Commvault has revealed new findings showing a significant gap between perceived cyber readiness and actual resilience in Asia. The report, titled The State of Data Readiness – Continuous Business in Focus, was commissioned by Commvault and conducted by Tech Research Asia. It surveyed organisations across Asia, including Singapore and Malaysia.
The results showed that most business leaders believe they are prepared to recover from a cyberattack. However, when an incident does occur, many organisations are caught off guard. In Singapore, only 27% of enterprises were able to respond effectively, while in Malaysia the figure was slightly higher at 37%. Around 12% of organisations in both markets admitted they had no clear response strategy and were left reacting in panic.
The study highlights a growing disconnect between confidence and actual response capability. Nine in ten organisations surveyed in Singapore and nearly as many in Malaysia believed they could manage a cyber breach. But in practice, only about one in three was able to mount an effective response.
Gareth Russell, Field CTO for APAC at Commvault, said, “One thing is very clear. Once a breach occurs, even the most meticulously crafted plans can fall apart. In today’s dynamic and increasingly complex digital landscape, maintaining continuous operations is non-negotiable. Organisations must elevate their cybersecurity maturity by regularly testing incident response plans, auditing AI tools for risk, and building strong data management foundations. Resilience isn’t a one-time effort; it must be embedded into the fabric of everyday operations.”
Misaligned expectations and gaps in recovery
The report also points to a disconnect between business expectations and operational realities. While 72% of business leaders in Asia believed they could recover from a cyber event within five days, and 23% expected full recovery within one day, IT leaders noted that it typically takes three to four weeks to restore even a basic level of business operations.
This overconfidence is compounded by a lack of thorough testing. While 85% of organisations have an incident response plan, only 30% test all their mission-critical workloads. As a result, when breaches occur, the consequences are often severe. The survey found that 83% of companies experienced data exfiltration, 50% lost access to all data, and only 40% were able to recover all of it.
Organisations with lower recovery maturity were more than twice as likely to fail to retrieve all their data and 34% more likely to be completely locked out of systems.
Michel Borst, Area Vice President for Asia at Commvault, noted, “Boards and executive teams are placing big bets on digital and AI transformation, but recovery is where those bets are won or lost. Confidence without capability can lead to business failure when the worst happens. What organisations need is minimum viable readiness—a baseline level of cyber resilience so they can respond, recover, and resume operations following an attack. Resilience must be operationalised—tested often, automated where possible, and embedded into the everyday rhythm of the organisation. In today’s threat landscape, anything below that minimum viability threshold is unacceptable.”
Rising compliance pressures add complexity
Beyond operational impact, regulatory pressure is also increasing. More than half of the organisations surveyed (52%) are subject to at least four regulatory or compliance acts, such as Australia’s APRA and SoCI. Alarmingly, 10% of respondents said they did not know what regulations their organisation needed to comply with.
Cross-border data transfers have become another challenge, with 53% of respondents stating they face conflicting regulatory requirements across different jurisdictions. As a result, cyber resilience today requires more than just technical capability—it also demands compliance readiness.
The findings underscore the growing need for organisations to not only improve their technological defences but also to align business expectations, operational capabilities, and regulatory obligations. Without this alignment, even well-prepared organisations may find themselves exposed when a breach occurs.
