SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Why NZ Businesses Must Get Serious About Cybersecurity

Tue, 18th Nov 2025

I spend a lot of time explaining to business owners why they got hacked. The conversation usually starts the same way: "But we're just a small company. Why would anyone target us?"

Then I have to explain that you weren't targeted. You were scanned, found vulnerable, and automatically exploited. Attackers don't care about your company size, your industry, or whether you're in Auckland or Invercargill. They care that your systems showed up in a search as exploitable. That's it.

New Zealand businesses are facing the worst cyber threat environment we've ever seen. That's not because the attacks are more sophisticated (they're not), but because every organisation, from startups to government agencies, is now part of the same global attack surface. Your geographic isolation means nothing when you're using the same cloud platforms, payment systems, and digital supply chains as everyone else.

The question isn't whether you'll be targeted. It's whether you have basic controls in place that determine how badly you get hurt when it happens.


We're Still Making the Same Mistakes

Most breaches I respond to don't start with some sophisticated nation-state hacking technique. They start with something embarrassingly simple: a phished password, an unpatched system, an account without multi-factor authentication. Things every organisation knows they should fix but somehow never prioritises.

The pattern is consistent. Attackers don't need to be clever when so many organisations are still getting the fundamentals wrong. Business email compromise, credential theft, and ransomware all work because they exploit weak configurations, minimal monitoring, and inconsistent security hygiene. Not exactly cutting-edge stuff.

We've reached a point where cybercrime isn't an occasional disruption you read about happening to someone else. It's a daily operational risk. The companies that understand this are preparing accordingly. The ones that don't are counting on luck, and luck eventually runs out.


The Three Risks That Should Keep You Up at Night
 

Identity is Your New Perimeter (And It's Wide Open)

The move to cloud has fundamentally changed how security works. Your company's perimeter used to be a firewall you could point to. Now it's every single user account across Microsoft 365, Google Workspace, and whatever SaaS platforms you're running.

Compromise one set of credentials and an attacker gets email, files, financial systems, customer data, everything. One password.

Here's what worries me (and should worry everyone): organisations think enabling MFA solves this. It helps, absolutely. But without conditional access policies, device health checks, and proper monitoring, MFA can still be bypassed. I've watched it happen. An account gets compromised despite MFA being "on," and the organisation had no idea for weeks because nobody was watching the logs.


Your Vendors Are Your Problem Now


If you're using managed service providers or outsourced IT support, and most businesses are, you need to understand something: their security problems become your security problems.

Your MSP has remote access to your systems. If they get compromised, you get compromised. It's that simple, and we're seeing this play out more frequently. An attacker breaches a service provider and suddenly has a highway into dozens or hundreds of client networks.

Your security is only as strong as the weakest link in your supply chain. That MSP remote support tool? That vendor portal access? Those need to be treated as high-risk pathways, tightly controlled, and regularly audited. Most organisations have no idea who has access to what.


You're Not Ready for When Things Go Wrong


If your email went down right now, completely offline, inaccessible, what would happen? Who would you call? How would you call them if your contact list is in that email system? Who has authority to make decisions? What's your communication plan?

Most organisations can't answer these questions because they've never walked through it. They have an incident response plan somewhere, usually a document someone wrote two years ago that nobody's looked at since.

We treat health and safety with absolute seriousness in New Zealand. Fire drills, evacuation procedures, first aid training, all standard practice. But ask a business when they last tested their cyber incident response plan and you'll get blank stares.

An untested plan isn't a plan. It's a document that makes you feel better until you actually need it.


Five Things You Can Do This Week
 

Fixing these gaps doesn't require massive budgets or specialist teams. These five steps are achievable for every business in New Zealand. They're not exciting, but they work:

  • Enforce MFA and conditional access across every account

Not just admins, not just some users, but everyone. And make sure it's configured properly, not just technically "enabled."
 

  • Make sure every device accessing your systems meets basic health requirements

Unpatched, unmanaged devices shouldn't be able to connect to your network. Set a baseline and enforce it.
 

  • Turn on logging and monitoring for your cloud platforms

Especially Microsoft 365. You can't detect or respond to threats you're not tracking. Most breaches we investigate could have been caught early if someone was watching the logs.
 

  • Audit vendor access right now

List every external party with access to your systems. Review what access they have and whether they still need it. When did you last check this? If the answer is "never," start there.
 

  • Run a tabletop exercise with your team

Get everyone in a room and walk through a realistic incident scenario. Email's down. Systems are encrypted. What happens next? You'll find gaps in your plan within the first ten minutes.
 

None of this is expensive and none of it requires specialist knowledge you don't have. The barrier isn't capability, it's prioritisation.


The Companies That Will Thrive


2026 is going to separate the businesses that treat cybersecurity as core infrastructure from the ones that treat it as an IT problem they'll deal with later.

The threat isn't getting easier: attacks are increasing, and customers, insurers, and regulators are demanding better protection. The organisations that get ahead of this now will have a genuine competitive advantage. The ones that delay will be managing a crisis while trying to explain to clients, partners, and media why they weren't prepared.

Cybersecurity isn't a technical issue anymore. It's a business resilience issue. You wouldn't run a business without insurance, without contracts, without basic financial controls. Security deserves the same level of attention because the consequences of getting it wrong are just as severe.

Get the basics right, test your readiness and treat security with the same seriousness you apply to every other operational risk. That's what separates resilient businesses from cautionary tales.

The question is: which one do you want to be?
