Request Demo
Platform CapabilitiesPolicy Creation and ManagementFile Sharing and CollaborationFile Transfer AutomationFully Governed Email DataData Streaming with Next-gen DRMControlled AI Data AccessSecure Data Intake Via Online FormsUse CasesControl Data ExchangeMeet Regulatory RequirementsSafeguard Private AI DataPartnersTechnology PartnersMSP & MSSP PartnersResellers & Channel PartnersResourcesResource CenterDevelopersCustomersCompanyAbout UsManagementInvestorsCareersTechnical SupportNewsroomTrust PageVulnerability CenterContact UsRequest Demo
Mouseover to personalize your Kiteworks website experience

2025 MFT Survey Report

Despite claiming mature security programs, organizations are failing at managed file transfer protection.

Executive Summary

Despite claiming mature security programs, organizations are failing at managed file transfer (MFT) protection. The data is stark: 59% suffered MFT security incidents in the past year while basic vulnerabilities remain unaddressed. Government agencies encrypt only 8% of their stored data. Healthcare—handling our most sensitive information—protects just 11%. Even well-resourced mid-market companies show the highest breach rates at 32%.

This failure stems from a critical misalignment in risk priorities. Organizations consistently choose moderate security stances— ranking foundational controls like patching as merely “very important” rather than “extremely critical.” This measured approach proves insufficient against actual threat landscapes.

This isn’t about sophisticated zero-day attacks or nation-state actors. Our inaugural Data Security and Compliance Risk: MFT Survey Report reveals that most incidents exploit fundamental gaps: unencrypted data sitting in storage, security tools that can’t see file transfers, and fragmented systems that create blind spots. Emerging threats compound these vulnerabilities: 26% have already experienced AI-related data incidents while 30% permit uncontrolled AI tool usage with sensitive files.

Three Gaps That Matter Most

Encryption Gap: Organizations obsess over encrypting data in motion (76% have end-to-end encryption) while ignoring data at rest. Only 42% protect stored data with AES-256, leaving the majority vulnerable where attackers strike—in file storage, backups, and temporary directories.

Visibility Gap: 63% of organizations haven’t connected their MFT systems to security monitoring. Their SOC teams watch network traffic and endpoint activity while file transfers—often containing the most sensitive data—operate in darkness.

Complexity Gap: 62% maintain separate systems for email security, file sharing, and web forms. This fragmentation doesn’t just waste resources; it creates the inconsistencies and blind spots that attackers exploit.

Progress Without Impact

Organizations are busy but not effective. The survey shows genuine effort in several areas:

Access Evolution: 67% have implemented attribute-based access control, and 58% conduct quarterly reviews

Vendor Scrutiny: 72% thoroughly evaluate vendor security—yet incidents persist

Emerging Awareness: 48% have begun addressing AI-related risks, yet 26% have already experienced AI-related incidents while 30% permit uncontrolled AI usage with sensitive files But activity doesn’t equal security.

But activity doesn’t equal security. The disconnect between effort and outcomes points to a fundamental problem: Organizations are adding advanced capabilities while leaving foundational vulnerabilities exposed.

This disconnect stems from organizations’ preference for moderate risk stances—ranking critical controls like patching as merely “very important” (3.71 priority score) rather than “extremely critical” (3.05). This measured approach fails to match actual threat severity.

DOWNLOAD THE FULL REPORT