Lack of risk assessments exposing Kiwi businesses to cyber attacks - Kordia

A new report from government-owned cybersecurity consultancy and infrastructure provider Kordia highlights the growing threat of cyber attacks and the alarming rate at which New Zealand companies are succumbing to these threats. 

The New Zealand Business Cybersecurity Report 2025 reveals that nearly two-thirds of New Zealand businesses experienced a cyber attack or incident in 2024, with a significant portion of these incidents resulting in financial extortion and ransom payments.

The prevalence of cyber attacks

The Kordia survey, which included 295 businesses with more than 50 employees, found that 59% of respondents suffered a cyber attack or incident in 2024. This high incidence of cyber attacks underscores the reality that these events are no longer a matter of "if" but "when" for New Zealand businesses. The most common cause of these incidents was email phishing, accounting for 43% of all cyber attacks and incidents. This trend is attributed to the increasing sophistication of phishing attacks, often facilitated by AI technology, which allows for greater personalization and automation of malicious emails.


The role of AI in cyber attacks

AI has become a double-edged sword for New Zealand businesses. On one hand, AI can enhance cybersecurity by improving threat detection and streamlining security operations. However, it also lowers the barriers for cybercriminals, enabling them to craft more sophisticated and scalable attacks. 

Over a quarter of surveyed businesses (28%) view AI-generated cyber attacks as a significant threat, despite only 6% of breaches being directly attributed to AI-related incidents. This disparity highlights the growing concern about AI's potential impact on cybersecurity, particularly as AI tools become more accessible and widespread.

Financial extortion and ransom payments

Financial gain remains the primary motivator for cybercriminals targeting New Zealand businesses. The report indicates that around one in six (14%) cyber incidents involved financial extortion, with one in ten (9%) resulting in the victim paying a ransom. While these numbers may seem relatively low, experts warn that they likely underestimate the true scale of the problem. Many businesses may not report ransom payments due to fear of reputational damage or legal repercussions.

The decision to pay a ransom is often driven by the cost-benefit analysis of recovery versus disruption. For some businesses, paying a ransom may seem like the quickest and cheapest solution to restore operations and avoid further financial losses. However, this approach can create a dangerous precedent, incentivising cybercriminals to continue their extortion tactics. Moreover, there is no guarantee that paying a ransom will ensure the return of stolen data or prevent future attacks.

Comparison with international practices

In contrast to New Zealand, Australia has recently introduced legislative reforms to tackle the issue of rising ransomware and cyber extortion payments. The Cyber Security Act mandates reporting requirements for businesses affected by cyber attacks, enhancing transparency and enabling authorities to better combat these threats. New Zealand lacks similar legislation, relying on voluntary reporting and guidance from the government. This gap in regulation makes it challenging to accurately assess the scope of cybercrime and the financial flows to cybercriminal entities.

Challenges in cybersecurity preparedness

Despite the growing threat landscape, many New Zealand businesses remain unprepared. The survey revealed significant gaps in cybersecurity practices:

Lack of penetration testing: Two-thirds of businesses have not conducted a penetration test in the past year.

Insufficient monitoring: One in five do not monitor network activity.

Inadequate risk assessment: Less than half always conduct risk assessments when introducing new technologies.

Cybersecurity awareness: A quarter of businesses lack any cybersecurity awareness or training programs.

These findings suggest that while New Zealand businesses recognise the importance of cybersecurity, they often fail to implement basic security measures effectively.

“It’s disappointing to see New Zealand businesses lagging behind – around one third of businesses say they don’t do any reporting on cyber risk to their board of directors, and around half haven’t practiced their cyber security response plan,” says Alastair Miller, Principal Security Consultant at Kordia-owned Aura Information Security.

“Bearing in mind that the businesses we surveyed are amongst some of the largest in the country and the biggest employers, we’d have liked to have seen more evidence of a focus on cyber issues,” he added.

Miller says there’s a level of complacency around security in cloud environments, with businesses thinking they are safe because their data and applications are hosted on public cloud platforms which have in-built security measures.

“A lot of people, especially when they move to the cloud, don't think what will happen if our cloud providers get attacked,” he says. “We often sit down and they talk about their business continuity plan and disaster recovery plan. They've got quite good plans for their buildings, servers and maybe some laptops. You say, what happens if your cloud service falls over? They stare at you blankly and go, but they're a cloud service. They don't fall over.”

Risk assessments should be undertaken when businesses migrate to the cloud, he says.


Recommendations for improvement

To enhance their cybersecurity posture, New Zealand businesses should focus on several key areas:

Risk assessment for emerging technologies: Businesses should evaluate the risks and benefits of AI and other emerging technologies, ensuring that their use aligns with company policies and privacy considerations.

Third-party risk management: With more businesses adopting cloud-based services, it is crucial to integrate third-party providers into business continuity plans and understand the data and systems they access.

Risk-based security investments: Prioritize security investments based on identified core risks rather than following trends in the security market.

Identity security: Implement robust identity and access management systems to protect against identity-based attacks, which are increasingly common.

Preparation for quantum computing: Begin planning for the potential impacts of quantum computing on encryption and data security, particularly for industries like finance and healthcare.

“Cyber security works best with a layered approach – so if one control fails, there is another in place to continue protecting your most important data and systems. For example, having multifactor authentication on logins is one simple way to add an extra layer of defence against identity attacks,” says Miller.

“We know that cybercriminals often log in with stolen credentials, rather than hacking their way into your business, so having a single source of identity management, for example, would significantly reduce the likelihood of an attacker slipping in unnoticed.”
