For many small and medium-sized businesses (SMBs) in New Zealand, cyber security has traditionally been viewed as a concern for large organisations with extensive IT resources. However, recent findings from the National Cyber Security Centre (NCSC) show that cyber criminals are increasingly targeting businesses of all sizes, making cyber security a critical business priority for SMBs. (NCSC NZ)
According to the NCSC’s Cyber Threat Report 2025, 53% of New Zealand SMEs experienced a cyber threat during the first half of 2025, a significant increase from 36% in the previous year. The report also noted that nearly 6,000 cyber security reports were received during the 2024/25 financial year, with hundreds assessed as incidents of potential national significance. (NCSC NZ)
One of the biggest misconceptions among small businesses is the belief that they are too small to be targeted. In reality, cyber criminals often view smaller organisations as attractive targets because they may have fewer security controls, limited resources, and less formal cyber security policies. The NCSC warns that organisations can be targeted directly, become collateral damage, or simply be viewed as an easy opportunity by attackers. (NCSC NZ)
Many of the threats facing SMBs are not highly technical attacks but rather scams designed to exploit people and business processes. Phishing emails, fake invoices, impersonation scams, and fraudulent payment requests remain among the most common attack methods. Recent SME cyber security tracking found that social engineering tactics account for the majority of reported cyber incidents affecting smaller businesses. (heimdallinfosec.co.nz)
Ransomware continues to be a major concern. Criminal groups now operate sophisticated ransomware services that can be purchased or rented by other attackers, making these threats more accessible and widespread. At the same time, supply chain attacks are becoming increasingly common, where attackers compromise a trusted software provider, cloud platform, or service partner to gain access to multiple organisations at once. The NCSC identifies supply chain compromise as one of the most significant emerging risks facing New Zealand organisations. (NCSC NZ)
The good news is that many cyber incidents can be prevented through practical security measures. Multi-factor authentication (MFA), regular software updates, secure backups, strong password policies, employee awareness training, and clear incident response procedures remain among the most effective ways to reduce risk. These measures are often affordable and can significantly improve an organisation’s security posture. (NCSC NZ)
As cyber threats continue to evolve, cyber security is becoming a business resilience issue rather than simply an IT responsibility. For New Zealand SMBs, investing in cyber security helps protect customer data, maintain business continuity, reduce financial risk, and preserve trust. Organisations that take proactive steps today will be better positioned to navigate an increasingly complex threat landscape tomorrow.
References
- National Cyber Security Centre (NCSC) Cyber Threat Report 2025 – https://www.ncsc.govt.nz/insights-and-research/cyber-threat-reports/cyber-threat-report-2025/
- NCSC Cyber Threat Report 2025 (PDF) – https://www.ncsc.govt.nz/assets/insights/cyber-threat-report/NCSC-CyberReport2025-FINAL.pdf
- NCSC Key Judgements for 2025 – https://www.ncsc.govt.nz/insights-and-research/cyber-threat-reports/cyber-threat-report-2025/key-judgements-for-2025/
- Own Your Online (NCSC Small Business Guidance) – https://www.ownyouronline.govt.nz/
- NCSC Quarterly Cyber Security Insights Reports – https://www.ncsc.govt.nz/insights-and-research/insights-reports/
