08-07-2025
ANZ businesses overestimate cyber readiness amid resilience gap
A new study by Commvault has shown that most business leaders in Australia and New Zealand overestimate their preparedness for cyberattacks, with many experiencing confusion and delays following incidents.
The annual report, titled "The State of Data Readiness – Continuous Business in Focus", was commissioned by Commvault and conducted by Tech Research Asia. It draws on the views of 408 business leaders across the region and examines the readiness of organisations to handle cyber threats and maintain business continuity.
The findings reveal a critical difference between perceived and actual resilience. While most organisations believe they have robust plans to recover from cyberattacks, only 12% rate their ability to operate effectively during an incident as 'excellent'. Nearly a quarter rate themselves as 'bad' or 'terrible' when it comes to resilience during a cyber event.
Widespread attacks
According to the study, 70% of organisations in Australia and New Zealand experienced a cyberattack in the past year. Almost all were subjected to ransomware demands. Interestingly, while 54% of surveyed companies have policies not to pay ransoms, 15% of those still made payments when faced with real-world incidents.
Expectations among business leaders around recovery times diverge significantly from reality. 80% expect systems to be restored within five days of a cybersecurity event. Almost a quarter believe their organisation can recover fully in a single day. In practice, IT leaders report it takes an average of four weeks to reach even a minimum level of operational recovery, with 55% of organisations requiring more than a week to restore key functions. Notably, 20% of respondents say it takes their business an average of 45 days to fully recover from a cyber incident, compared to a global average of 24 days.
This mismatch underscores a resilience gap that presents particular challenges for organisations as they confront rising attack volumes and operate within the context of some of the world's strictest cyber and privacy regulations. Growth in cloud adoption and data sprawl, combined with emerging requirements such as artificial intelligence rules and increasing compliance pressures, mean that resilience strategies must continually adapt. "The data is clear - many ANZ organisations still treat cyber resilience as a post-incident task, and not a strategic priority," commented Martin Creighan, Vice President, Asia Pacific. "The rising frequency and impact of cyberattacks across the region should serve as a wake-up call. With recovery times stretching into weeks, the risk to business continuity has never been higher. Resilience must be driven from the boardroom - not just the IT team," added Creighan.
Rising complexity and compliance
While data growth in the region slowed moderately at 27%, the complexity of IT infrastructures increased. 62% of organisations now operate in hybrid or multi-cloud environments. However, over half of companies in both Australia (54%) and New Zealand (63%) report lacking full visibility into their cloud environments, including relationships, metadata, and system dependencies. This level of visibility is necessary for a coordinated and effective recovery when incidents occur.
Compliance issues further complicate recovery efforts. 34% of businesses surveyed are subject to at least four different regulatory and compliance requirements, such as APRA and SoCI rules. 27% admit that they are uncertain about the regulations with which they need to comply to be fully legal. Additionally, 54% face conflicting regulatory regimes for cross-border data transfers, increasing the pressure to achieve resilience not only technologically but also through compliance readiness.
Incident responses lag
The research finds that although the majority (70%) of organisations have incident response plans, only 30% regularly test all mission-critical systems. This lack of comprehensive testing leaves concealed weaknesses in cyber recovery strategies.
The consequences of such gaps can be severe. Three quarters of companies surveyed (74%) have experienced data exfiltration, and one third lost access to all data following a cyber incident. Only 32% managed to recover 100% of their data after an attack. "True resilience doesn't begin at the point of attack, it is built long before," said Gareth Russell, Field CTO, Asia Pacific, Commvault. "We need to shift from a response mindset to a readiness mindset where one must ask the hard questions: 'If we were hit tomorrow, how quickly and how cleanly, could we recover?' If that answer isn't clear, then investment and focus are urgently needed." Added Russell.
The report is based on a survey of Chief Information Officers, Chief Information Security Officers, IT Leaders, decision makers, and their direct reports from across Australia and New Zealand. The snapshot highlights the continuing challenges faced by the region's organisations as they strive to strengthen cyber resilience in an evolving landscape.
