The question business leaders ask most frequently about cybersecurity is: "When should we start taking this seriously?"
If you're asking the question, you're already behind.
You cannot build a moat for your castle in the middle of a siege. Defensive preparations must happen before the attack, not during it. This principle applies equally to medieval fortifications and modern cybersecurity - yet organisations consistently delay security investments until faced with active threats or after experiencing breaches.
According to the National Cyber Security Centre, New Zealand organisations reported 1,249 cybersecurity incidents in Q3 2025 alone, with direct financial losses reaching $12.4 million. The majority of these organisations had adequate resources to implement security controls before incidents occurred. They simply hadn't prioritised the investment - until it was too late.
This article examines why cybersecurity preparedness cannot be deferred, what "building your moat" actually means in practical terms, and how to assess whether your defences would withstand an attack.
Medieval castle defenders understood a fundamental principle: defensive infrastructure takes time to build and must be in place before enemies arrive. Once the siege begins, your defences are what they are. You fight with what you prepared, not what you wish you had.
During a siege, castle defenders cannot:
Construct new walls or towers
Dig moats or build drawbridges
Train soldiers in combat techniques
Stockpile food, water, and supplies
Establish communication systems
Create escape routes or reinforcement plans
These preparations must happen during peacetime. Once under attack, defenders work with existing capabilities - adequate or not.
Modern cybersecurity operates identically:
During a ransomware attack, you cannot:
Implement backup systems that should have existed
Deploy security monitoring you never configured
Train staff on incident response procedures they've never seen
Establish relationships with incident response partners
Create communication plans for customers and stakeholders
Document systems and dependencies you should have mapped
Your incident response is constrained by the preparations you made beforehand. The security controls, monitoring systems, backup procedures, and response capabilities you have at the moment of attack determine the outcome.
The organisations that recover quickly from cybersecurity incidents - containing damage, restoring operations, and resuming business - are those that prepared comprehensively before the incident occurred.
The castle analogy is useful, but what does cybersecurity preparedness actually entail for modern New Zealand businesses?
You cannot defend what you don't understand. Comprehensive risk assessment identifies:
Critical assets and dependencies: What systems, data, and processes are essential to business operations? Which systems depend on which others? Where are single points of failure?
Threat landscape: What attacks target your industry? What methods do attackers use? What vulnerabilities commonly affect businesses similar to yours?
Current security posture: What controls are in place? What gaps exist? How would your current defences perform against realistic attack scenarios?
Business impact scenarios: What would happen if specific systems were compromised or unavailable? What's the financial impact? Operational consequences? Regulatory implications?
This assessment provides the foundation for all subsequent security decisions. Without it, you're guessing about priorities and hoping you've addressed the most important risks.
Organisations that conduct comprehensive cyber risk assessments before incidents occur can make informed decisions about where to invest security resources for maximum risk reduction.
Medieval castles didn't rely on a single wall - they used concentric layers of defence. Outer walls, inner walls, moats, towers, and the keep all provided redundant protection. If attackers breached one layer, others remained.
Modern cybersecurity requires the same approach:
Perimeter security: Firewalls, network security, and access controls preventing unauthorised access to your environment.
Endpoint protection: Security controls on individual devices ensuring laptops, desktops, and mobile devices are properly secured and monitored.
Identity and access management: Multi-factor authentication, least-privilege access, and regular access reviews ensuring only authorised users can access systems and data.
Data protection: Encryption, data loss prevention, and classification controls protecting sensitive information even if other defences fail.
Security monitoring and detection: 24/7 Security Operations Centre (SOC) monitoring identifying threats that bypass preventive controls.
Backup and recovery: Isolated, tested backups enabling recovery even if primary systems are encrypted or destroyed.
No single control provides complete protection. Layered defence ensures that when one control fails - as eventually it will - others contain the threat.
Castle defenders didn't just build walls - they posted watchmen, established alarm systems, and trained rapid response forces.
The modern equivalent: you need the capability to detect threats quickly and respond effectively when they occur.
Continuous monitoring: Security events happen 24/7, not just during business hours. Attacks often occur at night, on weekends, or during holidays when organisations assume no one is watching.
Without continuous monitoring through Managed Detection and Response (MDR) services, threats operate undetected for hours, days, or weeks - expanding access, exfiltrating data, and establishing persistence.
Documented incident response procedures: When alerts fire and threats are detected, who responds? What actions do they take? How are decisions made? How is leadership notified?
Written procedures, documented and tested before incidents, ensure a coordinated response rather than chaos.
Established relationships: During active incidents, you need immediate access to:
Incident response expertise
Legal counsel familiar with breach notification requirements
Forensic analysis capabilities
Communication support for stakeholders
These relationships must exist before incidents. You cannot establish them while under attack.
Castle defenders conducted regular drills, testing response to different attack scenarios. Garrison soldiers trained. Supply chains were verified. Communication systems were exercised.
Cybersecurity requires equivalent testing:
Tabletop exercises: Simulated incident scenarios walked through with relevant stakeholders, identifying gaps in response procedures before real incidents expose them.
Backup restoration testing: Verifying that backups actually work and can restore systems within required timeframes. Many organisations discover backup failures during ransomware attacks - when it's too late to fix them.
Penetration testing: Simulated attacks identifying vulnerabilities that can be exploited. Better to discover weaknesses through controlled testing than during actual attacks.
Security awareness testing: Phishing simulations and security training ensuring staff can recognise and report threats rather than enabling them.
Organisations that regularly conduct tabletop exercises identify and address response gaps before incidents occur - when fixes are straightforward rather than desperate.
Castle defences required ongoing maintenance. Walls needed repair. Moats needed dredging. Supplies needed replenishing. Garrison soldiers needed training.
Cybersecurity requires continuous management:
Patch management: Security vulnerabilities are discovered continuously. Systems must be updated regularly to close known weaknesses before attackers exploit them.
Access reviews: User accounts and permissions accumulate over time. Regular reviews remove access for departed employees, contractors, and those who no longer require access to specific systems.
Security policy updates: As business changes - new systems, new processes, new threats - security policies must adapt. Static policies become ineffective as environments evolve.
Monitoring and optimisation: Security controls require ongoing tuning. False positive rates must be managed. Detection rules need refinement. Policies require adjustment based on operational feedback.
This ongoing management ensures security remains effective as your business and threat landscape change.
Despite understanding the importance of security preparedness, organisations consistently delay investment until forced by incidents or external pressure.
The normalcy bias is a cognitive phenomenon where people underestimate the likelihood and impact of disasters because they haven't personally experienced them. "It hasn't happened to us yet, so it probably won't" becomes the implicit assumption.
This creates several problematic patterns:
"We're too small to be targeted": Size is irrelevant. Automated attacks target thousands of organisations simultaneously. Attackers don't select targets based on size - they exploit vulnerabilities wherever found.
"We don't have anything worth stealing": Every organisation has valuable data - customer information, financial records, employee data, business intelligence. Even if data has limited market value, ransomware encrypts it regardless, demanding payment for restoration.
"We have antivirus and a firewall": Basic security controls are necessary but insufficient. Modern attacks bypass traditional controls regularly. Comprehensive security requires layered defence, not point solutions.
"We'll address it next budget cycle": Security incidents don't wait for convenient timing. Delaying investments doesn't reduce risk - it extends the period of vulnerability.
"We haven't had incidents, so we must be secure": Absence of detected incidents doesn't mean absence of threats. Many breaches remain undetected for months. Not knowing you've been compromised is different from being secure.
Organisations that delay security investment until incidents occur face significantly worse outcomes than those prepared in advance.
When ransomware strikes an unprepared organisation:
No backup strategy: Primary systems are encrypted. Backups - if they exist - are either encrypted alongside primary systems or haven't been tested and cannot restore.
Recovery timeline: Days or weeks to rebuild systems from scratch, manually reinstalling applications and attempting to recover data from various sources.
Data loss: Critical business data may be permanently lost if backups are inadequate or corrupted.
Decision paralysis: No documented procedures. Unclear authority. Conflicting opinions about whether to pay ransom, how to communicate with customers, when to notify regulators.
Reactive spending: Emergency incident response costs 3-5x normal rates. Rushed security implementations cost more and work less effectively than planned deployments.
Business disruption: Extended downtime affects revenue, customer relationships, regulatory standing, and market reputation.
When ransomware strikes a prepared organisation:
Isolated backups: Clean backups exist, isolated from the production environment. The recovery time objective is documented and has been tested.
Recovery timeline: Hours or days to restore from backups, following documented procedures with known recovery points.
Data loss: Minimal, contained to changes since last backup (typically hours, not days or weeks).
Clear procedures: Documented incident response plan. Known authority and decision rights. Pre-established communication templates.
Controlled costs: Existing incident response relationships provide predictable costs. Prepared controls contain damage, reducing overall incident cost.
Operational resilience: Faster recovery minimises business disruption. Customer impact is contained. Regulatory notification - if required - demonstrates due diligence.
The difference in outcomes is dramatic. Preparation doesn't prevent all incidents, but it fundamentally changes their impact.
The cybersecurity threat environment continues to intensify for New Zealand businesses across all sectors and sizes.
Threat sophistication is increasing: Attacks that previously required significant expertise are now automated and deployed at scale. Ransomware-as-a-service enables attackers with minimal technical skill to launch sophisticated attacks.
Attack surface is expanding: Cloud adoption, remote work, and digital transformation create new potential entry points. Organisations have more systems, more data, and more complexity - each introducing security considerations.
Regulatory expectations are tightening: Privacy Act 2020 requirements, cyber insurance mandates, and customer security expectations all demand demonstrated security controls and incident response capabilities.
Geopolitical instability creates uncertainty: While predicting specific threat actors or targets is speculation, geopolitical tensions correlate with increased cyber activity. Organisations should focus on resilience regardless of threat source.
Supply chain dependencies increase risk: Attacks targeting suppliers, service providers, or partners can affect your organisation even if your direct controls are strong. Resilience requires understanding and managing third-party risks.
The question isn't whether cyber threats will affect your industry or organisation - it's whether you'll be prepared when they do.
Assessing your current security posture requires honest evaluation:
Risk awareness:
Have you conducted a comprehensive cyber risk assessment in the past 12 months?
Can you identify your most critical systems and data?
Do you understand which threats are most likely to affect your organisation?
Can you quantify the business impact of likely security scenarios?
Preventive controls:
Are all endpoints (laptops, desktops, mobile devices) managed and secured?
Is multi-factor authentication required for all remote access and privileged accounts?
Are security patches deployed systematically with documented timeframes?
Are security configurations based on recognised frameworks (CIS, NIST, Essential Eight)?
Detection capabilities:
Do you have 24/7 security monitoring of your environment?
Can you detect threats in minutes or hours rather than days or weeks?
Are security events analysed by experts who distinguish genuine threats from noise?
Response readiness:
Do documented incident response procedures exist and have they been tested?
Can you restore critical systems from backups within defined timeframes?
Have you tested backup restoration in the past 6 months?
Do you have established relationships with incident response providers?
Ongoing management:
Are security controls monitored and updated continuously?
Do regular access reviews remove unnecessary privileges and former employee access?
Are security policies updated as your business and threats evolve?
If you cannot confidently answer these questions affirmatively, your defences have identifiable gaps that should be addressed before incidents expose them.
For organisations recognising the need to strengthen their security posture, the path forward is systematic:
Conduct a comprehensive cyber risk assessment evaluating:
Current security controls and their effectiveness
Critical assets and dependencies
Threat landscape relevant to your organisation
Gaps between current state and appropriate security posture
Business impact of realistic security scenarios
This assessment provides evidence-based understanding of your risk exposure and priorities for improvement.
Not all security improvements provide equal risk reduction. Prioritise investments based on:
Business impact if specific risks materialise
Likelihood of occurrence
Cost and complexity of mitigation
Regulatory and insurance requirements
Interdependencies with other improvements
Effective prioritisation ensures limited resources address highest-impact risks first.
Certain security controls provide disproportionate risk reduction relative to implementation effort:
Multi-factor authentication prevents credential-based attacks - one of the most common breach vectors.
Isolated, tested backups enable recovery from ransomware and destructive attacks regardless of other control failures.
Endpoint security ensures devices accessing your systems meet security requirements and can be monitored for threats.
Security awareness training reduces human-factor risks that technical controls cannot fully address.
These foundational controls should be prioritised for early implementation.
Preventive controls reduce the likelihood of successful attacks but cannot eliminate risk entirely. Detection and response capabilities limit damage when prevention fails:
Managed Detection and Response (MDR) provides 24/7 security monitoring, expert threat analysis, and coordinated response to detected incidents.
Incident response planning and testing ensure a prepared response rather than improvisation during crises.
Tabletop exercises identify gaps in response procedures before real incidents expose them.
Security is not a project with an end date - it's an ongoing programme:
Regular risk assessments (annually at minimum, more frequently after major changes)
Continuous security monitoring and threat detection
Ongoing vulnerability management and patch deployment
Regular testing of backup and recovery procedures
Periodic review and refinement of security policies
This continuous improvement ensures security remains effective as your business and threats evolve.
Most New Zealand SMEs cannot justify full-time security expertise - yet they face the same threats as larger enterprises.
Managed cybersecurity services provide access to enterprise-grade security capabilities without enterprise-scale investment:
Security Operations Centre (SOC) monitoring: 24/7 threat detection and response by security experts, providing capability most organisations cannot maintain internally.
Virtual CISO (vCISO) services: Executive-level security leadership and governance without the expense of a full-time hire.
Vulnerability management: Regular identification and prioritised remediation of security weaknesses.
Incident response: Expert support during security incidents, from initial containment through recovery and lessons learned.
Ongoing security management: Continuous monitoring, policy updates, and optimisation ensuring security remains current.
These services enable organisations to build and maintain a comprehensive security posture scaled to their size and risk profile.
The fundamental principle is simple: you cannot build defences during an attack. Preparation must happen before the siege begins.
Organisations experiencing cybersecurity incidents fall into two categories:
Those who prepared: They recover quickly because backup systems work, response procedures are documented and tested, security controls contain damage, and relationships with incident response providers enable immediate expert support.
Those who didn't prepare: They face extended downtime, permanent data loss, emergency spending at premium rates, regulatory consequences, and potential business viability threats.
The difference isn't luck, size, or industry - it's preparation.
According to the National Cyber Security Centre, cyber incidents affecting New Zealand businesses continue to increase in frequency and financial impact. Waiting to implement security controls until after experiencing incidents means accepting preventable damage.
Your security posture today determines your outcome when incidents occur tomorrow. The question is whether that posture is adequate - and whether you're willing to assess and address gaps before they're exploited.
You can't build a moat during a siege. The time to prepare is now, while you have the luxury of planning rather than the pressure of crisis response.
If you cannot confidently answer whether your organisation would detect and respond effectively to a ransomware attack, business email compromise, or data breach, a professional risk assessment provides the clarity needed to strengthen your security posture.
NSP provides comprehensive cyber risk assessments for New Zealand organisations, evaluating current security controls, identifying critical gaps, and providing prioritised roadmaps for improvement.
Our assessments deliver:
Complete evaluation of security posture against recognised frameworks
Identification of critical assets, dependencies, and single points of failure
Business impact analysis of realistic security scenarios
Prioritised remediation roadmap based on risk and business impact
Evidence satisfying cyber insurance and regulatory requirements
Beyond assessment, we provide the security capabilities needed to strengthen your defences:
24/7 SOC monitoring and threat detection
Incident response planning and support
vCISO services for strategic security governance
Vulnerability management and remediation
Tabletop exercises testing incident response readiness
Book your cyber risk assessment consultation to understand your security preparedness and identify gaps before incidents expose them, or call 0508 010 101 to discuss your security requirements.
We serve organisations throughout New Zealand with 100% NZ-based expertise, providing the security capabilities SMEs need to withstand modern cyber threats.
The siege is coming. The question is whether your defences will be ready.