A new study released by cyber resilience and data protection solutions provider Commvault shows how many organisations in Australia and New Zealand abandon their official policies in the panic of an actual ransomware incident.
The study, ‘The State of Data Readiness – Continuous Business in Focus’, has revealed that 70% of the 408 ANZ business leaders surveyed experienced a cyber-attack in the last 12 months, with nearly all facing a ransomware demand.
While 54% of these organisations in Australia and New Zealand had formal “no payment” policies regarding ransomware attacks, 15% still opted to pay the ransom when targeted.
“The fact that some companies are willing to pay, despite the risks and the policy, is a sign that they feel they don’t have a viable alternative,” Gareth Russell, Commvault Field CTO for Asia Pacific, said.
“That’s not resilience—that’s desperation.”
Regarding recovery, 80% of respondents believe they can restore operations within five days following a cybersecurity incident, while 23% anticipate a complete recovery in just one day.
However, IT leaders indicate that it typically takes around four weeks to regain even a basic level of business operations, with 55% requiring more than a week.
The report has also revealed that 20% of ANZ businesses take an average of 45 days to fully recover from a cyber incident, nearly twice the global average of 24 days.
For many organisations, the disruption following an attack goes beyond data issues and also involves compliance challenges. 34% of ANZ organisations are governed by at least four different regulatory and compliance frameworks, such as APRA and SoCI. Meanwhile, 27% are uncertain about what is needed for their companies to achieve full regulatory compliance.
Cybercriminals who are paid are more likely to attack the same organisation again, and making a payment does not ensure complete data recovery.
The Commvault report recommends that organisations move away from reactive responses and instead proactively invest in backup solutions, regular testing, and comprehensive cyber resilience strategies.
“True resilience doesn’t begin at the point of attack; it is built long before,” Russell said.
“We need to shift from a response mindset to a readiness mindset where one must ask the hard questions: ‘If we were hit tomorrow, how quickly and how cleanly could we recover?’ If that answer isn’t clear, then investment and focus are urgently needed.”