
The 10-Minute Security Check Every NZ Business Owner Should Do This Weekend

Five simple questions that reveal your biggest security gaps. No jargon, no tools required — just 10 minutes and honest answers.

24 February 2026 14 min read By Good Security

You Do Not Need to Be a Security Expert

The short version: 59 percent of NZ businesses experienced a cyber attack or incident in 2024, but the biggest preventable gaps come down to five yes-or-no questions you can answer in 10 minutes. Every gap you find is a gap that an attacker, insurer, or the Privacy Commissioner will find too; you found it first, and that means you can fix it on your terms. Book your free security health check to get a clear picture of where you stand. Read on for the five checks.

There is a persistent myth in cybersecurity that protecting your business requires deep technical expertise, expensive tools, and a dedicated team of specialists. For the majority of New Zealand businesses — the 530,000-plus small and medium enterprises that form the backbone of our economy — the biggest security improvements come from getting the basics right.

The challenge is that most business owners do not know which basics to focus on. Security advice tends to arrive as either vendor marketing dressed up as guidance, or dense technical frameworks written for practitioners with years of experience. Neither is useful when you are running a business and security is one item on a list of fifty competing priorities.

This article keeps the question simple: five yes-or-no checks. They require no tools, no technical background, and no more than ten minutes of honest reflection. These five checks cover the areas where preventable gaps most often show up — the kinds that lead to data breaches, regulatory penalties, insurance claim denials, and operational disruption.

The numbers make the case. According to the Kordia 2025 New Zealand Cyber Resilience Report, 59 percent of New Zealand businesses experienced a cyber attack or incident in 2024. CERT NZ recorded $7.8 million in direct financial losses to cybercrime in the first quarter of 2025 alone (CERT NZ, 2025). And 43 percent of attacks relied on email phishing as the primary vector (Kordia, 2025) — a technique that exploits people and processes, not sophisticated technology.

The most common attacks do not succeed because businesses lack advanced security tools. They succeed because foundational controls are missing. These five checks will tell you whether your foundations are in place.

Get a pen. Set a timer. Let us begin.

Check 1: Can You List Every System That Holds Customer Data?

The question: Right now, without checking, can you name every application, platform, database, spreadsheet, and cloud service that stores information about your customers, staff, or suppliers?

Why it matters: You cannot protect what you do not know you have. A data inventory is the starting point for every meaningful security and privacy activity — from access control to breach response to Privacy Act 2020 compliance. When the Office of the Privacy Commissioner asks what personal information you hold and where it is stored, "we are not entirely sure" is not an acceptable answer.

The reality is that data spreads further than anyone expects. Customer records live in your CRM, accounting software, email marketing platform, shared spreadsheets, and sometimes in personal devices or messaging apps. Staff records sit in payroll systems and managers' email folders. Supplier information is scattered across procurement tools and shared drives.

Only 31 percent of New Zealand small and mid-sized businesses have formal IT policies in place (ASI Solutions/NZ research) — and a data inventory is typically one of the first components of any policy framework. Without one, you are operating blind.

What "good" looks like: You maintain a documented list of every system that processes personal or sensitive information. For each system, you know what data it holds, who has access, where it is hosted, and whether it is covered by your backup and recovery processes. This does not need to be a complex database. A well-maintained spreadsheet is a perfectly acceptable starting point.

Score yourself: If you can produce this list within two minutes, or you know exactly where the document lives, give yourself a point. If you had to pause, guess, or realised there are systems you have not accounted for, that is a gap.

Check 2: Is Multi-Factor Authentication Turned On for Every Admin Account?

The question: For every account that has administrative or elevated privileges in your business — email admin, cloud platform admin, accounting software, website CMS, domain registrar — is multi-factor authentication (MFA) enabled?

Why it matters: MFA is one of the most effective single controls against account compromise. It means that even if an attacker obtains a password through phishing, credential stuffing, or a third-party data breach, they still need a second verification step before the account opens. For administrative accounts, which have the power to change settings, access all data, and create or delete other accounts, the stakes are especially high.

The Kordia 2025 report found that 43 percent of cyber incidents involved email phishing as the attack vector. Phishing is primarily a credential-harvesting technique: attackers send convincing emails that trick users into entering their username and password on a fake login page. MFA breaks most of these attacks, because a phished password alone is not enough to log in. One caveat a practitioner would add: phishing pages that relay the login to the real site in real time can also capture a one-time code or push approval, and repeated push prompts can wear a tired user down. Authenticator apps and, better still, hardware security keys or passkeys are far harder to relay than SMS codes, which is why the recommendation below prefers them.

In practice, admin accounts without MFA remain one of the most common gaps. The reasons are familiar: "we set it up quickly and meant to come back to it," or "the admin account is shared so MFA would be inconvenient," or simply "we did not realise it was available."

What "good" looks like: Every account with administrative privileges has MFA enabled, using an authenticator app, hardware security key, or passkey rather than SMS wherever the platform allows it. Admin accounts are assigned to named individuals, not shared. Day-to-day work is done from ordinary accounts, with admin rights used only when needed. Former staff have had their access revoked. You review the list of admin accounts on every platform at least quarterly.

Score yourself: If MFA is enabled on every admin account across every platform, and you are confident no shared admin credentials exist, give yourself a point. If there are exceptions, gaps, or accounts you are not sure about, that is a gap.

Check 3: When Was Your Last Backup Tested?

The question: Not when was your last backup taken — when did you last verify that you can actually restore from a backup? Do you know how long a full restoration would take, and have you confirmed the restored data is complete and usable?

Why it matters: Almost every business has some form of backup in place. Cloud platforms often include automatic backups. IT providers typically configure backup schedules as part of their service. The problem is that a backup you have never tested is a backup you cannot trust.

Ransomware is the clearest illustration. When an attacker encrypts your systems and demands payment, your backup is your recovery path. But if that backup has been silently failing, or if it covers application data but not configuration files, or if restoration takes five days when your business can only survive two offline, then you do not have a viable recovery option.

Approximately 50 percent of New Zealand organisations have not practised their response plan, according to the Kordia 2025 report. Backup restoration is a core component of any incident response, and if it has not been tested, your response plan has an untested dependency at its centre.

The cost of that untested dependency is not hypothetical. When the Waikato District Health Board was hit by Zeppelin ransomware in May 2021, the insurance claim reached NZD $16.5 million — and exceeded the policy limit (Reseller News; Te Whatu Ora). Clinical systems were offline for months. The DHB's cyber insurance premium subsequently jumped from $400,000 to $1.3 million per year. The incident started with ransomware. The cost escalated because recovery took far longer than anyone had planned for.

What "good" looks like: You conduct regular test restores, at minimum annually, and ideally quarterly for critical systems. A test restore means actually bringing the data back into a separate location and confirming it is complete and usable, not just checking that last night's backup job reported success. You have documented the restoration process, including estimated recovery times. You know the difference between what is backed up and what is not. Your backups are stored separately from your production environment, with at least one copy that is offline or otherwise cannot be deleted or encrypted using the same credentials an attacker would gain by compromising your network, so that a ransomware attack does not also take out your backup copies.

Score yourself: If you have tested a backup restore in the last twelve months and can state your recovery time with confidence, give yourself a point. If your last test restore was "probably a while ago" or "I think our IT provider handles that," that is a gap.
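The "verify you can actually restore" step above is easy to script, even for a small business backing up a shared folder. The following is an added example written for this article, not a tool from the original page or from any backup vendor: it takes a backup of a directory together with a checksum manifest, then performs a test restore into a scratch location and proves that every file came back intact, while timing how long the restore took. The sample files, paths and the deliberately emptied archive are constructed for the demonstration; it assumes GNU tar and sha256sum, as found on a typical Linux server.

```bash
#!/usr/bin/env bash
# Added example (not part of the original article): a scripted test restore.
# The manifest is the important part. Without it, "tar ran without error"
# tells you nothing about whether the data you need is actually in the archive.
# Assumes GNU tar and sha256sum; sample data below is constructed for the demo.
set -euo pipefail

# Take a backup of $src into $dest/backup.tar and record a SHA-256 manifest
# of every file at backup time, so a later restore can be checked for
# completeness rather than just "the archive exists".
make_backup() {
    local src="$1" dest="$2"
    mkdir -p "$dest"
    tar -C "$src" -cf "$dest/backup.tar" .
    ( cd "$src" && find . -type f -print0 | xargs -0 -r sha256sum ) > "$dest/manifest.sha256"
}

# Test restore: extract the archive into a scratch directory (never over live
# data), verify every file in the manifest is present with the right hash, and
# report how long the restore took. Returns 0 only for a verified restore;
# returns 1 if the archive is unreadable or any file is missing or corrupted.
test_restore() {
    local dest="$1" scratch="$2"
    local start end
    rm -rf "$scratch"
    mkdir -p "$scratch"
    start=$(date +%s)
    if ! tar -C "$scratch" -xf "$dest/backup.tar" 2>/dev/null; then
        echo "RESTORE FAILED: archive could not be read" >&2
        return 1
    fi
    if ! ( cd "$scratch" && sha256sum --quiet -c "$dest/manifest.sha256" ); then
        echo "RESTORE FAILED: restored data does not match the manifest" >&2
        return 1
    fi
    end=$(date +%s)
    echo "RESTORE OK: $(wc -l < "$dest/manifest.sha256") files verified in $((end - start))s"
    return 0
}

# Demo: a good backup restores cleanly; then we simulate a silently failing
# backup job (an empty archive left in place) and show the test catching it.
demo() {
    local work
    work=$(mktemp -d)
    mkdir -p "$work/live/config"
    echo "customer,email" > "$work/live/customers.csv"      # constructed sample data
    echo "db_host=internal" > "$work/live/config/app.conf"  # config files count too
    make_backup "$work/live" "$work/backup"
    test_restore "$work/backup" "$work/restore-1"
    : > "$work/backup/backup.tar"   # simulate a backup that "ran" but wrote nothing
    test_restore "$work/backup" "$work/restore-2" || echo "This backup would not have saved you."
    rm -rf "$work"
}

demo
```

Run it once to see both outcomes, then point make_backup and test_restore at a real folder and a real scratch location and keep the elapsed time it prints: that number, compared with how long your business can survive offline, is the recovery-time answer the check above asks for.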

Check 4: Do You Have a Written Plan for When Things Go Wrong?

The question: If you discovered right now that your business had suffered a data breach or cyber attack, do you have a written incident response plan that tells your team exactly what to do in the first hour, the first day, and the first week?

Why it matters: Incident response under pressure is not the time for improvisation. When a breach occurs, decisions need to be made quickly: who to notify, what to contain, how to preserve evidence, when to engage legal counsel, whether to notify the Privacy Commissioner, and how to communicate with affected customers. Without a written plan, these decisions get made ad hoc, under stress, by whoever happens to be available.

The consequences of a poor response can exceed the impact of the incident itself. Under the Privacy Act 2020, an organisation that suffers a privacy breach it reasonably believes has caused, or is likely to cause, serious harm must notify the Office of the Privacy Commissioner as soon as practicable, and must in most cases notify the affected individuals as well. The notification must describe the breach, the personal information affected, and the steps taken in response. Organisations that cannot articulate their response face greater scrutiny and potential enforcement action.

The Kordia 2025 report found that approximately 50 percent of New Zealand organisations have not practised their incident response plan. A further finding revealed that around 33 percent of businesses conduct no board-level reporting on cyber risk at all (Kordia, 2025). Without executive visibility into incident preparedness, gaps persist until they are exposed by an actual incident.

Meanwhile, 16 percent of reported incidents resulted in personally identifiable information being compromised (Kordia, 2025). When personal data is involved, the regulatory and reputational consequences escalate significantly, and the quality of your response becomes a matter of public record.

What "good" looks like: You have a written incident response plan specific to your business. It names real people with real contact details, not generic roles, and it is stored somewhere you can reach if your main systems are down. It covers containment, evidence preservation, internal escalation, external notification (Privacy Commissioner, CERT NZ, affected individuals, your insurer), communications, and recovery. The plan has been reviewed in the last twelve months and at least one walk-through exercise has been run with the people who would execute it.

Score yourself: If you have a written, tested incident response plan that your team knows how to find and execute, give yourself a point. If the plan exists only in theory, has never been practised, or does not exist at all, that is a gap.

Check 5: Who Is Responsible for Security in Your Business?

The question: If someone asked "who owns cybersecurity in your organisation?" — is there a clear, specific answer? Not "IT sort of handles it" or "we all take it seriously" — an actual named person with defined accountability for your security programme?

Why it matters: Security without ownership is security without accountability. When no one is explicitly responsible, security tasks fall into the gaps between roles. Policies do not get written. Risk assessments do not get completed. Compliance obligations do not get tracked. Staff awareness does not get maintained. And when an incident occurs, there is no one to drive the response.

This is not about hiring a full-time security specialist. It is about designating a person — whether that is a general manager, an operations lead, or an external adviser — who has explicit accountability for ensuring that security basics are in place and that progress is being made.

The Kordia 2025 report found that 25 percent of organisations cite employee awareness as their top cybersecurity challenge. Awareness does not improve on its own. It requires someone to own the programme: selecting training content, tracking completion, running phishing simulations, and reinforcing good practices. Without an owner, awareness initiatives start strong and quietly fade.

The same principle applies to every other element of a security programme. Policies need an owner to keep them current. Risk registers need an owner to make sure treatments progress. Compliance requirements need an owner to track legislative changes. None of these activities are complex in isolation, but all require sustained attention — and sustained attention requires clear ownership.

What "good" looks like: There is a named individual who is accountable for your organisation's security position. That person has sufficient authority to make decisions, allocate budget, and raise risks to leadership. Their responsibilities are documented, and they report regularly to the business owner or board on the state of the security programme. If security ownership is outsourced to an external provider — such as a Virtual CISO engagement — the relationship is formalised with defined deliverables and reporting cadences.

Score yourself: If you can name the person who owns security in your business, and that person has defined accountability and reports on progress, give yourself a point. If security responsibility is vague, shared informally, or simply unassigned, that is a gap.

Your Score: What It Means

Add up your points from the five checks above.

5 out of 5 — Solid foundations. You are ahead of the majority of New Zealand businesses. Your basics are in place, which means you have a platform to build on. The next step is ensuring these controls are maintained, reviewed regularly, and maturing over time. A periodic independent assessment will confirm whether your self-assessment aligns with external findings.

3 or 4 out of 5 — Good progress, but gaps remain. You have made meaningful investment in some areas, but there are blind spots that an attacker or auditor would identify. The gaps you have found in this exercise are worth prioritising. Most can be addressed within weeks, not months, and many do not require significant budget — they require focus and ownership.

2 or fewer out of 5 — Time to take action. This score is more common than most business owners expect, and it is not unusual. The security landscape has changed rapidly, and many businesses have not had the guidance to keep pace. What matters is what you do next. The gaps you have identified represent real, exploitable vulnerabilities — the same gaps that cyber insurers, auditors, and the Privacy Commissioner will ask about.

Regardless of your score, completing this exercise puts you ahead of the curve. Awareness is the first step. The second is action.

What to Do With What You Found

Every gap you found in these five checks is a gap that an attacker, an insurer, or the Privacy Commissioner will find too. The difference is that you found them first — and that means you can fix them on your terms, not under pressure.

A free security health check takes 30 minutes and gives you a clear picture of where you are exposed and what the first steps look like. Your insurer, your clients, and the Privacy Commissioner will ask these questions — better to have answers before they do.

Book your free security health check — 30 minutes to find out where you stand and what to do about it.

Need help applying this to your business?

We can help you work out whether this is an immediate issue, how exposed you are, and what a sensible next step looks like.