If your Macs and iPhones could talk, would they say “secure, patched and productive”… or “we’ve been on holiday since 2022”? New Zealand businesses are seeing more cyber incidents every year, but most of the damage still comes from very fixable basics like patching, email security and unmanaged devices.

06 Mar 2026


Why NZ SMEs Are Now Prime Cyber Targets (And What ‘Good’ Looks Like)

If you’ve been assuming cyber threats are someone else’s problem — a big bank’s, a government department’s, a company with an actual IT department — this section is for you.

The bad news: SMEs are now in the front row

According to independent research from Kordia, 59% of New Zealand businesses experienced a cyber-attack or incident in 2024. Not 59% of Fortune 500 companies. Not 59% of government agencies. 59% of businesses — here, in Aotearoa, across all sizes and sectors.

Email phishing was responsible for around 43% of those incidents — meaning the most common attack vector is still people clicking things they shouldn’t. And the financial damage is stacking up fast: Kiwis lost an estimated $1.6 billion to online threats in 2024, with losses growing more than 90% in just 12 months, according to the National Cyber Security Centre (NCSC).

To put that in perspective — that’s not slow-burn growth. That’s a threat landscape that nearly doubled in a single year.

What makes this particularly uncomfortable for SMEs is that roughly one in three businesses that reported an incident experienced enough disruption to affect their actual operations. Not annoying spam. Not a minor inconvenience. Real downtime, real disruption, real cost.

And the cost? Recent research puts the average bill for a cyber incident on a New Zealand small business at somewhere between $19,000 and $21,500. That’s not an IT budget line — that’s a new vehicle for the business. Driving away. And not coming back.

The good news: most wins are boring and completely doable

Here’s the part nobody puts in the headlines: the vast majority of successful cyber attacks exploit basic, fixable gaps. Unpatched systems. No multi-factor authentication. Unmanaged devices. Email domains with no spoofing protection.

The controls that stop a significant chunk of attacks aren’t exotic or expensive — they’re just unglamorous:

  • Patch your systems — keep operating systems and critical apps up to date
  • Turn on multi-factor authentication (MFA) — especially for Microsoft 365 and any remote access
  • Manage your devices — know what’s out there, lock down what’s on them, and be able to wipe them if needed
  • Lock down your email — configure SPF, DKIM and DMARC so your domain can’t be spoofed by someone trying to impersonate you

The challenge for most SMEs isn’t knowing what to do — it’s having the time and resources to actually do it consistently. That’s exactly what Imagetext’s managed services are built around. You don’t need to hire a full-time Chief Information Security Officer. You just need the right partner making sure the boring stuff gets done, every time, without you having to think about it.

Three questions your GM, owner or board should be able to answer right now

You don’t need a deep technical background to pressure-test your cyber posture. These three questions cut straight to it:

1. “If someone lost a laptop today, could we lock it and wipe it remotely?”

If the answer is “I’m not sure” or “probably not,” your devices aren’t under management. That’s a significant exposure — especially with hybrid and remote work now the norm. (This is what Mobile Device Management, or MDM, solves.)

2. “Can someone send an email that looks like it’s from our domain, but isn’t?”

If you don’t have DMARC, SPF and DKIM configured on your email domain, the honest answer is yes — and criminals know it. Domain spoofing is one of the most common tools used in invoice fraud and phishing. (Ask us to run a free check on your domain.)

3. “If we were hit tomorrow, do we know whom to call first — and what we’d do in the first hour?”

An incident response plan doesn’t need to be 40 pages long. It needs to exist, be written down somewhere outside the compromised system, and include names and phone numbers. If your answer is “we’d figure it out,” that’s the plan that costs the most.
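Question 2 can be answered from two DNS TXT lookups. The sketch below is an added example, not an Imagetext tool: it grades the SPF record at the domain and the DMARC record at `_dmarc.<domain>`. The records, the domain example.co.nz and all function names are constructed for illustration, and DKIM is left out because checking it requires the sender's selector name.

```python
# Added example: all records below are constructed, not real lookups.
def parse_tags(record):
    """Turn 'v=DMARC1; p=none' into {'v': 'DMARC1', 'p': 'none'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(root_txt):
    """Review the TXT records published at the domain itself."""
    spf = [r for r in root_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record"]
    if len(spf) > 1:
        return ["SPF: multiple records, receivers treat this as an error"]
    terms = spf[0].lower().split()[1:]
    final = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not final and any(t.startswith("redirect=") for t in terms):
        return ["SPF: uses redirect=, review the target record"]
    if not final or final[0] in ("all", "+all", "?all"):
        return ["SPF: no ~all or -all, unlisted senders are not flagged"]
    return []

def dmarc_findings(dmarc_txt):
    """Review the TXT records published at _dmarc.<domain>."""
    recs = [parse_tags(r) for r in dmarc_txt]
    recs = [t for t in recs if t.get("v") == "DMARC1"]
    if len(recs) != 1:
        return ["DMARC: no single valid record"]
    policy = recs[0].get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return ["DMARC: policy is %s, not quarantine or reject" % (policy or "missing")]
    if recs[0].get("pct", "100") != "100":
        return ["DMARC: pct=%s enforces on only part of the mail" % recs[0]["pct"]]
    return []

def check_domain(root_txt, dmarc_txt):
    """Return (spoofable, findings); spoofable means DMARC is not fully enforced."""
    dmarc = dmarc_findings(dmarc_txt)
    return bool(dmarc), spf_findings(root_txt) + dmarc

# Constructed records for a hypothetical domain, example.co.nz
WEAK = (["v=spf1 include:spf.protection.outlook.com ?all"], ["v=DMARC1; p=none"])
STRONG = (["v=spf1 include:spf.protection.outlook.com -all"], ["v=DMARC1; p=reject"])

if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("strong", STRONG)):
        print(name, check_domain(*records))
```

Feed it the output of `dig +short TXT yourdomain` and `dig +short TXT _dmarc.yourdomain` to grade a live domain.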

Ready to find out where you actually stand?

Hit reply with ‘quick security sanity check’, and we’ll line up a free 30-minute review of your current protections and the top 3 low-effort improvements — no sales pitch, no jargon, just a straight conversation about what’s working and what isn’t.

Sources: Kordia NZ Cyber Security Report 2024; National Cyber Security Centre (NCSC) Annual Report 2024; NCSC SME Cyber Security Behaviour Tracker 2025.

Contact John Preisig 021965565 or email: John.preisig@imagetext.co.nz 

IMAGETEXT IT SPECIALISTS

Phone +64 9 623 3102

3 Owens Rd, Epsom, Auckland 1023, New Zealand 

www.imagetext.co.nz
