New Zealand urged to boost cyber security as threats diversify

New Zealand organisations are being urged to bolster their defences against cyber security threats, as recent analysis highlights that even entities perceived to be low-profile are not immune from attacks. The National Cyber Security Centre (NCSC) has identified a complex threat landscape, driven by financial, ideological and espionage-related motivations.

Threat landscape

The latest NCSC Cyber Threat Report outlines that threats are no longer limited to high-profile or affluent targets. The report notes increased activity from state-sponsored actors, financially motivated criminals, and hacktivists. Supply chain vulnerabilities and unpatched systems continue to be commonly exploited tactics.

"Many New Zealand businesses and organisations make the mistake of assuming they are not big enough, not wealthy enough or not critical enough to be a target," said Michael Jagusch, Chief Operating Officer, National Cyber Security Centre.

Key findings

Five dominant trends, or 'judgements', characterise the risks faced by New Zealand in the past year. Firstly, state-sponsored actors remain persistent in targeting entities in the country. Secondly, the increasing commercialisation of cybercrime has resulted in more advanced tools being accessible to a wider range of actors. Thirdly, hacktivists have expanded their activities in response to international conflicts. The exploitation of digital supply chains and organisational dependencies has also been observed, revealing blind spots in many organisations. Finally, unpatched software and known vulnerabilities remain a significant route for attackers.

"In the changing geostrategic environment there are a range of reasons - from financial motivation to espionage and hacktivism - why an organisation in New Zealand may be targeted," said Jagusch.

Incident statistics

NCSC data covering the period from July 2024 to June 2025 shows a total of 5,995 reported incidents. Of these, 4,343 were reported by individuals and 1,321 by organisations, with the remainder unspecified. Notably, 331 incidents were classified as having potential national significance, defined as those with the capacity to affect large groups of New Zealanders.

Out of these significant incidents, 82 were connected to suspected state-sponsored actors, down from 110 in the previous year. However, financial or criminally motivated incidents increased to 137, compared to 65 a year earlier.

Persistent risks

Jagusch highlighted that the nature of incidents being reported has evolved, even as their volume has shifted. While overall incident numbers have fallen, the quantity of incidents regarded as nationally significant has remained stable. The Centre attributes this to a persistent presence of hostile actors seeking to exploit both prominent and less-visible vulnerabilities.

"These are not an exhaustive list, but they are the most prominent, noteworthy and recurrent issues we have seen in the 2024/2025 reporting year," said Jagusch.

Actionable advice

The report aims to support decision-makers within organisations by supplying insights and prompting critical questions about their cybersecurity readiness. It encourages organisations to challenge assumptions about their exposure and take a proactive approach to protecting their digital assets.

"The report is designed to equip decision makers with the context and questions to ask, so they can ensure their organisation is thinking about how these risks may affect them." said Jagusch.