Email Security in 2025: Critical Findings Show Your Industry and Location Determine Your Risk
Executive Summary
Email remains the primary attack vector for cybercriminals, yet most organizations approach email security with outdated assumptions. Kiteworks’ Data Security and Compliance Risk: 2025 Annual Survey Report analyzed 461 cybersecurity professionals across 11 industries and 4 regions, revealing surprising patterns in vulnerability that challenge conventional security strategies.
Main Idea
Your email security risk is predetermined by two overlooked factors: industry and location. The data reveals a 52% risk gap between industries (Defense & Security scores 6.21 vs. Life Sciences at 4.09) and a 28% regional differential (APAC at 5.73 vs. Europe at 4.48). These factors compound dangerously – APAC defense contractors face an effective risk score of 7.95. Despite decades of security evolution, email remains 15.9% riskier than purpose-built channels like SFTP, with traditional email’s fundamental architecture creating persistent vulnerabilities that bolt-on security features can’t fully address.
Why You Should Care
Generic security strategies fail because attackers don’t target generically – they precisely exploit industry-specific vulnerabilities in regions with weaker protections. If you’re using industry-average benchmarks, you’re either wasting resources or leaving dangerous gaps. Organizations achieving 40-60% risk reduction share three practices: preventing human errors before they occur (not just blocking threats), implementing zero-knowledge encryption where even IT admins can’t access data, and making security invisible to achieve 95% adoption. The most critical insight: 60% of breaches start with employee mistakes, yet most organizations only focus on inbound threat detection. Understanding your true position on the industry-location risk matrix enables targeted investment in capabilities that actually matter for your specific threat profile.
I. Introduction & Key Findings Summary
When 461 cybersecurity professionals revealed their organizations’ email vulnerabilities, one clear pattern emerged: Your industry might determine whether you’re 52% more likely to suffer an email breach – and most companies don’t even know which category they fall into.
In an era where a single compromised email can cost millions in damages and destroy decades of reputation, understanding your organization’s risk profile has become essential. These findings, drawn from a comprehensive analysis of cybersecurity professionals across 11 industries and 4 major geographic regions, reveal that email security risk isn’t universal – it’s a complex landscape shaped by factors most organizations overlook.
The data tells a clear story:
- Defense and Security organizations face a 6.21 risk score – 52% higher than Life Sciences companies
- APAC-based companies carry a 5.73 average risk score – 28% more vulnerable than their European counterparts
- Email remains 16% riskier than SFTP, despite decades of security evolution
What’s particularly revealing is that organizations successfully reducing these risks share common approaches: They’ve implemented proactive human error prevention, zero-knowledge encryption architectures, and seamless security integration that doesn’t disrupt workflows. These findings don’t just present numbers – they provide actionable intelligence to help you understand where your organization stands and what specific capabilities can meaningfully improve your security posture.
Key Takeaways
-
Your Industry Matters More Than Your Security Stack
Defense and security organizations face a 6.21 risk score while life sciences sits at 4.09 – a 52% difference based purely on industry. This means a pharmaceutical company could have better security tools than a defense contractor and still face lower risk simply because attackers prioritize military secrets over drug formulas.
-
Geography Creates a 28% Security Swing
European organizations enjoy a 4.48 average risk score compared to APAC’s 5.73, creating a 28% advantage through regulatory culture and infrastructure. However, when high-risk industries operate in high-risk regions, these factors multiply – an APAC defense contractor faces an effective risk of 7.95.
-
Email Remains 15.9% Riskier Than Secure Alternatives
Despite decades of security evolution, email (5.11) is still significantly more vulnerable than SFTP (4.41) for sensitive data transmission. Yet organizations continue using email for 90% of business communication because 4.9 billion people have it and it requires no special training.
-
Preventing Human Error Reduces Incidents by 41%
Organizations that help employees avoid mistakes (like catching misaddressed emails or warning about sensitive data) see 41% fewer incidents than those relying solely on blocking malicious emails after arrival. The data shows when security is invisible and automatic, adoption rates exceed 95%; when it requires extra steps, adoption drops below 30%.
-
Industry Averages Hide Dangerous Variance
Life sciences shows the starkest example with a 1.72-point gap between average (4.09) and median (5.81) risk scores – meaning half the industry has military-grade security while half has almost none. This variance appears across sectors, making industry averages meaningless for benchmarking; smart organizations compare against the 75th percentile, not the mean.
How We Calculated Risk Scores: Our Methodology
The risk scores presented in this analysis (ranging from 4.09 to 6.21) were calculated using a weighted composite of three key factors from our 461 respondents:
1. Reported Incident Frequency (40% weight)
- Number of email security incidents in the past 12 months
- Severity of incidents (data breach, financial loss, operational disruption)
- Time to detection and resolution
2. Control Effectiveness (35% weight)
- Implementation of 25 key security controls (DMARC, encryption, DLP, etc.)
- Maturity level of each control (none, basic, intermediate, advanced)
- User adoption and compliance rates
3. Threat Exposure (25% weight)
- Volume of attempted attacks
- Sophistication of attacks faced
- Industry-specific threat intelligence
- Geographic threat landscape data
The 1-10 Scale:
- 8-10: Critical risk (frequent incidents, weak controls, extreme exposure)
- 6-7: High risk (regular incidents, gaps in controls, elevated exposure)
- 4-5: Moderate risk (some incidents, standard controls, average exposure)
- 1-3: Low risk (minimal incidents, strong controls, low exposure)
Regional Modifiers: We calculated these by comparing each region’s average score to the global baseline, creating multiplication factors (Europe = 0.88x, APAC = 1.28x, etc.). This allows organizations to adjust their industry risk score based on geographic location.
II. The Industry Risk Hierarchy: Who’s in the Crosshairs?
A. High-Risk Industries: The Prime Targets
The data reveals three industries operating with risk scores exceeding 5.3:
| Industry | Average Risk Score | Median Risk Score | Risk Level |
|---|---|---|---|
| Defense & Security | 6.21 | 6.46 | Critical |
| Professional Services | 5.51 | 5.48 | High |
| Technology | 5.37 | 5.81 | High |
Defense & Security (6.21) tops our risk index, and the reasons are straightforward. These organizations handle classified information, military intelligence, and critical infrastructure data – making them prime targets for nation-state actors and advanced persistent threat (APT) groups. The consistency between average and median scores (6.21 vs. 6.46) indicates this isn’t about outliers – the entire sector faces elevated threats.
Adding to this pressure, the Department of Defense’s CMMC 2.0 (Cybersecurity Maturity Model Certification) requirements now mandate specific email security controls for all defense contractors handling controlled unclassified information (CUI). While CMMC 2.0 establishes baseline protections, our data shows that meeting minimum compliance standards isn’t enough – the most successful organizations exceed these requirements by implementing proactive threat prevention rather than reactive detection alone.
Why does this happen? When attackers know an organization holds national security data, they invest more resources in breaching it. Organizations in this sector that have successfully reduced risk have implemented AI-driven threat protection systems that detect sophisticated attacks before they reach users, combined with automated data loss prevention (DLP) that scans every outbound communication for private data.
Professional Services (5.51) firms – including consulting, accounting, and business services – hold valuable client data. From M&A plans to financial records, these organizations often have weaker security than their enterprise clients while holding equally sensitive information. This creates an attractive steppingstone for supply chain attacks.
The cause is clear: Attackers target the weakest link. If they can’t breach a Fortune 500 company directly, they’ll go after the consulting firm that has access to the same data. The most effective mitigation strategies we’ve observed include implementing machine learning systems that identify risks like misaddressed emails or improper data handling before messages are sent, providing real-time alerts that prevent costly mistakes.
Technology companies (5.37) face an irony: Despite employing sophisticated security stacks and technical talent, they’re still prime targets. The reason? They process vast data volumes, develop valuable intellectual property, and serve as critical nodes in the digital supply chain. The gap between average and median scores (5.37 vs. 5.81) suggests some tech companies significantly outperform others in security implementation.
B. Moderate-Risk Industries: The Steady Targets
Five industries cluster in the moderate-risk zone (5.0-5.3), each facing unique challenges:
| Industry | Average Risk Score | Median Risk Score |
|---|---|---|
| Energy/Utilities | 5.32 | 5.32 |
| Legal/Law | 5.18 | 5.64 |
| Financial Services | 5.13 | 5.32 |
| Education | 5.09 | 5.81 |
| Government | 5.00 | 5.16 |
Energy/Utilities (5.32) organizations have become targets due to their critical infrastructure role. When a power grid or water system goes down, entire regions suffer – making these organizations attractive to both criminals seeking ransom and nation-states seeking leverage. The perfect alignment of average and median scores indicates consistent threat levels across the sector.
These organizations benefit most from unified data governance platforms that centralize security, logging, and audit capabilities across all communication channels. Why? Because attacks often come through multiple vectors, and siloed security creates blind spots.
Legal firms (5.18) handle attorney-client privileged information, merger details, and litigation strategies – all valuable to competitors and criminals. The higher median (5.64) suggests most firms face elevated risks, with a few outliers bringing down the average.
Law firms that have reduced their risk profiles often employ zero-knowledge encryption architectures. This makes sense: If the law firm itself can’t decrypt client communications, neither can hackers who breach their systems. Combined with built-in audit logs and legal proof of delivery, this approach addresses both security and compliance needs.
Financial Services (5.13) benefit from heavy regulation (SOX, PCI DSS) that mandates security investment yet remain attractive targets due to direct monetary value. Their moderate ranking shows that compliance-driven security provides real protection – but only when implemented properly.
The most effective financial institutions combine regulatory compliance with adaptive security policies that dynamically enforce encryption and DLP based on user behavior, content sensitivity, and real-time risk assessment. This moves beyond checkbox compliance to actual risk reduction.
C. Lower-Risk Industries: Still in the Game
Even “lower-risk” industries maintain concerning scores above 4.0:
| Industry | Average Risk Score | Median Risk Score |
|---|---|---|
| Healthcare | 4.80 | 4.84 |
| Manufacturing | 4.56 | 4.84 |
| Life Sciences/Pharma | 4.09 | 5.81 |
Healthcare (4.80) benefits from HIPAA compliance requirements that force security investments. The tight alignment between average and median scores shows consistent implementation across the sector. But here’s what’s interesting: Healthcare organizations have found success with solutions that work natively within existing email platforms like Outlook and Gmail.
Why does this matter? Because doctors and nurses won’t use security tools that slow them down. When security is invisible and automatic, adoption rates soar and risk drops.
Life Sciences/Pharmaceuticals (4.09) presents our most puzzling finding: the lowest average risk but a 1.72-point variance from the median. This tells us something important – the industry is split between organizations with excellent security and those with almost none.
Industry Insight Box: What drives these risk differentials? Our analysis reveals three key factors:
- Data Value: The more valuable the data, the more attacks you’ll face. Industries handling financial, defense, or intellectual property data see 35% more attack attempts.
- Regulatory Pressure: Compliance requirements work. Sectors with strict regulations show 22% lower risk scores – but only when paired with technology that automates compliance.
- Human Factor: Technology alone isn’t enough. Organizations that help employees avoid mistakes see 41% fewer incidents than those relying solely on blocking bad emails after arrival.
III. Geographic Vulnerabilities: A Global Risk Map
A. Regional Risk Rankings: Your Location Shapes Your Threat
Geographic analysis reveals clear disparities in email security risk:
| Region | Average Risk | Median Risk | Countries Analyzed | Risk Differential |
|---|---|---|---|---|
| APAC | 5.73 | 6.29 | Australia, NZ, Singapore | +28% vs. Europe |
| North America | 5.60 | 5.81 | United States, Canada | +25% vs. Europe |
| Middle East | 4.83 | 5.00 | Israel, UAE, Saudi Arabia | +8% vs. Europe |
| Europe | 4.48 | 4.84 | U.K., France, Germany, Austria, Switzerland | Baseline |
APAC (5.73 average, 6.29 median) leads the risk rankings, and the high median tells us this isn’t about a few bad actors – most organizations in the region face elevated threats. Why? Rapid digitalization in Australia, New Zealand, and Singapore has outpaced security maturity. Companies adopted email and digital communication quickly but didn’t invest proportionally in security.
North America (5.60 average, 5.81 median) follows closely. The United States hosts the world’s largest economy and most valuable companies, making it a target-rich environment. Canadian resource companies add to the regional risk profile. But there’s another factor: the prevalence of legacy systems that can’t be easily upgraded with modern security features.
Europe (4.48 average, 4.84 median) demonstrates what happens when regulation drives security investment. GDPR didn’t just create compliance requirements – it fundamentally changed how organizations think about data protection. European organizations have widely adopted flexible encryption standards that bridge diverse protocols while providing seamless secure delivery. The result? Measurably lower risk.
B. Why Geography Matters: The Four Pillars of Regional Risk
1. Regulatory Environment Creates Security Culture
Europe’s 28% risk advantage stems from more than just GDPR fines. The regulation created a culture where privacy is expected, security is funded, and breaches are unacceptable. This cultural shift drives adoption of privacy-preserving technologies like zero-knowledge architectures where only the data owner holds encryption keys.
2. Regional Infrastructure Shapes Vulnerabilities
Newer infrastructure in APAC countries paradoxically creates more risk. Why? Because it was built for speed and connectivity, not security. Meanwhile, Europe’s infrastructure – rebuilt with privacy regulations in mind – includes security by design.
3. Threat Actors Follow the Money
North American companies face more attacks simply because that’s where the money is. With the world’s largest economy and most valuable intellectual property, the region attracts both criminal groups and nation-state actors. The math is simple: Higher rewards justify higher investment in attacks.
4. Cultural Attitudes Drive User Behavior
In Europe, employees expect privacy and question suspicious emails. In regions where rapid growth dominates, convenience often trumps security. This human factor accounts for up to 40% of the regional risk differential.
IV. Email vs. Alternative Communication Channels
A. The Communication Risk Hierarchy
Our analysis reveals surprising insights about communication channel security:
| Communication Channel | Risk Score | Difference vs. Email | Why It’s More/Less Secure |
|---|---|---|---|
| Web Forms | 5.22 | +2.1% | Often lack email’s security evolution |
| 5.11 | Baseline | Fundamental protocol weaknesses | |
| Chat Platforms | 5.07 | -0.8% | Newer protocols, but rapid adoption |
| File Sharing | 4.83 | -5.8% | Better access controls |
| Managed File Transfer | 4.72 | -8.3% | Purpose-built for security |
| SFTP | 4.41 | -15.9% | Encryption and authentication built-in |
Why Email Remains Vulnerable (5.11)
Email’s risk stems from its original design. Created in 1971 for academic collaboration, email assumes trust by default – everyone is presumed legitimate until proven otherwise. Modern security features are add-ons, not fundamental architecture. To truly reduce risk, organizations must anchor zero-trust and zero-knowledge principles at the data layer itself, ensuring authenticity, integrity, and confidentiality are foundational rather than bolted on. This data-centric approach supports data sovereignty requirements by enforcing granular access controls and maintaining auditable trails aligned to frameworks like NIST CSF across all communication channels – email, file sharing, and web forms.
Most organizations implement either outbound or inbound protections, but rarely both, leaving exploitable gaps. Outbound protection prevents data leaks through policy-driven scanning and encryption before messages leave your network. Inbound protection blocks threats like malware and phishing before they reach users. Without bidirectional protection, attackers simply probe for the unguarded path – it’s why 60% of breaches still succeed despite security investments.
Organizations reducing email risk most effectively implement complete bidirectional protection with zero-trust access (continuous authentication and policy-based controls) and zero-knowledge encryption (ensuring only authorized recipients can decrypt content). This combined approach not only closes security gaps but also addresses data sovereignty requirements through regional data residency enforcement, cross-border flow policies, and comprehensive auditability.
The Surprise: Web Forms (5.22) Are Riskier
Web forms pose higher risk than email. Why? Because while email has decades of security evolution, many web forms are built quickly without proper input validation, encryption, or audit logs. They’re often forgotten in security audits until after a breach.
The problem runs deeper than simple oversight. Web forms are typically created by developers focused on functionality, not security. Unlike email’s standardized protocols (SPF, DKIM, DMARC), each web form is custom-built with unique vulnerabilities – storing data in plain text, lacking rate limiting, accepting malicious scripts, or transmitting sensitive information unencrypted. Organizations falsely assume web forms are safer because they’re “on our website,” leading to minimal monitoring while attackers exploit these unguarded entry points.
The solution is clear: Organizations need secure web form solutions that match the advanced security capabilities found in modern file sharing, managed file transfer (MFT), and secure communication platforms. This means built-in encryption, comprehensive audit logs, input validation, DLP scanning, and real-time threat detection – not just basic contact forms bolted onto websites. Just as you wouldn’t use consumer-grade email for sensitive data, you shouldn’t use basic web forms when secure alternatives exist that provide enterprise-grade protection while maintaining user convenience.
The Security Champion: SFTP (4.41)
SFTP shows what purpose-built security looks like. With encryption and authentication as core features, not add-ons, it’s 16% safer than email. The challenge? It requires both sender and recipient to have SFTP access, making it impractical for general communication.
However, many organizations still rely on legacy file sharing platforms that create their own vulnerabilities. These systems suffer from limited visibility and monitoring, making breach detection nearly impossible until it’s too late. Their inadequate access controls lack the granular permissions modern security demands, while heavy client software requirements and complex deployments increase data leakage risk – exposing sensitive information during editing or transfer. The security measures that were supposed to protect data end up hampering collaboration by restricting copying, editing, and external sharing, creating a false choice between security and productivity.
The gap between legacy platforms and modern secure file sharing is stark. Today’s purpose-built solutions provide centralized tracking, granular access controls, seamless deployment, and comprehensive audit logs – all while maintaining the user experience employees expect. They support diverse file types without compromising security and enable version control that satisfies both collaboration needs and regulatory requirements. The lesson is clear: Security by design beats security by restriction every time.
V. The Hidden Patterns: What the Data Really Tells Us
A. The Variance Problem: Why Averages Don’t Tell the Whole Story
Life Sciences: A Tale of Two Industries (1.72-Point Gap)
- Average Risk: 4.09 (lowest of all industries)
- Median Risk: 5.81 (higher than technology!)
- What This Means: Half the industry has excellent security; half has almost none
This split makes sense when you understand the industry. Large pharmaceutical companies with billion-dollar drug patents invest heavily in security – they must. But small biotech startups? They’re focused on research, not IT security. The result is an industry average that tells us nothing useful.
Education’s Consistency Problem (0.72-Point Gap)
Universities show similar patterns. Well-funded research universities have dedicated security teams and advanced tools. Community colleges often have one IT person handling everything. K-12 schools? They’re often sitting ducks for ransomware.
The Lesson: Know Your Real Peer Group
Don’t compare your security to industry averages – they hide dangerous realities. Instead:
- Find organizations your size with similar data sensitivity
- Benchmark against the 75th percentile, not the average
- Remember: attackers target the weakest, not the average
B. When Risks Multiply: The Compound Effect
Here’s where it gets interesting. When high-risk industries operate in high-risk regions, the dangers don’t just add – they multiply:
Real-World Examples:
- APAC Defense Contractors: 6.21 × 1.28 = 7.95 effective risk
- North American Financial Services: 5.13 × 1.25 = 6.41 effective risk
- European Healthcare: 4.80 × 0.88 = 4.22 effective risk
Why Multiplication, Not Addition?
Because attackers are smart. They look for the easiest targets with the highest payoffs. A defense contractor (valuable data) in APAC (weaker regulatory protection) becomes exponentially more attractive than either factor alone would suggest.
VI. Actionable Security Strategies by Risk Profile
A. For Critical-Risk Organizations (6.0+ scores): Defense & Security
If you’re in this category, traditional security isn’t enough. You need:
1. Prevention, Not Just Detection.
Stop breaches before they happen:
- Machine learning that catches misaddressed emails before sending
- Real-time alerts when someone’s about to send sensitive data insecurely
- Behavioral analysis that knows when something’s “off”
Why this works: Most breaches start with human error. Catching mistakes before they become incidents reduces risk by 40%+.
2. Zero-Knowledge Architecture.
If you can’t read it, neither can hackers:
- End-to-end encryption where only recipients have keys
- No ability for IT admins to decrypt messages
- Hardware security modules protecting key infrastructure
Why this works: Even if attackers fully compromise your systems, they get nothing useful.
3. Unified Security Across All Channels
Stop playing whack-a-mole:
- Single security policy for email, file transfer, and chat
- Consistent logging and audit trails
- One place to monitor all communication risks
Why this works: Attackers probe for the weakest channel. Consistent security removes easy targets.
B. For High-Risk Organizations (5.3-5.9): Technology, Professional Services, Energy
You need enterprise-grade security that doesn’t slow business:
1. AI That Learns Your Business
- Understands normal communication patterns
- Flags unusual behavior without false alarms
- Adapts to new threats automatically
Implementation tip: Start with a learning period where AI observes but doesn’t block. This reduces false positives by 70%.
2. Security That Users Don’t See
- Works within Outlook, Gmail, Microsoft 365
- No extra passwords or portals
- Automatic encryption based on content
Success metric: If users complain about security, you’re doing it wrong. Good security is invisible.
3. Compliance Without Complexity
- Automatic classification of regulated data
- One-click compliance reports
- Built-in support for your industry’s regulations
Reality check: Manual compliance wastes money and misses risks. Automation pays for itself in avoided fines.
C. For Moderate-Risk Organizations (4.5-5.3): The Balanced Approach
You need solid security without enterprise prices:
1. Smart Basics
- Email authentication (SPF, DKIM, DMARC) properly configured
- Standard multi-factor authentication for all users
- Regular security awareness training
Common mistake: Having these tools but not configuring them properly. DMARC in monitor mode provides no protection.
2. Targeted Protection
- Extra security for executives and finance teams
- Automated scanning for payment-related emails
- Enhanced monitoring during high-risk periods
Why it works: You can’t protect everything equally. Focus on what attackers want most.
3. Vendor Management
- Security requirements in all contracts
- Regular assessment of third-party risks
- Incident notification requirements
Remember: Your vendors’ security is your security. One weak partner can compromise everything.
VII. Future-Proofing Your Email Security
A. What’s Coming: The Next Wave of Threats
AI-Generated Attacks (Already Here)
Attackers now use AI to:
- Write perfect phishing emails in any language
- Mimic writing styles of executives
- Generate deepfake audio for voice phishing
- Find the perfect timing for attacks
Defense strategy: Fight AI with AI. Human review can’t catch AI-generated threats at scale.
Quantum Computing (3-5 Years Away)
When quantum computers arrive:
- Current encryption becomes breakable
- Past encrypted emails become readable
- Real-time decryption becomes possible
Defense strategy: Start migrating to quantum-resistant encryption now. It’s compatible with current systems but protects against future threats.
Supply Chain Attacks (Growing Now)
Attackers increasingly:
- Target vendors to reach real targets
- Compromise one to breach many
- Use trusted relationships as weapons
Defense strategy: Extend your security requirements to all partners. Trust, but verify – always.
B. Building Resilient Email Security
The Future Architecture Includes:
- Predictive Risk Analysis: AI that prevents attacks before they’re launched
- Context-Aware Protection: Security that adjusts based on user, content, and threat level
- API-Driven Security: Protection that follows data wherever it goes
- Quantum-Safe Encryption: Future-proof protection starting now
VIII. Conclusion & Next Steps
These findings from our analysis of 461 organizations reveal that email security risk varies significantly based on industry (52% spread) and geography (28% spread). But the data also shows a clear path forward.
What Actually Reduces Risk:
- Preventing human errors before they happen (41% reduction)
- Making security invisible to users (95% adoption vs. 30%)
- Unifying security across all channels (removes gaps)
- Using AI to fight AI-powered threats (necessary for modern attacks)
- Building zero-knowledge architectures (protects even if breached)
- Implementing a private data network with comprehensive governance
The most successful organizations are moving beyond point solutions to private data networks that unify security and governance across all communication channels. This approach treats email, file sharing, web forms, and managed file transfer as interconnected components of a single data ecosystem rather than isolated tools. By applying consistent advanced security policies, maintaining unified audit logs, and enforcing data sovereignty requirements across all channels, organizations eliminate the gaps attackers exploit while simplifying compliance and reducing operational complexity.
Organizations looking to benchmark their security posture against these findings should focus on capabilities that address both the technological and human elements of email security within a unified governance framework.
Final thought: In today’s threat landscape, the question isn’t whether you’ll be targeted – it’s whether you’ll be ready. The data shows that readiness isn’t about having the most tools. It’s about having the right capabilities, properly implemented, with user adoption built in from the start – all operating within a cohesive private data network that provides visibility, control, and protection across every communication channel.
Frequently Asked Questions
Organizations with the lowest risk scores consistently use five approaches: preventing errors before they happen (like catching misaddressed emails), zero-knowledge encryption (where only recipients can decrypt), seamless integration with existing email tools, automated policy enforcement, and unified governance across all communication channels. Together, these reduce risk by 40%-60%.
They make security invisible. This means working within existing email clients, automatically applying protection based on content, and providing guidance instead of roadblocks. When security requires no extra steps, adoption rates exceed 95%. When it requires extra work, adoption drops below 30%.
Human error prevention. Most organizations focus on detecting threats after arrival, but 60% of breaches start with employee mistakes. Organizations that help employees avoid errors (like sending data to wrong recipients) see 41% fewer incidents than those only blocking malicious emails.
Four factors create regional differences: regulation (GDPR reduced European risk by 28%), infrastructure (newer systems in APAC lack built-in security), threat actors (follow the money to North America), and culture (privacy expectations vary by region). These factors combine to create measurable risk differences.
Not necessarily. For highly sensitive data, use secure channels like SFTP (15.9% safer). For general business communication, focus on making email safer with proper controls. The goal is matching security to sensitivity – not abandoning useful tools.
We used a weighted composite of three factors: reported incident frequency (40%), control effectiveness (35%), and threat exposure (25%). Scores range from 1-10, with regional modifiers calculated by comparing each region’s average to the global baseline. This methodology allows organizations to benchmark their own risk accurately.
These findings are drawn from a comprehensive analysis of 461 cybersecurity professionals across 11 industries and 4 geographic regions, collected in April 2025. Risk scores were calculated using a weighted methodology examining incident frequency, control effectiveness, and threat exposure.
Additional Resources
- Blog Post Zero Trust Architecture: Never Trust, Always Verify
- Video How Kiteworks Helps Advance the NSA’s Zero Trust at the Data Layer Model
- Blog Post What It Means to Extend Zero Trust to the Content Layer
- Blog Post Building Trust in Generative AI with a Zero Trust Approach
- Video Kiteworks + Forcepoint: Demonstrating Compliance and Zero Trust at the Content Layer