Media Release
A quarter (24%) of New Zealand businesses say staff using AI improperly is one of their biggest cyber security challenges, according to new research from Kordia.
Now in its 10th year, the 2026 Kordia New Zealand Business Cyber Security Report surveyed nearly 250 businesses (of 50+ employees) and found that:
- The number of cyber-attacks carried out through AI vulnerabilities has more than doubled, from 6% in 2024 to 14% in 2025.
- Nearly half (44%) of businesses said they were subjected to a cyber-attack in the past 12 months – a decline from the previous year (59%).
- Nearly a fifth (17%) of cyber incidents resulted in personal information being accessed or stolen.
- One in five businesses (19%) impacted by a cyber incident faced financial extortion by a cybercriminal – an increase from 14% in 2024.
- One in 10 (8%) paid a ransom or extortion demand. However, of the companies that had a ransom demanded of them, 42% paid the ransom. Additionally, a third (32%) of businesses said they would consider paying such a demand.
- A fifth (21%) of businesses hit by a cyber-attack said they suffered disruption to their business (such as inability to access systems or serve customers).
Redefining ‘insider threat’
One in four (24%) businesses said improper AI use was among their top three challenges to improving cyber security, up from 16% the previous year. Patrick Sharp, General Manager of Kordia-owned Aura Information Security, says this is often down to vulnerabilities caused by businesses implementing AI systems without sufficient consideration of security.
“Insider threats, whether accidental or malicious, have always been a factor in cyber incidents and data breaches,” says Sharp.
“But shadow AI – the unauthorised use of AI tools by employees – is growing into a massive problem. Individual staff members are copying confidential data into AI systems – information they would never put into Google – without understanding the risks and without guidance from their organisation.
“Business leaders are telling us it’s keeping them up at night. Nearly half (43%) said employees accidentally exposing data or AI driven processes is the biggest cyber risk to their business, making it the top concern by quite a margin.
“In addition, many New Zealand and international organisations are implementing sanctioned AI tools without sufficient security governance and practices.”
A reported drop in cyber-attacks
There was a decline in the proportion of businesses reporting they’d been subjected to a cyber-attack: 44% in 2025, compared to 59% the year prior.
This seems to corroborate data from the National Cyber Security Centre’s (NCSC) Cyber Threat Report 2025, which recorded 5,995 incidents in 2024/25 compared to 7,122 in 2023/24.
Sharp points out that while the NCSC has reported that the quantity of incidents has been declining, the financial impact has been increasing. According to the NCSC, $12.4m in direct financial loss was reported in Q3 2025, up 118% from the previous quarter.
“Organisations need to work out a response strategy long before they’ve suffered an incident, and they need to spend time practising it. Who will manage the incident, who makes decisions according to the level of severity, and who, when, and how will you communicate with staff, customers, and regulators.
“Engaging with Government entities like the NCSC and the Privacy Commissioner isn’t just about being transparent. It also helps the New Zealand Government and businesses understand the scale and impact of this criminal activity.
“Many businesses agree. A third (36%) have called for mandatory reporting requirements for business impacted by major cyber-attacks, similar to what Australia has introduced.
“As challenging as it can be, it’s critical that business directors and officers recognise their accountability before they’ve been breached. There are many passionate and capable cyber security professionals in New Zealand who can guide effective business advice on cyber resilience.”
Personal information still the gold standard
As recent high-profile breaches have shown, personal information remains one of the key targets for cybercriminals. A fifth (17%) of businesses said personally identifiable information was accessed or stolen, and a similar number (21%) were worried about this stolen data leading to blackmail or extortion.
Concerningly, one in three businesses said they would be willing to pay a ransom to a cybercriminal.
“Nobody wants to be faced with a ransom demand, but they can appear to make the immediate problem go away,” says Sharp.
“However, once a ransom is paid, there’s no guarantee a cybercriminal will honour the deal. For instance, they might still re-sell any data they’ve stolen. Paying ransoms ensures extortion remains a reliable form of revenue for cybercriminals, and as long as it works, they will keep doing it.
“The best strategy is to work with the experts to build your cyber resilience, so you can continue operating and recover from an incident without having to give into criminal demands.”
The business costs of poor resilience
The costs – financial and otherwise – of suffering a cyber-attack cannot be understated. Nearly two-thirds (61%) of businesses that faced cyber incidents suffered a disruption to their business operations.
Cybercriminals are increasingly targeting supply chains, as disrupted operations can be effective leverage in ransom demands. This was demonstrated by the high-profile Jaguar Land Rover (JLR) cyber-attack in the UK last year. A fifth (20%) of New Zealand businesses said their supply chain was interrupted through a cyber-attack.
Several high-profile overseas examples from last year, such as the Asahi breach in Japan and Marks & Spencer in the UK, show the significant impact cyber-attacks can have on operations.
Other costs incurred by cyber-attack victims include insurance claims (17%), fines by a regulatory body (11%), and legal action (9%).
Where and when should Government step in?
Businesses also gave their thoughts on the role of Government in improving New Zealand’s cyber security posture. According to Sharp, cyber resilience is a matter of both business and national significance, and there is a real part for Government to play.
“New Zealand’s cyber security legislation lags far behind our global peers,” says Sharp.
“Following the JLR hack, the UK Government stepped in by underwriting a £1.5 billion loan. This was to prevent the failure of the huge ecosystem of small businesses, and protect the thousands of jobs, that make up JLR’s supply chain.
“A similar attack on New Zealand shores isn’t out of the question. How prepared are we, and are we investing enough into our collective cyber defence?”
The most requested form of Government support from businesses was more education programmes on cyber security best practice (38%). Businesses are also showing demand for harsher penalties and fines for business that fail to protect personal data (36%) and legislation to make it illegal to pay ransoms to a cybercriminal (27%).
Steps to resilience: What New Zealand businesses should focus on in 2026
1. Security starts at the top: Directors and executives are facing growing legal and commercial accountability for cyber resilience, as incidents can disrupt operations, damage trust, and carry increasing financial cost. Strong cyber security depends on risk awareness, informed decision-making, and confidence that controls are correctly specified and effective. Cybercrime is complex and ever changing – organisations must seek qualified advice and set clear expectations for suppliers to ensure cyber risk is being professionally managed.
2. Upskill your people for an AI-first world: Organisations need to update training, policies, and processes to reflect the evolving cyber threat of AI. Staff should understand how modern scams like vishing and deepfakes work and have clear guidance on acceptable AI use. Coding, supply chain, and data-handling practices must also be updated so data is properly classified and protected, and third-party use of AI with your data remains under your control.
3. Securing identity is key: Cloud services and remote working have removed traditional network boundaries. Attackers now target user identities instead of infrastructure, using highly targeted, AI-driven social engineering. Strong identity controls, such as phishing-resistant multi-factor authentication (MFA), least-privilege access, continuous verification, and robust password reset processes, can significantly reduce risk by preventing account takeover. Remember: most attackers don’t hack in, they log on.
4. Multi-layered protective and detective controls: Attacks typically string together a sequence of techniques, exploiting design flaws, code bugs, and pressured people. Organisations need a combination of layered security controls, validation of their effectiveness, appropriate monitoring, and practiced incident response.
Read the full report here.
