Almost two-thirds of companies say they could not last longer than five days if a cyber attack restricted their access to critical data. Only two-in-five organisations that suffered a cyber breach recovered all of their data.

These were just two worrying findings in the third annual State of Data Readiness report based on a survey of 376 businesses in Australia and New Zealand. The report by research and consulting firm Tech Research Asia (TRA) was commissioned by data management company Commvault.

Another worrying survey result was how slowly organisations could bounce back after a cyber attack. Just 42% reported a recovery within four weeks compared with 71% in 2021.

Experts say a major challenge facing organisations is the constantly shifting regulatory environment. Almost three-quarters (72%) of survey respondents must prepare for regulatory and legislative changes within the next year; 58% are already dealing with various data sovereignty regulations.

TRA director and tech analyst Tim Dillon said organisations need to ensure their technology platforms comply with a regulatory environment that lags business reality.

“There’s a cloud-fuelled technology landscape that has changed more rapidly than regulatory environments,” Dillon said.

“In many industry sectors, regulations have typically been reactive. The magnitude of the impact of some of these regulations — for example, recent Privacy Act amendments or cybersecurity and breach disclosure laws — are ‘whole of business’ issues with substantial heft.

“It’s no longer one or two aspects of the business operation that is impacted — it’s all of it.”

Commvault’s director of public sector and enterprise, Jonathan Hatchuel, said regular regulatory changes make it difficult for companies to know if they remain compliant.

“The challenge is further complicated by multiple data locations, remote users and multi-country, multi-industry regulatory domains within which companies now operate,” Hatchuel said.

“Disparate data infrastructure environments can potentially make it harder to ensure regulatory oversight and render cybersecurity policies ineffectual and difficult to manage.”

Hatchuel said increasingly sophisticated cyber attacks are making organisations’ tasks even more difficult.

“Cyber criminals are targeting both primary and secondary data sets, creating a triple data extortion threat of leakage, exfiltration and theft,” Hatchuel said.

“In some instances, attackers aren’t bothering to encrypt the targeted company’s data, instead moving directly to the threat of leaking the data to the public domain or even to competitors. This is making the recovery process more complicated and time-consuming and is the driver behind us building deception technology into the data protection environment.”

Dillon says data is “complex, increasingly unstructured, lives in different areas and created in more places”.

“What’s critical is where the data resides,” Dillon said. “Most organisations in ANZ have a multi-infrastructure environment for their data that sits across public clouds, private clouds and physical infrastructure. In a breach — or just in general — knowing what sits where, what’s been lost and what’s been recovered is a complex situation for many.”

Dillon said ‘software-as-a-service’ applications have added even greater complexity.

“It’s easy for organisations to deploy a cloud-based application outside of a formal IT environment creating pools of ungoverned — or at least more dispersed — data that isn’t always subject to effective security, governance and management.

“We’re creating more data from more sources and keeping it in more areas. That’s difficult to manage and recover, especially when using disparate tools and solutions that don’t always provide a holistic overview of data recovery.”

The federal government, led by home affairs minister Clare O’Neil, has made cybersecurity a key priority. Last week it announced that government agencies, utilities and corporates such as banks would be forced to undergo regular, government-coordinated counter-penetration and incident response exercises and fitness tests.

Hatchuel welcomes the Australian government’s muscular approach to cybersecurity.

“The National Office of Cyber Security is a welcome move by the government, given the need for a resilient national cyber ecosystem is more crucial than ever,” Hatchuel said.

“As businesses become more reliant on data and the digital economy, cyber attacks will continue to pose a significant risk.”

