Cybersecurity is an ongoing challenge for New Zealand businesses of all sizes.
Data from the National Cyber Security Centre1 suggests that more than half of New Zealand businesses are experiencing cyber threats, and scams and frauds are on the rise.
The financial loss to New Zealanders due to online security threats last year was around $1.6 billion – and we know cybersecurity issues are underreported.
It’s why Cyber Liability Insurance, paired with robust cyber security measures is so important. Delta’s cyber policy provides policyholders with wraparound services that minimise the risks of a cyber-attack on businesses.
Cyber-attacks can cost companies thousands in lawyer fees, ransoms and reputational damage. While insurance is there to help protect businesses against these costs, more can be done to minimise the risks and to save money, stress and time in the event of a cyber-attack.
So which threats should New Zealand business be on the lookout for in 2025?
Cybersecurity risks on the rise
Our Cyber underwriting and cyber insurance claims experts aren’t seeing entirely new threats. What they have noticed that ‘old crimes’ are becoming more sophisticated with new technology, and it’s catching businesses out.
Social engineering, upgraded
Artificial Intelligence (AI) is making ‘old-fashioned’ scams and frauds harder to detect. Poor grammar is no longer a good indicator of a scam email and AI is even being used to create deepfakes of CEOs and stakeholders to trick staff into handing over more data, sharing sensitive information or authorising payments.
System hacks
System hacks, where hackers gain unauthorised access or control over a computer system, are still one of the most common cyber-attacks we see. Often, system vulnerabilities are exploited so that hackers can steal important information (like customer data) and sell it on the dark web.
Poor response times
Endpoint Detection and Response (EDR) can sometimes generate false positives, but each alert or potential threat should still be carefully analysed. We’ve noticed that some vendors/External Service Providers (ESPs) or EDR users have not responded to EDR alerts quickly enough, resulting in avoidable breaches. This highlights a growing trend of over-reliance on third-party services, which can leave gaps in protection.
What is EDR?Endpoint Detection and Response (EDR) is a cybersecurity technology which monitors endpoints – physical devices connected to a network such as desktops and laptops – for evidence of threats. EDR technology is a step up from antivirus technology. EDR can monitor endpoints, hunt for as-yet-unknown threats, and automatically quarantine or remediate the threat before it spreads. While it is powerful technology, it is not a silver bullet and shouldn’t be used like a ‘set-and-forget’ system. Businesses should have more than one line of defence against cyber-attacks. |
Five tips for protection against cyber attacks
1. Check Multi-Factor Authentication (MFA) is applied everywhere |
MFA has been around for decades, but many companies have inconsistently applied it. Weak spots could be work-from-home laptops accessing the system or external project management software. MFA offers an extra layer of security. Even if a hacker gets hold of a password, they’re less likely to be able to access systems and information because they’re unlikely to be able to meet the second authentication requirement. NZ companies should ensure they’ve got MFA applied as a compulsory measure on all system access points. Providing staff with a password manager tool that works for them can help improve MFA compliance. |
2. Audit systems regularly |
Businesses should audit their systems regularly and ensure that all software, like operating systems, firewalls and routers, are patched and updated. Third-party providers, such as Managed Service Providers (MSP), should also be audited to ensure the company is still getting the best services. Look at what services the MSP offers and understand the limitations of liability. While many NZ businesses don’t have a lot of leverage here, asking questions and understanding what services are (and are not) included can go a long way. The short version: keep providers honest and take a hands-on approach to cyber security. Independent security assessors can assist here. |
3. Implement and test backups |
Ransomware attacks happen frequently, and they can have a huge impact on an organisation. Having (and testing) backups can minimise the problems caused by data and systems being stolen or disrupted. Ensure that data and systems are backed up offline. These backups should be current and highly organised so that the company can easily and cost-effectively restore lost data and get back to work as soon as possible. |
4. Run simulations |
Just as organisations run fire and earthquake drills, cyber simulations are a great way to test cyber readiness and preparedness. When a cyber-attack occurs, companies need to react quickly to reduce the potential damage. Running a simulation provides dedicated time to practice the company’s response in that situation. It is also an opportunity to check that manuals and contact details are up-to-date and practical. Scenarios could include:
Simulations enable the company to be battle-hardened against cyber attacks. It’s also an opportunity to educate the wider team – surveys suggest that NZ teams aren’t as cyber savvy as their IT and cyber security leaders think.2 |
5. Cyber security insurance |
Point five is, of course, cyber security insurance. Insurance shouldn’t be a company’s first line of defence, but it is a key part of an organisation’s cybersecurity system. Delta’s cyber liability insurance includes access to benefits such as 24/7 rapid response from IT security experts and access to our panel of risk management partners. While cybersecurity threats aren’t a new challenge, they are becoming more sophisticated and they’re costing New Zealand companies more. By being aware of the latest risks and tricks, and through taking regular action and precautions, businesses can reduce the risk and the costs associated with cyber-attacks. |
1 https://www.ncsc.govt.nz/news/
2 https://datacom.com/nz/en/discover/press-release/cybersecurity-index-reveals-dangerous-employee-disconnect
