Commvault Study Reveals Majority of Business Leaders in Asia Think They Are Prepared for Cyberattack But Panic After Breach 

Commvault, a leading provider of cyber resilience and data protection solutions for the hybrid cloud, has announced the findings of its annual report, “The State of Data Readiness – Continuous Business in Focus,” uncovering critical trends that could inform the success or failure of business continuity strategies for executive leaders and boards across Asia.

The study, which was conducted by Tech Research Asia and commissioned by Commvault, reveals that the majority of surveyed business leaders in Asia, including in Singapore and Malaysia, believe they have the right plans in place to recover from a cyberattack, but when those plans were put to the test, their ability to be resilient post-breach did not come close to hitting the mark. As a result, it is evident that a critical gap exists between readiness and resilience, which can be crippling for enterprise organisations trying to serve customers and protect brand reputations following an attack.

The survey further reveals that while 9 in 10 organisations in Singapore and nearly as many in Malaysia believe they can withstand a cyber breach, that confidence crumbles under pressure. When tested, only a third of organisations could rally an effective response. Many were left scrambling—with 12% admitting they had no playbook, only panic.

This resilience gap is especially alarming as Asia Pacific was once again the most attacked region globally in 2024, according to IBM’s threat intelligence report.  As organisations accelerate their cloud adoption, data sprawl is growing at an exponential rate—while emerging AI regulations and tightening compliance requirements are forcing enterprises to rethink how they build and sustain resilience.

Furthermore, according to the Commvault report, data volumes across Asia grew by 40% in the last one year, with 63% of organisations now operating in hybrid or multi-cloud infrastructures. Shockingly, 38% of organisations say they lack full visibility into the relationships, metadata, and dependencies across their cloud environments—visibility that’s essential for a coordinated and effective recovery.

“One thing is very clear. Once a breach occurs, even the most meticulously crafted plans can fall apart,” said Gareth Russell, Field CTO for APAC at Commvault. “In today’s dynamic and increasingly complex digital landscape, maintaining continuous operations is non-negotiable. Organisations must elevate their cybersecurity maturity by regularly testing incident response plans, auditing AI tools for risk, and building strong data management foundations. Resilience isn’t a one-time effort; it must be embedded into the fabric of everyday operations.”

Cyber Confidence Versus Recovery Reality

Expected recovery timelines also reveal expectations that are out of line with reality across the region. 72% of business leaders in Asia believe they can recover within five days of a cybersecurity event, and nearly a quarter (23%) expect full recovery in just one day. However, the reality is starkly different: IT leaders report it takes at least three to four weeks to restore even a minimum level of business operation.

While a majority (85%) of organisations have incident response plans (IRPs), only 30% test all mission-critical workloads – leaving significant blind spots in cyber recovery. Consequently, when breaches occur, the impact is often severe:

• 83% of companies experienced data exfiltration.
• 50% lost access to all data.
• Only 40% recovered 100% of their data.

Commvault also found that rganisations with low recovery maturity were more than twice as likely to fail to recover all data and 34% more likely to be locked out completely.

“Boards and executive teams are placing big bets on digital and AI transformation, but recovery is where those bets are won or lost,” said Michel Borst, Area Vice President for Asia at Commvault. “Confidence without capability can lead to business failure when the worst happens. What organisations need is minimum viable readiness—a baseline level of cyber resilience so they can respond, recover, and resume operations following an attack. Resilience must be operationalised—tested often, automated where possible, and embedded into the everyday rhythm of the organisation. In today’s threat landscape, anything below that minimum viability threshold is unacceptable.”

Commvault Discovers: The Compliance Burden Is Growing

For many organisations, the chaos after a breach extends beyond just data—it also revolves around compliance. As regulators tighten data protection and operational continuity rules, 52% of organisations are now subjected to at least four different regulatory and compliance acts such as APRA and SoCI, and another 10% currently ‘don’t know’ what their companies need to be fully regulatory compliant.

In parallel, organisations are facing multiple requirements for cross-border data transfers, with 53% of organisations stating they already experience conflicting regulatory requirements for their data across different geographies. Resilience today requires more than technology—it demands compliance readiness, too.

For the detailed Commvault report findings, please access here.