Cyber Crime
OPINION: New Zealand started 2026 with a series of high-profile cyber incidents, including significant health organisations, popular online community platform Neighbourly and a Napier law firm.
Let’s be clear what this means. In each case, a criminal broke into a business and stole data that the business was trusted to keep safe. Data that belongs to a real person. Data that can now be used to victimise that person or target their friends and family. This is nothing new, nor is limited to a handful of companies.
Ten years ago, Kordia recognised that there was a lack of good information about the New Zealand cyber landscape, so we started surveying businesses about their experience.
Released in March, the Kordia NZ Business Cyber Security Report 2026 shows that nearly half of all New Zealand businesses reported a cyber incident in the past 12 months. And 19% of those suffered a data breach, like the businesses that made the news earlier this year.
It’s clear from the incidents and our survey that many New Zealand organisations are not prepared for a cyber incident. They are putting themselves at risk, they are putting your data at risk, and in some cases, they are jeopardising the collective safety of all New Zealanders.
The New Zealand Government formally recognised our current standing in cyber security by releasing the 2026 Cyber Security Strategy in February this year, as well as consultation on enhancing the cyber security of New Zealand’s critical infrastructure. These clearly recognise the problem, including our very poor standing compared to other countries, and put forward a series of actions for Government and business to protect people’s data and New Zealand.
I was recently invited on Radio New Zealand’s Nine to Noon to help unpack this. Below are some further thoughts from me on what this means for companies and directors in New Zealand, along with some insights from our 2026 survey.
Low resilience, low confidence
The new strategy is very welcome and long overdue. Our report found that 30% of businesses still lack the confidence to recover from a major cyber-attack, and a third of cyber incidents took more than two months to resolve. With 61% of businesses that were impacted by a cyber incident suffering a serious business disruption, the flow-on impacts on New Zealand’s economy can be significant.
This was demonstrated in the Jaguar Land Rover (JLR) hack last year, when the UK Government bailed the company out with a £1.5 billion loan, to protect the thousands of jobs and many small businesses that make up JLR’s supply chain. Is New Zealand prepared to do the same if a significant New Zealand business suffer a similar attack?
As the cyber threat landscape continues to evolve, and the operational and financial consequences continue to grow, it’s clear that cyber security needs to be treated as a business priority, not a tick-box for the IT department.
Kiwi businesses still caving in to ransom demands
As the Manage My Health breach showed, financial extortion is still a popular way for cybercriminals to get a pay day. That’s because it works.
Of the businesses in our survey that faced a ransom demand, nearly half (42%) paid that ransom. As long as this keeps happening, cyber criminals will continue to demand ransoms – and it sends a signal to criminals worldwide that New Zealand is open for business.
All organisations should expect to be the target of a cybercriminal, but what happens during an attack comes down to how well you are prepared. It is critical that you are seeking and following expert advice on cyber security. This includes having and practicing an incident response plan at an executive level. How you communicate with clients, regulators and the public has an extraordinary impact on your business’s reputation should an attack occur and your ongoing licence to operate if your clients lose trust in your ability to keep data secure.
Cyber resilience starts right at the top
While the same old attacks still work, the cybercrime threat landscape is rapidly deteriorating. Attacks on cloud infrastructure has been steadily increasing for years. Voice and video social engineering significantly increased last year, and successful attacks on AI systems have doubled since last year. These forms of attack are often much more impactful, because organisations don’t have the tools or processes to detect them early.
So what can businesses do?
Most attackers don’t break in, they log in and use your own accounts and tools against you. It’s critical that your business has strong identity and access control systems, and robust processes for ensuring change requests are legitimate.
AI tools can be useful, but there are risks both with staff using unsanctioned AI and the business creating AI tools that have not been subject to security oversight – such that 24% of our survey respondents saw this as their biggest risk.
But, most importantly, cyber security needs to be ingrained into organisational risk management as a top priority – not just an executive leadership level, but also in the boardroom. One in five respondents in our survey said cyber security is not seen as an important business risk area by their board. That needs to change.
And the Government agrees. Amongst an extensive programme of work for government agencies, their strategy proposes to introduce regulation for critical infrastructure companies and financial penalties for businesses failing to protect customers’ personal information from cyber threats.
The strategy is a good starting point. It recognises the problem we face, reflects the measures that our survey respondents wanted from Government, and gives notice to company directors and executives that they need to get their house in order.
New Zealand businesses will continue to be at risk of and face cyber-attacks. We can either respond reactively and as individual business, paying ransoms and scrambling through crises. Or we can invest now in the governance, skills and systems that make us genuinely resilient.
Right now, the evidence suggests we have much work to do.