The security stack at a modern organization is genuinely impressive.

Endpoint detection and response on every device. Identity and access management with MFA enforced. Network monitoring with behavioral analytics. DLP policies configured across email and cloud services. Vulnerability management on a regular cadence. SOC coverage, whether in-house or outsourced.

And every year, organizations invest more. Global information security spending reached $213 billion in 2025, growing 15% year-over-year. Most of that investment went into detection, response, and perimeter hardening.

Yet the model is failing where it matters most. While global breach costs showed a slight dip, the average U.S. data breach cost surged to a record high of $10.22 million in 2025. Even with the fastest detection tools in history, attackers still "dwell" in systems for an average of 181 days before they are identified. Once identified, it takes an additional 60 days to contain the breach.

Something in the model isn't working as well as the investment suggests it should.

The gap is at the file boundary, and almost nothing in the standard enterprise security stack directly addresses it.

What Does the Standard Security Stack Protect?

To understand the gap, it helps to be precise about what each layer of the standard stack is actually defending.

Endpoint protection (EDR, AV, MDM) defends the device. It detects malicious code, blocks known attack patterns, and provides forensic capability when an endpoint is compromised. It doesn't protect the files that were legitimately copied off that device before it was compromised.

Identity and access management (IAM, SSO, MFA) defends the identity. It ensures that only authorized users can authenticate to systems. It doesn't protect the files that an authorized user — or an attacker with their credentials — accesses and downloads.

Network security (firewalls, IDS/IPS, ZTNA) defends the perimeter. It controls what traffic enters and leaves the network. It doesn't protect the files that have already left the network through legitimate channels.

DLP defends the boundary. It monitors data movement and can block certain types of transfers. It generates a 73%+ false positive rate (Ponemon Institute) because it's trying to apply structured-data logic to fundamentally unstructured files, and it has no control over files already on endpoints or already shared with authorized third parties.

SIEM generates visibility. It records what happened and when. It doesn't prevent anything; it's forensic evidence for afterward. 

Every layer is valuable, but each is designed to protect something other than the file itself. The file — the document, the drawing, the contract, the spreadsheet containing your most sensitive information — moves through and between all of these layers, and none of them travels with it.

Is Your Data Only Safe Until It’s Used?

The standard security stack is built to protect "places" and "identities," but it loses sight of the data the moment a file is opened or shared. If your security doesn't travel with the file, you have a persistent blind spot. Close the gap with file-level controls that enforce your policies anywhere.


Where the Security Gap Shows Up

The file boundary gap creates predictable exposure in specific scenarios. Organizations don't usually discover them until after something goes wrong.

Authorized users with legitimate access. The most common data exposure scenario isn't a sophisticated attack. It's an authorized user who downloads sensitive files for a legitimate reason — a traveling engineer, a remote employee, a subcontractor doing approved work — and those files end up on a device or in a location that isn't secured. Every access control in the stack passed. The file is now unprotected.

Third-party and supply chain access. Organizations regularly share sensitive files with attorneys, accountants, consultants, partner organizations, and supply chain vendors. Each of those parties has its own security posture — one that the sharing organization can't audit, can't control, and can't remediate. Once a file is shared, the sharing organization's security stack has no visibility into what happens to it.

Credential compromise. IAM and MFA significantly raise the cost of credential attacks. They don't prevent them entirely — across multiple consecutive years, Verizon's DBIR has found that 88–93% of breaches involve stolen credentials or insiders. When an attacker authenticates as an authorized user, every layer of the security stack treats them as legitimate. They download files with a clean access log.

The exfiltration model. As covered in recent threat intelligence reporting, exfiltration-only attacks — where attackers steal files without encrypting systems — now represent 22% of ransomware incident response cases (Arctic Wolf, 2025). The entire backup-and-recovery approach to ransomware resilience doesn't apply. The leverage is the files themselves, not the system. A security stack that defends systems but not files is exactly what this attack model is designed to exploit.

The File-Level / Data-Centric Layer

The gap in enterprise data protection is consistent enough that it has a specific solution: protection that lives in the file rather than in the infrastructure around it.

Per-file FIPS 140-3 validated encryption means every sensitive file has its own cryptographic key and access policy. That policy is enforced by the file itself, so it doesn't depend on the device the file is on, the network it's accessed from, or the storage platform it's stored in. A file that's exfiltrated, downloaded to an unmanaged device, or shared with an external party is still governed by the same access controls that applied when it was inside the secured environment.

The specific capabilities this adds to an existing enterprise stack:

Post-download protection. Files remain encrypted and access-controlled after they're downloaded from any corporate system — SharePoint, a secure file share, or a cloud storage platform. The endpoint protection layer defends the device. The file-level layer defends the content, regardless of where it goes.

Third-party access governance. Files shared with external parties carry their own access policy. You can revoke access when a project ends, and generate an audit trail of every access attempt, inside or outside your organization.

Credential compromise resilience. Context-aware access controls require more than valid credentials to open a file. Device trust, location, and time-based conditions mean an attacker with valid stolen credentials still can't open protected files from an unauthorized device or location.

Exfiltration neutralization. If files are stolen, what the attacker gets is ciphertext they cannot read. The extortion model — pay us, or we publish your data — requires having data worth threatening to publish. Encrypted files with no accessible decryption path have no publication value.

This layer works alongside the existing stack, not in place of it. Endpoint protection still defends the device. IAM still controls identity. Network security still guards the perimeter. The file-level layer adds what none of those do: persistent protection for the data itself.
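The Go program below is an added example, not Theodosian's code or a description of its internals. It shows one way the four capabilities above fit together, and it also illustrates the FAQ answers on how file-level protection differs from DLP and how zero trust applies at every open attempt: each file gets its own AES-256-GCM data key (Go's standard library here, which is not a FIPS 140-3 validated module), that key is wrapped under an organization key and carried with the file, and a policy-holding key server evaluates identity, device trust, expiry and revocation on every open, writing an audit entry whether access is allowed or denied. A copy that leaves the environment is inert ciphertext until the server releases the key. The file ID, user and device names are constructed for the demo, and the envelope-encryption design is an assumption about one way to build this.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Policy is held by the key server, not the file, so a stolen copy cannot carry a weakened policy.
type Policy struct {
	AllowedUsers   map[string]bool // identity condition
	TrustedDevices map[string]bool // device-trust condition (constructed device IDs)
	Expires        time.Time       // time-based condition
	Revoked        bool            // set when a project ends
}

// ProtectedFile is the portable artifact: AES-256-GCM ciphertext plus its own data key
// wrapped under the organization's KEK. Wherever it is copied it stays inert until the key server releases the key.
type ProtectedFile struct {
	ID                    string
	Nonce, Ciphertext     []byte
	WrapNonce, WrappedKey []byte
}

// AuditEntry is written for every open attempt, allowed or denied.
type AuditEntry struct {
	FileID, User, Device, Reason string
	At                           time.Time
	Allowed                      bool
}

// KeyServer holds the key-encryption key and the authoritative policy for each file.
type KeyServer struct {
	kek      []byte
	policies map[string]Policy
	Audit    []AuditEntry
}

func NewKeyServer() *KeyServer {
	return &KeyServer{kek: randomBytes(32), policies: map[string]Policy{}}
}

// randomBytes and newGCM panic on setup failures the example has no reason to handle.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// Protect gives the file a unique data key, encrypts the content with it, wraps that key under
// the KEK, and registers the policy. The file ID is bound as associated data so a wrapped key
// cannot be transplanted onto a different file.
func (ks *KeyServer) Protect(id string, plaintext []byte, p Policy) *ProtectedFile {
	dek, aad := randomBytes(32), []byte(id)
	fileGCM, kekGCM := newGCM(dek), newGCM(ks.kek)
	nonce, wrapNonce := randomBytes(fileGCM.NonceSize()), randomBytes(kekGCM.NonceSize())
	ks.policies[id] = p
	return &ProtectedFile{id, nonce, fileGCM.Seal(nil, nonce, plaintext, aad),
		wrapNonce, kekGCM.Seal(nil, wrapNonce, dek, aad)}
}

// Revoke cuts off every copy of the file, including copies already downloaded or shared.
func (ks *KeyServer) Revoke(id string) {
	ks.policies[id] = Policy{Revoked: true}
}

// evaluate names the first failing condition; that string becomes the audit reason.
func evaluate(p Policy, user, device string, at time.Time) (bool, string) {
	switch {
	case p.Revoked:
		return false, "access revoked"
	case !p.AllowedUsers[user]:
		return false, "user not in policy"
	case !p.TrustedDevices[device]:
		return false, "device not trusted"
	case at.After(p.Expires):
		return false, "access expired"
	}
	return true, "policy satisfied"
}

// Open evaluates the policy on every attempt, logs the attempt either way, and unwraps
// the data key only when every condition holds.
func (ks *KeyServer) Open(f *ProtectedFile, user, device string, at time.Time) ([]byte, error) {
	ok, reason := evaluate(ks.policies[f.ID], user, device, at)
	ks.Audit = append(ks.Audit, AuditEntry{f.ID, user, device, reason, at, ok})
	if !ok {
		return nil, errors.New(reason)
	}
	aad := []byte(f.ID)
	dek, err := newGCM(ks.kek).Open(nil, f.WrapNonce, f.WrappedKey, aad)
	if err != nil {
		return nil, err
	}
	return newGCM(dek).Open(nil, f.Nonce, f.Ciphertext, aad)
}

func main() {
	ks, now := NewKeyServer(), time.Now()
	f := ks.Protect("cui-drawing-0001", []byte("constructed CAD contents"), Policy{
		AllowedUsers: map[string]bool{"alice": true}, TrustedDevices: map[string]bool{"laptop-1234": true},
		Expires: now.Add(24 * time.Hour)})
	_, denied := ks.Open(f, "alice", "unmanaged-pc", now) // valid credentials, untrusted device
	pt, _ := ks.Open(f, "alice", "laptop-1234", now)
	ks.Revoke(f.ID)
	_, revoked := ks.Open(f, "alice", "laptop-1234", now)
	fmt.Println(denied, "|", string(pt), "|", revoked, "| audit entries:", len(ks.Audit))
}
```

The design choice worth noticing is where the policy lives. The file carries its wrapped key, so the server never has to store per-file keys, but the policy is kept server-side and consulted on every open; that is what makes revocation reach copies that were downloaded or shared long ago, and what leaves an exfiltrated copy with nothing the attacker can read.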


The Compliance Case

For organizations under regulatory requirements, the file-level gap isn't just a security risk; it's a compliance gap with specific enforcement consequences.

CMMC Level 2 requires FIPS 140-3 validated encryption on Controlled Unclassified Information (SC.3.177). Defense contractors often have strong perimeter security and endpoint protection, but fail this specific control because the CUI files themselves — CAD drawings, engineering documents, technical specifications — aren't encrypted at the file level. The control cannot be deferred to a POA&M. It has to be in place before certification.

HIPAA's Technical Safeguards (§ 164.312) require access controls, audit logging, and encryption for ePHI wherever it exists — not just inside the EHR. Healthcare organizations with sophisticated network security and identity management still have unprotected PHI in the files that leave those systems.

The FTC Safeguards Rule (§ 314.4(d)) requires financial institutions to encrypt NPI in transit and at rest, including files shared with third-party service providers. The "at rest" obligation doesn't stop at the institution's own storage — it follows the file.

In each case, the regulation requires something the standard enterprise security stack doesn't provide: persistent protection at the file level.

What "Completing" the Stack Looks Like

The organizations that close the file-level gap most effectively treat it the same way they treat any other security layer — as a specific capability with a specific scope, deployed alongside the existing stack without replacing it.

Practically, that means:

Identify the highest-risk file categories first. Technical drawings and engineering specifications for defense contractors. Clinical files and PHI for healthcare. Customer financial records and NPI for financial institutions. Start where the regulatory exposure and breach risk are highest.

Deploy file-level protection on those categories. Per-file encryption and context-aware access controls don't require ripping out existing infrastructure. They integrate with existing storage, email, and collaboration platforms as an additional layer.

Generate the audit evidence. Per-file access logs — every open, view, download, and denied access attempt — provide compliance documentation that standard stack logging doesn't capture. For CMMC, HIPAA, or Safeguards Rule assessments, this is the evidence that demonstrates the data was actually protected, not just that the system around it was secured.

Expand coverage progressively. Once the highest-risk categories are covered, expand to additional file types and workflows. The deployment model scales without architectural change.

The result is a security posture that defends the infrastructure — which the existing stack already does well — and also defends the data. Not just from the perimeter, but wherever the data actually goes.

Neutralize Data Exfiltration in 14 Days

You don't need to rip and replace your infrastructure to meet CMMC or HIPAA requirements. Theodosian integrates with your existing M365 and cloud storage in hours, providing FIPS 140-3 validated protection that travels with every file.


FAQs: Enterprise Data Protection 

What is enterprise data protection?

Enterprise data protection is the set of controls, policies, and technologies an organization uses to protect its sensitive data from unauthorized access, exfiltration, and loss. A complete enterprise data protection program addresses data at rest, in transit, and in use — across all storage platforms, endpoints, and external parties the organization works with. Most enterprise security stacks cover the infrastructure layer (devices, network, identity) effectively, but have a systematic gap at the file level: data that moves outside the governed environment loses its protection.

Why do breaches keep happening despite large security investments?

The increase in security spending hasn't eliminated breaches because most of that spending targets the infrastructure around data rather than the data itself. Endpoint protection defends devices. Network security defends the perimeter. DLP monitors data movement. None of these tools protects a file after it's been legitimately accessed and copied outside the secured environment. When an attacker uses stolen credentials to authenticate as a legitimate user, or when a file is shared with a third party whose security posture is weaker, the standard security stack has no visibility or control. File-level protection addresses this specific gap.

What's the difference between data protection and data security?

The terms are often used interchangeably, but there's a useful distinction. Data security tends to refer to the technical controls that protect data from unauthorized access — encryption, access controls, and audit logging. Data protection is broader, encompassing both security controls and governance practices, including data classification, retention policies, and regulatory compliance. An enterprise data protection program requires both governance to know what data you have and what policies apply, and security controls to enforce those policies wherever the data goes.

What does "file-level protection" add that DLP doesn't provide?

DLP monitors data movement and can block certain types of transfers. It's a boundary control; it works at the point where data crosses a monitored perimeter. File-level protection is persistent; it travels with the file after it crosses any boundary. A file protected at the file level remains encrypted and access-controlled on an unmanaged laptop, in a third-party archive, or in an attacker's possession after exfiltration. DLP would have logged the movement. File-level protection makes the data in the file inaccessible without authorization, regardless of where it ends up.

How does enterprise data protection relate to zero trust?

Zero trust is a security model based on the principle of "never trust, always verify" — every access request must be authenticated, authorized, and validated regardless of where it comes from. Most zero trust implementations focus on network access (ZTNA) and identity verification. File-level zero trust extends this model to the data itself: a file applies its own access policy at every open attempt, verifying identity, device trust, and access conditions. This means zero trust principles apply to the data wherever it travels, not just within the network perimeter where zero trust access policies are enforced.

How quickly can file-level protection be deployed in an existing environment?

For most organizations, deployment takes days rather than weeks. Theodosian is designed to work alongside existing security infrastructure — Microsoft 365, cloud storage platforms, email systems — without requiring architectural changes. The 14-day pilot is specifically structured to demonstrate file-level protection active on your highest-risk data categories, with assessor-ready audit evidence generated automatically, so you can validate the capability before full deployment.