So Richard Marles, Australia's Deputy Prime Minister and Defence Minister, has been making waves with some pretty frank talk about cybersecurity. And yeah, I know, you're in New Zealand, he's an Aussie politician, why should you care?
Because the cyber threats hitting Australia don't stop at the Tasman Sea. And frankly, we're seeing the same patterns right here in Aotearoa.
In October 2025, Australia released their latest Annual Cyber Threat Report. Marles didn't sugarcoat it: "Cyber-enabled espionage and crime are not a hypothetical risk, but a real and increasing danger to the essential services we all rely on."
Translation: This isn't theoretical anymore. It's happening, right now.
Australia's numbers are eye-watering:
84,700 cybercrime reports in a year, that's one every 6 minutes
Small businesses lost an average of $56,600 per incident (up 14%)
Individuals lost an average of $33,000 (up 8%)
Cyber security incidents that ASD responded to jumped 11% from the previous year
We’re not doing any better.
New Zealand's National Cyber Security Centre (NCSC) Q1 2025 report shows financial losses hit $7.8 million in just three months, up 14.7% from the previous quarter. That's the second-highest quarterly loss we've ever recorded.
Let that sink in. Seven point eight million dollars, in three months and that's only what got reported.
Tom Roberts, NCSC's Response and Investigations Team Lead, put it bluntly: "The true scale of losses is likely to be much greater, since only a fraction of incidents are reported."
The breakdown:
1,369 cybersecurity incidents in Q1 2025 alone
486 scams and fraud cases (still the most common attack)
440 phishing and credential harvesting incidents (up 15%)
228 unauthorized access incidents (up 11%)
And here's the kicker: over half of the reported financial losses hit businesses. Law firms and real estate agencies are getting hammered because they handle money transfers all day long.
We share more than rugby rivalries with Australia. We share:
Similar business ecosystems
The same time zone (mostly)
Comparable digital infrastructure
And unfortunately, the same cybercriminals' target lists
But here's what makes us an even juicier target: we're smaller. Less scrutiny. Fewer resources. A lot of Kiwi businesses still think "we're too small to be a target."
Wrong. You're the perfect size to be a target.
When ransomware groups hit Australian businesses, they're testing tactics. When they find what works, they move across the region. We're not an afterthought , we're next on the list.
In his October interview with ABC, Marles pointed out that cybercriminals specifically target businesses through:
Legacy IT systems , old systems are basically open doors
Third-party contractors , your suppliers' security becomes your security problem
Delayed software updates , every unpatched system is a welcome mat
Sound familiar? Because I guarantee at least one of those applies to your business right now.
Look, I could give you the usual lecture about updating software and using strong passwords. You've heard it. But here's what the Australian report , and our own NCSC data , really tell us:
Stop using old systems as a cost-saving measure That Windows Server from 2012? It's not saving you money. It's a ticking time bomb. Legacy systems are how most of these attacks start.
Your contractor's security is your security That third-party who accesses your network? Their security practices matter as much as yours. One compromised contractor login and suddenly your data is on the dark web.
Have a plan for when (not if) something happens Notice I said "when." The NCSC handled 1,369 incidents in just one quarter. Your turn will come. The question is whether you'll be ready.
Actually install updates Yeah, it's boring. Yeah, it might mean a server restart at an inconvenient time. You know what's more inconvenient? Explaining to clients why their data is gone.
Here's the good news: you don't have to figure this out alone. New Zealand has solid resources that actually want to help:
National Cyber Security Centre (NCSC)
Guidance for businesses of all sizes
Minimum Cyber Security Standards that came into effect October 30, 2025
Phishing Disruption Service (forward dodgy links to phishpond@ops.cert.govt.nz)
NCSC's Cyber Security Framework Covers the basics everyone should have:
Multi-factor authentication on everything
Regular backups (tested ones, not theoretical ones)
Software updates within 48 hours of release
Security training for your team (real training, not a checkbox exercise)
Regular threat updates
Free tools and checklists
And unlike those "best practice" frameworks that require a PhD to understand, these are actually written for real businesses.
Here's where we come in - this is literally what we do all day.
We'll look at what you've got, tell you honestly where the gaps are, and prioritise what actually matters. No selling you things you don't need.
Think of it as having a security team without hiring a security team. We monitor, patch, update, and sort problems before they become expensive disasters.
Something's already gone wrong? We help you contain it, clean it up, and make sure it doesn't happen again.
Getting your backups actually working (tested, not hoped-for)
Sorting your multi-factor authentication
Training your team on what to watch for
Fixing those legacy systems that are basically time bombs
We're not going to sell you a "comprehensive cybersecurity solution" with "next-generation AI-powered threat detection." We're going to help you do the basics properly, because that stops 90% of attacks.
The numbers don't lie. Whether it's Australia's $56,600 average loss for small businesses or New Zealand's $7.8 million in quarterly losses, this isn't a "them" problem. It's an "us" problem.
And here's the thing that should really worry you: the NCSC reported over 7,122 cybersecurity incidents in their inaugural year. That's not government agencies being paranoid. That's actual attacks. On actual New Zealand organizations.
State-sponsored actors from Russia and China are actively targeting critical infrastructure, telecommunications, and supply chains. If you're thinking "but we're just a small business in New Zealand”, that's exactly why you're a target. You're less likely to have sophisticated security, more likely to have access to larger clients, and perfect for testing attacks.
We're a small country and we like to think we're under the radar. But to cybercriminals, we're just another target with potentially weaker defences than our bigger neighbours.
The question isn't whether you'll face a cyber threat. It's whether you'll be ready when it happens.
And if those numbers, businesses losing $50k-60k per incident, $7.8 million gone in three months, don't motivate you to sort your security out, I'm not sure what will.
Want to talk through your actual security setup? Not in a "scare you into buying stuff" way, but in a "let's make sure you're not an easy target" way? That's what we're here for.