Media Release
 | 5 min read

Research shows half of surveyed Kiwi businesses suffered a cyber-attack in the past year

By  Kordia,
 21 March 2023

Independent research released by Kordia has found more than half (55%) of businesses surveyed with 100 or more employees suffered a cyber-attack or incident in the last year.  

Peter Bailey, Regional Cyber Security Business Manager at Kordia, says the research shows there is money to be made for cybercriminals targeting New Zealand. 
“New Zealand is not immune to the ravages of cybercrime. Our geographic isolation isn’t relevant when there is money to be made – we’re just as at risk as anywhere else in the world,” says Bailey.

“What that means is New Zealand organisations need to be well prepared to not only defend against incoming cyber-attacks, but also develop a response plan to ensure that if their organisation is successfully breached, they have the right things in place to recover quickly – ideally with their reputation and systems intact.”  


Top research insights:
•    55% of businesses surveyed were subject to a cyber-attack.
•    44% of business leaders say they would consider paying a ransom to a cybercriminal.
•    The top attack method is phishing which is responsible for more than 1/3 (37%) of attacks in the past 12 months
•    This is closely followed by third party cyber-attacks, and cloud misconfigurations and vulnerabilities - both at 28% 
•    Almost 1 / 4 of businesses attacked saw commercially sensitive data or intellectual property accessed or stolen 
•    1 in 5 said cyber-attacks caused a loss of future business or sales due to reputation damage
•    One in five businesses have no plan to deal with a cyber-attack.
•    Despite the success cybercriminals have had in New Zealand, five out of six (85%) businesses are confident in their cyber security safeguards.

Supply chains need more focus

Large businesses are feeling significant impacts from third-party cyber-attacks, with respondents reporting incidents coming through supply chain partners accounted for 28% of all attacks – second only to phishing.

“With business increasingly taking place online, there’s a complex array of third parties that enable digital operations to take place – from cloud and software vendors to online payment platforms and managed service providers. Many businesses entrust these third parties with access to their data and systems, but if they haven’t put the right cyber security measures in place, they could be putting your business at risk of a serious breach,” says Bailey.

“Businesses simply can’t afford to operate with a blind spot around their supply chain partners – they need absolute clarity around what third parties have access to, and the layers of security that exist around that access.”

Ransoms, fines, and legal action

The research shows New Zealand businesses leaders are willing to put their trust in cybercriminals. Nearly half (47%) of respondents believe it’s likely that cybercriminals will restore their data once a ransom is paid.

In New Zealand there is no penalty for paying a ransom, yet more than two thirds (68%) of large businesses leaders believe it should be illegal.

“The Government strongly recommends not paying, this is because there is no guarantee a hacker is going to comply even after they’ve been paid their ransom. They are criminals after all,” says Bailey.  

Bailey adds that nearly three quarters (73%) think we should introduce harsher financial penalties for businesses that fail to protect personal data. 

“For most businesses, the significant consequences of a cyber-attack are the disruption and productivity losses that come with being breached and operations being shut down. There is also the reputational damage that comes with being hacked and losing precious customer data or commercially sensitive intellectual property. 

“Further to this, many business leaders and board members across the country will be interested to see 7% of cyberattack victims are facing legal action by customers or other stakeholders. 

“There is a long, unpleasant list of consequences. It’s important all New Zealand businesses understand this and make cyber security an integral part of their business strategy,” says Bailey.

Confidence in the face of threats

Despite the number of businesses being successfully attacked, five out of six (85%) businesses are confident in their cyber security safeguards. Bailey says this is an interesting statistic. 

“Our research suggests there is a sense of confidence in the face of growing threats – with the vast majority of business leaders indicating that they feel confident that they have the right safeguards in place to protect their data. Confidence is particularly high among those who have experienced a threat or attack in the past, which could indicate that resilience is being taken seriously,” says Bailey.

“However, adversaries are continually adapting their attack methods, so it’s important that Kiwi organisations don’t rest on their laurels. Cyber security is a continuous exercise and needs to evolve to meet any operational changes. Yet there’s some evidence to suggest we’re slipping in this area - almost half of respondents have relaxed their cyber security to boost productivity in the past 12 months.”

“Another major concern is nearly one in five large businesses don’t have a cyber security awareness or training programme for employees. Given the continuously high volumes of phishing attacks, it’s no surprise that this remains a high risk for organisations with employees at risk of clicking on malicious links that grant access to threat actors." 

You can download the full cybersecurity research report here -