Introduction

In today’s hyper-connected business environment, where AI-driven systems, multi-cloud strategies, and edge computing dominate conversations, it’s tempting to chase every emerging risk with equal urgency. But when it comes to resilience, success doesn’t lie in doing everything, it comes from doing the right things.

Modern organisations face a complex threat landscape that is unforgiving and unpredictable. Whether it’s ransomware, supply chain disruptions, or the growing scrutiny around data sovereignty, trying to eliminate all risks is not only unrealistic, it’s impossible. True resilience begins by acknowledging the hard truth that not everything can be solved or prevented.

 Focusing On What Matters Most

Resilient organisations take a stepwise approach to risk. They don’t attempt to tackle every vulnerability at once. Instead, they prioritise based on impact and likelihood, ensuring that critical assets are protected, and recovery strategies align with business continuity objectives.

Resiliency continues to be a critical objective across organisations in APJ, as attacks are rising in both volume and sophistication. According to the Veeam 2025 Ransomware Trends Report, 89% of organisations globally had their backup repositories targeted by threat actors, a tactic increasingly common in ransomware campaigns. Alarmingly, less than 40% of organisations in APJ include backup verifications as part of their ransomware response playbook. It is therefore no surprise that while 90% of ransomware victims thought they were prepared before an attack, confidence dropped by 17% after an attack.

The takeaway? Even well-prepared organisations must constantly reassess what risks truly matter and act on them accordingly.

Resilience Starts With a Robust Risk Assessment

Every organisation, regardless of size or sector, must incorporate risk assessments as a regular operational discipline, not a once-a-year compliance checkbox. This means continuously evaluating gaps in backup repositories, backup integrity and recoverability.

Despite regulatory scrutiny increasing in APJ, many organisations are still unprepared. Nearly four in 10 organisations in APJ believe they need a significant overhaul to fully align IT operations with cybersecurity teams. Without strong foundations in data resilience, even the most advanced AI-driven defences can’t prevent reinfection or lateral movement post-incident.

To stay ahead, resilience planning must be adaptive. Risk evolves, and so should the controls we place around it. Whether it’s identifying ransomware dwell times (which are now under 24 hours in many cases) or tracking changes in regulatory expectations, regular reassessment is critical.

The Universality of Resilience Principles

No matter the industry or region, the underlying challenge is the same: how do you strengthen resilience without overengineering solutions or overwhelming your teams?

At Veeam, we’ve seen that organisations that focus their efforts achieve more meaningful outcomes. For example, those that partner with third-party experts like Coveware by Veeam during incident response were 156% less likely to pay a ransom, and even when they did, they paid 45% less than the median. This isn’t just a financial win, it’s a mark of operational maturity.

Resilience is not about perfection. It’s confidence built through smart, deliberate choices. Whether in Sydney or Singapore, New York or Munich, the principle holds: resilience is built by doing fewer things better, not everything all at once.

Making Smarter Choices With Limited Resources

As IT leaders face tightening budgets and rising expectations, they must be ruthless about prioritisation. According to joint research conducted by Veeam and McKinsey, 74% of organisations globally fall short of best practices in data resilience, and nearly a third of CIOs overestimate their maturity. The organisations that do it well? They recover from outages up to seven times faster and experience one-third as much downtime.

This doesn’t necessarily require large capital investment. In fact, for every US$1 spent on data resilience measures, companies often gain US$3 to US$5 in avoided downtime, legal exposure, and operational disruption. The ROI of smart prioritisation is clear.

Progress, Not Perfection

The pursuit of resilience isn’t about eliminating all threats. It’s about knowing where to act and acting decisively. The most resilient organisations don’t aim for perfection. They aim for a level of resilience that provides confidence. They identify their greatest risks, allocate resources effectively, and build internal alignment around what matters most.

As we look ahead, let’s shift the conversation from “how do we prevent everything?” to “how do we ensure what matters is protected, backed up and recoverable?” Because in the face of disruption, resilience is less about prevention, but confidence that impact is minimised as much as possible.