
I've been thinking a lot about web forms lately. Not the sleek, modern ones you see on SaaS platforms, but the ones that have been quietly humming along on manufacturing portals for 15, sometimes 20 years. The warranty registration pages. The RMA submission systems. The supplier onboarding forms that someone built in 2008 and nobody's really touched since.
Here's the thing: these forms are everywhere in manufacturing, and they're collecting genuinely sensitive data (financial records, login credentials, supplier information, intellectual property details) while often running on infrastructure that predates most of our current security thinking.
A new study paints a sobering picture. Roughly 85 percent of manufacturing organizations experienced at least one form-related security incident in the past two years. And 42 percent suffered a confirmed data breach specifically through form submissions.
Those aren't small numbers. They're not edge cases. They represent a systemic vulnerability that we've been collectively underestimating.
The Data Problem Nobody Talks About
When people think about data security risks, they usually picture healthcare with its PHI or financial services with payment card data. Manufacturing doesn't generate the same headlines. But that's part of the problem. It creates a false sense of security.
Consider what manufacturing forms collect:
- 58 percent gather financial records.
- 61 percent capture authentication credentials.
- 36 percent process payment card information.
That's substantial. And it doesn't even account for what I'd argue is manufacturing's most valuable, and least protected, asset: intellectual property. Design specifications, bills of materials, warranty details, customer configurations. All this flows through forms, often on systems that predate modern input validation standards.
I think we've been looking at this wrong. The question isn't whether manufacturing data is as sensitive as healthcare data. It's whether the protections match the actual value of what's being collected. And increasingly, the answer is no.
Why Legacy Systems Create Unique Vulnerabilities
Let me be specific about what we're dealing with. Manufacturing has a particular architecture problem that other industries don't face in quite the same way. A typical manufacturer might have forms embedded in their ERP system, their MES platform, their supplier portal, their customer-facing warranty system, and half a dozen distributor interfaces.
Many of these were built on different platforms, at different times, by different teams, some of whom may have left the company years ago.
Now, the research is clear that bots and SQL injection are the primary attack vectors against manufacturing forms. About 61 percent of organizations report significant bot activity, and 47 percent have dealt with SQL injection attempts.
These aren't sophisticated attacks. They're bread-and-butter techniques that modern form platforms handle routinely. But legacy systems? They often lack basic input sanitization. They weren't designed with these threats in mind because these threats didn't exist, or weren't as prevalent, when they were built.
Let me reconsider that framing slightly. It's not just that legacy systems lack modern protections. It's that they're often actively difficult to protect. You can't easily bolt a WAF onto a form that's embedded deep in a 20-year-old ERP customization. You can't implement proper input validation without potentially breaking integrations that nobody fully understands anymore. The technical debt compounds.
Data Sovereignty Wrinkle
Something that surprised me in the data: 80 percent of manufacturing respondents rate data sovereignty as critical or very important. That's only slightly behind financial services and healthcare. And it makes sense when you think about it.
Manufacturers with global supply chains deal with export controls, regional data residency requirements, and cross-border compliance in ways that create real complexity.
But here's where it gets messy. You can have a corporate policy about data residency, but if your supplier portal is running on a server that was set up in 2012 and nobody's quite sure where the backups go, you've got a governance problem. The forms collecting this data often exist outside the clean architectural diagrams that IT presents to auditors.
I'm not entirely sure we've fully grappled with the implications of this gap. Manufacturers often have ISO 27001 certification. They may have PCI compliance for their payment processing. But the actual form-level controls, where data enters the system, where it's validated, where it's logged, can be surprisingly disconnected from these frameworks.
What Actually Needs to Change
In my experience, the manufacturers who are handling this well tend to do a few things differently.
First, they've inventoried their forms. Not just the ones IT knows about, but the warranty portal that marketing commissioned in 2015, the distributor form that sales set up with a third-party tool, the RMA system that's been running on an aging server in the corner of the data center. You can't secure what you don't know exists.
Second, they've implemented wrapping or front-ending strategies for legacy forms. Rather than trying to rebuild everything, which is expensive and disruptive, they've put modern validation and logging layers in front of existing systems. It's not perfect, but it dramatically reduces exposure.
Third, they've started treating form security as a supply chain issue. Because that's what it is. Your forms are touchpoints with suppliers, customers, and partners. A breach there doesn't just expose your data. It potentially compromises relationships and trust across your entire business network.
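To make the second practice concrete, here is a minimal sketch of a validation-and-logging layer that screens a submission before it is forwarded to an untouched legacy form. It is an added example, not code from the study or from any product; the warranty field names, the patterns, and the hidden honeypot field `website` are assumptions chosen for illustration.

```python
import logging
import re

log = logging.getLogger("form_gateway")

# Hypothetical allowlist for a warranty registration form: field -> (pattern, max length)
SCHEMA = {
    "serial_number": (re.compile(r"[A-Z0-9]{4}-[A-Z0-9]{6}"), 11),
    "purchase_date": (re.compile(r"\d{4}-\d{2}-\d{2}"), 10),
    "email": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), 254),
    "dealer_name": (re.compile(r"[A-Za-z0-9 .,&'-]+"), 80),
}
HONEYPOT = "website"  # hidden input: people leave it empty, naive bots fill it in


def screen_submission(form: dict, source_ip: str) -> tuple[bool, list[str]]:
    """Return (accepted, reasons); only accepted submissions reach the legacy form."""
    reasons = []
    if form.get(HONEYPOT):
        reasons.append("honeypot field filled")
    unexpected = set(form) - set(SCHEMA) - {HONEYPOT}
    if unexpected:
        reasons.append(f"unexpected fields: {sorted(unexpected)}")
    for name, (pattern, max_len) in SCHEMA.items():
        value = form.get(name)
        if not isinstance(value, str) or not value:
            reasons.append(f"{name}: missing")
        elif len(value) > max_len:
            reasons.append(f"{name}: too long")
        elif not pattern.fullmatch(value):
            reasons.append(f"{name}: bad format")
    accepted = not reasons
    # Log field names and reasons only, never values: they may hold credentials or card data.
    level = logging.INFO if accepted else logging.WARNING
    log.log(level, "form=warranty ip=%s accepted=%s reasons=%s", source_ip, accepted, reasons)
    return accepted, reasons


# Constructed sample submissions (not real data).
GOOD = {"serial_number": "AB12-9F3K7Q", "purchase_date": "2024-03-18",
        "email": "buyer@example.com", "dealer_name": "O'Brien Tools"}
SQLI = dict(GOOD, dealer_name="x' OR '1'='1")        # classic injection probe
BOT = dict(GOOD, website="http://spam.example")      # bot filled the hidden field

if __name__ == "__main__":
    for sample in (GOOD, SQLI, BOT):
        print(screen_submission(sample, "203.0.113.7"))
```

The allowlist still lets a legitimate apostrophe through in `dealer_name`, so a layer like this narrows exposure but does not replace parameterized queries in the backend once that code can be touched.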
I want to be honest about something. The reason these legacy forms persist isn't that manufacturers don't care about security. It's that rebuilding them is genuinely hard. It requires understanding systems that may have outlived the people who built them. It requires budget that competes with production needs. It requires coordinating across business units that may not share priorities.
But 85 percent incident rates and 42 percent breach rates suggest we've run out of runway. The question isn't whether to address legacy form security. It's whether to do it proactively or wait until an incident forces the issue.
On second thought, maybe that's too binary. The real path forward is probably incremental: identify the highest-risk forms, implement protective layers where possible, and build toward a more coherent architecture over time. Perfect shouldn't be the enemy of better.
What I do know is this: the forms themselves aren't going away. Manufacturing runs on data exchange with suppliers, customers and partners. That data has to flow somewhere. The organizations that figure out how to secure these touchpoints, especially the legacy ones, will have a meaningful competitive advantage. And the ones that don't will eventually become cautionary tales.
The warranty portal from 2008 is still taking submissions. The question is whether you know what's happening to that data when it arrives.
Frank Balonis is the Chief Information Security Officer and Senior VP of Operations and Support at Kiteworks.















