The biggest risk factor is sitting in a coffee shop
When Cisco surveyed organisations for its Cybersecurity Readiness Index, 84% cited remote login as their highest risk factor. Not ransomware. Not nation-state actors. The simple act of staff opening laptops in cafes, airports, and living rooms and connecting to whatever network is available.
Cisco’s director of cyber security for Australia and New Zealand, Corien Vermaak, was blunt: “The fact that people can log in from home and from the coffee shop has become a major concern.”
This should alarm every business owner who has normalised hybrid work without hardening the security around it. The tools to fix it are cheap. The cost of not fixing it is not.
What actually happens on public Wi-Fi
CyberCX senior manager of security Jed Laundry breaks public Wi-Fi threats into three categories: passive interception, where attackers observe device identifiers and unencrypted traffic; active interception, where encrypted traffic is broken to capture session data; and active exploitation, where device misconfigurations are targeted directly. The first is common. The second is growing. The third is becoming easier as attack tools proliferate.
Attackers also set up fake networks mimicking nearby businesses. Norton’s research on New Zealand behaviour found two-thirds of 1,000 surveyed Kiwis had logged into email, social media, or banking from public hotspots. About 200 admitted submitting credit card details over public networks. Only 14% used a VPN, and nearly half had never heard of one.
Norton’s Mark Gorrie described the classic man-in-the-middle attack: “Someone is essentially looking at that traffic. Because a lot of what you’re sharing is unencrypted, that does present a security risk.” Reliance Networks notes these setups are well-documented in cafe and coworking environments.
Netsafe’s chief online safety officer Sean Lyons warns that small businesses are not exempt simply because they are small: “The data they store is of value to other people.” Attackers cast wide nets. They do not check your revenue before compromising your credentials.
The numbers are getting worse
CERT NZ’s Q1 2024 report recorded 1,537 incidents with direct financial losses of $6.6 million, an 84% increase from the previous quarter. Phishing and credential harvesting accounted for 699 incidents, or 36% of all reports.
By Q3 2024, incident volumes surged to 1,905 reports, up 58% from Q2. Phishing climbed 70%. Unauthorised access rose 80%.
The NCSC’s annual figures put total reported losses at $21.6 million for 2023/24, with a cumulative $121 million since 2017. Both agencies consistently note that cybercrime is significantly underreported. The 2025 Cyber Threat Report found the NCSC dealt with roughly one incident per day with potential to cause national harm.
Meanwhile, only 2% of New Zealand organisations achieved a “mature” cybersecurity rating, below the global average of 3%. Some 85% reported a shortage of skilled cybersecurity personnel.
No MFA probably means you are already breaching the Privacy Act
Grant Thornton’s analysis is stark: “Without MFA, you’re probably in breach of the Privacy Act.” The Office of the Privacy Commissioner recommends multifactor authentication for all organisations regardless of size. If an unauthorised party accesses business data and MFA was not in place, penalties start from $10,000 and have reached over $168,000. That is before incident response costs, legal fees, and client notification.
Microsoft’s own data shows MFA blocks more than 99.9% of account compromise attacks. It is free or near-free on most platforms. The barrier is not cost. It is management discipline.
Grant Thornton identifies the cultural root: “We wait until there’s been a breach before we take the risk seriously.” A pervasive “she’ll be right” attitude toward passwords and authentication persists across Kiwi businesses. More than 35% of breaches involve third parties, meaning your exposure extends to every supplier and contractor connecting to shared systems from unsecured networks.
Mobile data is cheaper than a breach investigation
The NZITF’s Barry Brailey notes that many remote work security setups were never properly designed. They were temporary COVID-era fixes that became permanent without being hardened.
CyberCX’s Laundry adds a critical nuance: consumer VPNs like NordVPN or ExpressVPN may not reduce risk at all. “You’re not actually reducing any of these risks, you’re just moving them around, because the same techniques could be used by the VPN provider.” His firm’s own policy is that staff use mobile data rather than public Wi-Fi. The reasoning is simple: “The cost of providing mobile data is less than the cost of investigating potential incidents and responding to breaches.”
The practical checklist for any business owner is short. Issue staff mobile data plans or hotspots. Require corporate VPN for remote access. Enforce MFA on every application. Formalise the policy so compliance is not optional.
Grant Thornton’s framing deserves the last word: “Whatever you save by not investing in cybersecurity will be a drop in the ocean if your organisation experiences a major data leak.” Every unsecured cafe session is a bet that your business will not be the next statistic. The odds are shortening every quarter.
Sources
- RNZ: Companies and organisations underprepared and overconfident, says cyber security firm (2024-04-03)
- CyberCX: Is it safe to use public Wi-Fi networks?
- RNZ: Public wi-fi ‘represent a security risk’
- RNZ: Small businesses not exempt from cyber-attacks, internet watchdog Netsafe says (2025-05-19)
- Reliance Networks: Securing the ‘Third Place’ Office
- Grant Thornton: Privacy Act – One small tweak that can make a big difference
- Grant Thornton: NZ’s cyber wake-up call – Is your business at risk?
- NZITF: Cyber hygiene more important than ever