In today’s hyper-connected world, the fragmented nature of data networks presents a significant, often hidden, threat to cyber security. As organizations grapple with sprawling IT infrastructures and increasingly rely on third-party providers, the cracks in data resilience are widening, creating prime opportunities for malicious actors to exploit vulnerabilities. The challenge isn’t just about having more data, but about understanding where it lives and how it’s protected.
The stark reality is that you can’t protect what you can’t see. Companies are struggling to maintain a comprehensive view of their data estates, inadvertently leaving gaps that can be exploited. This problem is amplified by the rapid adoption of new technologies like AI, which, while offering immense benefits, can also introduce new silos and governance challenges.
Patchwork: Easy Risk
Many organizations approach data resilience with a “patchwork” mentality, reacting to threats and compliance changes as they arise. However, this approach is insufficient in today’s complex landscape. Instead, a holistic strategy is needed — one that addresses data resilience from the ground up, considering the entire IT ecosystem.
The exponential growth of data, fueled by AI and other emerging technologies, is only exacerbating the problem. If organizations fail to gain control of their data estates now, they risk falling further behind, making it increasingly difficult to implement effective risk management practices.
Third-Party Risks: The Weakest Link
The problem extends beyond an organization’s internal infrastructure. The Veeam report highlights that a significant number of businesses fail to adequately manage third-party or supply-chain risk. According to ASIC, 44% of organizations do not manage third-party or supply-chain risk at all.
Smaller businesses are particularly vulnerable, with 69% reporting minimal or no capability to manage supplier cybersecurity risk. These third-party providers, often engaged to offload pressure and ensure uptime, can become the weakest link in the security chain, as evidenced by several high-profile breaches traced back to third-party platforms.
“Organisations sometimes assume that everything they need covered is handled, yet without a defined Shared Responsibility Model, they risk creating significant gaps in their data resilience.”
Australia’s tightening Cyber Security Act and Notifiable Data Breach scheme explicitly call out the need to manage third-party risks, pushing organizations to scrutinize how their suppliers deliver their solutions.
Despite the increasing number of data resilience regulations, research from McKinsey reveals that many organizations still fall short of achieving true resilience. A startling 30% of organizations overestimate their own capabilities, largely due to a lack of awareness regarding the scope of their data estates and third-party relationships.
The issue isn’t necessarily that regulations are inadequate, but rather that organizations haven’t thoroughly interrogated their data estates or third-party relationships. The Australian OAIC has consistently emphasized that multi-party breaches are a key driver of the increasing complexity, scale, and cost of local data breaches. In fact, the average cost of a data breach in Australia has risen by 5.7% in 2024 to AUD $4.26 million.
The solution lies in proactively identifying and closing these gaps, blind spots, and backdoors before threat actors can exploit them. This requires critical assessments of both internal data resilience measures and those of suppliers, to expose vulnerabilities and dependencies.
Organizations must identify and address weak links in the third-party supply chain, hidden data silos, and other vulnerabilities. This is a broad undertaking that necessitates collaboration across the business and with third-party suppliers.
Frameworks like the Data Resilience Maturity Model provide a vendor-neutral industry standard for self-assessment and roadmap development. By adopting a cross-functional approach that brings together IT, security, and compliance teams, organizations can ensure comprehensive coverage of their data estate and supplier network.
However, implementing these measures is only the first step. Organizations must continuously test their resilience, adapting to evolving threats. Regular, comprehensive testing may seem burdensome, but it pales in comparison to the impact of a real attack.
The challenge of fragmented data networks and hidden cyber risks is not going away. As technology evolves and the threat landscape becomes increasingly complex, organizations must prioritize data resilience as a core business imperative. Failure to do so could have devastating consequences, not just financially, but also in terms of reputation and customer trust. The time to act is now, before the door is left wide open for threat actors to walk through.

