INDUSTRY INSIGHT
EVERY SENSITIVE DATA POINT COLLECTED THROUGH INADEQUATE INFRASTRUCTURE IS A POTENTIAL INCIDENT WAITING TO MATERIALISE.
Yaron Galant, Chief Product Officer, Kiteworks
concerns were ensuring forms displayed correctly across different browsers and capturing basic information without crashing. Security was an afterthought.
This architecture creates several fundamental weaknesses. First, most legacy forms store data in standard databases without proper encryption. The information sits there, accessible to anyone with the relevant credentials. Vulnerable to insider threats and exposure during infrastructure breaches.
Second, these forms lack granular access controls. They operate on simple permission models where users either have access or don’ t. There are no data sensitivity levels, no ability to segment access and no framework for implementing time-limited permissions.
Third, traditional forms provide minimal audit capabilities. They might log when a form was submitted. But they don’ t track who viewed the data, when they accessed it, who they shared it with, or what they did with the information afterwards. This absence of comprehensive audit trails makes compliance reporting nearly impossible. Leaving organisations unable to demonstrate due diligence during regulatory investigations.
Fourth, legacy forms treat all data the same. Whether they are collecting someone’ s preferred contact method or their medical history, the underlying infrastructure doesn’ t differentiate. There’ s no recognition that different data types require different security measures, encryption standards or retention policies.
Perhaps most critically, having been developed with minimal security awareness, traditional forms lack both input validation and regular security patching. This fact, compounded with the broad attack surface afforded by their many input fields and direct connection to the database, make forms a ripe opportunity for hackers looking for a way to break in.
The regulatory reality
Of course, the regulatory environment has evolved dramatically in recent times. The UK
General Data Protection Regulation( GDPR) has established strict requirements for data processing. Similarly., the Data Protection Act 2018 has imposed obligations around special category data. Exactly the type of information many organisations collect through web forms.
Healthcare organisations face even stricter requirements through NHS data security standards and the Health and Social Care Act. Financial services must navigate the Financial Conduct Authority’ s data security regulations. Legal practices are bound by Solicitors Regulation Authority requirements regarding client confidentiality.
These aren’ t theoretical concerns. The Information Commissioner’ s Office( CIO) has issued fines totalling millions in the past year alone for data protection failures. The regulatory reality is clear. The moment someone submits their information; the duty of care begins.
All this is happening at a time when attackers have developed sophisticated methods to exploit form vulnerabilities, and they’ re constantly refining their approaches.
Rethinking how forms are built
Transforming data collection from vulnerability to defence requires fundamentally rethinking how forms are built. Data collection should begin with encryption, input validation as standard. Information should be validated and encrypted from the moment it enters a form field, remain so during processing and storage and only be decrypted when authorised users need access for legitimate purposes. Regular, thorough and frequent security patching is also a must in order to prevent exploitation of known vulnerabilities.
Comprehensive audit trails are essential. Every interaction with collected data should be logged. Who accessed it, when, what they did with it and how long they retained access.
The architecture should implement data minimisation by design. Forms should only collect information that’ s genuinely necessary. Plus, authentication and verification should be bidirectional. Users should be able to verify they’ re submitting information to legitimate forms. Organisations should be able to verify the identity of form submitters when appropriate, preventing fraudulent submissions and establishing clear accountability.
36 www. intelligentcxo. com