The State of Data Readiness – Continuous Business in Focus report, commissioned by Commvault and conducted by Tech Research Asia, surveyed 408 business and IT leaders in ANZ. While the majority of respondents believe they have strong plans in place to recover from a cyberattack, the report shows that confidence may be misplaced.

Only 12% of business leaders rated their organisation’s ability to operate effectively during a cyber incident as “excellent”, while nearly a quarter rated themselves as “bad” or “terrible”. Despite 80% of leaders believing recovery could be achieved within five days of an attack—and nearly a quarter expecting full restoration within just one day—IT teams reported it typically takes four weeks to restore even basic operations. One in five organisations said full recovery takes an average of 45 days—almost double the global average of 24 days.

“The data is clear—many ANZ organisations still treat cyber resilience as a post-incident task, and not a strategic priority,” said Martin Creighan, Vice President, Asia Pacific at Commvault. “The rising frequency and impact of cyberattacks across the region should serve as a wake-up call. With recovery times stretching into weeks, the risk to business continuity has never been higher. Resilience must be driven from the boardroom—not just the IT team.”

The report found 70% of organisations experienced a cyberattack in the past year, with most involving ransomware demands. Despite 54% of organisations claiming to have a strict “no payment” policy, 15% still paid a ransom—highlighting the pressure organisations face when systems go down and data is at risk.

In addition to ransomware impacts, the report found:

• 74% of companies experienced data exfiltration
• 33% lost access to all data
• Only 32% recovered 100% of their data

The findings point to critical gaps in preparedness. While most organisations (70%) reported having an incident response plan, only 30% test all mission-critical workloads—leaving blind spots that can significantly delay recovery.

“True resilience doesn’t begin at the point of attack—it is built long before,” said Gareth Russell, Field CTO, Asia Pacific at Commvault. “We need to shift from a response mindset to a readiness mindset. Leaders must ask the hard question: ‘If we were hit tomorrow, how quickly and how cleanly could we recover?’ If that answer isn’t clear, then investment and focus are urgently needed.”

Compounding the risk are growing compliance challenges. The report shows 62% of organisations are now operating in hybrid or multi-cloud environments, but more than half of Australian (54%) and New Zealand (63%) businesses say they lack full visibility into their cloud infrastructure—an essential component for coordinated recovery.

Regulatory pressures are also mounting. One-third of ANZ businesses are subject to at least four compliance regimes, such as APRA CPS 234 or the Security of Critical Infrastructure (SoCI) Act. Alarmingly, 27% of respondents said they don’t know what’s required for full compliance.

In an increasingly complex threat landscape, the report argues that resilience requires more than just backup and disaster recovery technology—it demands strong governance, compliance readiness, and clear visibility across the enterprise.

The State of Data Readiness – Continuous Business in Focus report is available now, offering detailed insights into cyber recovery, regulatory preparedness, and the future of resilience in the ANZ region.