Kiteworks’s most recent research on data security and compliance risk, the 2025 Data Forms Survey Report, indicates that 88% of businesses have had at least one security event connected to web-form use in the last two years, and 44% suffered confirmed data breaches as a consequence.
During a closed Q&A with Kiteworks’ management, Tim Freestone, Chief Marketing Officer at Kiteworks, explained the implications of the report, which exposes a broad disparity between perceived and actual security posture, even among companies that claim to be mature.

Tim Freestone finds the frequency of form-related events noteworthy. He observes that what was formerly dismissed as anecdotal has now turned into ‘systemic risk’: if nearly nine in ten firms admit to form-related events, those events are clearly not isolated.
More concerning, many of those organizations had been given advanced or leading ratings on their general security systems. Having high-level security systems does not guarantee protection when essential pieces of infrastructure, like old or shadow web forms, remain vulnerable; the contrast between confidence and reality is stark.
Freestone puts it simply: “Controls exist somewhere, but not everywhere.” Attackers are good at finding overlooked outliers: old forms, departmental tools, and embedded widgets, precisely where validation, encryption, and governance are usually absent.

Patrick Spencer, SVP, Americas Marketing & Industry Research at Kiteworks, notes that the issue is not a scarcity of tools; standard defenses are widespread. Almost 90% of polled companies use a Web Application Firewall (WAF), and around 80% have real-time detection active.
Still, many web forms, especially older or third-party ones, sit outside the protected boundary. These forms often send information to legacy backend systems, bypassing current validation and encryption channels. They might lack encryption and run without central supervision, depending solely on client-side validation.
Therefore, even if primary apps block SQL injections or bot intrusions, a single exposed form processing financial data, credentials, or personal information can become a potent breach vector. All an attacker needs, Spencer says, is “one weak form” to get around security.

The report highlights a glaring operational gap: while 82% of organizations deploy real-time detection on forms, only 48% have integrated automated incident response. That leaves a window of exposure.
In practice, many companies can recognise questionable behavior, but the reaction is delayed, sometimes because it relies on manual methods like tickets or email chains. This latency raises the likelihood that an attack will succeed before containment.
Spencer observes that companies using automated response along with detection often report fewer and shorter breaches than those depending on manual correction. In this situation, visibility without matching action is a liability.

Kiteworks’ Freestone has defined three strategic aims. Under centralized governance, develop and maintain an exhaustive catalog of all web-facing, embedded, and mobile forms. Remove forms that are obsolete or unnecessary. Demand uniform logging and monitoring, a form validation standard, and encryption from submission through storage.
Replace or modernize legacy forms that can’t support current security requirements. Pair detection with automated response systems. Make sure controls are applied consistently across all intake locations, and reinforce identity verification around sensitive flows.
With regulations like GDPR, HIPAA, PCI DSS, and regional data-sovereignty rules shaping data-handling expectations, organizations must weave compliance and data-residency logistics into form design rather than treating them as add-ons.
Many companies are overdue on a basic first step: modernizing their form infrastructure, transforming from basic web forms to secure data forms created expressly for policy enforcement, encryption, and auditability.