Small and medium-sized enterprises (SMEs) in New Zealand are underestimating their vulnerability to cyberattacks, even as they become primary targets for cybercriminals. Despite the growing risks, many businesses are not adequately prepared to defend against potential breaches, leaving them exposed to costly consequences.
Recent data from the National Cyber Security Centre (NCSC) reveals that a staggering one in three SMEs has experienced a cyberattack in the past six months. Even more concerning is that nearly 50% of all cyber incidents in New Zealand are aimed at small businesses. With an average data breach costing SMEs NZ$173,000, these incidents can have crippling financial consequences for small businesses operating on tight margins.
While awareness of cybersecurity is growing, many SMEs are still not treating it as a top priority. NCSC’s 2024 SME Behaviour Tracker highlights that only 55% of New Zealand’s small businesses consider cybersecurity a critical concern. Even fewer—less than half—feel prepared to handle a potential cyber incident.
“SMEs don’t know where to start when it comes to cybersecurity,” said Michael Jagusch, NCSC’s director of mission enablement, in a statement. A key issue is that small-to-medium business owners are busy with day-to-day operations, and cybersecurity often takes a backseat until it’s too late.
The NCSC’s findings are backed by research from AMI Insurance, which shows that 73% of small business owners are concerned about cyber threats, yet only 37% plan to enhance their cybersecurity measures in the next 12 months. Many owners mistakenly believe they are too small to be targeted or that they can recover quickly from an attack. This overconfidence leaves them exposed to preventable threats.
A recurring theme among SMEs is the tendency to take action only after a cyberattack has occurred. NCSC’s research shows that 57% of businesses made improvements to their cybersecurity following an attack. In contrast, just 27% of those that had not been attacked took proactive steps to protect their systems.
“Many small business owners are focusing on the ambulance at the bottom of the cliff, rather than building the fence at the top,” Jagusch warned. This reactive approach not only heightens the risk of future attacks but can also lead to significant business disruption.
The risks are exacerbated by poor cybersecurity practices across many SMEs. NCSC’s data shows that 35% of businesses do not regularly back up their data, and 23% fail to update their software, leaving critical systems exposed to attacks. These gaps can be costly, especially given the rapid evolution of cyber threats.
One of the main barriers preventing SMEs from investing in stronger cybersecurity measures is cost. AMI’s research found that 40% of small business owners cite financial constraints as the reason for not upgrading their security. For many, the decision to prioritise core business operations over cybersecurity appears necessary, even as the risks grow.
Despite the financial concerns, cybersecurity experts continue to emphasise the importance of proactive investments in this area. “Although many small business owners think they don’t need to up their cyber security, or that they won’t be significantly impacted, it’s clear that in this digital age, they may be leaving themselves exposed, and the risk is only growing as we conduct our lives and businesses increasingly online” said Paula ter Brake, AMI’s executive general manager for consumer brands.
In response to the growing threat, the New Zealand government and industry bodies are stepping up efforts to support SMEs. The NCSC’s “Own Your Online” initiative provides free tools and advice to help small businesses assess their cybersecurity and identify areas for improvement. This includes a tailored online assessment tool designed to give businesses a customised action plan for boosting their cyber resilience.
Meanwhile, insurance companies like AMI have rolled out cybersecurity insurance products tailored specifically to SMEs. These products offer support for incidents such as ransomware attacks and phishing schemes, as well as access to IT professionals who can help businesses recover quickly after an attack.
Larger regional trends also suggest that SMEs will need to strengthen their defences. In Australia and New Zealand, 88% of chief information officers expect cybersecurity to see the largest growth in technology investment by 2025, driven by increasing regulatory demands and high-profile cyber incidents.
As larger businesses ramp up their cybersecurity measures, SMEs risk becoming even more attractive targets for cybercriminals. The vulnerability of small businesses is growing in the digital age, and without proactive investments in cybersecurity, the financial and operational risks could be severe.
Cybersecurity is constantly evolving, and the risks are only going to increase as more business is conducted online. For SMEs, the message is clear: prioritising cybersecurity is no longer an option but a necessity for survival in an increasingly dangerous cyber landscape.
The growing number of attacks and rising financial costs serve as a stark reminder for New Zealand’s small businesses to act now—before it’s too late.