
How Do I Know If My Business Has Been Breached?

Written by Dayna-Jean Broeders | May 19, 2026 10:16:49 PM



By the time you notice something is wrong, the attacker has usually been in your environment for days - sometimes weeks.

The global median dwell time - the gap between an attacker gaining initial access and being detected - is 11 days, according to Mandiant's 2025 M-Trends report. Eleven days of undetected access. Eleven days of a criminal reading your emails, mapping your network, copying files, identifying your most valuable data, and in many cases, deleting your backups before deploying ransomware or exfiltrating everything they came for.

The signs are almost always there in hindsight. The challenge is knowing what to look for before the situation becomes obvious and, by then, expensive.

On 30 December 2025, Manage My Health identified a cybersecurity incident involving unauthorised access to their platform. New Zealand businesses learned that a major health records system had been compromised, affecting patient data across a wide network of medical practices. Nobody had noticed. Until they did.

This post explains what the warning signs look like, why most businesses miss them, and what you can do to find out whether something is already wrong in your environment right now.


Why Most Breaches Go Undetected for So Long

The assumption most business owners have about cyberattacks is that they're obvious. Systems crash. Files disappear. A ransom demand appears on screen. Something dramatic happens.

That's how the story ends. The middle chapter is much quieter and much longer.

Modern attackers, particularly those running organised ransomware operations or business email compromise schemes, are not in a rush. They gain initial access - usually through a phished credential, an unpatched vulnerability, or compromised remote access - and then they wait. They watch. They move slowly and carefully through your environment, escalating privileges, identifying targets, and establishing persistence before they make any move that would be noticed.

This deliberate patience serves two purposes. First, it maximises what they can take or encrypt. Second, it makes forensic investigation harder after the fact - the longer the dwell period, the more the attacker's activity is buried in normal log noise.

The NCSC has been explicit that this pattern applies to NZ businesses. In the Q2 2025 Cyber Security Insights report, they noted attackers are increasingly calling IT helpdesks, impersonating staff using LinkedIn data and breach credentials, and attempting to reset passwords or weaken MFA - all activities designed to extend access quietly, not trigger alarms loudly.

What this means for your business: the absence of an obvious problem is not evidence that there is no problem. It's evidence that nothing obvious has happened yet.


The Warning Signs That Are Easy to Miss

These are the indicators that something may already be wrong in your environment. None of them is conclusive on its own. Several of them together, or any one of them combined with other context, warrants immediate investigation.

Login activity from unexpected locations or times

If one of your team's accounts logs in from a location that person has never been to, at 3am on a Saturday, that's worth looking at. Modern attackers operate globally and don't respect business hours - in fact, they specifically target periods when IT staff are not around.

Most businesses have no visibility into this at all. They're not watching login logs, have no alerting on unusual access patterns, and would only know if the staff member themselves reported something odd. The attacker counts on exactly that.

Unusual login activity is one of the earliest and most reliable indicators of account compromise. In the Verizon 2025 Data Breach Investigations Report, stolen or compromised credentials were the initial access vector in more than 22% of all breaches globally.
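As an added illustration (not part of the original post), the following Python script shows the kind of check an IT provider can run over an exported sign-in log: it converts UTC timestamps to NZ local time, flags sign-ins outside business hours or at the weekend, and flags any sign-in from a country the user has never signed in from before. The sign-in records, user names and the example.co.nz domain are constructed, and the fixed UTC+12 offset stands in for Pacific/Auckland.

```python
"""Flag sign-ins outside business hours or from countries a user has never used."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records (not real tenant data). Timestamps are UTC,
# which is how most cloud audit exports are written. "ZZ" is a placeholder country code.
SIGN_INS = [
    {"user": "anna@example.co.nz", "time": "2025-08-04T21:15:00Z", "country": "NZ"},
    {"user": "bob@example.co.nz",  "time": "2025-08-05T00:05:00Z", "country": "NZ"},
    {"user": "anna@example.co.nz", "time": "2025-08-05T03:40:00Z", "country": "NZ"},
    {"user": "bob@example.co.nz",  "time": "2025-08-06T02:00:00Z", "country": "AU"},
    {"user": "anna@example.co.nz", "time": "2025-08-08T15:02:00Z", "country": "NZ"},
    {"user": "anna@example.co.nz", "time": "2025-08-08T15:10:00Z", "country": "ZZ"},
]

# Fixed NZST offset for this example; in production use zoneinfo("Pacific/Auckland")
# so daylight saving is handled correctly.
LOCAL_TZ = timezone(timedelta(hours=12), name="NZST")
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 local time
WORKDAYS = range(0, 5)          # Monday (0) to Friday (4)


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp written with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_out_of_hours(local: datetime) -> bool:
    """True if the local time falls on a weekend or outside business hours."""
    return local.weekday() not in WORKDAYS or local.hour not in BUSINESS_HOURS


def flag_sign_ins(records, tz=LOCAL_TZ):
    """Return one finding per suspicious sign-in, each with a list of reasons.

    The set of 'known' countries per user is built from that user's earlier
    sign-ins in the same data set; a user's very first sign-in cannot be judged
    against a baseline and only sets one.
    """
    known = defaultdict(set)
    findings = []
    for rec in sorted(records, key=lambda r: r["time"]):
        local = parse_utc(rec["time"]).astimezone(tz)
        reasons = []
        if is_out_of_hours(local):
            reasons.append("outside business hours")
        seen = known[rec["user"]]
        if seen and rec["country"] not in seen:
            reasons.append(f"new country {rec['country']} (seen before: {sorted(seen)})")
        seen.add(rec["country"])
        if reasons:
            findings.append({"user": rec["user"], "local_time": local.isoformat(),
                             "country": rec["country"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_sign_ins(SIGN_INS):
        print(f["local_time"], f["user"], f["country"], "; ".join(f["reasons"]))
```

On the constructed data this reports Bob's first sign-in from Australia and Anna's two early-Saturday-morning sign-ins, the second of which also comes from a country she has never used.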

Emails being read before you open them

This is a specific indicator of business email compromise - the attack type the NCSC called out as the most common and damaging facing NZ organisations right now. If an attacker has access to your email, they're reading your messages to understand what financial transactions are in progress, what clients are expecting payments, and where the best opportunity is to intercept funds.

Signs to watch for: emails showing as read when you haven't opened them, delayed delivery of emails that should arrive instantly, auto-forwarding rules you didn't set up, or unfamiliar devices appearing in your email account's sign-in history.

The NCSC specifically recommended NZ businesses - particularly law firms, who have been targeted with attacks on an almost daily basis - check whether auto-forwarding rules have been set up on email accounts without their knowledge. This is a standard attacker technique for maintaining silent, persistent access to communications.

Unexpected auto-forwarding rules in email

Related to the above but worth calling out separately because it's so consistently missed. When an attacker compromises an email account, one of the first things they do is set up forwarding rules to receive a copy of all incoming and outgoing emails. This lets them monitor communications from outside the account, even if the password is eventually changed.

These rules don't trigger alerts. They don't slow down the email. They're invisible unless someone specifically looks for them in the account settings. Many businesses have had forwarding rules sitting on key email accounts for months before they were discovered - typically during a post-incident investigation, after the damage was already done.
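The following Python audit is an added example, not from the original post or NSP, of how to scan an exported list of inbox rules and mailbox-level forwarding settings for the pattern described here: copies sent to addresses outside the business, and rules that forward a copy while hiding the original from the account holder. The export shape, mailbox names and the example.co.nz domain are constructed assumptions; real admin consoles export more fields under their own names.

```python
"""Audit exported mailbox rules for forwarding the account holder did not set up."""

ORG_DOMAINS = {"example.co.nz"}   # assumption: the business's own email domain(s)

# Constructed export (not from a real tenant): a simplified, vendor-neutral version
# of the per-mailbox inbox rules an email admin console lets you list or export.
RULES = [
    {"mailbox": "anna@example.co.nz", "name": "Invoices to finance", "enabled": True,
     "forward_to": ["finance@example.co.nz"], "redirect_to": [], "delete": False, "move_to": None},
    {"mailbox": "anna@example.co.nz", "name": "Sync", "enabled": True,
     "forward_to": ["anna.backup@mail-example.net"], "redirect_to": [], "delete": True, "move_to": None},
    {"mailbox": "bob@example.co.nz", "name": "Archive newsletters", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": False, "move_to": "Newsletters"},
    {"mailbox": "bob@example.co.nz", "name": "Old test", "enabled": False,
     "forward_to": ["bob@personal-example.org"], "redirect_to": [], "delete": False, "move_to": None},
    {"mailbox": "ceo@example.co.nz", "name": "Payments", "enabled": True,
     "forward_to": [], "redirect_to": ["accounts@example.co.nz"], "delete": False, "move_to": None},
]

# Constructed mailbox-level forwarding settings, which live outside inbox rules
# and are easy to overlook when only the rules list is checked.
MAILBOXES = [
    {"mailbox": "anna@example.co.nz", "forwarding_address": None},
    {"mailbox": "bob@example.co.nz", "forwarding_address": "assistant@example.co.nz"},
    {"mailbox": "ceo@example.co.nz", "forwarding_address": "ceo.archive@mail-example.net"},
]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_external(addr: str, org_domains=ORG_DOMAINS) -> bool:
    """True if the address is outside the business's own domains."""
    return domain_of(addr) not in org_domains


def audit_rules(rules, org_domains=ORG_DOMAINS):
    """Report rules that send copies externally or forward while hiding the original.

    Disabled rules are still reported (with enabled=False) because a rule that
    nobody recognises should be explained, not just switched off.
    """
    findings = []
    for r in rules:
        targets = list(r["forward_to"]) + list(r["redirect_to"])
        reasons = []
        external = [t for t in targets if is_external(t, org_domains)]
        if external:
            reasons.append(f"forwards to external address(es): {', '.join(external)}")
        if targets and (r["delete"] or r["move_to"]):
            reasons.append("forwards a copy and hides the original (delete/move)")
        if reasons:
            findings.append({"mailbox": r["mailbox"], "rule": r["name"],
                             "enabled": r["enabled"], "reasons": reasons})
    return findings


def audit_mailbox_forwarding(mailboxes, org_domains=ORG_DOMAINS):
    """Return (mailbox, address) pairs where mailbox-level forwarding goes external."""
    return [(m["mailbox"], m["forwarding_address"]) for m in mailboxes
            if m["forwarding_address"] and is_external(m["forwarding_address"], org_domains)]


if __name__ == "__main__":
    for f in audit_rules(RULES):
        print(f["mailbox"], f["rule"], "enabled" if f["enabled"] else "disabled", f["reasons"])
    for mailbox, addr in audit_mailbox_forwarding(MAILBOXES):
        print(mailbox, "mailbox-level forwarding to", addr)
```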

Unusual outbound network traffic

Large volumes of data leaving your network at unexpected times - particularly late at night or on weekends - can indicate data exfiltration. Attackers stage data before extraction, often copying large amounts of files to a staging location within your environment first, then exfiltrating in a single large transfer.

This requires some level of network monitoring to detect. Most small businesses have no visibility into their outbound traffic patterns and would not notice this unless it was so large it affected performance.

Slow or degraded system performance without explanation

Attackers running on your systems use resources - CPU, memory, network bandwidth. Cryptomining malware, in particular, consumes significant compute resources and often manifests as unexplained slowness across devices. Ransomware during its encryption phase will also slow systems noticeably before the ransom demand appears.

Slow systems get attributed to aging hardware, software updates, or "just one of those days." Sometimes that's accurate. When slowness is unexplained, persistent, or affects multiple devices simultaneously, it's worth investigating rather than accepting.

Staff receiving unexpected password reset requests

If someone on your team gets an MFA prompt or password reset request they didn't initiate, that's a direct signal that someone else is attempting to access their account. This is not ambiguous. The most charitable interpretation is that they accidentally clicked something; the more likely interpretation is that an attacker has their credentials and is attempting to log in.

The NCSC noted in 2025 that attackers are specifically targeting IT helpdesks with impersonation attempts - calling up pretending to be staff, using information from LinkedIn and prior breach data to sound legitimate, and asking for password resets or MFA changes. If your helpdesk receives these kinds of requests, there should be a verification protocol that doesn't rely solely on the caller's ability to recite known information.

Clients or partners reporting suspicious communications from your accounts

One of the ways business email compromise is discovered is when a client calls to ask about an unusual email they received "from you." By this point the attacker has usually been in the account long enough to understand your client relationships, your writing style, and the transactions in progress - making their impersonation convincing enough that the client almost acted on it.

If a client flags something unusual, treat it seriously and immediately. This is a confirmed indicator of compromise, not a near-miss.

Files modified or accessed at unusual times

Document management systems, shared drives, and cloud storage platforms typically maintain access logs. If files - particularly financial records, HR data, or sensitive client documents - are being accessed outside of business hours by accounts that wouldn't normally access them, that's worth investigating.

This is also a classic indicator of insider threat activity, which accounts for a meaningful proportion of data breaches. Sometimes the insider is malicious; more often it is negligent staff with excessive access permissions.

Devices behaving strangely

Devices turning themselves on and off. Applications crashing unexpectedly. Antivirus alerts triggering and then stopping. Mouse movements that seem autonomous. These can all be coincidental, and often are. But combined with other indicators, or occurring across multiple devices simultaneously, they can signal active malware or remote access tools operating in the background.


The Harder Truth: Most Businesses Can't See Enough to Know

Here's the frustrating reality: the indicators above are only visible if you have some level of monitoring in place. And most NZ SMEs don't.

Without visibility into login activity across cloud applications, email account security settings, network traffic patterns, and endpoint behaviour, most of these signals are simply invisible. You'd only find out something was wrong when the attacker made a move you couldn't miss - the ransomware deployed, the funds transferred, the data published.

The NCSC recorded 5,995 incident reports in 2024/25 and acknowledged that this dramatically understates the real number - because most incidents are never reported, and a significant proportion are never detected at all. The businesses that discovered they'd been breached are the tip of the iceberg.

This is precisely why active monitoring isn't optional for businesses that hold valuable data, handle significant financial transactions, or have compliance obligations. Managed Detection and Response provides continuous visibility into your environment - 24/7, across endpoints, email, cloud applications, and network - specifically looking for the indicators that precede and follow a breach. It's the difference between finding out you were compromised eight months later and finding out in the first 24 hours.


What to Do If You Think You've Already Been Breached

Speed matters. Every hour an attacker remains undetected is an hour they're extending their access, exfiltrating more data, or moving closer to deploying ransomware. If you suspect something is wrong, the following steps apply.

Step 1: Don't panic - but do act immediately.

The instinct to fully understand the situation before taking action is understandable but counterproductive. You don't need to know exactly what happened before you start responding. Act on suspicion.

Step 2: Isolate, don't shut down.

If a specific device is behaving suspiciously, disconnect it from the network. Don't turn it off - this can destroy forensic evidence and, in some ransomware scenarios, trigger the encryption. Isolate the affected system from the rest of the network while keeping it powered on.

Step 3: Contact your IT provider or cybersecurity team immediately.

If you have a managed services provider or security partner, call them now. This is not an email situation. If you don't have an existing relationship and need immediate incident response support, NSP's team handles exactly this - reaching out early changes the outcome.

Step 4: Change credentials on all potentially affected accounts.

Particularly email, remote access tools, cloud applications, and admin accounts. Do this from a device that isn't connected to the potentially compromised environment if possible.

Step 5: Notify your cyber insurer.

If you have cyber insurance, notify them as soon as you suspect an incident - before you know the full scope. Most cyber insurance policies require notification within 48 to 72 hours of discovering a potential breach. Waiting until the investigation is complete before calling is one of the most common reasons claims are denied. As we covered in our post on the security baseline every NZ business needs before buying cyber insurance, early notification is a policy condition, not a courtesy.

Step 6: Assess your Privacy Act obligations.

If personal information may have been accessed or exfiltrated, you need to assess whether the breach is notifiable under the Privacy Act 2020. A breach is notifiable if it is likely to cause serious harm to affected individuals. The Privacy Commissioner expects notification within 72 hours of becoming aware of a notifiable breach - even if the investigation is still ongoing. Notify early and update as the picture becomes clearer.

Step 7: Document everything from the moment you suspect an incident.

Timestamps, what you observed, what actions you took, and when. This documentation is essential for forensic investigation, insurance claims, and Privacy Act notification. Start the record the moment something seems wrong.

Step 8: Don't communicate via potentially compromised channels.

If your email may be compromised, don't use it to discuss the incident. Use phone calls or a separate, unaffected communication channel for sensitive incident discussions.


The NZ Privacy Act 2020 Obligations You Need to Understand

New Zealand businesses have specific legal obligations when a breach involving personal information occurs, and the timeline is shorter than most people realise.

Under the Privacy Act 2020, a notifiable privacy breach is one that is likely to cause serious harm to affected individuals. Serious harm includes financial loss, reputational damage, emotional distress, identity theft, or physical harm. When assessing whether a breach is notifiable, you consider the sensitivity of the information, the nature of the potential harm, and whether the information was protected by security measures.

The 72-hour expectation - The Privacy Commissioner's guidance is that notification should occur within 72 hours of becoming aware of a notifiable breach. This clock starts when you first have reason to believe a notifiable breach has occurred - not when the investigation is complete. If you're still investigating, notify and update.

Who you notify - Both the Privacy Commissioner (through the OPC's Notify Us system at privacy.org.nz) and the affected individuals. The notification to individuals should be clear, specific about what information was involved, and include guidance on what they should do to protect themselves.

The Privacy Amendment Act 2025 - From 1 May 2026, new requirements under IPP 3A apply to businesses that collect personal information indirectly - from sources other than the individual themselves. If your business is in this category, check your privacy policy and data collection practices against the new requirements.

Breaches that are handled promptly, with proper notification and transparent communication, fare significantly better in regulatory and reputational terms than those where organisations delayed action or attempted to manage the situation quietly. The Privacy Commissioner's case notes make this pattern clear.


How to Find Out if Something Is Already Wrong Right Now

There are practical steps any business can take today - before an incident - to assess whether their environment may already be compromised.

Audit email account security settings - Check every key email account for auto-forwarding rules that weren't set up by the account holder. Check sign-in history for unfamiliar devices or locations. Check whether MFA is enabled and whether any recent MFA changes were made without the account holder's knowledge.

Review who has access to what - Check your active user accounts against your current staff list. Accounts belonging to people who have left the business are a common attack vector and should be disabled immediately upon departure, not at some later convenient point.

Check your cloud application access logs - Most cloud applications maintain logs of user activity. Review these for unusual access patterns, particularly outside business hours, from unfamiliar locations, or from accounts that wouldn't normally access that data.

Verify your backups are intact - If an attacker has been in your environment for any period of time, one of their goals may have been to compromise your backups. Check that backups are running, that recent backups exist, and that a restoration test confirms the data is recoverable.

Run a security assessment - A cybersecurity assessment conducted by a qualified security professional looks for indicators of compromise as part of evaluating your security posture. It also tells you where your most significant gaps are - the gaps that make an undetected breach possible in the first place.


Frequently Asked Questions: Has My Business Been Breached?

How long do attackers typically go undetected before being discovered?

The global median dwell time - the time between initial access and detection - is 11 days according to Mandiant's 2025 M-Trends report. For organisations without active monitoring, that figure can be significantly higher. Eight months of undetected access is not unusual in cases where detection was ultimately triggered by the attacker's final action rather than proactive monitoring.

If we have antivirus, wouldn't it detect an intruder?

Not necessarily. Modern attackers increasingly use "living off the land" techniques - exploiting legitimate tools and processes already present in your environment rather than introducing detectable malware. Antivirus looks for known malicious files; it does not detect a human attacker operating through legitimate credentials and native system tools. Active monitoring through MDR detects behavioural anomalies that antivirus misses entirely.

What's the first thing I should check if I think we've been compromised?

Email account security settings - specifically auto-forwarding rules and sign-in history. This is the most common and most easily missed indicator of ongoing compromise, and it can be checked without specialist tools by anyone with access to the email administration console.

Do we have to tell our clients if we've been breached?

If personal information about your clients was accessed or exfiltrated, and there is a reasonable belief that this could cause serious harm, yes - you are legally required to notify them under the Privacy Act 2020. The notification should be prompt, specific, and include guidance on steps they can take. Delaying notification in the hope that you can resolve it quietly is both a legal risk and a reputational one.

We haven't noticed anything unusual. Does that mean we're fine?

Not necessarily. The median dwell time of 11 days means attackers are specifically trying not to be noticed. The absence of obvious symptoms is not a clean bill of health - it's simply a reflection of what you can and can't see with your current level of monitoring. If you don't have active monitoring in place, you may simply not be looking in the right places.

What should we do if a staff member's email account has been sending messages they didn't write?

This is a confirmed business email compromise. Act immediately: change the password, enable MFA if it isn't already active, check and remove any auto-forwarding rules, check sign-in history, notify clients who may have received suspicious emails, contact your IT provider for a full audit of what was accessed and when, and report to the NCSC at ncsc.govt.nz. Time is critical - the attacker may still have access through other mechanisms even after the password is changed.

When should we contact the NCSC?

The NCSC encourages businesses to report incidents regardless of severity - even things that seem minor contribute to their understanding of the threat landscape and may help them protect other NZ businesses from the same attack. Report at ncsc.govt.nz. It is confidential, it does not automatically involve police unless you consent, and it is genuinely useful.


Is Your Business Protected?

A free security consultation with NSP takes 30 minutes. We'll look at your current monitoring capability, your email security configuration, and your most significant exposure points, and tell you what we see, not what you want to hear.


Or call us directly: 0508 010 101

