It’s Time for a DRM “Do-over:” Findings and Takeaways in Kiteworks’ 2023 Sensitive Content Communications Report


Digitization Increases Risk

Private and public organizations worldwide are becoming more dependent on digital communications, making the need for robust cybersecurity measures increasingly vital. Growth in digital communication coincides with a rise in cyber threats, with rogue nation-states, cybercriminals, and black-market managed services providers turning their attention to the rich bounty offered by sensitive content.

According to Harvard Business Review, the financial, legal, and compliance impact of cyberattacks on data can be dramatic. For example, audit fees are around 13.5% higher for firms that experienced a data breach versus those that haven’t. And there is a downstream impact: 60% of organizations that experience a data breach have raised their prices. For publicly traded companies, there is a measurable impact: Those with a data breach underperform NASDAQ by 8.6% after one year and 11.9% after two years.

Sophistication in cyberattacks makes it increasingly difficult to combat cyber threats. For example, one study found that 80% of threat groups and 40% of malware in 2021 had not been observed before. It’s becoming increasingly difficult, as a result, to block these attacks.

Sensitive Data Breaches on the Rise

Riding on this malicious wave, the theft of sensitive content is escalating at an alarming rate. Mandiant’s 2023 M-Trends Report highlights a startling 37% increase in data theft incidents over a year, rising from 29% to 40%. Furthermore, over 3,500 threat groups, including 900 new in 2022, are part of these attacks, which involve file decoding and deletion in more than one quarter of the incidents. Kiteworks’ latest Sensitive Content Communications Privacy and Compliance Report identified password and credential attacks, URL manipulation, and denial of service as the most frequent attack vectors on sensitive content communications.

The 2023 Verizon Data Breach Investigations Report underscores the prominence of personal data in these attacks, with more than half of the breaches involving personally identifiable information (PII) and protected health information (PHI). In terms of attack vectors, email, closely followed by web applications and desktop sharing solutions, remains a major security problem for organizations, with nearly 60% of social engineering attacks being pretexting and related to business email compromise (BEC).

Some Data Breaches Are Inadvertent

The mounting cyber threat landscape isn’t just shaped by the actions of these bad actors. Human error plays a substantial role in exposing sensitive content. Verizon’s report suggests that 43% of data breaches involve data misdelivery, while 23% occur due to publishing errors, inadvertently broadcasting data to the wrong audience. These result from instances where email and files are sent or shared with the wrong recipient or recipients, and unauthorized users are given access to sensitive folders, files, and web form data.

Rise of Data Privacy Regulations

Concurrent with the escalating cost of sensitive data hacks is an emphasis on worldwide data privacy regulations. These range from data privacy standards to cybersecurity benchmarks, imposing stringent compliance requirements on businesses operating across diverse jurisdictions.

For instance, the European Union’s General Data Protection Regulation (GDPR), since its implementation in 2018, has emerged as one of the world’s strictest regulations for personal data. It spans across 27 EU member states and carries significant penalties for noncompliance. However, GDPR isn’t alone. Presently, 157 countries have substantial national data protection regulations, marking a significant increase from 145 countries just 15 months prior.

The U.S., while lacking a national regulation akin to the GDPR, enforces strict PHI protection requirements under the Health Insurance Portability and Accountability Act (HIPAA). Moreover, several U.S. states have introduced their own regulations following the passage of the California Consumer Privacy Act (CCPA) in 2018. All of this adds to the complex tapestry of regulations with which businesses need to comply.

Government contracting businesses, especially those in the U.S., are subject to additional regulations. Federal Risk and Authorization Management Program (FedRAMP) has standardized cybersecurity practices for cloud services for all U.S. government agencies and contractors. Cybersecurity Maturity Model Certification (CMMC) 2.0 now requires over 300,000 members of the Defense Industrial Base (DIB) to comply with one of three maturity levels based on their contracts with the Department of Defense (DoD), aiming to protect controlled unclassified information (CUI) and federal contract information (FCI).

Scope for the 2023 Sensitive Content Communications Privacy and Compliance Report

With this as a backdrop, Kiteworks launched an annual report in 2022—its Sensitive Content Communications Privacy and Compliance Report. Last year’s report brought forward numerous useful industry insights. For example, more than half of organizations are inadequately protected against third-party security and compliance risks related to sensitive content communications. Reasons for these failures can be linked to lack of encryption and governance controls, and inaccurate and insufficient compliance reporting. The 2022 report also found that two-thirds of organizations use more than four different sensitive content communication tools. The list of findings could go on.

Last year’s report surveyed over 400 IT, security, risk, and compliance professionals in seven industry sectors. For 2023, we expanded the number of survey participants to over 781 individuals in 13 industries across 15 countries and four continents. As discussed above, disclosure of PII, PHI, transaction data, company financials, intellectual property (IP), non-public information about mergers and acquisitions, and legal matters can be disastrous for most organizations. To manage intentional and inadvertent data exposure and noncompliance with regulations, organizations are turning to digital rights management (DRM). These and other aspects are explored in detail below.


Unpacking the Complexity of Today’s Communication Landscape

The exponential increase in third-party interactions is a significant security concern for organizations. The report reveals that 90% of organizations shared content with over 1,000 external entities in 2023, a significant leap from 63% in the previous year. What’s more, 44% now share content with over 2,500 third parties. This extensive network of third-party interactions cuts across organizations of various sizes and industry sectors, underlining the universality of the issue.

Further compounding the problem, the use of communication channels to transmit sensitive content is on the rise. With 50% of organizations deploying six or more tools for sensitive content communications, the task of tracking and securing content exchange is growing increasingly complex. This complexity necessitates the allocation of substantial resources, leading to higher costs and a more challenging compliance landscape.

Gaps in Security Maturity

The report brings to light a stark gap between organizations’ current security efforts and what is required for effective sensitive content management. Only slightly more than one-quarter of respondents consider their security measures and management practices adequate. Organizations acknowledge the inherent risks associated with various channels, including email, file sharing, mobile apps, and APIs.

The number of incidents specifically targeting sensitive content communication is worryingly high, with over 80% of organizations reporting four or more exploits in the past year. These attacks’ financial and compliance impact has been severe, with over 60% reporting financial repercussions, 44% reporting brand impact, and 42% experiencing compliance and legal costs.

Struggling With Compliance Requirements

Compliance continues to be a significant hurdle, with organizations devoting substantial resources to meet regulatory standards such as GDPR, PIPEDA, PCI DSS, and HIPAA, among others. While respondents show an understanding of best practices, there’s a significant gap in applying these practices.

Only a small fraction of organizations has successfully extended sensitive content tracking, recording, and access control across all users, departments, content types, and third parties. Consequently, only 27% of respondents feel that their compliance risk management is under control. The remaining 73% believe there’s a need for either a complete overhaul of their approach or significant improvements.

Realizing the Promise of Digital Rights Management

Amidst the challenges, the report identifies a glimmer of hope in the form of digital rights management (DRM). DRM is seen as a promising solution to these issues, emphasizing the classification of sensitive content, segmenting it based on risk, and controlling access according to roles and geographies.

While adoption has been slow, most organizations understand DRM’s importance and are gradually aligning their strategies accordingly. We believe a “do-over” is necessitated. Despite challenges in deployment, such as the need for agent intervention for unencrypted files with third parties and customizable controls for different users and content types, DRM is steadily gaining ground as a preferred methodology.

The report also underscores the value of adhering to industry standards like the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). Complying with these standards can streamline DRM adoption, ensuring more robust protection against cyber threats.

Crucial Role of Technology Partners in Protecting Sensitive Content Communications

Public and private sector organizations seeking to combat cyber threats must find the right technology partners. For sensitive content communications, survey respondents look for robust security features, such as automatic end-to-end encryption, DRM, and compliance tracking and reporting. They also look for solutions that enable them to consolidate their disparate communication tools and systems to reduce CapEx and OpEx. This saves them significant time and resources compiling disparate data pools captured across multiple communication tools, assuming those tools even capture the data needed to demonstrate adherence with the associated compliance regulation.

When organizations unify their communication tools onto one platform, they can establish uniform policies for tracking and controlling sensitive content communications in compliance with industry and governmental regulations while applying a unifying security approach. This reduces both their security and compliance risks.


Pessimistic and Optimistic Assessments of Sensitive Content Communications in the Report

This year’s report paints both a concerning and promising picture. On the one hand, sensitive content communications remain a challenge. Organizations face greater risk due to a growth in the number of communication tools they use and the diversity of third parties with which they send and share information. It is no surprise that over three-quarters do not yet track and control sensitive content communications both on-premises and in the cloud as well as across all departments and users. These issues, along with a growing sophistication in cyberattacks, make exploits inevitable—and significant impact is being felt. In the face of financial constraints and the cybersecurity skills shortage, it is impossible to throw more resources and budget at the ascribed problems—assuming such would even work.

On the other hand, the report reveals that leaders and practitioners are prioritizing solutions to address these problems. These coalesce around four different action items:

1. Holistic Approach to Compliance

As different jurisdictions, including various states within the U.S., introduce a mosaic of new regulations, organizations must shift their attention. In this emerging Era of Compliance, the focus should no longer be on ticking the boxes of each individual rule. Instead, organizations must adopt universal best practices, which assure adherence to all regulations. We propose adopting a comprehensive framework such as the NIST CSF, working toward absolute compliance with all its aspects. Such an approach naturally culminates in DRM.

2. Resurgence of DRM

Organizations must adopt a comprehensive method to meticulously categorize data, ensuring each category is readily accessible to those requiring it for their role-specific duties while restricting access to all others. This approach is crucial for proper data management.

3. Insider Threat Protection

Nearly one in five data breaches are caused by employees or other individuals with access to internal systems. By meticulously classifying and segmenting data, and limiting access based on specific roles, organizations can safeguard against both intentional and unintentional data exposure from within.

4. Security Protections

Cybercriminals and illicit nation-states are keenly aware of the worth of sensitive information and aim to exploit any weaknesses or gaps in the security measures of communication tools used to distribute this information. Therefore, it is crucial to comprehend and scrutinize the security features of your communication tools. Using the key priorities highlighted in this report as a reference for these reviews could serve as an effective starting point.

Focus on DRM, NIST CSF, and More in 2023

The 2023 Kiteworks report provides an in-depth overview of the challenges and opportunities in the current intricate security environment. With an increasing number of third parties involved in sharing sensitive content, organizations must intensify their security efforts to safeguard their digital resources.

Despite the daunting task of achieving optimal security, there is optimism with the advent of technologies like DRM and the NIST CSF. By harnessing these tools and aligning with the appropriate technology provider, organizations can ensure their sensitive communication safety, maintain compliance, and ultimately prosper in an increasingly interconnected world.

The report’s findings emphasize the critical importance of securing sensitive content communication in our digital age. Considering the nature of the shared content and its wide distribution, organizations must implement strong measures to protect against continuously evolving cyber threats.

Securing sensitive content communication is undoubtedly laden with obstacles. However, with the right technology, strategic planning, security framework, and governance, organizations can surmount these challenges. The report ultimately acts as a guide for businesses globally, prompting them to take distinct steps to protect their sensitive communications amidst an ever-evolving digital landscape.
