According to a study by Veeam and McKinsey, three out of four companies globally (74%) base their cybersecurity strategy on reactive and basic measures. Moreover, 30% of Chief Information Officers (CIOs) believe their organization is above average in data threat resilience, although in reality this applies to less than 10% of firms. Meanwhile, active and thoughtful strengthening of cyber resilience delivers tangible results. As shown by the Data Resilience Maturity Model (DRMM), organizations investing in this area recover resources seven times faster, experience three times shorter downtimes, and lose four times less data than their competitors.
Cyberattacks are a common and real threat to every business, and their occurrence should be viewed not in terms of “if” or “when,” but “how many times” they will happen. In this context, companies’ incorrect self-assessment regarding their ability to effectively resist cybercriminals is particularly worrying. The Veeam Ransomware Trends and Proactive Strategies 2025 report reveals that 69% of entities hit by ransomware in the last year declared full readiness to repel such attacks before the incident. After the attack, this conviction dropped by 20%, and among CIOs even by 30%.
Often, companies discover their vulnerabilities only when it is too late and they have already become victims of cyberattacks. The cost of this ignorance can then be astronomical. IT downtime caused by cyberattacks costs Global 2000 companies over $400 billion annually. A single enterprise may face losses of up to $200 million due to business interruptions, reputation damage, and operational disruptions.
No Protection Without Diagnosis
In this reality, a thorough assessment of incident preparedness becomes the starting point for effective action. Not coincidentally, diagnosing current security levels is one of the key requirements of the EU NIS2 directive. Its provisions oblige companies to conduct regular risk analyses and audits and to implement technical and organizational measures that ensure business continuity.
One tool that can assist in this evaluation is the Data Resilience Maturity Model. It allows organizations to determine their current maturity level and identify actions to strengthen data resilience. DRMM analyzes three key areas: strategy, people and processes, and technology. Based on this, a company is classified into one of four maturity categories: Basic (reactive and manual), Intermediate, Advanced, and Best-in-Class.
What Sets the Best Apart?
The Veeam and McKinsey report finds that 74% of surveyed firms fall into the two lowest maturity levels, meaning they implement less than half of best practices related to data management, security, and cyber resilience. Conversely, only 8% of respondents are classified as Best-in-Class. These companies have a comprehensive data protection strategy and automated backup and recovery procedures. Their resilience efforts combine advanced technical safeguards with appropriate processes, organizational culture, and strong governance — not merely IT infrastructure improvements.
This translates into measurable benefits. Firms at the highest maturity level recover data on average seven times faster than competitors, experience three times shorter operational downtimes, and lose four times less data following security breaches. They also achieve about 10% higher annual revenue growth on average.
Budgets Are Growing — But Not in the Right Places
Reaching a high maturity level requires time, consistency, and investment. The Veeam report shows that in 2025, 94% of companies increased spending on data recovery, and 95% on preventive measures. This is positive, but merely raising budgets is insufficient. In practice, organizations still allocate more funds to preventing attacks than to recovering resources afterward (31% vs. 28% of the IT budget, respectively). Such allocation may lead to situations where, despite implemented protections, companies cannot quickly resume operations. Yet, the speed of response ultimately determines the scale of losses and the restoration of customer trust.
Companies achieving the highest data resilience share one trait: they operate not only according to plan but continuously improve it. They treat cyber resilience not as a single project but as an organizational competence embedded in daily processes, work culture, and data mindset. As a result, cyber maturity becomes not only a risk management tool but also a real competitive advantage.
Author: Tomasz Krajewski, Sales Technical Director for Eastern Europe at Veeam