SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

You can’t protect what you can’t see: Rethinking data resilience in a fragmented world

Fri, 21st Nov 2025

As organisations rely on increasingly complex IT networks and third-party providers, hidden vulnerabilities put data resilience and business continuity at greater risk.  

With sprawling data estates and an ever-increasing number of third-party suppliers, organisations are struggling to keep up, inadvertently leaving gaps in their data resilience for threat actors to exploit. Australian organisations are feeling the strain – the most recent Office of the Australian Information Commissioner (OAIC) report reflected a 15% increase in data breach notifications compared to the previous six months. While organisations continue to face information security challenges, data breach detection and reporting are improving. 

But where should organisations start? 

It might not be the answer they want to hear, but they need to start from the bottom up. With the sheer scale of data estates and third-party networks, a patchwork approach will simply make matters worse. Instead of responding reactively to threats and compliance changes, organisations need to approach data resilience holistically. Otherwise, the gaps will only multiply.  

Data's growing pains 

Well, you don't know what you don't know, right? For organisations looking to address their data estates, the priority is getting an accurate view of their full landscape. Data is on a trajectory of exponential growth. With AI now firmly in the picture, this is only going to ramp up further. If organisations don't act now, they'll never be able to catch up.  

For many, the introduction of AI has required more than a few changes to their approach to data, storage, and toolsets. The pace of adoption means many have implemented changes without fully standardised governance, unintentionally creating new siloes as different departments use AI in different ways. Organisations may think they can see everything, but they're missing the full picture. 

After all, there's little point in applying new risk management practices if you're missing out on swathes of your IT estate or entire elements of your technology stack simply because you don't know they're there. 

Exploring the thinking inside the box 

Unfortunately, enterprise data sprawl is by no means limited to an organisation's owned and operated tech stack. Any interrogation of the data estate must also cover third-party solutions. ASIC found that 44% of organisations do not manage third-party or supply-chain risk at all. Smaller businesses are even more exposed: seven in 10 (69%) small firms report minimal or no capability to manage supplier cybersecurity risk.

This lack of oversight is not hypothetical. Third-party providers are often engaged to offload some of the pressure on internal teams, deploying solutions that promise reliability and uptime. The result is frequently too much focus on the promised outcome and too little on the infrastructure delivering it. Of the several high-profile breaches and incidents in Australia in the last year alone, some were traced back to a third-party platform as the root cause.

Organisations sometimes assume that everything they need covered is handled by their suppliers. Without a defined shared responsibility model that states which controls the supplier owns and which remain with the customer, they risk leaving significant gaps in their data resilience that neither party is watching.

With Australia's own tightening Cyber Security Act and the Notifiable Data Breaches scheme explicitly calling out the need to manage third-party risk, organisations need to take a closer look at how their suppliers are actually delivering their solutions.

Is regulation falling short? 

Despite regulations being introduced across the globe to try and tackle data resilience, research on the data resilience of large enterprises from McKinsey has highlighted that many organisations still fall short. 30% of organisations believe they are more resilient than their actual benchmarked capabilities, and this knowledge gap is due largely to a lack of awareness of the sheer scope of data estates and third-party suppliers. 

It's not necessarily that regulations don't go far enough; it's that organisations simply haven't interrogated their data estates or their third parties in this much detail before. In Australia, the OAIC has repeatedly highlighted multi-party breaches as a key driver of the growing complexity, scale, and cost of local data breaches. And those costs are rising fast: the average cost of a data breach in Australia rose by 5.7% in 2024 to A$4.26 million.

Tackling it from the ground up 

So, what to do? Rather than waiting for a threat actor to take advantage of one of these gaps, blind spots, or backdoors, organisations must find and close them first. This will be no small task, but it is vital for addressing data-resilience shortcomings effectively.

This should take the form of critical assessments of not just internal data-resilience measures, but also those of suppliers, to expose vulnerabilities and dependencies. Weak links in the third-party supply chain, hidden data siloes, and any other gaps need to be identified and addressed before a threat actor can take advantage of them. 

Make no mistake, it's a broad job that can't be done alone. Assessing and improving data resilience at this scale requires collaboration across not just the business, but its third-party suppliers as well. In Australia, where 44% of organisations admit to doing nothing to manage third-party risk, the need for structured frameworks is pressing.

Having the right framework to follow makes all the difference. For example, the Data Resilience Maturity Model is a vendor-neutral industry standard that provides a self-assessment and roadmap for building resilience over time. Following the cross-functional approach set out by models like this, organisations can bring together IT, security, and compliance teams to ensure all areas of their data estate and supplier network are covered. 

Vitally, once these measures are introduced, organisations need to keep testing them. Maturing data resilience isn't a one-and-done job; it's a continuous cycle of learning and adapting as threats evolve. Regular, comprehensive testing might feel like a burden, but that burden is nothing compared to the impact of a real attack.

As they say, when one door closes, another one opens. Just make sure they aren't left open for threat actors to walk through. 
