Organizations are flying blind when it comes to tracking data breaches, AI use, and their third-party counts.
According to a survey of 461 organizations across North America, Europe, APAC, and the Middle East by Kiteworks, 46% of companies that don't know their third-party count also don't know their breach frequency.
Meanwhile, 48% of those that are uncertain about breaches can't quantify litigation costs, 36% of those unaware of AI usage are implementing zero privacy technologies, and 42% of those uncertain about hacks report uncertainty in detection times. All of this, the firm said, creates a dangerous cascade effect.
"Our survey reveals a fundamental truth about modern data security: What you don't know doesn't just hurt you – it multiplies exponentially," said Tim Freestone, CMO of Kiteworks.
"Organizations operating blind face dramatically worse outcomes across every metric we measured. The cascade effect is undeniable: unknown third-party relationships lead to missed breaches, which prevent compliance demonstration, which results in massive costs."
When it comes to third parties, having between 1,001 and 5,000 appears to be the danger zone. Of these firms, 24% face at least seven breaches a year – the worst of any segment. Meanwhile, 46% report the highest supply chain risk, and 42% said they take between 31 and 90 days to detect breaches.
And this is costing companies dear, with organizations with faster detection showing significantly lower litigation costs. More than three-quarters of those experiencing more than 10 hacks facing litigation costs of at least $3 million.
The AI governance vacuum
Kiteworks also describes an AI governance 'vacuum', with only 17% having fully implemented technical AI governance frameworks, and 36% of those with unknown AI usage implementing no privacy-enhancing technologies (PETs) at all.
The highest risks were found in the energy and utilities sector, followed by technology and life sciences, and pharma. And lack of visibility was an issue worldwide.
"What's striking about our data is how different regions fail in different ways, yet all face the same fundamental challenge: visibility determines destiny," said Patrick Spencer, Kiteworks VP of corporate marketing and research.
"Whether it's Middle East organisations with zero 24-hour detection, European companies with as little as 12% EU Data Act readiness, or APAC's 35% who can't assess AI risks – the root cause is always the same: Organisations can't protect what they can't see."
The researchers urge organizations to track exact third-party counts and AI data flows – those that do so, they said, achieve 43% breach-free rates, compared with constant incidents for those operating blind.
They should deploy enterprise-grade controls before reaching 1,001 third-party relationships, track AI usage, and introduce privacy programs.
"The data delivers an unmistakable verdict: 2025 is an inflection point where organisations must abandon incremental improvements for transformative change," said Freestone.
"The tools exist, the strategies are proven, and our data shows exactly what works. The only question is whether organisations will act with the urgency this moment demands."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Public sector cyber leaders are tired of clunky, outdated toolsNews Cybersecurity practitioners in the public sector need more powerful tools to contend with a growing array of threats
-
SonicWall appoints Michael Crean to lead new Managed Security Services DivisionNews The industry and channel veteran will spearhead the security vendor’s ongoing expansion into managed security services
-
AI tools are a game changer for enterprise productivity, but reliability issues are causing major headaches – ‘everyone’s using AI, but very few know how to keep it from falling over’News Enterprises are flocking to AI tools, but very few lack the appropriate infrastructure to drive adoption at scale
-
Everything you need to know about Sophos’ new partner programNews The vendor’s new channel initiative unifies the Sophos and Secureworks channel ecosystems to generate new partner opportunities
-
Upskilling staff is key to mitigating cyber attacks: Here's how a cybersecurity certification can helpISACA's CCOA certification grants access to practical learning opportunities so cybersecurity analysts can grow into their roles and keep their organizations safe
-
Proofpoint bolsters Microsoft 365 protection with Hornetsecurity acquisitionNews Proofpoint said the acquisition will “significantly enhance” its human-centric security capabilities
-
ReliaQuest targets international growth, agentic AI gains with $500 million investmentNews Cybersecurity firm ReliaQuest has raised $500 million as part of a funding round aimed at accelerating international growth and product development.
