Observations on the state of cyber readiness
As we approach 2025, Australia's business landscape stands at a pivotal juncture. While organisations anticipate the transformative potential of AI, generative AI, and large language models (LLMs), pressing concerns remain about the sheer volume of data these technologies will generate. Organisations must grapple with structuring, organising, and protecting this data to ensure business continuity and long-term success.
In response, Australian businesses are embracing the concept of cyber resilience—a shift from simply safeguarding critical data and systems to adopting a holistic view of their organisational assets. Cyber resilience involves not only protecting these assets but also ensuring they can be swiftly restored in the event of a cyber incident to maintain uninterrupted operations.
This evolution reflects a broader mindset shift: from focusing solely on achieving business continuity to striving for "continuous business." Driven by the persistent threat of ransomware and other cyber risks, this approach emphasises resilience through enhanced redundancy, seamless scalability, and reducing operational complexity. However, it's crucial to recognise that there's no one-size-fits-all solution. Organisations must take ownership of their cloud environments while tailoring their cyber resilience strategies to their unique needs and risks.
According to Commvault research, the average recovery time in Australia stands at 45 days, whereas the world average is 24 days. This needs to change, and will be a major focus for resilient and forward-looking organisations in 2025.
To that end, data immutability will only become more critical. Ransomware-as-a-Service (RaaS) has significantly lowered the barrier to entry for cybercrime, enabling even relatively inexperienced individuals to carry out sophisticated attacks, thus broadening the threat landscape. Artificial Intelligence has also given cyber criminals a new range of tools, in many cases allowing them to create more sophisticated attacks.
The widespread availability of RaaS kits has contributed to a sharp rise in incidents, threatening Australian organisations across industries, regardless of their size. In response, immutable data storage systems are emerging as a critical line of defence against RaaS-driven threats. By ensuring that data cannot be altered without authorisation, immutability prevents attackers from encrypting or tampering with information, even if they manage to breach systems. This capability disrupts ransomware operations and hinders their effectiveness.
As we move into 2025, the adoption of data immutability is set to play a pivotal role in mitigating ransomware risks and safeguarding data integrity. It will also strengthen Australia's broader cybersecurity resilience strategies.
Proving that an organisation's data is immutable may have a significant role to play in obtaining insurance too, especially as more regulations come into play and the risk of fines and official sanctions increases.
Last November, Australia enacted its most comprehensive cybersecurity legislation to date, introducing broad resilience measures across industries. The Act establishes new security standards for smart, interconnected devices including the addition of a Cyber Incident Review Board. It also mandates the reporting of ransomware payments to enhance transparency. While this does not alter the legality of paying a ransom, it may discourage payments that fund criminal activities and encourages organisations to invest in stronger cyber defences and resilience.
In terms of recovery from a cyber breach, the goalposts have moved here too, and will continue to do so. It is no longer sufficient to look at a restore in terms of a Recovery Point Objective and how long it will take to get systems back online and data uploaded. It is necessary to ensure that systems and data are completely clean and free from whatever malicious tools were used to attack the organisation. Once inside, many of the more sophisticated bots will move laterally through systems looking for other vulnerabilities and potentially valuable data. Therefore, we will see the concept of Minimum Viable Company will become widespread.
As the last Commvault State of Data Readiness report for Australia and New Zealand revealed, there is a big disparity between the expectations of board members and leaders, and those actually involved in restoring systems after a breach. While seventy-five percent of leaders want to be back in business after a cyber incident in five days or less, IT professionals engaged in the research reported that it takes their organisation between five and eight weeks to recover from a breach. A further 30 percent take more than three months to full recovery.
Therefore, the concept of a 'Minimum Viable Company' will be a crucial factor for organisations post-breach. This involves making a plan for running the business on as few systems as possible - just those that are absolutely essential – until other systems can be safely and methodically brought back online. This way the organisation can be secure in the knowledge that, should the worst happen, they have a viable means of maintaining continuous business operations, thus causing as little disruption as possible.
The goalposts are constantly moving, and companies need to be more vigilant than ever. 2025 will bring new challenges and opportunities, and it is essential that vendors, partners and their customers move forward together to stay ahead of the adversaries.
