Marsh alerts New Zealand SMEs to rising cyber threats

Insurance's role in managing social engineering threats emphasised

By Roxanne Libatique

Cyber threats targeting New Zealand businesses are increasing, with social engineering scams, ransomware attacks, and IT disruptions posing significant risks.

According to industry reports, SMEs are particularly vulnerable due to limited cybersecurity resources, increasing technological dependence, and evolving attack methods.

As a result, industry experts – including Marsh and MinterEllisonRuddWatts – stress the importance of cyber insurance, employee training, and risk management strategies to safeguard businesses from financial and operational damage.

Cyber incidents top business risks for 2025

Cyber-related incidents have been identified as the most significant business risk for 2025, according to the latest Allianz Risk Barometer report.

The study highlighted concerns over ransomware, data breaches, and IT system failures, ranking them as the leading global threat. It gathered responses from 3,778 professionals, including CEOs, risk managers, insurers, and brokers from 106 countries.

For the fourth consecutive year, cyber risks were named the top business threat, with 38% of respondents listing them as their primary concern.

Understanding social engineering and its impact on SMEs

Social engineering is a cyberattack method that relies on human interaction to manipulate individuals into disclosing sensitive information, allowing unauthorised system access, or conducting fraudulent financial transactions. Instead of relying on technical hacking methods, attackers exploit trust and psychological tactics to bypass security measures.

Several factors make SMEs particularly vulnerable to these attacks:

  • lack of cybersecurity awareness – many businesses do not provide formal training on recognising social engineering scams
  • trust-based workplace culture – smaller teams may be more likely to accept requests without verifying authenticity
  • limited cybersecurity infrastructure – many SMEs operate without the advanced security systems used by larger organisations
  • employee errors – workers may inadvertently fall for fraudulent requests, leading to financial or data losses

Common types of social engineering attacks

Cybercriminals use a variety of tactics to manipulate employees and gain access to company resources. Some of the most prevalent methods include:

  • phishing – deceptive emails containing malicious links or attachments designed to steal login credentials or install malware. Variations include smishing (text message scams) and vishing (voice phishing)
  • business email compromise – fraudsters impersonate executives or vendors to request financial transactions or confidential data
  • baiting – attackers leave infected USB drives or other malware-loaded devices in public areas, hoping employees will use them on work computers
  • pretexting – scammers create fake scenarios to extract sensitive information under the guise of legitimacy
  • tailgating – gaining unauthorised physical access to secured premises by following an employee through security checkpoints

Marsh said that recognising the warning signs of social engineering can help businesses mitigate risks – a reminder insurers and brokers could share with their business clients. Suspicious requests, unexpected emails, urgent demands, or inconsistencies in email addresses and document formatting are key indicators of a potential scam.

How SMEs can strengthen cybersecurity 

Marsh recommended several strategies to help SMEs strengthen their cybersecurity resilience:

  • Employee training – conduct regular cybersecurity awareness sessions to educate staff on identifying and handling potential threats.
  • Security protocols – implement policies for verifying financial transactions and managing sensitive data.
  • Multi-factor authentication (MFA) – strengthen account security by requiring multiple authentication steps.
  • Routine security audits – conduct regular assessments to detect vulnerabilities and update security measures.
  • Creating a cybersecurity culture – encourage employees to verify requests and report suspicious activity without hesitation.

Cyber insurance’s role in managing social engineering threats 

Marsh emphasised that cyber insurance could help businesses recover from financial losses caused by social engineering fraud. Policies may include coverage for fraudulent transactions, data recovery costs, legal fees, and crisis management services.

Steps to take after a social engineering attack 

Marsh said SMEs that suspect they have been targeted should take immediate action to minimise damage:

  • Activate their incident response plan.
  • Disconnect affected devices from networks.
  • Review financial records for unauthorised transactions.
  • Change passwords and access credentials.
  • Document all details and collect evidence of the attack.
  • Notify their bank and insurer.
  • Report the incident to law enforcement and cybersecurity authorities.

For businesses with cyber insurance, insurers may provide dedicated response teams to assist with incident management and damage control, Marsh said.
