IT Brief New Zealand - Technology news for CIOs & IT decision-makers
New Zealand

Guides

#
artificial intelligence
#
digital transformation
#
disaster recovery
#
hybrid & remote work
#
internet of things

Search

Shadowy figure computer dark office digital locks warning cyber threats nz businesses
#
Ransomware
#
Advanced Persistent Threat Protection
#
Breach Prevention

Hidden cyberattacks & ransom threats rising for NZ businesses

Thu, 20th Nov 2025
Author image
By Catherine Knowles, News Editor

New Zealand businesses may be facing a much higher risk from cyberattacks than they realise, with many incidents occurring out of public view, according to NSP. The company warns that while some high-profile incidents attract national attention, the overwhelming majority of attacks never make headlines, leaving business leaders unaware of the threats they face.

Underreported attacks

NSP's Chief Information Security Officer, Geordie Stewart, says that the number of cyber incidents that become public represent only a fraction of the true figure. "For every cyber incident that makes the news, we believe at least ten more occur quietly," said Stewart, Chief Information Security Officer, NSP. "Some are handled internally, some resolved with external incident responders, and others are settled through ransom payments that never see daylight. Which means business leaders are making decisions about their security posture based on about 10% of the actual data."

Many incidents are resolved privately as organisations focus on containing damage and restoring operations, often with little to no external disclosure. Stewart notes that this tendency to avoid publicity creates an incomplete national picture of the actual cyber threat environment.

"CERT NZ does important work, but not every incident is reported to them, so the government cannot see the full picture," said Stewart. "We routinely see critical events that never appear in any public dataset. That invisibility creates a false sense of security across the market."

Ransom payments increasing

NSP's work indicates that ransom payments-often relating to ransomware attacks-are far more common in New Zealand than many business leaders believe. These payments are frequently made under significant pressure when systems crucial to business continuity are offline.

"We're aware of multiple New Zealand organisations that have paid six or seven-figure ransoms," said Stewart. "They're often paid under extreme pressure when business-critical systems are offline and continuity is at stake."

The victims include a broad range of sectors from professional services and manufacturing to retail. Many of these businesses never expected to become a target. Because these cases rarely enter the public record, there is a persistent underestimation of both the frequency and potential severity of such incidents among the wider business community.

Reactive security culture

Stewart draws a comparison between approaches to risk management in New Zealand and overseas. He observes that NZ organisations tend to address cybersecurity reactively rather than proactively. "In Europe, risk management is generally treated as a cost-benefit equation," said Stewart. "Boards expect structured analysis, documented controls, and periodic reviews that drive measurable improvements."

"In New Zealand, we see a more reactive approach. Some organisations become complacent until something happens to them personally. Only then do they rapidly implement controls that had been recommended for months or even years," said Stewart.

Such a reactionary strategy increases the likelihood of avoidable breaches and financial losses, as controls are often established only in response to a specific incident that has already caused damage.

Assessing real risks

There is a shift towards structured, data-driven risk assessments among New Zealand boards. Stewart adds that the combination of global cyber insurance breach data and live incident response experience gives a clearer picture of which controls truly mitigate risk.

NSP's Cyber Risk Assessment framework features a 32-point control review across people, process, and technology. This approach prioritises factors like identity security, device health, backup integrity, and human-factor resilience-areas statistically shown to matter most for prevention and mitigation.

"These aren't theoretical controls," Stewart said. "They're drawn from real cases: what actually fails in the wild, and what actually stops breaches."

He notes that many organisations are surprised to learn that a small number of vulnerabilities are responsible for the majority of their cyber risk. "Once you see the data, the path to improvement becomes obvious. More importantly, you understand what you're actually exposed to, not just what feels risky," said Stewart.

Future outlook

"Cybersecurity doesn't need to be complicated," said Stewart. "But it does require realism, and that starts with acknowledging that far more is happening in this country than most people realise. The businesses that understand this, that treat security as infrastructure, not an optional extra, will have a genuine advantage. The ones that keep waiting will eventually be forced to deal with it under the worst possible circumstances."
Related stories
Lancom gains AoG status for New Zealand government IT
Anthropic expands Claude AI tools for health & trials
Top 10 data governance best practices to implement today
Coding jobs squeezed as AI reshapes developer roles
Dropzone AI hires leaders to drive EMEA & APAC push

Top stories

Google unveils open UCP standard for AI-driven shopping
Flora & Fauna customers fund greener parcel deliveries
Rubrik launches CXO Visionaries for cyber & AI leaders
AI value proving elusive for many Australian firms
Google debuts Disco to test AI-powered GenTabs apps