Cyentia IRIS 2025 Pre-Release Insights: Actionable Data Security and Compliance Takeaways for Enterprise Leaders


Congratulations to Professor Wade Baker and the exceptional teams at Cyentia and Feedly for an eye-opening pre-release webinar on May 28 that gave us an exclusive preview of the upcoming 2025 Information Risk Insights Study (IRIS). While we’ll have to wait until June for the full report, the insights shared during this session are too critical to sit on. What Wade revealed challenges everything we thought we knew about protecting corporate data.

If you’re responsible for data security or compliance at your organization, clear your calendar for the next 15 minutes. What you’re about to read from the webinar preview could be the difference between explaining a breach to regulators next quarter or preventing one entirely. The numbers Wade shared are stark: 9.3% of organizations will experience a significant security incident this year, with extreme losses reaching $786.9 million. But here is what should really grab your attention: your biggest threat isn’t some shadowy hacker group breaking in. It’s an attacker logging in with the valid credentials that already exist in your organization right now.

Having attended the May 28 pre-release webinar, we were struck not just by the escalation in threats, but by how fundamentally the game has changed. Traditional security approaches aren’t just failing—they’re becoming irrelevant. While we eagerly await the full report in June, let’s dive into the key insights Wade and the Feedly team shared about what this means for your data security and compliance programs.

What Is the Cyentia IRIS Report and Why Should the Preview Worry You?

The Cyentia Information Risk Insights Study (IRIS) represents the gold standard in evidence-based security analysis. Unlike vendor-sponsored reports that often paint partial pictures, IRIS draws from comprehensive incident data across industries, company sizes, and attack types to deliver unbiased insights into real-world threats.

Wade Baker, Cyentia’s co-founder and data scientist extraordinaire, brings decades of experience from his time leading Verizon’s Data Breach Investigations Report team. His methodology focuses on actionable intelligence rather than fear mongering, which is why security leaders worldwide eagerly await each year’s findings. The partnership with Feedly adds another dimension, incorporating real-time threat intelligence to provide forward-looking insights alongside historical analysis.

During the May 28 webinar, Wade gave us a tantalizing preview of what’s coming in the full report this June. What sets IRIS apart is its commitment to statistical rigor. Every finding undergoes peer review, every statistic includes confidence intervals, and every recommendation stems from actual incident data rather than speculation. When Wade says supply chain attacks are 6x more prevalent than reported, he’s not guessing—he’s showing you what the data reveals when you look beyond surface-level reporting.

The timing of this pre-release couldn’t be more critical. With regulatory enforcement intensifying, cyber insurance becoming harder to obtain, and breach costs skyrocketing, organizations can’t afford to wait until June to start adapting their security strategies. The insights Wade shared demand immediate attention and action.

5 Critical Findings from the Pre-Release That Demand Immediate Action

During the webinar, Wade revealed five game-changing insights that every security and compliance leader needs to understand—even before the full report drops in June:

  1. Valid account compromises remain the #1 attack vector across all organization sizes. This preview finding confirms what many suspected but couldn’t prove: attackers prefer using legitimate credentials over sophisticated exploitation. When valid accounts become the weapon of choice, controls that satisfy your compliance frameworks on paper can be walked straight through by a session that is, technically, authorized.
  2. Supply chain attacks are 6x more prevalent than traditional reporting suggests. Wade’s preview analysis shows that while incident reports typically rank these attacks 9th in frequency, actual prevalence data places them 3rd. This massive disconnect, revealed for the first time in the webinar, means most organizations drastically underestimate their third-party risk exposure.
  3. The 9.3% incident rate represents a 3.7x increase since 2008. This stunning statistic from the preview means nearly one in ten organizations will experience a significant security incident this year. Wade emphasized this is higher than the percentage of businesses that will face traditional disasters combined.
  4. Median losses have exploded to $3.2 million—a 20x increase. The webinar revealed this isn’t gradual growth; it’s an explosion that fundamentally changes the economics of cybersecurity. When a single incident costs more than many companies’ entire annual security budgets, prevention becomes existential.
  5. Organizations over $10B revenue face 620x higher incident rates. This preview finding shows large enterprises aren’t just bigger targets—they’re fundamentally different targets. Wade explained how operational complexity creates exponentially more attack surface, leading to near-certain breach scenarios.

Deep Dive: Identity and Access Management Crisis

Why are valid credentials the biggest security threat facing organizations today? The answer lies in a fundamental mismatch between how we’ve built security and how modern businesses operate.

Traditional security models assume threats come from outside, so we build walls: firewalls, intrusion detection systems, network segmentation. But when attackers use valid credentials, they’re not breaking in; they’re logging in. They pass every perimeter control and every signature tuned to recognize an intruder, because to those controls they look exactly like authorized users. Technically, they are. Only controls that compare an authorized action against what that identity normally does have any chance of noticing.

The compliance implications are staggering. GDPR Article 32 requires “appropriate technical and organizational measures” to ensure security. But what’s appropriate when the attack vector is indistinguishable from normal usage? CCPA demands “reasonable security procedures,” but how do you define reasonable when legitimate access becomes the weapon?

During the webinar, Wade emphasized that the data shows valid account compromises consistently ranking first across every industry, every company size, every geographic region. This isn’t a targeted problem affecting specific sectors—it’s universal. The preview made clear that attackers have realized stealing or buying credentials is far easier than exploiting technical vulnerabilities. Why break down the door when you can steal the keys?

Zero-trust architecture emerges as the necessary response, but implementing it requires fundamental changes to how organizations operate. Every access request must be verified, every session continuously validated, every permission regularly reviewed. It’s not just a technology shift—it’s a complete rethinking of trust in digital systems.

The cost of inaction? Wade’s preview data suggests organizations clinging to perimeter-based security face incident rates 3x higher than those implementing zero-trust principles. When every employee, contractor, and partner represents a potential compromise vector, identity truly becomes the new perimeter.

Hidden Supply Chain Compliance Time Bomb

Third-party risk has transformed from a procurement concern to an existential threat. The webinar’s revelation that supply chain attacks are 6x more prevalent than reported should send shockwaves through every boardroom—and Wade indicated the full June report will provide even more alarming details.

Traditional vendor assessments—annual questionnaires, SOC 2 reports, contract clauses—are security theater in today’s threat landscape. By the time you review last year’s assessment, your vendor might have experienced multiple unreported compromises. The 94-day median remediation time for leaked credentials means attackers have a three-month window to exploit your trusted relationships.

GDPR explicitly requires organizations to ensure their data processors maintain appropriate security measures. Article 28 demands written contracts, security guarantees, and audit rights. But how can you demonstrate compliance when you don’t even know your vendors have been compromised? The regulation assumes visibility that simply doesn’t exist in most vendor relationships.

Recent high-profile breaches illustrate the cascade effect. When Change Healthcare fell to ransomware, thousands of healthcare providers couldn’t process claims. When CDK Global was compromised, car dealerships nationwide ground to a halt. When Blue Yonder faced attacks, retail supply chains froze. Each incident started with a single vendor compromise but rippled through entire industries.

The “trusted relationship” attack vector particularly targets mid-size and large organizations, exploiting the very connections that enable modern business. Attackers know that once inside a trusted vendor’s environment, they can move laterally to customers with minimal detection risk. Your security is only as strong as your weakest vendor’s security—and you probably don’t even know who that is.

Building a continuous monitoring program isn’t optional anymore. Organizations need real-time visibility into vendor security postures, automated alerts for compromises, and rapid response capabilities for third-party incidents. The days of annual assessments and paper attestations are over. In the interconnected economy, your vendors’ risks are your risks, and their breaches are your breaches.

Small Business, Big Target: The 70% Reality

The webinar preview demolished the myth that cybercriminals only target large enterprises. With 70% of incidents affecting organizations under $100M in revenue, small and medium businesses find themselves squarely in the crosshairs—facing the same sophisticated attacks as Fortune 500 companies but without comparable resources to defend against them.

The numbers Wade shared tell a brutal story. While large enterprises deal with ransomware in 39% of their breaches, small businesses see it in 88% of incidents. The median loss of 0.65% of annual revenue might sound manageable until you realize that for a $10M company, that’s $65,000—often the difference between profit and loss for the year. For businesses operating on thin margins, a single incident can trigger a downward spiral.

Why do attackers love smaller targets? Simple economics. Smaller organizations typically have weaker security controls, limited IT staff, and minimal security budgets. They’re subject to the same regulations as larger companies—GDPR doesn’t care about your revenue—but lack compliance expertise. They’re required to implement “appropriate technical measures” but can’t afford enterprise-grade solutions.

The compliance burden hits especially hard. A small medical practice faces the same HIPAA requirements as a major hospital system; the Security Rule lets a covered entity scale how it implements safeguards, not whether it implements them. A regional retailer must meet the same PCI DSS requirements as a national chain; merchant levels change only how compliance is validated, not what has to be in place. A startup processing European data confronts the same GDPR obligations as a multinational corporation. The regulations assume resources that simply don’t exist.

But there’s hope in the preview data. Wade showed that focused investments in basic controls—multi-factor authentication, regular patching, employee training—dramatically reduce incident rates even for resource-constrained organizations. The key is prioritization. Small businesses can’t do everything, but they can do the right things. Understanding which controls provide maximum protection for minimum investment becomes crucial for survival in this threat landscape. The full report in June will reportedly include a detailed SMB security roadmap.

Translating Preview Findings into Your Compliance Program

While we await the full report, the webinar findings already provide a roadmap for strengthening your compliance posture across every major regulatory framework.

For GDPR Compliance:

GDPR’s 72-hour breach notification clock starts when you become aware of a breach, so the deadline itself is not the hard part. Awareness is. With valid account compromises often going undetected for months and supply chain attacks hiding in trusted relationships, an organization can be compromised for a quarter without a reportable event ever reaching the people who would report it. Wade suggested implementing continuous monitoring specifically designed to detect misuse of authorized access, not just unauthorized access.

Data residency challenges multiply when considering the 620x higher incident rate for large organizations. Multi-national companies must assume they’re experiencing reportable incidents across multiple jurisdictions simultaneously. This requires pre-positioned incident response teams in each region, pre-drafted notification templates in local languages, and clear escalation procedures that can activate within hours, not days.

For CCPA/State Privacy Laws:

The “reasonable security” standard takes on new meaning when 9.3% of organizations experience incidents. Courts and regulators will increasingly view traditional perimeter security as unreasonable given its documented failure rate. Organizations must demonstrate they’ve adapted their security programs to address the actual threat landscape, not theoretical risks.

Vendor contract requirements become critical given the 6x underreporting of supply chain attacks. Standard contract language requiring “industry-standard security” means nothing when the industry standard fails. Contracts need specific security requirements, continuous monitoring obligations, and rapid notification timelines—measured in hours, not days.

For HIPAA:

The minimum necessary standard faces new challenges when valid credentials provide unlimited access. How do you enforce minimum necessary when compromised accounts can access everything the legitimate user could? The answer requires dynamic access controls that adjust based on behavior, not just identity.
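The detection the Deep Dive above, the GDPR paragraph and this HIPAA point all ask for comes down to one mechanism: compare each authenticated action against that identity’s own history rather than against an intruder signature. The Python below is an added example, not code from the IRIS report, the webinar or the Kiteworks product. The JSON-lines log format, the field names, the weights and thresholds and the six-hour travel window are assumptions, and the events are constructed: a week of ordinary activity for one user, a session that reuses that user’s valid credentials from an unknown device without MFA, and the real user’s next login.

```python
"""Score authenticated activity against each user's own history.

Added illustration. The JSON-lines log format, field names, weights and
thresholds are assumptions, and the events below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: a week of ordinary activity for jsmith, then a session that uses
# jsmith's valid credentials from an unknown device without MFA, then the real user's
# next login. mlee has no history at all.
SAMPLE_LOG = """\
{"ts":"2025-05-01T09:02:00Z","user":"jsmith","event":"login","country":"US","device":"lt-4481","mfa":true,"bytes":0}
{"ts":"2025-05-01T10:15:00Z","user":"jsmith","event":"download","country":"US","device":"lt-4481","mfa":true,"bytes":120000}
{"ts":"2025-05-02T08:55:00Z","user":"jsmith","event":"login","country":"US","device":"lt-4481","mfa":true,"bytes":0}
{"ts":"2025-05-02T14:40:00Z","user":"jsmith","event":"download","country":"US","device":"lt-4481","mfa":true,"bytes":95000}
{"ts":"2025-05-05T09:10:00Z","user":"jsmith","event":"login","country":"US","device":"lt-4481","mfa":true,"bytes":0}
{"ts":"2025-05-06T16:30:00Z","user":"jsmith","event":"download","country":"US","device":"lt-4481","mfa":true,"bytes":210000}
{"ts":"2025-05-07T09:00:00Z","user":"jsmith","event":"login","country":"US","device":"lt-4481","mfa":true,"bytes":0}
{"ts":"2025-05-08T03:14:00Z","user":"jsmith","event":"login","country":"RO","device":"unk-9f3c","mfa":false,"bytes":0}
{"ts":"2025-05-08T03:21:00Z","user":"jsmith","event":"download","country":"RO","device":"unk-9f3c","mfa":false,"bytes":48000000}
{"ts":"2025-05-08T09:03:00Z","user":"jsmith","event":"login","country":"US","device":"lt-4481","mfa":true,"bytes":0}
{"ts":"2025-05-08T09:10:00Z","user":"mlee","event":"login","country":"DE","device":"lt-7720","mfa":true,"bytes":0}
"""

BASELINE_CUTOFF = datetime(2025, 5, 8)   # activity before this date is the baseline
TRAVEL_WINDOW = timedelta(hours=6)        # two countries inside this window is treated as impossible
MIN_BULK_BYTES = 10_000_000               # floor, so a user with no download history still has a threshold
ALERT_THRESHOLD = 4
WEIGHTS = {"new_country": 2, "new_device": 2, "mfa_missing": 3,
           "off_hours": 1, "impossible_travel": 4, "bulk_download": 3}


def parse_log(text):
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def build_baselines(events, cutoff):
    """Per-user picture of normal: countries, devices, active hours, MFA habit, largest download."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set(),
                                "always_mfa": True, "max_bytes": 0})
    for e in events:
        if e["ts"] >= cutoff:
            continue
        b = base[e["user"]]
        b["countries"].add(e["country"])
        b["devices"].add(e["device"])
        b["hours"].add(e["ts"].hour)
        if e["event"] == "login" and not e["mfa"]:
            b["always_mfa"] = False
        if e["event"] == "download":
            b["max_bytes"] = max(b["max_bytes"], e["bytes"])
    return dict(base)


def score_events(events, cutoff):
    """Score every event at or after `cutoff` against its user's baseline."""
    baselines = build_baselines(events, cutoff)
    last_login = {}
    results = []
    for e in events:
        user, reasons = e["user"], []
        if e["event"] == "login":
            prev = last_login.get(user)
            # The legitimate user's next login is usually what trips this check, because the
            # attacker's session from another country came just before it.
            if (e["ts"] >= cutoff and prev is not None and prev["country"] != e["country"]
                    and e["ts"] - prev["ts"] < TRAVEL_WINDOW):
                reasons.append("impossible_travel")
            last_login[user] = e
        if e["ts"] < cutoff:
            continue
        base = baselines.get(user)
        if base is None:
            # No history to compare against: route to a human instead of auto-scoring.
            results.append({"ts": e["ts"], "user": user, "score": 0,
                            "reasons": ["no_baseline"], "alert": False})
            continue
        if e["country"] not in base["countries"]:
            reasons.append("new_country")
        if e["device"] not in base["devices"]:
            reasons.append("new_device")
        if e["event"] == "login" and base["always_mfa"] and not e["mfa"]:
            reasons.append("mfa_missing")
        if not (min(base["hours"]) - 1 <= e["ts"].hour <= max(base["hours"]) + 1):
            reasons.append("off_hours")
        if e["event"] == "download" and e["bytes"] > max(5 * base["max_bytes"], MIN_BULK_BYTES):
            reasons.append("bulk_download")
        score = sum(WEIGHTS[r] for r in reasons)
        results.append({"ts": e["ts"], "user": user, "score": score,
                        "reasons": reasons, "alert": score >= ALERT_THRESHOLD})
    return results


def run_sample():
    return score_events(parse_log(SAMPLE_LOG), BASELINE_CUTOFF)


if __name__ == "__main__":
    for r in run_sample():
        flag = "ALERT " if r["alert"] else "      "
        print(f"{flag}{r['ts']:%Y-%m-%d %H:%M} {r['user']:<8} score={r['score']:<2} {','.join(r['reasons'])}")
```

Three events alert: the 03:14 login (new country, new device, no MFA, off hours), the 03:21 bulk download, and the real user’s 09:03 login, which is flagged for impossible travel against the attacker’s session. The unknown user mlee is surfaced as “no baseline” rather than scored, because a rule set that has never seen an identity has nothing to compare it to. In production the baseline would come from weeks of SIEM data and the weights would be tuned per population, but the structure is the point of the passage above: the authorized action is judged against the identity’s own history, not against an intruder signature.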

Business Associate Agreements need fundamental revision. The traditional annual assessment model can’t address the reality that your business associates face the same 9.3% incident rate. Healthcare organizations need continuous assurance, not point-in-time attestations.

For CMMC 2.0:

The defense industrial base can’t ignore these findings. With supply chain attacks ranking 3rd in actual prevalence, the entire CMMC framework’s emphasis on flow-down requirements gains new urgency. Every contractor and subcontractor represents a potential entry point for nation-state actors seeking defense information.

Your 90-Day Action Plan

Don’t wait for the full June report—transform these preview insights into action with this prioritized implementation roadmap:

Days 1-30: Assessment Phase

Start with a comprehensive identity and access audit. Document every account with elevated privileges, every service account, every API key. The valid account compromise threat means you need perfect visibility into who can access what. Don’t trust your current documentation—verify everything.

Create a real third-party inventory. Not just direct vendors, but subprocessors, cloud services, and anyone who touches your data. The 6x underreporting means your current vendor list probably misses critical relationships. Include shadow IT and departmental purchases that bypass procurement.

Establish your baseline incident rate. Look back 24 months and document every security event, no matter how minor. The 9.3% benchmark means nothing if you don’t know your own rate. Include near-misses and prevented incidents—they reveal where your controls actually work.

Perform a brutal compliance gap analysis. Compare your current controls against the IRIS findings, not just regulatory checklists. Where would valid account compromises bypass your defenses? How would you detect supply chain attacks? Be honest about weaknesses—denial won’t stop attackers.
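The first step of the assessment phase above, documenting every privileged account, service account and API key and verifying rather than trusting the existing paperwork, is the part of the plan that can be scripted. The Python below is an added example, not code from the webinar, the IRIS report or the Kiteworks product. It reads a constructed identity export and reports the gaps that matter most when valid credentials are the attack vector: privileged identities without enforced MFA, dormant accounts, unrotated secrets, identities with no active owner, and identities that exist in the directory but not in the access register. The CSV columns, the 90-day dormancy and rotation windows and the severity scheme are assumptions, not any identity provider’s real export format.

```python
"""Audit an identity inventory for the gaps that matter when valid credentials are the attack vector.

Added illustration. The CSV layout, the dormancy and rotation windows and the
severity scheme are assumptions, not any identity provider's real export; the
inventory below is constructed.
"""
import csv
import io
from datetime import datetime, timedelta

INVENTORY_CSV = """\
id,type,privileged,mfa_enforced,last_login,secret_rotated,owner,owner_active,documented
jsmith,user,true,true,2025-05-20,2025-03-01,jsmith,true,true
asvc-backup,service,true,false,2025-05-21,2024-09-15,bwong,false,true
api-key-payments,api_key,false,false,2025-05-19,2025-01-10,pdiaz,true,false
tlee,user,true,false,2025-02-03,2025-02-01,tlee,true,true
admin-legacy,user,true,false,,2023-11-30,,false,false
rnair,user,false,true,2025-05-22,2025-04-10,rnair,true,true
"""

AS_OF = datetime(2025, 5, 28)                    # audit date (assumed)
DORMANT_AFTER = timedelta(days=90)                # no sign-in for this long counts as dormant
ROTATE_AFTER = {"service": timedelta(days=90),    # machine credentials rotate quarterly
                "api_key": timedelta(days=90),
                "user": timedelta(days=365)}      # human passwords at most yearly; MFA does the real work


def _date(value):
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def parse_inventory(text):
    """Turn the CSV export into typed records; empty cells become None/False."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "id": row["id"],
            "type": row["type"],
            "privileged": row["privileged"] == "true",
            "mfa_enforced": row["mfa_enforced"] == "true",
            "last_login": _date(row["last_login"]),
            "secret_rotated": _date(row["secret_rotated"]),
            "owner": row["owner"] or None,
            "owner_active": row["owner_active"] == "true",
            "documented": row["documented"] == "true",
        })
    return records


def audit(text, as_of=AS_OF):
    """Return one finding per gap; anything on a privileged identity is 'high' severity."""
    findings = []
    for a in parse_inventory(text):
        problems = []
        # API keys have no interactive login, so the MFA check applies to users and service accounts.
        if a["type"] in ("user", "service") and a["privileged"] and not a["mfa_enforced"]:
            problems.append(("privileged_no_mfa", "privileged identity without enforced MFA"))
        if a["last_login"] is None:
            problems.append(("dormant", "never signed in"))
        elif as_of - a["last_login"] > DORMANT_AFTER:
            problems.append(("dormant", f"last sign-in {(as_of - a['last_login']).days} days ago"))
        window = ROTATE_AFTER.get(a["type"], timedelta(days=365))
        if a["secret_rotated"] is None or as_of - a["secret_rotated"] > window:
            problems.append(("stale_secret", f"credential not rotated within {window.days} days"))
        if a["owner"] is None or not a["owner_active"]:
            problems.append(("orphaned", "no active owner to answer for this identity"))
        if not a["documented"]:
            problems.append(("undocumented", "present in the directory, absent from the access register"))
        severity = "high" if a["privileged"] else "medium"
        findings.extend({"id": a["id"], "finding": kind, "severity": severity, "detail": detail}
                        for kind, detail in problems)
    return findings


def summarize(findings):
    """Count findings by type, so the gap analysis has numbers rather than adjectives."""
    counts = {}
    for f in findings:
        counts[f["finding"]] = counts.get(f["finding"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(INVENTORY_CSV)
    for f in sorted(results, key=lambda f: (f["severity"] != "high", f["id"])):
        print(f"{f['severity']:<6} {f['id']:<18} {f['finding']:<18} {f['detail']}")
    print(summarize(results))
```

On the constructed inventory the two clean accounts produce nothing and the forgotten “admin-legacy” account produces every finding at once: privileged, no MFA, never signed in, a secret last rotated in 2023, no owner, and not in the register. That is the account a valid-credential attacker wants, and it is exactly the kind of entry the documentation would not have shown you. Run the same logic against a real export every night, not once a year, and feed the counts into the gap analysis in the last step above.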

Days 31-60: Quick Wins Phase

Implement MFA everywhere, starting with privileged accounts and expanding outward. The preview shows this single control dramatically reduces successful compromises. Prefer phishing-resistant methods (FIDO2/WebAuthn security keys or platform passkeys) for administrators and anyone with access to sensitive data, because one-time codes and push approvals can be relayed or fatigued by the same attackers who steal passwords. Don’t accept exceptions: every account that can access sensitive data needs multi-factor protection, and legacy protocols that let a client authenticate around MFA need to be disabled.

Conduct rapid vendor assessments focusing on your top 20% highest-risk relationships. Don’t wait for annual reviews. Ask specific questions about their identity management, incident history, and customer notification procedures. Terminate relationships with vendors who can’t provide satisfactory answers.

Update incident response plans to address valid account compromises and supply chain attacks specifically. Traditional plans assume you’ll detect breaches through technical indicators. The IRIS findings show you need behavioral detection and third-party monitoring integration.

Launch emergency employee training on account security. Skip the generic phishing videos. Focus on password managers, MFA usage, and recognizing account takeover attempts. Make it personal—explain how their compromised account could cost millions.

Days 61-90: Strategic Implementation Phase

Develop your zero-trust roadmap with realistic timelines and budgets. The report proves perimeter security has failed, but replacement takes time. Start with critical systems and expand outward. Focus on quick wins that demonstrate value to secure ongoing funding.

Deploy continuous monitoring for both internal systems and vendor environments. The 94-day credential exposure window Wade mentioned demands real-time detection. Automated systems can alert you to compromises before attackers fully exploit them.

Prepare board-level risk communications that translate the preview findings into business impact. Directors need to understand that the 9.3% incident rate isn’t a technology problem—it’s a business survival issue. Use the $3.2M median loss figure to justify security investments now, before the full report creates industry-wide budget competition.

Reallocate budgets from failed perimeter defenses to identity management and third-party risk programs. The preview data proves where attacks actually originate. Stop investing in yesterday’s solutions and fund tomorrow’s defenses before the June report drives up demand for security resources.

ROI of Proactive Data Security

What is the return on investment for implementing these security measures? The preview data provides compelling math that every CFO needs to understand before the full report drops.

Start with the basics: median breach costs have reached $3.2 million, while extreme losses hit $786.9 million. Compare that to the cost of implementing robust identity management, third-party monitoring, and zero-trust architecture, typically 5% to 10% of the potential loss amount. Done properly, the comparison is against expected loss rather than the full median: at a 9.3% annual incident rate, a $3.2 million median loss works out to roughly $300,000 of expected loss per year, which already lands in the range of those control costs before any of the tail risk is counted. The ROI calculation stays straightforward: spend hundreds of thousands to avoid losing millions.

But direct costs tell only part of the story. Compliance fines under GDPR can reach 4% of global revenue. For a $1B company, that’s $40 million—far exceeding any security budget. Add litigation costs, which the report shows increasing 40% year-over-year, and the financial argument becomes overwhelming.

Consider opportunity costs. The webinar revealed how breaches create 3-6 months of operational disruption while organizations recover. During that time, new initiatives stall, customer acquisition slows, and competitive advantage erodes. Companies that avoid breaches maintain momentum while competitors struggle with recovery.

Reputation value defies easy calculation but drives long-term success. Wade’s analysis indicates that organizations with strong security postures experience 25% less customer churn following industry breaches. When your competitor suffers a breach, their customers look for alternatives. Strong security becomes a competitive differentiator, not just a cost center.

How Kiteworks Addresses the Cyentia Preview’s Critical Findings

The webinar insights align remarkably with the security challenges Kiteworks has been helping organizations solve. Let’s examine how our Private Data Network approach directly addresses each critical finding Wade revealed.

Combating the #1 Threat: Valid Account Compromises

Kiteworks implements robust role-based and attribute-based access controls within its Private Data Network, delivering the zero-trust architecture the preview findings recommend. Rather than trusting users based on credentials alone, our platform continuously validates access rights based on context, behavior, and data sensitivity. When credentials are compromised, anomalous access patterns trigger immediate alerts and automatic access restrictions.

Securing the Supply Chain Blind Spot

With supply chain attacks 6x more prevalent than reported, organizations need secure channels for external data exchange that protect third-party communications. Kiteworks provides exactly that—purpose-built infrastructure for sharing sensitive content with vendors, partners, and customers while maintaining complete visibility and control. Every file transfer, every access attempt, every data movement gets logged and analyzed, eliminating the blind spots traditional security tools miss.

The Data-Centric Security Approach

The preview’s finding that traditional perimeter security has failed (evidenced by the 3.7x increase in incidents despite massive security investments) validates Kiteworks’ data-centric approach. Instead of trying to build higher walls, we protect sensitive information wherever it travels—between people, systems, clouds, and organizations. This approach acknowledges modern business reality: data must flow, but it must flow securely.

Supporting Resource-Constrained Organizations

For the 70% of incidents affecting organizations under $100M revenue, Kiteworks offers a comprehensive yet manageable solution. Smaller companies can meet the same regulatory requirements as enterprises without requiring enterprise-level resources. Our platform scales with your organization, providing enterprise-grade security at SMB-friendly complexity levels.

Defeating Trusted Relationship Attacks

The rise of “trusted relationship” attacks particularly affecting mid-size and large organizations demands new approaches to partner collaboration. Kiteworks’ unified governance and auditing capabilities provide complete visibility and control over sensitive data access, even among trusted partners. When trust becomes a vulnerability, you need verification—and that’s exactly what our platform delivers.

Regulatory Breach Notification Readiness

With extreme breach costs reaching $786.9 million and growing 5x faster than typical losses, organizations need comprehensive audit trails that support rapid breach notification across multiple jurisdictions. Kiteworks maintains immutable logs of every data interaction, enabling organizations to meet 72-hour GDPR notification requirements and similar obligations worldwide. When regulators ask, “what happened to our citizens’ data?”—you’ll have definitive answers.

Conclusion: From Preview Insights to Action

Wade Baker and the teams at Cyentia and Feedly deserve our sincere gratitude for sharing these critical insights ahead of the full report release. In an industry drowning in vendor hype and unsubstantiated claims, they’ve delivered hard data that security leaders can actually use—even before the complete analysis arrives in June.

The transformation ahead isn’t optional. Moving from reactive to proactive security, from perimeter-based to data-centric protection, from point-in-time assessments to continuous monitoring—these aren’t just best practices anymore. They’re survival requirements in an environment where 9.3% of organizations will experience significant incidents this year.

The webinar’s clearest message? Traditional approaches haven’t just failed—they’ve become irrelevant. When valid credentials are the primary attack vector, when supply chains hide massive risks, when every organization faces near-certain compromise, yesterday’s security playbook becomes tomorrow’s breach report.

Kiteworks stands ready to help organizations navigate this new landscape. We’ve built our Private Data Network specifically to address the challenges the preview highlights. But technology alone isn’t enough. Success requires commitment to fundamental change in how we think about data protection.

The urgency cannot be overstated. With incident rates climbing, losses exploding, and regulations tightening, delay equals danger. Every day you operate with traditional security increases your exposure to modern threats. And with the full report coming in June, organizations that act on these preview insights now will have a significant advantage.

Frequently Asked Questions

What is the Cyentia IRIS 2025 report?

The Cyentia Information Risk Insights Study (IRIS) 2025 is an evidence-based security analysis that examines real-world incident data across industries and company sizes. Wade Baker and the Cyentia team previewed key findings during a May 28 webinar with Feedly, revealing critical insights including a 9.3% organizational breach rate and median losses of $3.2 million. The full report will be released in June 2025, providing comprehensive analysis of cyber threats, attack vectors, and actionable security recommendations based on rigorous statistical methodology.

Why do valid account compromises top the threat list?

Valid account compromises top the threat list because they allow attackers to bypass traditional security controls by using legitimate credentials. The Cyentia preview showed this attack vector ranking first for organizations of every size, because compromised accounts appear identical to authorized users. This makes detection extremely difficult: attackers can operate for months undetected, access sensitive data, and move laterally through networks. Traditional perimeter defenses become useless when threats use valid credentials, which is why Wade Baker emphasized zero-trust architecture as the necessary response during the webinar.

How can small businesses reduce their ransomware exposure?

Small businesses can cut their exposure to ransomware, which the preview found in 88% of small-business incidents, by implementing focused security controls. The Cyentia preview showed that multi-factor authentication, regular patching, and employee security training provide the highest ROI for resource-constrained organizations. While small companies face the same compliance requirements as enterprises, they should prioritize: MFA on all accounts accessing sensitive data, automated patch management for critical systems, quarterly security awareness training, and documented incident response procedures. Wade indicated the full June report will include a detailed SMB security roadmap.

How much third-party risk are organizations missing?

The Cyentia preview revealed supply chain attacks actually rank 3rd in prevalence versus 9th in traditional reporting, meaning your third-party risk is likely six times higher than you think. This massive gap exists because many supply chain compromises go undetected or unreported, especially when vendors don’t disclose breaches that might affect your data. Organizations must move beyond annual assessments to continuous vendor monitoring, require 24-hour breach notification in contracts, verify security controls rather than accepting attestations, and map all data flows through third parties including subprocessors.

When should organizations start acting on the preview findings?

Organizations should begin implementing changes immediately; waiting for the full June report could mean falling victim to the 9.3% incident rate. The preview data shows that companies implementing zero-trust principles see 3x fewer incidents than those using traditional perimeter security. Start with a 90-day action plan: assess current identity management and vendor risks (days 1-30), implement quick wins like MFA and critical vendor reviews (days 31-60), and develop strategic initiatives including zero-trust roadmaps and continuous monitoring (days 61-90). With median breach costs at $3.2 million, every day of delay increases exposure to potentially catastrophic losses.
