Only 12% rate their ability to operate effectively during an attack as ‘excellent’; nearly a quarter rate themselves as ‘bad’ or ‘terrible’
Commvault (NASDAQ: CVLT), a leading provider of cyber resilience and data protection solutions for the hybrid cloud, today announced the findings of its annual report, “The State of Data Readiness – Continuous Business in Focus”, uncovering critical trends that could determine the success or failure of business continuity strategies for executive leaders and boards across Australia and New Zealand (ANZ).
The study which was conducted by Tech Research Asia and commissioned by Commvault reveals that the majority of 408 business leaders surveyed in ANZ believe they have the right plans in place to recover from a cyber-attack, but their ability to be resilient post-attack did not come close to hitting the mark. As a result, it is evident that a critical gap exists between readiness and resilience, which can be crippling for enterprise organisations trying to serve customers and protect brand reputations following an attack.
The Resilience Illusion
70% of organisations experienced a cyber-attack in the last 12 months and almost all of them had been subject to a ransomware demand. Interestingly, 54% of companies have a ‘no payment’ ransomware policy and 15% of those still paid, revealing that reality trumps principles when the inevitable does happen.
Expected recovery timelines also reveal expectations that are out of line with reality across the region. 80% of business leaders in ANZ believe they can recover within five days of a cybersecurity event, and nearly a quarter (23%) expect full recovery in just one day. However, the reality is starkly different: IT leaders report it takes an average of four weeks to restore even a minimum level of business operation, with 55% taking more than a week. The report also calls out the fact that it takes 20% of ANZ businesses an average of 45 days to fully recover from a cyber incident- which is almost double the global average of 24 days.
This resilience gap is especially alarming as Australia and New Zealand face rising attack volumes, while also operating under some of the region’s most stringent cyber and privacy laws. As organisations accelerate their cloud adoption, data sprawl is growing at an exponential rate - while emerging AI regulations and tightening compliance requirements are forcing enterprises to rethink how they build and sustain resilience.
“The data is clear - many ANZ organisations still treat cyber resilience as a post-incident task, and not a strategic priority,” commented Martin Creighan, Vice President, Asia Pacific. “The rising frequency and impact of cyberattacks across the region should serve as a wake-up call. With recovery times stretching into weeks, the risk to business continuity has never been higher. Resilience must be driven from the boardroom - not just the IT team,” added Creighan.
Compliance Pressures Add to the Strain
While data growth in ANZ slightly slowed down (27%), complexity continues to rise - with 62% of organisations now operating in hybrid or multi-cloud infrastructures. Shockingly, more than half of organisations in Australia (54%) and New Zealand (63%) say they lack full visibility into the relationships, metadata, and dependencies across their cloud environments- visibility that’s essential for a coordinated and effective recovery.
For many organisations, the chaos after an attack extends beyond just data - it also revolves around compliance. As regulators tighten data protection and operational continuity rules, 34% of ANZ organisations are subject to at least four different regulatory and compliance acts such as APRA and SoCI, and another 27% currently ‘don’t know’ what their companies need to be fully regulatory compliant.
In parallel, organisations are facing multiple requirements for cross-border data transfers, with 54% of organisations stating they already experience conflicting regulatory requirements for their data across different geographies. Resilience today requires more than technology—it demands compliance readiness, too.
The Cyber Readiness Gap
While a majority (70%) of organisations have incident response plans (IRPs), only 30% test all mission-critical workloads – leaving significant blind spots in cyber recovery. Consequently, when attacks occur, the impact is often severe:
- 74% of companies experienced data exfiltration
- 33% lost access to all data
- Only 32% recovered 100% of their data
“True resilience doesn’t begin at the point of attack, it is built long before,” said Gareth Russell, Field CTO, Asia Pacific, Commvault. “We need to shift from a response mindset to a readiness mindset where one must ask the hard questions: ‘If we were hit tomorrow, how quickly and how cleanly, could we recover?’ If that answer isn’t clear, then investment and focus are urgently needed.” Added Russell.
For the detailed report findings, please access here."
Research Methodology
THE STATE OF DATA READINESS - CONTINUOUS BUSINESS IN FOCUS, ANZ 5th Edition, is a Tech Research Asia Insights Report, commissioned by Commvault. The study surveyed 408 ANZ organisations, drawing insights specifically from CIO/CISO, IT Leader, IT decision marker and direct reports in Australia and New Zealand, providing a focused snapshot of cyber resilience in the ANZ region.