared folder eighteen months after the project ended, a sensitive contract sitting in a personal messaging thread, a departed employee’s file-sharing links that were never revoked. None of that shows up as an “incident” in the way that triggers a confidence downgrade. All of it shows up as unmanaged risk the moment a regulator, auditor, or attacker goes looking. For organizations managing personally identifiable information or other regulated data categories, that unmanaged risk carries specific notification and remediation obligations that confidence alone cannot satisfy.
This is also why security risk management programs that rely on self-reported confidence surveys or annual pen tests consistently underestimate exposure in collaboration environments. The tools aren’t failing loudly. They’re failing quietly, one ungoverned share at a time, and quiet failure doesn’t move a confidence number until it becomes a headline.
The Access Lifecycle Problem: Granting Is Easy, Revoking Is Hard
Look closely at the three numbers describing access management, and a pattern emerges that should worry any CISO more than the confidence figures reassure them. Sixty-one percent say access often stays active longer than necessary. Thirty-four percent struggle to determine who currently has access to sensitive files. Nineteen percent find revoking access, once granted, very difficult.
Put those together and you get a full description of a broken access lifecycle: granting access is simple and fast, because that’s the step everyone optimizes for — a new vendor needs a folder, a new partner needs a file, done in thirty seconds. But nobody has built the mirror-image process for taking access away when it’s no longer needed. There’s no consistent trigger, no owner, no system of record that flags a share for review when a project ends or a contract expires.
This is the classic asymmetry in access controls built on general-purpose collaboration tools rather than governed content platforms. Email attachments, consumer file-sharing links, and messaging app transfers all share the same structural flaw: once a file leaves the sender’s control, there is no reliable, centralized way to know who still has it, let alone to revoke it. A shared link doesn’t ask permission to keep working. An email attachment doesn’t check in with a policy engine before a recipient forwards it again. Attribute-based access control (ABAC) — where access decisions evaluate content sensitivity, user role, and temporal context simultaneously — is the technical mechanism that enforces contextual, time-bounded permissions that static role assignments and link sharing cannot replicate.
Contrast that with what digital rights management and per-file access governance are designed to do: tie access to the file itself, not to whoever happens to have a copy of it, so that permissions can be time-boxed, monitored, and revoked centrally regardless of where the file physically sits. That’s the architectural difference between “we sent it and hope it’s fine” and “we control it for its entire lifecycle.” The 19% who describe revocation as very difficult aren’t describing a training gap. They’re describing a tooling gap that training cannot fix.
The 34% who can’t determine current access holders face an even more acute version of the same problem. You cannot govern what you cannot see. Without a consolidated audit trail spanning every collaboration channel, “who has access to this file right now” becomes a question that requires manually checking email server logs, file-sharing platform admin consoles, and messaging app records separately — assuming those logs even exist and retain history long enough to matter. During an incident, that’s not an inconvenience. It’s the difference between a contained response and a breach notification with an unknown scope.
External Collaboration: Where Fragmentation Becomes Exposure
The internal numbers describe a governance problem. The external collaboration numbers describe something closer to an open door.
Seventy-five percent of surveyed organizations use the same email platform for internal and external communication. On its face, that sounds efficient — one platform, one inbox, one set of skills for everyone. In practice, it means the same email security posture designed for trusted internal traffic is being extended, largely unchanged, to communication with vendors, partners, contractors, and clients whose own security postures the sending organization has no visibility into and no control over. The supply chain risk management implications are direct: every external email recipient who has unrevoked access to sensitive files is a third-party exposure the organization cannot monitor or control through its own infrastructure.
Forty-five percent use file-sharing links for external collaboration — convenient, familiar, and almost impossible to govern once distributed. A link shared with one external recipient can be forwarded, and the sender typically has no way to know it happened, no expiration date enforced by default, and no centralized log of every access event. Forty-two percent use consumer messaging apps for business content moving outside the organization, tools built for personal conversation, not for data governance, retention policy, or regulatory audit trails.
Only 28% use a dedicated secure tool built specifically for external collaboration. That means, by the survey’s own numbers, roughly seven in ten organizations are managing their highest-risk data flows — the ones that cross the organizational boundary into environments the IT team doesn’t control — using tools that were never designed for that job. And 33% openly admit they lack confidence in retaining control over files once they’ve been shared externally, which is the honest, unvarnished version of what the other statistics are describing in aggregate.
This fragmentation compounds in a specific, predictable way. Every additional channel used for external collaboration — email, file-sharing links, consumer messaging, plus whatever the dedicated 28% are running — is a separate system with its own access controls, its own logging (or lack of it), and its own revocation mechanism (or lack of one). A security team trying to answer “what sensitive data have we shared with this vendor, and can we shut off access if the relationship ends” has to reconstruct the answer across four or five disconnected systems, each with incomplete visibility. That reconstruction takes time the organization rarely has during an actual incident, and it’s simply never attempted during normal operations, which is exactly how access lingers for months or years past its useful life.
Kiteworks secure file sharing and secure MFT were built around the opposite assumption: that internal and external content sharing should run through a single governed environment with consistent access controls, encryption, and logging regardless of which side of the organizational boundary the recipient sits on. That consolidation is what turns “we lack confidence in retaining control” into a question with a concrete, verifiable answer.
What Closing the Gap Actually Requires
The instinct after reading survey data like this is to reach for a training program or a policy memo: remind employees not to use consumer messaging apps for sensitive files, ask them to double-check who has access before sharing, add a line to the security awareness deck. That instinct is understandable and almost entirely wrong. The Wire survey doesn’t describe a population of careless employees. It describes IT professionals — people whose job is security — reporting that their own tools don’t give them the suitability, visibility, or revocation capability they need. You cannot train your way out of a tooling limitation.
Closing the gap requires four specific architectural capabilities that fragmented email, link-sharing, and messaging tools were never designed to provide together in one place.
First, unified access controls that apply the same policy logic whether the recipient is an employee, a vendor, or a client. Second, per-file governance rather than per-platform governance, so that permissions travel with the content itself and can be adjusted or revoked without needing to know every place a copy might exist. Third, automatic expiration as a default behavior rather than a manual afterthought, so access that “stays active longer than necessary” becomes structurally rare instead of the norm 61% of respondents describe. Fourth, a single audit trail spanning every collaboration channel, so the 34% who currently can’t answer “who has access to this file” have an actual answer, in seconds, not a multi-system investigation.
A CISO Dashboard that surfaces active shares, stale permissions, and external access in one view turns the survey’s most alarming statistics into a solvable operational problem rather than a standing risk. Instead of asking “does anyone remember who we shared that contract with,” the answer is a query away. Instead of hoping a departed vendor’s link access expired on its own, expiration is enforced by policy at the moment access was granted. Connecting this visibility layer to a SIEM platform gives security teams behavioral alerting when access patterns deviate from the established baseline — the detection layer that converts the survey’s “quiet failures” into observable, actionable signals before they become reportable incidents.
None of this requires abandoning email or messaging entirely — employees will always need familiar communication channels. It requires routing the sensitive content itself, the files and data that actually carry risk, through a governed layer that sits underneath and across those channels, enforcing consistent policy no matter which app the conversation happens to be in. That’s the practical difference between confidence based on absence of evidence and confidence based on actual, demonstrable control.
Regulatory Pressure Is Raising the Cost of the Confidence Gap
European organizations don’t have the luxury of treating this gap as a someday problem. The regulatory environment across the UK, France, and Germany has moved decisively toward requiring exactly the kind of demonstrable control this survey shows is largely missing.
GDPR has required organizations to know where personal data lives and who can access it for years, but enforcement has sharpened, and regulators increasingly expect organizations to produce evidence, not assurances, during an investigation. The NIS 2 Directive, now in force across EU member states including France and Germany, extends cybersecurity risk management obligations to a much broader set of “essential” and “important” entities and explicitly requires supply chain security measures — a direct hit on organizations that still lean on email, file-sharing links, and consumer messaging apps for the external collaboration the directive is most concerned about. Financial services organizations face DORA requirements around third-party risk and ICT incident reporting that assume the organization can actually trace where sensitive data has gone and who touched it.
The common thread across all three frameworks is the same distinction the Wire survey draws out: regulators are done accepting confidence as a substitute for control. An organization that says “we’re confident in our security” during a GDPR compliance inquiry or a NIS2 compliance audit will be asked to show the access logs, the revocation records, and the current permission list for the data set in question. If the honest answer is “34% of the time we can’t determine who has access,” that’s not a communications problem. It’s an audit trail and data governance gap that regulators are now specifically empowered, and increasingly inclined, to penalize.
Organizations still running external collaboration through fragmented, unlogged channels are positioning themselves for that scrutiny at the worst possible time — after enforcement catches up to the gap, not before. The Kiteworks 2026 Data Security and Compliance Risk: Annual Forecast Report tracks this kind of regulatory and third-party risk exposure across industries and is a useful benchmark for organizations trying to gauge where their own external collaboration practices stand.
From Confidence to Verifiable Control
The most useful thing about the Wire survey is what it doesn’t say. It doesn’t claim European organizations are careless, and it doesn’t describe a specific breach anyone should panic about. What it does is give a large, structured population of IT professionals a chance to describe their own environment honestly, and what they described is a gap between the confidence they feel and the control they can actually demonstrate.
That gap is closeable, and closing it doesn’t require a different level of vigilance from employees who are already stretched thin. It requires a different architecture: one where access controls are consistent across internal and external collaboration, where access expires by default instead of by exception, where a single audit trail answers “who has access to this right now” without a multi-system investigation, and where revocation is a policy action rather than a manual scramble across five different tools.
Kiteworks secure data exchange consolidates the fragmented email, file-sharing link, and consumer messaging channels this survey describes into a single governed environment built specifically to close the confidence-versus-control gap — for internal teams and external partners alike. The Kiteworks Private Data Network extends this unified governance across every content communication channel, giving organizations the demonstrable control that GDPR, NIS2, and DORA enforcement increasingly demand.
To learn more about closing the gap between collaboration security confidence and verifiable control, schedule a custom demo today.
Frequently Asked Questions
It refers to the disconnect between how secure IT professionals feel about their collaboration tools and how suitable those tools actually are for handling sensitive data. In the Wire-commissioned survey, 84% expressed confidence in their security, but only 29% considered their tools fully suitable for sensitive communications. The gap matters because confidence based on the absence of a visible incident doesn’t hold up under regulatory scrutiny, an audit, or an actual breach investigation, all of which require organizations to demonstrate access controls and audit trails, not just report a feeling. Organizations subject to regulatory compliance obligations — GDPR, NIS2, DORA — face the starkest consequences from this gap: a supervisory authority inquiry will demand documented evidence of access control and revocation capability, not a confidence survey score.
Most collaboration tools optimize heavily for granting access quickly and provide little to no structured process for revoking it. Email attachments, file-sharing links, and consumer messaging apps generally don’t expire automatically, don’t track every place a file has ended up, and don’t flag stale permissions for review when a project or contract ends. Sixty-one percent of surveyed IT professionals reported this exact problem, and fixing it requires per-file access controls with built-in expiration rather than relying on someone remembering to manually revoke access later. Applying data minimization principles at the access provisioning stage — setting the shortest defensible access duration as the default rather than open-ended sharing — is the policy foundation that makes automatic expiration operationally sustainable.
External collaboration extends the organization’s data outside environments it directly controls, and the survey shows most organizations do this through tools built for convenience, not governance: 75% use the same email platform internally and externally, 45% use file-sharing links, and 42% use consumer messaging apps. Only 28% use a dedicated secure tool for external collaboration. Each of these channels has its own weak or nonexistent access controls and logging, so sensitive content shared externally is far harder to track, audit, or revoke than content that stays within a single internal system. The supply chain risk management dimension compounds this: every external partner holding unrevoked file access represents a third-party exposure the organization cannot monitor or shut down through its own security infrastructure.
No. The survey respondents are IT professionals describing limitations in their own tools, not gaps in employee awareness. Thirty-four percent can’t determine who has access to sensitive files and 19% find revocation very difficult because the underlying platforms lack unified access controls, centralized audit trails, and automatic expiration — structural gaps that require an architectural fix, specifically consolidating collaboration onto a governed platform, rather than a training or policy fix. A documented incident response plan that includes a “determine current file access holders” step will quickly surface whether the underlying tooling can actually answer that question — organizations that find they cannot should treat the tooling gap as the incident response risk it is, not a future roadmap item.
Both frameworks require organizations to demonstrate, not just assert, that they know where sensitive data resides, who can access it, and how third-party and supply chain data sharing is secured. GDPR enforcement increasingly expects documented access controls and audit evidence, while the NIS 2 Directive specifically extends cybersecurity obligations to supply chain and third-party data sharing across EU member states, including France and Germany. An organization that cannot answer “who currently has access to this file” during a regulatory inquiry faces direct compliance exposure, not just reputational risk. DORA compliance adds a financial services dimension: ICT incident reporting and third-party risk management obligations under DORA require organizations to trace exactly where sensitive data has gone and who touched it — the same demonstrable control the Wire survey shows most European organizations currently lack.
Additional Resources
- Blog Post Zero Trust Architecture: Never Trust, Always Verify
- Video Microsoft GCC High: Disadvantages Driving Defense Contractors Toward Smarter Advantages
- Blog Post How to Secure Classified Data Once DSPM Flags It
- Blog Post Building Trust in Generative AI with a Zero Trust Approach
- Video The Definitive Guide to Secure Sensitive Data Storage for IT Leaders