53% and Rising: New Zealand SMEs are cybercrime targets

Dayna-Jean Broeders

03 September 2025


What Do Half of New Zealand's SMEs Have in Common? They've Been Cyber-Attacked.

A new survey from New Zealand's National Cyber Security Centre (NCSC) has revealed that 53% of small-to-medium businesses (SMEs) have been targeted by cyber threats in just the past six months. That's a dramatic rise from 36% a year earlier, confirming what cybersecurity experts have been warning for years: this can happen to anyone.

SMEs in New Zealand are prime targets

The NCSC's Mission Enablement Director Michael Jagusch highlighted a troubling disconnect in the findings. While businesses are "keenly aware of the threat," they don't understand how best to protect themselves. Many believe they're "already doing enough", a dangerous misconception that's leaving New Zealand businesses vulnerable. At NSP, we have seen it first-hand with our customers, and our concern has grown significantly.

Why SMEs have become attractive targets

Cyberattacks have historically been viewed as "big business problems," but we know this is no longer true. Perhaps it never was.

SMEs are increasingly attractive targets because:

  • They hold valuable data (financial information, customer details, intellectual property) but lack the layered defences of enterprise organisations

  • They're perceived as easier to breach, with smaller IT teams and limited cybersecurity budgets

  • They provide access to bigger players through supply chain attacks: one SME's compromise can lead to wider network exposure

  • They often underestimate their risk, creating security gaps that criminals exploit

Social engineering over technical hacking

Jagusch revealed that most attacks involve social manipulation, not sophisticated hacking:

"The most common threats reported to us through the research were scam calls and phishing... cyber criminals will normally try to do the least amount of work possible. If I can just ask you for your password and you give it to me, that is far easier than hacking into a system."

This aligns with global data from IBM showing that 95% of breaches globally involve some form of human error or social engineering. The NCSC survey confirms phishing and scams remain the dominant attack methods, techniques that require convincing emails, spoofed domains, or phone calls rather than advanced technical skills.

For some of our clients, as recently as this week, social engineering has been the preferred hacking method. This is not just a written scare tactic for our audience. It is very real, and we cannot stress enough how urgent it is to act now.

What the survey reveals about NZ's cyber crime

The survey revealed a critical weakness in New Zealand's SME cybersecurity posture. This false sense of security is one of the biggest threats to SME resilience.

Thinking cybersecurity is "sorted" because you have antivirus software or a firewall is like assuming a lock on the front door protects your whole house, while leaving the windows wide open.

Here are the facts:

  • Threats are accelerating: A 17% rise in targeting year-on-year is significant and shows no signs of slowing

  • Phishing dominates: Low-cost, high-reward attacks remain cybercriminals' favourite weapon

  • SMEs are under-resourced: Almost half of SMEs still rely on staff without specialist training to handle cybersecurity

  • Critical basics are missing: Two-factor authentication and data backups are still not universal, despite being low-cost, high-value defences

Okay, sure, let's play devil's advocate: what happens if you do nothing?

If we haven't said it enough in this article, New Zealand SMEs are certainly a target for cybercriminals. Cyberattacks are no longer just an IT issue; they're a business continuity crisis.

The consequences of a breach extend far beyond the initial attack:

Immediate impact:

  • Downtime: Even short disruptions can cripple productivity and revenue

  • Data loss: Critical business information may be permanently compromised

  • Operational chaos: Staff unable to access systems, customers unable to transact

Long-term consequences:

  • Reputation damage: Clients, customers, and partners lose trust quickly and permanently

  • Financial losses: From ransom payments to legal costs, regulatory fines, and lost sales

  • Regulatory pressure: Privacy breaches must be disclosed, with compliance implications

  • Competitive disadvantage: Recovery time allows competitors to gain market share

Inaction is more expensive than action. We always emphasize that businesses should take a proactive stance rather than a reactive one.

5 Steps SMEs can take today

The encouraging news is that SMEs don't need enterprise-level budgets to meaningfully improve their cybersecurity posture. Based on the NCSC's recommendations, global best practices and what NSP does daily for our customers, here are the critical priorities:

1. Make Two-Factor Authentication non-negotiable

As Jagusch emphasized, 2FA is "a relatively simple, but really effective way of adding another layer of protection." Even if passwords are compromised, 2FA prevents unauthorized access. Yet it's still not consistently implemented across New Zealand businesses.

Action: Enable 2FA on all business-critical systems today: email, banking, cloud services, and administrative accounts.

2. Implement regular, verified backups

Backups are only useful if they work when you need them. The NCSC identified regular backups as one of the "most impactful steps" businesses can take.

Action:

    • Schedule automated daily backups

    • Store copies offline or in secure cloud environments

    • Test restore procedures monthly

    • Ensure backups are isolated from main networks to prevent ransomware encryption
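
A restore test along the lines of the actions above, as an added example that is not NSP's or the NCSC's own tooling: it checks that the latest backup is recent, extracts into a scratch directory, and matches a checksum manifest written at backup time. The tar format, the function names, the paths and the 26-hour freshness window are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: restore test for a tar backup. All paths are hypothetical.

# make_backup SRC_DIR ARCHIVE
# Writes ARCHIVE plus ARCHIVE.sha256, a manifest of every file at backup time.
make_backup() {
    local src=$1 archive=$2
    tar -czf "$archive" -C "$src" . || return 1
    ( cd "$src" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) \
        > "$archive.sha256"
}

# restore_test ARCHIVE [MAX_AGE_HOURS]
# Returns 0 only if the backup is recent, extracts cleanly, and every file
# matches the manifest. 2 = missing/empty, 3 = stale, 4 = will not extract,
# 5 = restored content differs from what was backed up.
restore_test() {
    local archive=$1 max_age_h=${2:-26} scratch rc=0   # 26h: assumed slack for a daily job
    if [ ! -s "$archive" ] || [ ! -s "$archive.sha256" ]; then
        echo "FAIL: archive or manifest missing or empty"; return 2
    fi
    # A "daily" backup older than the window means the schedule has silently broken.
    if [ -n "$(find "$archive" -mmin +$((max_age_h * 60)))" ]; then
        echo "FAIL: newest backup is older than ${max_age_h}h"; return 3
    fi
    scratch=$(mktemp -d) || return 1
    # Restore into a scratch directory, never over live data.
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        echo "FAIL: archive does not extract"; rc=4
    elif ! ( cd "$scratch" && sha256sum -c - >/dev/null 2>&1 ) < "$archive.sha256"; then
        echo "FAIL: restored files do not match the manifest"; rc=5
    else
        echo "OK: $(wc -l < "$archive.sha256") files restored and verified"
    fi
    rm -rf "$scratch"
    return "$rc"
}

# Run as: ./restore_test.sh /backups/latest.tgz   (hypothetical path)
if [ $# -ge 1 ]; then restore_test "$@"; fi
```

Keeping the manifest somewhere the backup job cannot overwrite makes a non-zero exit code a useful alert on its own.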

3. Train staff to recognize social engineering

Since humans remain the primary attack vector, regular training is essential. This isn't a one-time session; it's an ongoing commitment, like workplace health and safety.

Action:

    • Conduct monthly phishing simulations

    • Train staff to identify red flags in emails, calls, and messages

    • Create clear reporting procedures for suspicious communications

4. Assess security gaps with a structured framework

Adopt a recognised model like the NIST Cybersecurity Framework to ensure comprehensive coverage across five critical areas: Identify, Protect, Detect, Respond, Recover.

Action:

    • Conduct a baseline security assessment

    • Identify critical assets and vulnerabilities

    • Prioritize improvements based on risk and impact

    • Document policies and procedures

5. Build a culture of cybersecurity

Cybersecurity cannot live in IT silos; it must be integrated into daily operations and leadership priorities.

Action:

    • Include cybersecurity in board and executive discussions

    • Establish clear governance and accountability

    • Allocate appropriate budget and resources

    • Regularly review and update security measures

Should you seek expert advice?

One of the survey's most concerning insights is that many SMEs still rely on staff without specialist expertise to make cybersecurity decisions. This approach is both risky and unsustainable.

As NSP, we wouldn't perform heart surgery, so why are businesses still expecting their general IT team to handle cybersecurity without specialist support?

Here is what we can do for you:

Our challenge to all New Zealand SMEs

With over half of SMEs targeted in just six months, the question isn't if your business will face an attack, it's when. If we have to keep saying it, we will: your business is at risk. The NCSC survey is both a reality check and the roadmap for immediate action.

This requires leadership at every level:

  • IT Managers must push for stronger controls and comprehensive training programs.

  • Business Owners must view cybersecurity as an enabler of trust and business continuity, not just a cost centre.

  • Boards and Executives must integrate cybersecurity into governance discussions and strategic planning.

The competitive advantage of proactive security

Organizations that act now gain multiple advantages:

  • Protected data and operations: Reduced risk of costly breaches and downtime

  • Customer trust: Demonstrated commitment to data protection

  • Competitive positioning: Resilience becomes a market differentiator

  • Compliance readiness: Prepared for evolving regulatory requirements

  • Business continuity: Maintained operations during security incidents

Those who delay face inevitable disruption, financial loss, and reputational damage when, not if, an attack succeeds.

Your next steps: From awareness to action

The NCSC survey proves that businesses are not too small to be a target, and that they are not doing enough. The numbers are very real:

If more than half of SMEs in New Zealand are being targeted within a six-month window, your business is almost certainly in the crosshairs and you are not. doing. enough.

The time for action is now:

  • Today: Enable 2FA on critical systems

  • This week: Test your backup and recovery procedures

  • This month: Conduct staff phishing simulation training

  • Ongoing: Treat cybersecurity as a business-critical function, not an IT afterthought

Security as a strategic enabler

Cybersecurity isn't just about defence; it's about resilience, trust, and long-term business success. In an increasingly connected economy, your security posture directly impacts your ability to compete, grow, and serve customers.

The NCSC survey provides both the warning and the roadmap. The question remaining is simple: Are you ready to act? Though, we shouldn't be asking this anymore. You have to be ready.

Need expert guidance? If you're unsure where your SME stands, professional cybersecurity partners can help. From security assessments and staff training to managed detection and response services, specialized support provides enterprise-grade expertise tailored to SME realities and budgets.

Schedule a session with us to discuss where you are and where you need to be. If you want to go forward, we will be your technology partner. This is obligation-free.