Is your construction business prepared for cyber risks?
Only 5% of businesses have cyber insurance, even though everyone is at risk of a cyberattack – and the cost of an incident can sink your entire organisation.

Hundreds of thousands of Kiwis have had their personal information accessed unlawfully, and some of it has been listed for sale on the dark web. Data breaches are being reported almost weekly, leaving everyday New Zealanders vulnerable to exploitation. And for the companies that have been breached, the result is significant reputational and financial damage.
It’s likely all the businesses affected will be investing heavily in cybersecurity right now, as they work to shore up the weak spots in their digital and physical infrastructure. Unfortunately, that’s an all-too-common problem in New Zealand: we wait until there’s been a breach before we take the risk seriously. This is very understandable, because it’s hard to justify investing in areas of your business that don’t make any money, particularly in tough economic times. Business owners naturally want to invest in boosting revenue, not on preventing what feels like an unlucky roll of the dice.
However, this recent spate of cyberattacks is not only about bad luck; it also reflects New Zealand’s track record of cybersecurity underinvestment and lack of regulation. Those of us in the industry know very well these factors have made Aotearoa an appealing target for threat actors. In addition, there’s sometimes a ‘she’ll be right’ attitude to passwords and multifactor authentication. You will almost certainly have experienced this at least once if you’ve worked in a few Kiwi businesses: “Just use my login, it’s my email address and the password is Admin2026.”
The data breaches we’ve seen in the first quarter of 2026 really drive home a couple of big lessons.
First, the breached companies were all in high-trust sectors holding the most sensitive types of personal information. This includes medical records, home addresses, and personal financial details.
Dealing in this type of information makes your organisation much more ‘ransomable’. The more sensitive the data your company holds, the more attractive a target it will be, and the more cybersecurity protections you need. Threat actors know a company will often pay a ransom to stop sensitive data being made public, but no company is going to pay a hacker to prevent people’s grocery lists or Temu orders being leaked.
These breaches also highlight third-party and supply chain risk. More than 35% of breaches involve third parties, according to SecurityScorecard’s 2025 report. Any third party connected to your systems presents a major risk. Is your IT supplier ISO 27001 compliant? Is your technology provider secure? What about your file transfer software? Are you using white-label products to provide file uploads and storage, or to survey customers? Your organisation is only as secure as your least secure third party.
The unpleasant truth is every business is always at risk, because it’s impossible to create a 100% guaranteed watertight online environment. As businesses evolve their security practices, the threat actors are always trying to stay one step ahead.
But you can make an enormous difference by moving cybersecurity investment up from the very bottom of your priority list.
The process starts with identifying your company’s vulnerabilities through cyber maturity assessments and/or penetration (pen) testing. An expert will look at where your existing security measures might need strengthening or extending. In a pen test, an independent team attempts to get into your systems, showing you where the weak points are and which parts of the system need shoring up. It can also involve red-team and scenario exercises, the equivalent of a fire drill, in which your company’s detection and response times are tested.
Alongside building stronger systems, you also need to plan in case a breach does occur. This can make a huge difference if you’re stung by a ransomware attack, for example. With no preparation in place, this can be an overwhelming and devastating experience. Should you fund the bad guys to regain control of your own systems? Ideally, you’ll never have to face that dilemma. Disaster readiness and business continuity planning can put you in a position of strength. If your systems are taken over, you can switch seamlessly to manual operations and data is all backed up so it’s never at risk of being entirely lost.
We have also found most Kiwi businesses need to do a better job of managing access to data. It’s essential the right people access the right data, only when it’s appropriate. No sharing logins, no logging in from unknown devices without checks, no unauthorised record changes.
One additional consideration: if your business processes debit or credit card transactions, you need to protect your customers’ card information in accordance with PCI DSS. This global standard is enforced by acquiring or merchant banks, with reporting requirements that vary according to the volume of card transactions and defined merchant levels. Alternatively, you can consider implementing a broader framework covering all your business data (which includes card information) to achieve SOC 2 compliance.
Finally, you also need to make sure your third-party providers are taking cybersecurity as seriously as, or even more seriously than, you are. When you’re looking for a new supplier that’s going to have anything to do with company systems, please don’t just pick the cheapest one.
New Zealand Inc has been underinvesting in cybersecurity for many years, so we will almost certainly keep seeing these breaches.
Unfortunately, whatever you save by not investing in cybersecurity will be a drop in the ocean if your organisation experiences a major data leak. The costs can be staggering, both direct and indirect, ranging from response costs to lost customers to legal fees. Cutting cybersecurity costs might be the most expensive way possible to save money. At least do an assessment and find out where your serious vulnerabilities lie, because doing nothing might result in your company hitting the headlines for all the wrong reasons.
If you only make one security tweak to your business, it should be this: turn on multifactor or two-factor authentication. Multifactor authentication (MFA) is a simple change that can massively improve data protection. Without it enabled, your business or Not for Profit organisation could be in breach of the Privacy Act, depending on the type of information you hold.

What is multifactor authentication?
Multifactor authentication means accessing a particular app or system requires more than one method of identification. Without MFA, you log on via one device, with a single set of credentials. MFA requires more from users, based on three factors:
- Something you have, like a smartphone or a secure USB key.
- Something you are, like a fingerprint or facial recognition.
- Something you know, like a password or PIN.
For example, to log into Xero online, you enter your email and password. With MFA, you then need to confirm your identity another way – such as on your phone via the Xero app. If MFA is enabled for Microsoft Outlook and you log on using a device that isn’t trusted, you will also need to enter a security code that has been sent to a trusted email account or phone number. Whether it’s a text code, a fingerprint or a phone confirmation, MFA ensures more than one ID method is required to get into your important data. Most platforms and applications give you the option to switch it on through your security settings.

It seems inconvenient – why would you bother?
Single-factor authentication can make it much easier for a cybercriminal to compromise your bank accounts, accounting software, or business systems from anywhere in the world. All they need is your email address and password, which might have been stolen or leaked, or gained through phishing. With two-factor authentication, it becomes exponentially more difficult for malicious users to get access to your systems.
According to Microsoft, there are more than 300 million fraudulent sign-in attempts on its cloud services daily: “All it takes is one compromised credential or one legacy application to cause a data breach.” It estimates that MFA can block more than 99.9% of account compromise attacks. If that seems too high, perhaps it is, but MFA is still highly effective; Google says its implementation of MFA halved the number of account compromises. When you have MFA enabled, it’s less concerning if your password is leaked or compromised. That alone won’t be enough to allow a hacker to gain access.

Without MFA, you’re probably in breach of the Privacy Act
The Office of the Privacy Commissioner recommends all organisations, regardless of their size, introduce MFA. When a breach occurs, one question often asked is whether an organisation has taken reasonable steps to protect the data it holds. If it is deemed the organisation did not take reasonable steps to protect its data, this could result in a breach of the Privacy Act. What’s reasonable depends on the size of the organisation breached and the scale and sensitivity of the data it holds. No matter how small your business or charity might be, it almost certainly holds some personal information. It might be as basic as a list of members’ names, phone numbers and email addresses. Or perhaps it’s a more complex customer management system that includes payment details, health information or biometric data. As such, implementing MFA is a no-brainer. Under the Privacy Act, every organisation or individual that holds data must collect it appropriately, keep it safe and allow the people it concerns to access it (for more details, read the Privacy Principles). The Office of the Privacy Commissioner describes two-factor authentication as a bare minimum for small businesses or organisations that hold digital information.
Without MFA in place, if someone unauthorised accesses your business data, you are likely to be in breach of the Privacy Act. This could lead to a penalty under the Act starting from $10,000; the most ever awarded is just over $168,000. The risks of a data breach go far beyond penalties, though. Your organisation may also experience potentially huge financial losses and reputational damage, and could be forced to shut down. We know of one instance where a small online business experienced a data breach, and the cost of remediation and compliance was so high that dissolving the business was the best outcome. Cyber incursions are such a significant risk it’s hard to overstate their potential impact – yet many organisations are unaware of their responsibilities and risks.

It’s all part of everyday risk management
Cyber security can feel like a particularly thorny specialist topic that sits outside business as usual. But there’s a better way to think about it: cyber security is simply another risk management activity. It’s not separate or unique or different to other risks in your business, so managing it should equally be an everyday task. This means switching on MFA and getting everybody using it automatically, as well as keeping up to date with software patches and managing passwords effectively. Simple steps like these go a long way to protecting your organisation from breaches. In some cases, you might need to switch platforms to be able to access MFA for your organisation. We also occasionally see small regional organisations in areas that are digitally excluded, which can make this tricky. There may be workarounds available, or alternative platforms that can help.

Create awareness and provide training
We know that it can feel inconvenient to add MFA to apps you use frequently. If those who use your systems don’t understand the importance of using MFA, they may find this extra effort irritating, or try to switch it off. It’s essential to have all users on board.
Education is the key – you need to explain to everyone why MFA is vital and why it is well worth the additional effort. You need to create awareness and provide training. According to research by Verizon, 82% of all cyber attacks “involved a human element”, and phishing scams still dominate social engineering attacks. We know that many small and medium enterprises and Not for Profits don’t have in-house IT and cyber expertise. However, being small or local doesn’t exempt you from the Privacy Act, so you still need to make the effort not only to enable MFA, but to understand your obligations under the Act, establish cyber security policies, and incorporate MFA into your overall approach to risk management.