A new survey from New Zealand's National Cyber Security Centre (NCSC) has revealed that 53% of small-to-medium businesses (SMEs) have been targeted by cyber threats in just the past six months. That's a dramatic rise from 36% a year earlier, confirming what cybersecurity experts have been warning for years: this can happen to anyone.
The NCSC's Mission Enablement Director Michael Jagusch highlighted a troubling disconnect in the findings. While businesses are "keenly aware of the threat," they don't understand how best to protect themselves. Many believe they're "already doing enough", which is a dangerous misconception that's leaving New Zealand businesses vulnerable. At NSP, we have seen it first-hand with our customers, and our concern has grown significantly.
Cyberattacks have historically been viewed as "big business problems," but we know this is no longer true; perhaps it never was.
SMEs are increasingly attractive targets because:
They hold valuable data (financial information, customer details, intellectual property) but lack the layered defences of enterprise organisations
They're perceived as easier to breach, with smaller IT teams and limited cybersecurity budgets
They provide access to bigger players through supply chain attacks: one SME's compromise can lead to wider network exposure
They often underestimate their risk, creating security gaps that criminals exploit
Jagusch revealed that most attacks involve social manipulation, not sophisticated hacking:
"The most common threats reported to us through the research were scam calls and phishing... cyber criminals will normally try to do the least amount of work possible. If I can just ask you for your password and you give it to me, that is far easier than hacking into a system."
This aligns with global data from IBM showing that 95% of breaches involve some form of human error or social engineering. The NCSC survey confirms phishing and scams remain the dominant attack methods: techniques that require convincing emails, spoofed domains, or phone calls rather than advanced technical skills.
For some of our clients, as recently as this week, social engineering has been the preferred hacking method. This is not just some written scare tactic to our audience; this is very real, and we cannot stress enough how urgent it is to act now.
The survey revealed a critical weakness in New Zealand's SME cybersecurity posture. This false sense of security is one of the biggest threats to SME resilience.
Thinking cybersecurity is "sorted" because you have antivirus software or a firewall is like assuming a lock on the front door protects your whole house, while leaving the windows wide open.
Here are the facts:
Threats are accelerating: A 17% rise in targeting year-on-year is significant and shows no signs of slowing
Phishing dominates: Low-cost, high-reward attacks remain cybercriminals' favourite weapon
SMEs are under-resourced: Almost half of SMEs still rely on staff without specialist training to handle cybersecurity
Critical basics are missing: Two-factor authentication and data backups are still not universal, despite being low-cost, high-value defences
If we haven't said it enough in this article, New Zealand SMEs are certainly a target for cyber criminals. Cyberattacks are no longer just an IT issue; they're a business continuity crisis.
The consequences of a breach extend far beyond the initial attack:
Immediate impact:
Downtime: Even short disruptions can cripple productivity and revenue
Data loss: Critical business information may be permanently compromised
Operational chaos: Staff unable to access systems, customers unable to transact
Long-term consequences:
Reputation damage: Clients, customers, and partners lose trust quickly and permanently
Financial losses: From ransom payments to legal costs, regulatory fines, and lost sales
Regulatory pressure: Privacy breaches must be disclosed, with compliance implications
Competitive disadvantage: Recovery time allows competitors to gain market share
Inaction is more expensive than action. We always emphasize that businesses should take a proactive stance rather than a reactive one.
The encouraging news is that SMEs don't need enterprise-level budgets to meaningfully improve their cybersecurity posture. Based on the NCSC's recommendations, global best practices and what NSP does daily for our customers, here are the critical priorities:
1. Make Two-Factor Authentication non-negotiable
As Jagusch emphasized, 2FA is "a relatively simple, but really effective way of adding another layer of protection." Even if passwords are compromised, 2FA prevents unauthorized access. Yet it's still not consistently implemented across New Zealand businesses.
Action: Enable 2FA on all business-critical systems today: email, banking, cloud services, and administrative accounts.
2. Implement regular, verified backups
Backups are only useful if they work when you need them. The NCSC identified regular backups as one of the "most impactful steps" businesses can take.
Action:
Schedule automated daily backups
Store copies offline or in secure cloud environments
Test restore procedures monthly
Ensure backups are isolated from main networks to prevent ransomware encryption
3. Train staff to recognize social engineering
Since humans remain the primary attack vector, regular training is essential. This isn't a one-time session; it's an ongoing commitment like workplace health and safety.
Action:
Conduct monthly phishing simulations
Train staff to identify red flags in emails, calls, and messages
Create clear reporting procedures for suspicious communications
4. Assess security gaps with a structured framework
Adopt a recognised model like the NIST Cybersecurity Framework to ensure comprehensive coverage across five critical areas: Identify, Protect, Detect, Respond, Recover.
Action:
Conduct a baseline security assessment
Identify critical assets and vulnerabilities
Prioritize improvements based on risk and impact
Document policies and procedures
5. Build a culture of cybersecurity
Cybersecurity cannot live in IT silos; it must be integrated into daily operations and leadership priorities.
Action:
Include cybersecurity in board and executive discussions
Establish clear governance and accountability
Allocate appropriate budget and resources
Regularly review and update security measures
One of the survey's most concerning insights is that many SMEs still rely on staff without specialist expertise to make cybersecurity decisions. This approach is both risky and unsustainable.
As NSP, we wouldn't perform heart surgery, so why are businesses still expecting their general IT team to handle cybersecurity without specialist support?
Here is what we can do for you:
vCISO (Virtual Chief Information Security Officer): Enterprise-grade expertise tailored to SME budgets
Managed Detection and Response (MDR): 24/7 monitoring and incident response
Security assessments: Professional evaluation of current defences and risks
Staff training programs: Specialist-designed awareness and response training
With over half of SMEs targeted in just six months, the question isn't if your business will face an attack; it's when. If we have to keep saying it, we will: your business is at risk. The NCSC survey is both a reality check and the roadmap for immediate action.
This requires leadership at every level:
IT Managers must push for stronger controls and comprehensive training programs.
Business Owners must view cybersecurity as an enabler of trust and business continuity, not just a cost centre.
Boards and Executives must integrate cybersecurity into governance discussions and strategic planning.
Organizations that act now gain multiple advantages:
Protected data and operations: Reduced risk of costly breaches and downtime
Customer trust: Demonstrated commitment to data protection
Competitive positioning: Resilience becomes a market differentiator
Compliance readiness: Prepared for evolving regulatory requirements
Business continuity: Maintained operations during security incidents
Those who delay face inevitable disruption, financial loss, and reputational damage when, not if, an attack succeeds.
The NCSC survey proves that businesses are not too small to be a target, and that they are not doing enough. The numbers are very real:
If more than half of SMEs in New Zealand are being targeted within a six-month window, your business is almost certainly in the crosshairs and you are not. doing. enough.
The time for action is now:
Today: Enable 2FA on critical systems
This week: Test your backup and recovery procedures
This month: Conduct staff phishing simulation training
Ongoing: Treat cybersecurity as a business-critical function, not an IT afterthought
Cybersecurity isn't just about defence; it's about resilience, trust, and long-term business success. In an increasingly connected economy, your security posture directly impacts your ability to compete, grow, and serve customers.
The NCSC survey provides both the warning and the roadmap. The question remaining is simple: Are you ready to act? Though, we shouldn't be asking this anymore. You have to be ready.
Need expert guidance? If you're unsure where your SME stands, professional cybersecurity partners can help. From security assessments and staff training to managed detection and response services, specialized support provides enterprise-grade expertise tailored to SME realities and budgets.
Schedule a session with us to discuss where you are and where you need to be. If you want to go forward, we will be your technology partner. This is obligation-free.