The fantasy versus the spreadsheet
If your board has a cyber recovery plan, there is a better than even chance it is fiction. Not because it does not exist on paper, but because the assumptions underpinning it bear no relationship to reality.
A Commvault study of 408 ANZ business leaders found 80% expect their systems restored within five days of a cyberattack. Nearly a quarter believe they could be back up in a single day. IT leaders at the same organisations paint a starkly different picture: a minimum of four weeks for operational recovery, with 55% requiring more than a week just to restore key functions. Twenty percent report average recovery times of 45 days.
That is not a rounding error. It is a boardroom operating on assumptions that would collapse on first contact with an actual incident.
Fewer attacks, bigger damage
Kordia’s 2026 NZ Business Cyber Security Report found 44% of large businesses were successfully attacked in the past year, down from 59% the year before. That sounds like progress until you look at the financials. Financial extortion rose to 19% of affected businesses, up from 14%. Of those who received ransom demands, 42% paid. A further 32% said they would consider it.
The NCSC’s own data confirms the trend. Direct losses totalled $26.9 million in 2024/25, up from $21.6 million, even as total incident reports fell from 7,122 to 5,995. Attackers are getting more selective and more effective. In Q3 2025 alone, the NCSC reported $12.4 million in losses, up 118% from the previous quarter.
Plans that have never been opened under fire
Having a response plan is not the same as having a tested one. Seventy percent of ANZ organisations claim to have incident response plans, but only 30% regularly test all mission-critical systems. Among those who were hit, 74% experienced data exfiltration and only 32% recovered 100% of their data.
Kordia’s data is equally blunt: 61% of affected businesses suffered serious operational disruption, 20% saw supply chain interruption, and a third estimated full resolution took more than two months. A third doubted they could recover from a major attack at all.
Patrick Sharp, General Manager of Kordia-owned Aura Information Security, puts it plainly: “Organisations need response strategies practised long before incidents occur, including assigned roles, decision-making thresholds, and communication plans.”
The people who would execute the plan are burning out
Datacom’s State of Cybersecurity Index found 71% of security leaders believe employees are adequately informed about cyber risks. Only 51% of employees agree. That perception gap matters because these are the people who would actually execute a recovery. Worse, just 26% of NZ security leaders have business continuity plans in place, compared to 38% in Australia.
The staffing picture is dire. Sixty-one percent of NZ security teams are experiencing cyber burnout. Cisco’s Cybersecurity Readiness Index found 85% of NZ organisations reported a shortage of skilled people, with 42% carrying more than 10 vacant cyber security positions. Just 2% achieved a mature cybersecurity readiness rating, below the already grim 3% global average.
AI is widening the gap from both sides
On offence, more than 80% of phishing emails now contain AI-generated content, and phishing volumes have increased 1,200% since 2022. Internally, 43% of businesses now identify employees accidentally exposing data through AI-driven processes as their biggest cyber risk.
On recovery, AI makes things worse, not better. Fastly’s research found AI-first businesses take nearly seven months on average to recover from a cybersecurity incident, roughly 100 days longer than non-AI-first organisations. The attack surface is growing faster than the capacity to defend it.
Personal liability is coming
The Institute of Directors warns that 19% of NZ businesses say cyber security is not perceived as an important risk area by their board, and only 50% of boards receive independent assurance over cyber resilience annually. The 2026 NZ Government Cyber Security Strategy signals a shift toward treating cyber resilience like health and safety, with potential criminal liability for directors up to $500,000 and corporate penalties up to 2% of turnover or $5 million.
For boards still treating cyber as an IT problem, the maths is about to change. A five-day recovery fantasy written into a business continuity plan will not hold up as a defence when the actual downtime stretches to six weeks, the data is gone, and the regulator wants to know what the board knew and when. The window to close the gap between the plan and reality is narrowing fast.
Sources
- IT Brief NZ: ANZ businesses overestimate cyber readiness amid resilience gap (2025)
- RNZ: One in two large businesses successfully attacked by cybercriminals in last year (2025)
- Kordia: Biggest AI cyber threat may be coming from inside your business (2025)
- Scoop/Kordia: Staff AI misuse now key cyber risk for NZ firms (2025)
- RNZ: Companies and organisations underprepared and overconfident, says cyber security firm (2024)
- IoD NZ: The results are in – cyber resilience must be a boardroom issue (2025)
- IT Brief NZ: AI-first firms hit by slower, costlier cyber recoveries (2025)