Why 46% of Companies Don’t Know Their Breach Frequency [Kiteworks 2025 Annual Survey Report]
New research reveals cascading visibility failures create a perfect storm of vulnerability across enterprises globally.
When we launched this research series four years ago, we expected to document steady progress in enterprise security. Instead, we’ve uncovered a troubling reality that’s getting worse, not better: 46% of companies don’t know how often they’re breached. This isn’t just a technology problem—it’s a visibility crisis creating cascading vulnerabilities that cost organizations millions in undetected breaches and litigation.
Having overseen this research since its inception in 2022, we’ve witnessed the evolution from tracking simple security metrics to uncovering complex, interconnected risk patterns. Each year, we survey security and compliance leaders across industries and geographies, analyzing their responses to understand breach patterns. This year’s findings from 461 organizations are the most concerning yet: when companies can’t answer basic security questions—from third-party access counts to AI data usage—they’re not experiencing isolated knowledge gaps. They’re operating without critical visibility across their entire security landscape.
The 2025 Data Security and Compliance Risk: Annual Survey Report reveals something we’ve suspected for years but couldn’t prove until now: security blindness is contagious. One “don’t know” answer predicts others with alarming accuracy, creating a cascade of vulnerability that transforms manageable risks into existential threats.
Evolution of Enterprise Data Risk: From Simple Metrics to Complex Patterns
When we started tracking security metrics in 2022, the landscape was fundamentally different. We measured encryption adoption rates, calculated compliance costs, and counted vendor relationships. These were important data points, but they told discrete stories—isolated snapshots of security posture that failed to capture the interconnected nature of modern risk.
Four years and thousands of validated responses later, we can see what we missed: Security challenges don’t exist in isolation – they cascade and compound in predictable, measurable patterns. What began as straightforward research into how organizations protect sensitive content has evolved into a sophisticated understanding of how security failures interconnect, with individual weaknesses amplifying throughout the ecosystem.
This year’s data, validated against actual breach outcomes from participating organizations, finally quantifies these cascade effects. We can now measure how a simple inability to count third-party relationships predicts breach frequency, detection delays, and litigation costs with startling accuracy. More importantly, we’ve identified the specific factors that separate high-performing security organizations from those trapped in perpetual crisis management.
Key Takeaways
-
Nearly Half of Companies Operate Blind to Their Own Security
46% of organizations don’t know their breach frequency, creating a cascade effect where one visibility gap predicts others. This operational blindness correlates with 46% higher security incidents and transforms manageable risks into million-dollar disasters.
-
The 1,001-5,000 Vendor “Danger Zone” Creates Maximum Risk
Organizations managing between 1,001 and 5,000 third parties face the worst outcomes, with 24% experiencing 7+ annual breaches. This sweet spot attracts sophisticated attackers while lacking enterprise-grade defenses, resulting in 26% of these companies facing $3-5M in litigation costs.
-
AI Governance Lags Dangerously Behind AI Adoption
Only 17% of organizations have implemented technical AI governance frameworks despite widespread AI use. Among companies unaware of their AI data usage, many lack privacy protections entirely, creating unprecedented exposure as sensitive data flows into ungoverned systems.
-
Privacy Technologies Deliver Proven ROI But Remain Underutilized
Organizations using three or more privacy-enhancing technologies detect breaches 67% faster and keep litigation costs 81% lower. Yet 14-36% of companies use no PETs at all, leaving massive protective value and cost savings unrealized.
-
Detection Speed Directly Determines Financial Impact
Organizations detecting breaches within 7 days typically keep costs under $1 million, while those taking 31-90 days face $3-5 million in expenses. Strong visibility enables rapid detection, but 31% of organizations with 5,000+ vendors take over 90 days to discover breaches.
Discovery That Changed Everything: Visibility Determines Destiny
The 2025 data’s most profound insight centers on organizational visibility—or its absence. When companies respond “don’t know” to fundamental security questions, it signals systemic blindness rather than isolated knowledge gaps. This pattern emerged consistently across every industry, geography, and organization size we studied.
Consider this seemingly simple question: “How many third-party relationships does your organization maintain?”
The inability to answer this basic question correlates with catastrophic security failures:
Table 1: The Cascade Effect of Visibility Failures
| Primary Blind Spot | Secondary Failure | Tertiary Impact | Ultimate Cost |
|---|---|---|---|
| Can’t count third parties (46%) | Don’t know breach frequency (46%) | Can’t quantify litigation costs (48%) | $3M-$5M average breach cost |
| Unaware of AI data usage (36%) | Zero privacy controls (36%) | 31-90 day detection times (42%) | 73% worry about model leakage |
| Unknown compliance hours (20-26%) | Manual processes dominate (70%+) | Missed regulatory deadlines | $2.33 hidden cost per $1 spent |
| Uncertain detection times (42%) | Poor incident response (68%) | Extended breach exposure | 10+ annual breaches (28%) |
Four primary visibility failures predict security outcomes with remarkable accuracy:
Unknown third-party count: These organizations exist in perpetual reactive mode, unable to track data flows or assess risk systematically. Our analysis found organizations with low confidence in third-party tracking show 46% correlation with increased security incidents. They literally don’t know if they’ve been compromised. Daily operations reveal forgotten vendors accessing critical systems, creating shadow IT vulnerabilities that attackers exploit with increasing sophistication.
Unknown AI data usage: With organizations implementing zero privacy protections when unaware of AI usage patterns, companies are running uncontrolled experiments with sensitive data at unprecedented scales. The speed of AI adoption has completely outpaced governance capabilities. Organizations that can’t quantify what percentage of data entering AI systems is sensitive or private show dramatically higher breach rates and longer detection times. They’re essentially operating massive data processing operations without any oversight or control mechanisms.
Unknown compliance hours: Between 20% and 26% of security professionals across different roles can’t quantify compliance time investment, preventing optimization of manual processes that drain thousands of hours annually. This lack of visibility into compliance burden creates a vicious cycle—organizations can’t improve what they can’t measure, leading to ever-increasing manual workloads that prevent investment in automation or process improvement.
Unknown detection times: Most critically, organizations with poor third-party visibility struggle with breach detection capabilities. In security, time equals money—and undetected breaches create exponential cost escalation. Every day a breach goes undetected increases remediation costs significantly, not including regulatory fines, litigation costs, and reputational damage.
1,001-5,000 Third-Party “Danger Zone”: Where Risk Explodes
This year’s data identifies a specific vendor volume range creating disproportionate risk that defies conventional wisdom about scale and security. Organizations managing between 1,001 and 5,000 partners face the worst security outcomes across every metric we measured:
Table 2: Risk Metrics by Third-Party Volume
| Third-Party Count | Annual Breaches | Detection Time | Supply Chain Risk | Average Breach Cost |
|---|---|---|---|---|
| <500 | Lower breach rates | 77% detect <7 days | 30% increase | 45% under $1M |
| 501-1,000 | Moderate rates | Mixed performance | 32% increase | $1M-$3M typical |
| 1,001-5,000 | 24% face 7+ | Longer detection | 46% increase | 44% face $3M-$5M |
| >5,000 | Higher rates | 31% take >90 days | 43% increase | Higher costs |
This danger zone emerges from a perfect storm of competing pressures that create unique vulnerabilities:
Complexity Without Capability: These organizations have outgrown manual vendor management capabilities. Security teams can personally verify 100 vendors, perhaps stretch to 500 with excellent processes, but human-scale management fails catastrophically at 1,000+ relationships. Yet they typically lack the budget for enterprise-grade automated controls that larger organizations employ.
Visibility Breakdown: At this scale, spreadsheets fail, email-based processes collapse, and point solutions create more gaps than they fill. Organizations report using multiple tools to manage vendor relationships, none of which integrate effectively. The result is a patchwork of partial visibility that creates false confidence while leaving massive blind spots.
Attacker Sweet Spot: Sophisticated threat actors specifically target this range. These organizations are large enough to have valuable data and complex enough to have security gaps, but lack the resources of true enterprises. Supply chain attacks increasingly focus on organizations in this size range.
Resource Mismatch: The danger zone organizations typically have security teams of 5-15 people trying to manage enterprise-scale complexity. They face the same regulatory requirements as Fortune 500 companies but with a fraction of the resources. This creates an unsustainable situation where security teams are perpetually overwhelmed, leading to mistakes, oversights, and burnout.
Interestingly, organizations exceeding 5,000 partners show improvement in some metrics because boards finally approve enterprise-grade controls at that scale. The danger zone persists precisely because it attracts sophisticated attacks without justifying enterprise defenses in the eyes of budget-conscious executives.
AI Adoption Without Governance: The 2025 Reality Check
While AI transformation dominates technology discussions, our data exposes a governance gap that’s creating new attack vectors at unprecedented scale. The speed of AI adoption has completely outpaced the development of governance frameworks, creating an environment where sensitive data flows into AI systems without oversight, control, or even basic awareness.
Only 17% of organizations have implemented technical AI governance frameworks—a shockingly low number given the risks involved. This means 83% of organizations using AI lack the technical controls necessary to prevent data leakage, ensure compliance, or even know what data their AI systems are processing.
The correlation between AI awareness and security outcomes proves striking. Organizations that measure their AI-generated content show dramatically different security profiles:
AI Governance Maturity Levels:
- Technical controls with data loss prevention: 17% adoption (highest effectiveness)
- Restricted use with training and audits: 27% adoption (moderate effectiveness)
- Guidelines with employee discretion: 21.2% adoption (limited effectiveness)
- Warning messages without enforcement: 19.6% adoption (minimal impact)
- No specific policies: 10.3% (operating in complete darkness)
The most alarming finding: among organizations unaware of their AI usage patterns, many implement inadequate privacy protections. These companies are essentially running uncontrolled experiments with their most sensitive data, often without realizing it. Employees use consumer AI tools for convenience, inadvertently exposing trade secrets, customer data, and intellectual property to systems with unclear data retention and usage policies.
Organizations with 16% to 30% AI-generated content demonstrate especially concerning patterns—they’re aware enough to measure but lack adequate controls. It’s equivalent to monitoring your speed while driving without basic safety measures. They know they’re at risk but haven’t taken meaningful steps to protect themselves.
The fear-action gap proves particularly troubling. Among organizations with visibility gaps in their AI usage, 67% to 75% express deep concern about AI model leakage and data exposure, yet only 25% have implemented meaningful governance frameworks. This disconnect between awareness and action creates a dangerous situation where organizations understand the threat but feel unable to address it effectively.
Geographic Security Patterns: Regional Strengths and Critical Weaknesses
Regional differences in regulation, business culture, and threat landscapes create distinct security profiles that offer valuable lessons for global organizations. Each region has developed unique approaches shaped by local pressures, regulations, and cultural factors:
North America: The Litigation-Driven Model
North American companies operate at significant scale. This creates unique challenges and opportunities:
Strengths: North American organizations show 21% AI control implementation, with 53% implementing encryption across 76%-100% of sensitive data—the highest encryption rate globally. The average data breach in North America now costs $10.22 million (up 9% YoY), driving investment in technical controls and automated monitoring systems.
Weaknesses: The focus on scale sometimes creates complexity that becomes difficult to manage. Organizations report spending significant time on compliance documentation, often at the expense of proactive security improvements.
Unique Challenges: Balancing innovation with security at scale creates challenges in some organizations. Security teams report pressure to both enable AI adoption for competitive advantage while simultaneously preventing any possibility of data exposure—a challenging mandate that requires careful balance.
Europe: Regulation as Catalyst for Excellence
GDPR‘s implementation proved that thoughtful regulation can drive genuine security improvement rather than mere compliance theater:
Strengths: European organizations show 56% IT specialist concentration, compared to 41% in North America. They lead privacy technology adoption globally, with 80% citing significant positive impact from GDPR. This regulatory pressure created real capability, not just paperwork.
Weaknesses: The proliferation of overlapping frameworks—GDPR, NIS 2, DORA, EU Data Act—now threatens to overwhelm the benefits. Organizations report spending increasing time on regulatory interpretation and framework mapping rather than security implementation.
Unique Challenges: The September 2025 EU Data Act deadline approaches with varying levels of preparation. Financial Services leads at 47% fully prepared, while Education lags at just 14%. The complexity of data portability and interoperability requirements under the Act creates technical challenges that many organizations underestimated.
Asia-Pacific: The Encryption Leaders
APAC organizations demonstrate what focused execution can achieve, even with limited resources:
Strengths: With 44% implementing encryption across 76%-100% of sensitive data, APAC organizations prove that fundamental security controls can be deployed effectively regardless of size or resources. This focus on core protections provides better outcomes than more complex but poorly implemented strategies.
Weaknesses: Organizations in the region show varying levels of AI risk awareness, suggesting innovation consistently outpaces governance. The rapid adoption of new technologies without corresponding governance frameworks creates vulnerabilities that sophisticated attackers increasingly exploit.
Unique Challenges: Balancing rapid growth with security maturity proves difficult. APAC organizations often scale from startup to enterprise in months rather than years, creating situations where security infrastructure lags behind business growth.
Middle East: The Certification Focus
Strengths: With 60% requiring security certifications (global peak) and 18% conducting compliance training, these organizations show the highest certification requirements globally. The emphasis on formal security certifications creates clear standards for vendor relationships.
Weaknesses: Technical control implementation varies, with opportunities for improvement in automated monitoring and response systems. The gap between certification requirements and training investment creates potential vulnerabilities.
Unique Challenges: Rapid digitalization in traditionally paper-based industries creates unique vulnerabilities. Organizations must simultaneously build digital infrastructure and security capabilities, often without established regional best practices to draw upon.
Privacy-Enhancing Technologies: The Maturity Divide
Despite proven benefits and increasing availability, privacy-enhancing technology (PET) adoption remains frustratingly low across all industries and regions. This represents one of the largest missed opportunities in cybersecurity today.
Our analysis reveals a clear hierarchy of adoption that reflects both technical complexity and organizational readiness:
Gateway Technologies (30%-45% adoption):
- Data Minimization: The easiest PET to implement, requiring primarily policy changes rather than technical infrastructure. Organizations can see immediate benefits by simply collecting and retaining less data.
- Zero-Trust Exchange: Moderate complexity but high impact, especially for organizations with complex partner ecosystems.
Intermediate Technologies (15%-25% adoption):
- Secure Multi-Party Computation: Enables data sharing without exposure, critical for industries requiring collaboration while maintaining privacy.
- Confidential Computing: Hardware-based protection providing strong security but requiring infrastructure investment.
Advanced Technologies (<15% adoption)
- Homomorphic Encryption: Allows computation on encrypted data but requires significant computational resources and expertise.
- Federated Learning: Enables AI model training without centralizing data but demands sophisticated implementation.
Organizations implementing three or more PETs demonstrate dramatically superior outcomes. They detect breaches 67% faster and keep litigation costs 81% lower than organizations using no PETs. Yet 14%-36% of organizations use no PETs at all, leaving massive value unrealized.
From Compliance Burden to Competitive Advantage
The most successful organizations have transformed compliance from a reactive burden into a source of competitive advantage. While typical organizations spend 1,000-1,500 hours annually on compliance reporting—equivalent to nearly a full-time employee—the distribution of this effort reveals strategic opportunities.
Compliance Time Investment Patterns:
- Less than 500 hours: 7% (typically smaller, focused organizations)
- 500-1,000 hours: 13% (streamlined operations with good automation)
- 1,001-1,500 hours: 25%-32% (the most common range)
- 1,501-2,000 hours: 19% (complex operations beginning to strain)
- Over 2,000 hours: 14%-20% (either very large or very inefficient)
- “Don’t know”: 20%-26% (the visibility crisis in action)
EU Data Act preparation levels reveal how strategic approaches play out in practice. Financial Services leads at 47% fully prepared, leveraging existing infrastructure and taking an integrated approach. Education lags at just 14%, hampered by resource constraints. Most surprisingly, 23% of Legal Services organizations—who should understand regulations best—have no preparation plans at all.
The Risk Score Reality: Quantifying Your Exposure
For the first time in our four-year research series, we’ve developed a proprietary risk scoring algorithm that transforms multiple security metrics into a single, actionable score. This enables organizations to benchmark their risk against peers and track improvement over time.
Our scoring methodology synthesizes three fundamental dimensions:
- Breach Frequency (0-5 points based on annual incidents)
- Financial Impact (0-5.5 points based on litigation costs)
- Detection Speed (0-5 points based on discovery time)
The algorithm normalizes these into a 0-10 scale where higher scores indicate higher risk. The results paint a sobering picture:
- 15% of organizations operate at the highest risk levels
- 29% face medium risk with room for improvement
- 31% sit in concerning risk territory
- 25% achieve lower risk statu
The median organization scores 4.84—indicating significant room for improvement across the industry.
Industry variations prove particularly striking. Energy/Utilities faces elevated risk at 5.51, reflecting both their critical infrastructure status and legacy system challenges. Technology ranks high at 4.94—likely due to being primary attack targets. Life Sciences/Pharmaceuticals achieves lower risk at 3.37, demonstrating that regulated industries can achieve excellent outcomes with proper investment.
Inflection Point Is Now
After four years tracking security progress against evolving threats, 2025 represents a fundamental inflection point in data security. The convergence of ungoverned AI adoption, exploding third-party ecosystems, and cascading compliance requirements creates a threat landscape that demands comprehensive response.
Our data clearly demonstrates what works. Organizations achieving comprehensive visibility, implementing layered privacy technologies, and automating core processes consistently outperform their peers across every metric. The tools exist. The strategies are proven. The ROI is quantified.
Yet 46% of organizations still don’t know their breach frequency. They operate without crucial visibility, vulnerable to threats they can’t measure. In 2025, this operational blindness creates unacceptable risk.
In an environment where a single “don’t know” correlates with 46% higher breach rates, where AI processes sensitive data without oversight, and where third-party ecosystems expand beyond human comprehension, half-measures guarantee failure. Good enough is no longer good enough.
The path forward requires fundamental transformation across five dimensions:
- Achieve Total Visibility: Move beyond estimates to precise measurement
- Automate Core Processes: Manual processes cannot scale with modern complexity
- Deploy Privacy Technologies: Basic controls no longer suffice
- Build Proactive Frameworks: Anticipate rather than react
- Embrace Continuous Improvement: Accept breaches will occur and prepare accordingly
The organizations that recognize this inflection point and act decisively will define the next era of data security. Those maintaining status quo approaches will find themselves increasingly vulnerable. The time for transformation is now.
Download the Data Security and Compliance Risk: 2025 Survey Report for detailed analysis, industry-specific insights, and comprehensive recommendations for your security transformation journey.
Frequently Asked Questions
According to the 2025 data, organizations managing between 1,001 and 5,000 third-party relationships face the highest risk, with 41.9% experiencing 7-9 annual breaches and 45.5% reporting increased supply chain risks. This “danger zone” occurs because organizations have enterprise-scale complexity but typically lack the budget for enterprise-grade automated controls, making manual oversight impossible.
Only 17% of organizations have implemented technical AI governance frameworks as of 2025, despite rapid AI adoption across industries. This governance gap is particularly concerning given that 35.8% of organizations unaware of their AI data usage have implemented zero privacy-enhancing technologies, creating significant blind spots in data security.
Detection times vary dramatically by organization size and maturity, with 42.6% of organizations with fewer than 500 third parties detecting breaches in under 7 days, while 31.3% of those with over 5,000 third parties take more than 90 days. The financial impact correlates directly with detection speed—organizations detecting breaches quickly are more likely to keep litigation costs under $1 million, while slower detection frequently leads to costs exceeding $3-5 million.
Data Minimization leads PET adoption at 35.7-42.4% across roles, followed by Secure Multi-Party Computation at 19.9-24.1% and Confidential Computing at 14-18%. Organizations implementing three or more PETs show dramatically better outcomes, with 81% keeping litigation costs under $1 million compared to those using no PETs who face significantly higher costs and slower breach detection.
Preparation varies widely by sector, with Financial Services leading at 46.9% fully prepared, while Education lags significantly at only 13.5% readiness. Most concerning is that 23.1% of Legal Services organizations report having no preparation plans despite the approaching deadline, and Government agencies show only 18.8% full readiness despite handling vast amounts of citizen data.
Additional Resources
- Blog Post Zero Trust Architecture: Never Trust, Always Verify
- Video How Kiteworks Helps Advance the NSA’s Zero Trust at the Data Layer Model
- Blog Post What It Means to Extend Zero Trust to the Content Layer
- Blog Post Building Trust in Generative AI with a Zero Trust Approach
- Video Kiteworks + Forcepoint: Demonstrating Compliance and Zero Trust at the Content Layer