
Legacy Web Forms Pose Growing Security Risk and Opportunity for MSPs

This article first appeared in News in the Channel magazine issue #38.

Legacy web forms may not be exciting, but they do provide an attack surface for cybercriminals, and managed service providers can help to keep them secure, as David Byrnes, VP of Global Channels at Kiteworks, explains.

Legacy web forms do not typically generate much excitement in security conversations. They are the digital equivalent of paperwork: necessary, unglamorous and taken for granted. Yet that is precisely why they have become one of the most dangerous attack surfaces in enterprise IT, and why managed service providers and security-focused partners should be paying close attention.

A recent survey of security, risk management, compliance and IT leaders reveals something that should reshape how channel partners think about their service portfolios. Organisations are spending six figures annually on form security, planning major upgrades in the next six months, and admitting they lack the expertise to execute properly. That gap between budget and capability is where partners can build sustainable, high-margin practices.

Traditional response is not working

Forms have quietly become the primary intake mechanism for an organisation’s most sensitive data. They are no longer simple contact pages or feedback widgets. They are core infrastructure, and they are failing spectacularly.

The data is sobering: 88% of organisations experienced at least one form-related security incident over the past 24 months and 44% suffered a confirmed data breach specifically through form submissions.

The traditional response of simply deploying a web application firewall is clearly not working. Forms created across different departments, embedded in legacy systems, built on various platforms, and deployed across mobile and web channels create a fragmented landscape that perimeter defences simply cannot address comprehensively.

Spending heavily but achieving little

While it can be difficult for partners to evangelise solutions to problems customers have not recognised yet, that is not the case here. The survey showed that 83% of organisations already allocate at least $100,000 (£75,150) annually to form security and a fifth exceed $500,000 (£376,000). More importantly, 71% plan to implement or upgrade their form security controls within the next six months. This makes it active budget, not theoretical interest.

Currently, budget goes on fragmented projects, ad-hoc hardening, custom development work and emergency fixes for legacy portals after incidents occur. It is reactive, inefficient and unsustainable.

The execution gap

Despite substantial budgets, organisations cite significant barriers to improving their form security posture: 58% cite a lack of internal expertise, 48% complain of technical complexity and 41% blame legacy system limitations.

Organisations want to modernise their form security and have money to do it but cannot execute cleanly on their own. They are managing forms spread across IT, operations, HR, finance, marketing and other departments. More than a third of forms receive fewer than 10 submissions monthly. Yet those low-volume forms often collect financial records, authentication credentials, employee data and government IDs. It is a long tail of sensitive data collection with minimal governance.

The survey identifies priorities that should guide partner service development. Customers need encryption that covers data from submission through processing and storage, not just in transit. They need consistent validation, identity verification and logging across all forms, regardless of where those forms live. They need deployment flexibility that satisfies residency requirements, whether cloud, hybrid, on-premises or private cloud.

Plus, they need automated evidence generation mapped to whichever frameworks govern their industry. Partners that can deliver these capabilities as managed services position themselves as compliance enablers.

How to structure offerings

The practical question for MSPs and MSSPs is how to structure service offerings around this opportunity. Discovery and risk assessment address the foundational problem that organisations do not know what forms they have or what data those forms collect. A fixed-fee engagement that inventories forms across departments and systems, classifies data sensitivity, scores risk based on controls and residency, and produces a prioritised migration roadmap creates immediate value and can lead to implementation work.

Implementation and migration reflects how customers plan to deploy. Partners can design and build high-risk forms first, then integrate with identity systems and back-end infrastructure, and systematically address legacy forms over time. Each phase generates revenue while demonstrating measurable risk reduction.

Managed detection and response targets the 82% of organisations that have real-time detection capabilities but no automated response. Partners can offer centralised monitoring, automated containment playbooks, and integration with existing SIEM and SOAR investments as a managed security service.

Compliance as a service addresses the audit burden directly. Most platforms provide logs; few provide audit-ready reports. Partners can deliver regular evidence packages mapped to relevant frameworks, monitor residency compliance across regions and offer continuous compliance dashboards that track audit workload and incident metrics. This reduces customer audit pain while generating recurring revenue.

What next?

Form security represents a convergence that channel partners rarely encounter: high risk, substantial existing budget, compressed timelines, clear acknowledgement of capability gaps and regulatory pressure forcing action. Customers are not waiting to be convinced that these matter; they are looking for partners that can help. The question is not whether this market exists; it is whether you are positioned to capture it.

Trish Stevens Head of Content
Trish is the Head of Content for In the Channel Media Group. trish@newsinthechannel.com
