Medium-sized firms find themselves in an AI-fueled “danger zone” of cyber risk. But a data-first approach can tip the balance back in their favor.
“It’s the data, stupid.” That’s how Tim Freestone, Chief Strategy Officer at Kiteworks, sums up the pivotal shift underway in cybersecurity today. In a recent interview about Kiteworks’ 2025 Data Security and Compliance Risk Report, Freestone and colleague Patrick Spencer explained to me that companies are finally recognizing that data, more than networks, devices, or applications, must be the focal point of security efforts.
In the age of AI-fuelled threats and sprawling digital ecosystems, cybersecurity is undergoing a fundamental shift. According to Tim Freestone and Patrick Spencer of Kiteworks, the industry is finally waking up to a long-overlooked truth: it’s all about the data.
“We’re really turning a corner right now,” said Freestone. “The entire industry is realising, oh, shoot, it was about the data the whole time.” Echoing James Carville’s famous political slogan, he added, “It’s the data, stupid.”
Historically, cybersecurity focused on defending the perimeter. I.e. networks, endpoints, and cloud infrastructure. But that model no longer holds. With data scattered across hybrid environments and accessed by thousands of third parties, the real risk lies in what’s inside the walls.
AI has only intensified this reality. “AI has really shined a light on that vulnerability,” Freestone explained. “Companies don’t have the visibility they need—where their data is, what’s sensitive, who has access to it.”
The 2025 Data Security and Compliance Risk Report from Kiteworks reveals that 46% of organizations don’t know how often they’re breached, and many can’t quantify the cost of those breaches. Even more concerning: only 17% claim to have proper controls over what data is being fed into public AI tools like ChatGPT.
While all organizations face these challenges, medium-sized companies, those with 1,000 to 5,000 third-party partners, are in a particularly precarious position.
“They’re in that sweet spot of vulnerability and resource misalignment,” said Spencer, Kiteworks’ SVP of Marketing. “They’re big enough to be a good target, but not big enough to have the money and resources to combat it.”
These firms often lack the scale to implement enterprise-grade controls, yet their digital supply chains are just as complex. The result? Higher breach risk, slower detection times, and limited capacity to respond.
Generative AI is a double-edged sword. On one hand, it enables attackers to scale operations, craft more convincing phishing campaigns, and exploit vulnerabilities faster. On the other, it offers defenders powerful tools to automate detection, classify data, and monitor access at scale.
“AI is both the culprit and the cure,” Freestone said. “Now, with advancements in generative AI, it’s more realistic to take control over individual data assets at a petabyte level than it was before.”
Microsoft’s SharePoint Knowledge Agent, for example, uses AI to help organizations discover and tag sensitive data. Tools like these are becoming essential as companies grapple with the sheer volume and complexity of their data estates.
So what can security leaders do to stay ahead?
Ultimately, the shift to data-centric security isn’t just about tools. It’s about mindset. “You’re not going to be successful deploying a bunch of tools nobody realises are really critical,” Freestone said. “If the whole organization doesn’t realise that they need to focus on data as the most important layer of value, it won’t work.”
The message is clear: in 2026 and beyond, data is the battlefield. Organizations that embrace this reality, by investing in visibility, governance, and automation, will be best positioned to defend themselves in an AI-driven world.