New research reveals the scope of cyber threats to Kiwi businesses, with one in 10 admitting to paying a ransom in the wake of a cyber attack.
Email phishing has emerged as the major vector allowing malicious actors into the networks of New Zealand businesses, with 43 per cent of all cyber incidents gaining initial access via phishing.
On top of that, according to IT provider Kordia’s latest New Zealand Business Cyber Security Report, 59 per cent of businesses in the country faced some form of cyber attack in 2024.
Perhaps more worrying, 16 per cent of all attacks saw personally identifiable information compromised in some manner. Additionally, 22 per cent of attacks caused a business disruption.
Third-party hacks are also a common source of cyber breaches – 19 per cent of all attacks against New Zealand businesses originated somewhere in their supply chain.
According to Alastair Miller, principal security consultant at Kordia-owned Aura Information Security, artificial intelligence is one of the drivers behind the growing threat of phishing- and social engineering-based attacks.
“AI has lowered the cost of entry and time investment needed by cyber criminals to craft, refine and adapt social engineering campaigns,” Miller said in a statement.
“As a result, we’re seeing a surge of businesses reporting attacks involving sophisticated email phishing, something that we expect will continue to increase.”
The motivation behind the increasing attacks targeting businesses in New Zealand is largely financial.
“Money is the motivator. That’s why it’s unsurprising to see stolen personal information, IP, commercially sensitive data and business disruption among the list of impacts faced as a result of a cyber incident. These are all things that cyber criminals can leverage to put pressure on businesses to pay a blackmail or extortion demand,” Miller said.
Shadow AI a rising problem
While artificial intelligence certainly assists cyber criminals, Kiwi business owners are nonetheless overestimating the threat. Despite only 6 per cent of attacks being AI-generated, 28 per cent of businesses see AI-generated attacks as the major threat they’re facing in the cyber realm.
That said, the use of shadow AI is a cause for concern.
“Employees are either accessing AI tools like ChatGPT without company knowledge or are not following any guidelines around data management to prevent exposure of company data to AI training models, for example, by feeding the AI with commercially sensitive or private information,” Miller said.
The increase of built-in AI in many applications is another point of contention.
“Vendors are increasingly incorporating AI technologies into enterprise software and moving towards an ‘opt-out’ model, meaning their AI functionality is automatically switched on,” Miller said.
“So, businesses really need to have some sort of policy or guidelines around proper AI usage for their business because it is, in fact, becoming ubiquitous.”
One of the main drivers of this rise in attacks, however, is not based on AI attacks or advanced phishing techniques but a lack of investment in cyber security basics.
Sixty-seven per cent of New Zealand businesses have not performed any penetration testing in the last six months, while one in five fail to log or monitor network activity. Only 39 per cent of businesses conduct risk assessments, and 26 per cent don’t have any formal training or awareness programs in place.
“Cyber security works best with a layered approach – so if one control fails, there is another in place to continue protecting your most important data and systems. For example, having multifactor authentication on logins is one simple way to add an extra layer of defence against identity attacks,” Miller said.
Identity management is another friction point, with one-third of businesses unaware if they employed a single source of identity management.
“We know that cyber criminals often log in with stolen credentials rather than hacking their way into your business, so having a single source of identity management, for example, would significantly reduce the likelihood of an attacker slipping in unnoticed,” Miller said.
Kordia’s research is based on polling of 295 businesses with more than 50 employees.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.