Data security is no longer just about deploying tools to identify and prevent the outflow of sensitive information. It now requires a deep understanding of how sensitive data is created, stored, accessed, and used—and how users may, intentionally or unintentionally, put it at risk.
Today’s efforts have also shifted away from purely technology-led strategies. With 64% of organizations now operating a formal data governance program and another 23% in the process of building one, it’s clear that businesses are embracing programmatic approaches that integrate governance, policies, processes, and tools into a comprehensive data protection strategy. At the same time, security teams are securing stronger budget commitments to improve their ability to keep sensitive data from leaving the organization.
Yet despite these positive trends, 77% of organizations reported an insider-related incident in the past 18 months, with 58% experiencing six or more. Why are so many still struggling to protect sensitive data?
The findings suggest a surprising culprit: the very Data Loss Prevention (DLP) tools designed to stop data loss may now be holding organizations back. Insider-driven risk has become one of the most urgent and complex challenges in enterprise security. As data flows increasingly through users, cloud applications, AI tools, and hybrid work environments, traditional perimeter-based, content-only DLP tools can’t keep up. These legacy systems were built to block outflows not to understand the nuanced behaviors and contexts that expose sensitive data in modern workflows.
Security leaders are recognizing that modern data security requires more than enforcement—it demands visibility
into the data, the activities, and the people putting that data at risk. Yet most organizations are still relying on traditional DLP tools that weren’t designed for today’s decentralized environments, unstructured data flows, or user-driven cloud and AI usage.
Based on a 2025 survey of 883 IT and cybersecurity professionals, this report explores the current state of enterprise data protection, where legacy DLP tools are falling short, and the capabilities security leaders are prioritizing as they modernize their data protection programs.
