What every New Zealand business owner needs to know about AI-powered attacks, ransomware, and the threats targeting your business right now.
2025 was a turning point for cybersecurity. For the first time, 75% of small and medium businesses now rank cyberattacks as their number one business risk, surpassing economic concerns.
The reason is simple: attacks are faster, smarter, and more automated than ever. AI isn't just a tool for defenders anymore. Criminals are using it to craft perfect phishing emails, clone voices in seconds, and automate entire attack chains from reconnaissance to data theft.
This report compiles the latest data from the world's leading cybersecurity research teams and New Zealand's own NCSC. Every stat is sourced. Every recommendation is actionable.
The biggest threats facing NZ businesses in 2026 aren't sophisticated nation-state attacks. They're AI-enhanced versions of basic attacks exploiting basic security gaps. The good news? Basic defences, properly implemented, still block the vast majority.
Losses to deepfake fraud in the US in 2025 alone were 3x the $360 million lost in 2024. Source: DeepStrike
An employee at international engineering firm Arup was invited to a video conference call with what appeared to be senior management. Every person on the screen was an AI-generated deepfake. The employee was instructed to transfer funds. The company lost $25 million before the fraud was detected.
1. Establish a code word between executives and finance staff for urgent requests
2. Always call back on a known number to verify any financial request
3. Implement a verbal verification policy for any transfer over $1,000
4. Train staff on deepfake awareness (15 minutes is all it takes)
5. Never rely solely on video or voice to authenticate someone's identity
Global ransomware damage is projected to reach $74 billion in 2026, up from $57 billion in 2025. By 2031, it's projected to hit $275 billion annually, with attacks happening every 2 seconds.
The ransomware business model has evolved. Attackers now use "double extortion" as standard: they steal your data first, then encrypt your systems, then threaten to publish the stolen data publicly unless you pay. Even if you pay, 93% of victims still have their data leaked.
- 83% get hit again
- 93% still lose their data
- Only 22% recover within 24 hours
- Average cost: $5.08 million
- Internal detection saves $900K avg
- AI/automation saves $1.9M vs non-users
- Proper backups = zero ransom
- Testing = known gaps fixed
1. Maintain offline, tested backups (the only guaranteed defence against ransomware)
2. Close exposed RDP ports immediately (the #1 ransomware entry point)
3. Patch critical vulnerabilities within 48 hours
4. Implement network segmentation to limit lateral movement
5. Have a documented incident response plan, and test it
27 seconds: the fastest observed breakout time in 2025, from initial access to full network control. Source: CrowdStrike 2026 Global Threat Report
CrowdStrike observed an attacker going from first foothold to controlling the entire network domain in 27 seconds. This is the speed AI-enabled attacks now operate at.
Palo Alto Unit 42 found the fastest cases went from initial access to data leaving the network in just 72 minutes. That's 4x faster than the previous year.
The average time for a cybercriminal to break out from their initial foothold and move laterally across the network dropped to 29 minutes in 2025 — 65% faster than 2024.
If an attacker gains a foothold in your network, you have minutes to detect and respond — not days. Manual detection alone is no longer sufficient. You need: proactive testing to find vulnerabilities before attackers do, monitoring and alerting to catch intrusions fast, and a tested incident response plan so your team knows what to do.
ManageMyHealth, the platform used by NZ medical practices for patient records, was hit by a ransomware attack in late December 2025. The "Kazu" group stole 108GB of data including clinical notes, lab results, vaccination records, and medical photographs. They demanded US$60,000 in ransom.
The Privacy Commissioner launched a formal inquiry. Multiple general practices across NZ were affected. The real cost will run into millions in legal fees, notification costs, and lost trust.
Under the Privacy Act, NZ businesses must report serious privacy breaches to the Privacy Commissioner within 72 hours. You must keep personal data secure against loss, misuse, and unauthorised access. Failure to do so can result in compliance notices, mandatory public disclosure, Human Rights Review Tribunal referral, and fines up to $10,000 per individual who obstructs investigations.
1. Enforce MFA: blocks 99.9% of automated credential attacks. Use app-based (not SMS). Enforce for all users, not just admins.
2. Test your backups: can you actually restore? Backups that exist but don't work are the same as no backups. Test a restore this week.
3. Find what's exposed: check if RDP, VPN, or admin panels are internet-facing. Use Shodan.io to see what's visible. Close or restrict immediately.
4. Patch fast: 42% of exploited vulnerabilities were weaponised before public disclosure. Automate patching where possible.
5. Review access: remove ex-employees, reduce admin accounts, apply least privilege. Identity is the #1 attack surface in 2026.
6. Lock down your email domain: prevents attackers from sending emails as your domain. Check with MXToolbox.com. Your IT person can fix this in 30 minutes.
7. Train your staff: security awareness training reduces phishing success by 86% after one year. Start with a 15-minute team session.
8. Set deepfake protocols: code words, callback procedures, and dual-approval for transfers over $1,000. The only reliable defence against deepfakes.
9. Write an incident response plan: a documented plan tested annually. Who calls who? Who pulls the plug? Who contacts the Privacy Commissioner? Don't figure this out during a crisis.
10. Get a penetration test: your IT team keeps systems running. A pentester finds what they miss. 90% of breaches exploited basic misconfigurations that testing would have caught.
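The email item in the checklist (stopping attackers from sending mail as your domain) comes down in practice to two DNS TXT records: SPF, which lists who may send for the domain, and DMARC, which tells receiving mail servers what to do with mail that fails the check. The Python below is an added example written for this page, not code from the report or from WeHack; it grades record text offline, the same text a lookup tool like MXToolbox or `nslookup -type=txt` shows you. The sample records, the domain example.co.nz and the pass/warn/fail thresholds are constructed assumptions.

```python
"""Offline grader for SPF and DMARC TXT records (added example, not from the report).

Paste the record strings a DNS lookup returns for "yourdomain" (SPF) and
"_dmarc.yourdomain" (DMARC) into the two constants and run the file.
"""
import re

# Constructed sample records for a hypothetical domain example.co.nz.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.co.nz"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.nz; pct=100"

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per record.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")


def assess_spf(record):
    """Grade an SPF record string. Returns ("pass"|"warn"|"fail", findings)."""
    if not record:
        return "fail", ["no SPF record: any server can send mail as this domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "fail", ["record does not start with v=spf1"]
    grade, findings = "pass", []
    # The last 'all' mechanism decides the fate of senders not listed earlier.
    all_terms = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t.lower())]
    if not all_terms:
        grade = "fail"
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            grade = "fail"
            findings.append("'+all' explicitly permits every sender on the internet")
        elif qualifier == "?":
            grade = "fail"
            findings.append("'?all' is neutral: unlisted senders are not rejected")
        elif qualifier == "~":
            grade = "warn"
            findings.append("'~all' is soft fail: move to '-all' once all senders are listed")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        grade = "fail"
        findings.append(f"{lookups} lookup terms exceed the limit of 10: receivers treat the record as a permanent error")
    return grade, findings


def assess_dmarc(record):
    """Grade a DMARC record string. Returns ("pass"|"warn"|"fail", findings)."""
    if not record:
        return "fail", ["no DMARC record: receivers have no policy for spoofed mail"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return "fail", ["record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "fail", ["missing or invalid p= tag: receivers ignore the record"]
    grade, findings = "pass", []
    if policy == "none":
        grade = "fail"
        findings.append("p=none only reports; spoofed mail is still delivered")
    elif policy == "quarantine":
        grade = "warn"
        findings.append("p=quarantine sends spoofed mail to junk; p=reject blocks it")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        grade = "warn" if grade == "pass" else grade
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        grade = "warn" if grade == "pass" else grade
        findings.append("no rua= address: you get no reports on who is spoofing you")
    return grade, findings


def assess_domain(spf_record, dmarc_record):
    """Combine both grades; the weaker of the two is the domain's overall grade."""
    order = {"pass": 0, "warn": 1, "fail": 2}
    spf_grade, spf_findings = assess_spf(spf_record)
    dmarc_grade, dmarc_findings = assess_dmarc(dmarc_record)
    overall = max(spf_grade, dmarc_grade, key=order.get)
    return overall, {"spf": spf_findings, "dmarc": dmarc_findings}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        grade, findings = assess_domain(spf, dmarc)
        print(f"{label}: {grade} {findings}")
```

The target state is `-all` on the SPF record and `p=reject` on the DMARC record with a `rua=` address so you see the reports; `p=none` and `?all` leave the domain as spoofable as having no record at all. DKIM signing is the third piece but lives on per-selector records and is not graded here.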
| Security Practice | Vulnerable Business | Protected Business |
|---|---|---|
| Authentication | Passwords only. MFA on some accounts. | MFA enforced everywhere. App-based, not SMS. |
| Patching | "We'll get to it." Weeks or months delayed. | Critical patches within 48 hours. Automated. |
| Access Control | Multiple global admins. Ex-staff still have access. | Least privilege. Quarterly reviews. Offboarding checklist. |
| Backups | Exist somewhere. Never tested a restore. | Automated. Tested quarterly. Offline copy. |
| Incident Response | "We'll figure it out if it happens." | Written plan. Team knows roles. Tested annually. |
| Security Testing | Never tested. "Our IT guy handles it." | Annual pentest by independent tester. Fix and re-test. |
| Staff Training | None, or one-off. "Don't click dodgy links." | Regular phishing sims. Deepfake awareness. Culture. |
| Monitoring | No logging. Can't tell if someone is in the network. | Audit logging. Alerts on suspicious activity. Someone watches. |
| Deepfake Defence | No protocols. No awareness. No training. | Code words. Callback verification. Staff trained. |
The gap between a vulnerable business and a protected one is rarely about money. It's about applying a handful of practices consistently. Most of the actions in this report are free. A penetration test costs a fraction of a breach. The question isn't "can we afford to test?" It's "can we afford not to?"
Cost of a breach:
- Forensic investigation: $15-40K
- System rebuild: $20-60K
- Legal & regulatory: $10-30K
- Business downtime: $20-80K+
- Reputation damage: Unquantifiable
- Total: $100K-$500K+

Cost of prevention:
- Security assessment: Free (ours is)
- Penetration testing: Varies by scope
- Staff awareness training: Often free
- MFA, patching, backups: Free
- Policy & governance: Time only
- Total: A fraction of a breach
Every stat in this report points to the same conclusion: the businesses that test their defences before an attacker does are the ones that survive.
20 questions. 4 minutes. Get your A-F grade across 6 security domains with a personalised radar chart, risk exposure in NZD, and a prioritised action plan.
Every business has different security challenges. Book a free 15-minute chat and we'll recommend the right approach, no obligation.
Mustafa Demirsoy
Founder & Hacker, WeHack
wehack.co.nz | info@wehack.co.nz | 022 091 7242
148 Durham Street, Tauranga 3110