Your Business Is Connected to Everything – Is It Protected?

Most cybersecurity advice starts with a scary statistic or a dramatic story. We’re going to skip both — because the real issue facing New Zealand businesses isn’t awareness. You already know cybercrime is rising. You’ve seen the headlines.

The issue is the gap between knowing it’s a problem and understanding exactly where your business is exposed. That gap is what this article is about.

Your Security Setup Is Probably Solving Yesterday’s Problem

The way most New Zealand businesses are protected today reflects how they operated three to five years ago — not how they actually work now.

Three years ago, your team worked from a single location on company-owned devices, connected to a single network. Your IT setup was built around that reality. Then, remote work became normal. Cloud platforms replaced local servers. Staff started using personal phones for work email. Suppliers got remote access to your systems. Third-party apps got connected to your Microsoft 365 tenancy one by one, often without a formal review process.

The security infrastructure that made sense in 2020 was never updated to reflect any of that.

This is the most common vulnerability we see across Auckland businesses — not a lack of tools, but tools that solve problems that no longer match the shape of the business. Your firewall is guarding a perimeter. Most of your data no longer crosses that perimeter.

The Part of Your Attack Surface Nobody Reviews

Businesses instinctively think about their own systems when they consider cyber risk. Rarely do they think about everyone connected to those systems.

Every supplier, contractor, cloud platform, and third-party application that touches your business data is part of your attack surface — whether you manage their security or not. An attacker who finds your own defences solid will look for a weaker entry point nearby. A supplier with poor security practices. A contractor whose access was never revoked after a project ended. A forgotten app still connected to your core systems with permissions nobody remembers granting.

This is called supply chain risk, and it’s disproportionately underestimated by small and medium businesses in New Zealand. The assumption is that supply chain attacks happen to large enterprises. In reality, smaller businesses are frequently the target of supply chain attacks precisely because they’re connected to larger organisations — and are the softer entry point.

A useful audit to run right now: open your Microsoft 365 admin panel, navigate to integrated apps, and count how many third-party applications have active permissions. For most businesses, this number is higher than expected, and several will be unrecognisable.
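The same inventory can be scripted instead of counted by hand. This is an added example, not code from the original article: it assumes app and consent records exported in the shape Microsoft Graph returns for servicePrincipals and oauth2PermissionGrants, uses constructed IDs, app names and a constructed REVIEW_SCOPES list, and covers delegated permissions only.

```python
# Added example (not from the original article). Record shapes follow Microsoft Graph
# servicePrincipals / oauth2PermissionGrants; all IDs, names and scope lists are constructed.
OUR_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed tenant ID

# Assumed review list: delegated scopes that reach mail, files or directory data.
REVIEW_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                 "Directory.ReadWrite.All", "offline_access"}

SERVICE_PRINCIPALS = [  # constructed sample export
    {"id": "sp-1", "displayName": "Company Intranet", "appOwnerOrganizationId": OUR_TENANT},
    {"id": "sp-2", "displayName": "PDF Merge Free",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"},
    {"id": "sp-3", "displayName": "Meeting Notes Bot",
     "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333"},
]
GRANTS = [  # constructed sample export; "scope" is a space-separated string
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Directory.ReadWrite.All"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": " Mail.Read offline_access User.Read"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-7",
     "scope": "User.Read Calendars.Read"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-9",
     "scope": "User.Read"},
]

def audit_third_party_apps(service_principals, grants, our_tenant):
    """One row per app owned by another tenant that holds a delegated grant."""
    # Apps published by Microsoft also have a foreign owner tenant; filter as needed.
    external = {sp["id"]: sp["displayName"] for sp in service_principals
                if sp.get("appOwnerOrganizationId") != our_tenant}
    rows = {}
    for g in grants:
        if g["clientId"] not in external:
            continue
        row = rows.setdefault(g["clientId"], {"scopes": set(), "users": set(), "tenant_wide": False})
        row["scopes"].update(g["scope"].split())
        if g["consentType"] == "AllPrincipals":   # admin consented for every user
            row["tenant_wide"] = True
        elif g.get("principalId"):
            row["users"].add(g["principalId"])
    report = [{"app": external[sp_id], "tenant_wide": r["tenant_wide"],
               "user_count": len(r["users"]), "scopes": sorted(r["scopes"]),
               "review": sorted(r["scopes"] & REVIEW_SCOPES)} for sp_id, r in rows.items()]
    # Tenant-wide consent first, then the apps holding the most sensitive scopes.
    report.sort(key=lambda r: (not r["tenant_wide"], -len(r["review"]), r["app"]))
    return report

if __name__ == "__main__":
    for r in audit_third_party_apps(SERVICE_PRINCIPALS, GRANTS, OUR_TENANT):
        where = "all users" if r["tenant_wide"] else f"{r['user_count']} user(s)"
        print(f"{r['app']}: {where}; review {r['review'] or 'none'}; all {r['scopes']}")
```

Apps that surface at the top of the report with tenant-wide consent and mail or file scopes are the ones to identify an owner for first.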

Three Things Worth Doing That Most Businesses Haven’t

Separate your admin credentials from your daily-use account. Most business owners and IT managers use the same account for everything — reading emails, approving documents, and performing system administration. This means a single compromised password gives an attacker both your inbox and full administrative access to your environment. Maintaining a separate account used exclusively for admin tasks is a low-cost, high-impact change that significantly limits what an attacker can do with stolen credentials.

Write down what happens in the first hour of an incident. Not a full incident response plan — just the first hour. Who gets called? Who has the authority to take systems offline? Where are the backup credentials stored? What’s the IT support number? Most businesses have no answer to these questions until they need them urgently, which is the worst time to figure them out. A single page covering the first sixty minutes of response is more valuable than a comprehensive plan that exists only in theory.

Test your backup recovery, not just your backup. Running a backup and recovering from a backup are two different things. Many businesses discover their recovery process is broken, incomplete, or takes far longer than expected — just when they actually need it. A quarterly restore test, where you recover real data from your backup to confirm the process works end-to-end, costs an hour and provides genuine confidence rather than assumed confidence.

The Distinction Between Security and Resilience

These two words are used interchangeably, and they shouldn’t be. Security is about preventing incidents. Resilience is about how quickly you recover when prevention fails.

Both matter. But for most NZ small businesses, resilience is the more neglected of the two. There’s a tendency to invest in prevention tools — firewalls, antivirus, email filters — and assume that covers the problem. It covers part of the problem. What happens after an incident determines whether it’s a contained disruption or an existential one.

Resilience looks like tested backups, a documented response process, a support relationship where someone already knows your systems, and cyber insurance that actually covers your exposure. None of these is glamorous. All of them are what separates businesses that recover in hours from businesses that recover in weeks — or don’t fully recover at all.

The Question Worth Asking Before Something Goes Wrong

Not “are we protected” — that question almost always gets answered with false confidence.

The better question is: if something went wrong at 9am tomorrow, what would the next four hours look like?

If the honest answer involves uncertainty about who to call, whether the backups work, or how long it would take to get systems back online — that’s the gap worth closing. Not with panic, but with a straightforward conversation about what your business actually needs versus what it currently has.
