Most business leaders in Asia believe their organisations are prepared for a cyberattack, but a new report from Commvault suggests that confidence often fades during a real-world incident. The study, titled The State of Data Readiness – Continuous Business in Focus, highlights a significant gap between perceived readiness and actual resilience when enterprises face cyber threats.
Commissioned by Commvault and conducted by Tech Research Asia, the report surveyed organisations across the region, including in Singapore and Malaysia. While 90% of Singaporean firms and nearly as many in Malaysia claimed to be prepared, only 27% and 37% respectively were able to respond effectively when a breach occurred. Meanwhile, 12% admitted they had no clear response plan and were left scrambling.
Gareth Russell, Field CTO for APAC at Commvault, noted that preparation alone is not enough. “One thing is very clear. Once a breach occurs, even the most meticulously crafted plans can fall apart,” he said. “In today’s dynamic and increasingly complex digital landscape, maintaining continuous operations is non-negotiable. Organisations must elevate their cybersecurity maturity by regularly testing incident response plans, auditing AI tools for risk, and building strong data management foundations. Resilience isn’t a one-time effort; it must be embedded into the fabric of everyday operations.”
Resilience gap grows as attacks and data sprawl increase
The findings come as the Asia Pacific region continues to face the highest volume of cyberattacks globally. According to IBM’s threat intelligence report, the region was the most attacked in 2024. At the same time, many organisations are grappling with a sharp increase in data volume and complexity. Data across Asia grew by 40% in the past year, with 63% of businesses now operating in hybrid or multi-cloud environments.
Despite this shift, 38% of organisations say they lack full visibility into the relationships, metadata, and dependencies within their cloud infrastructure—details that are critical to any coordinated recovery effort.
The report also found that 72% of executives believe their organisations could recover from a cyberattack within five days. Nearly a quarter expect to do so in just one day. However, IT leaders estimate that it typically takes three to four weeks to restore even a minimal level of operations.
Although 85% of companies have incident response plans, only 30% test all their mission-critical workloads. This lack of preparation often results in serious consequences. According to the survey:
- 83% experienced data exfiltration
- 50% lost access to all their data
- Only 40% managed to recover 100% of their data
Organisations with lower recovery maturity were more than twice as likely to fail to recover fully and were 34% more likely to be locked out of systems entirely.
Michel Borst, Area Vice President for Asia at Commvault, said the gap between confidence and capability is dangerous. “Boards and executive teams are placing big bets on digital and AI transformation, but recovery is where those bets are won or lost,” he said. “Confidence without capability can lead to business failure when the worst happens. What organisations need is minimum viable readiness—a baseline level of cyber resilience so they can respond, recover, and resume operations following an attack.”
Growing pressure from compliance and regulation
Beyond technical recovery, the post-breach environment is becoming increasingly complex due to growing regulatory demands. The report found that 52% of organisations in Asia are subject to at least four different compliance regimes, including frameworks like APRA and SoCI. A further 10% were unsure of their regulatory obligations.
Cross-border data transfer regulations are also creating compliance challenges, with 53% of organisations reporting conflicting requirements across different geographies. This has made compliance readiness a critical part of broader cyber resilience planning.
As the region continues to embrace cloud adoption and digital transformation, Commvault’s findings suggest that many businesses still have a long way to go in bridging the gap between planning and practice.
