A new report from New Zealand tech firm Kordia has highlighted growing concerns among New Zealand businesses about AI-generated cyber threats, with 28% of large organisations ranking them as a major risk.
However, only 6% of reported cyber incidents in the past year were directly linked to AI-driven attacks.
The findings come from Kordia’s annual New Zealand Business Cyber Security Report, which surveyed 295 businesses with at least 50 employees.
The report sheds light on the scale and nature of cyber threats in 2024:
Alastair Miller (pictured), principal security consultant at Aura Information Security, a Kordia-owned cyber security firm, said AI is making cybercriminals more efficient and increasing the frequency of social engineering attacks.
“AI has lowered the cost of entry and time investment needed by cybercriminals to craft, refine, and adapt social engineering campaigns. As a result, we’re seeing a surge of businesses reporting attacks involving sophisticated email phishing, something that we expect will continue to increase,” he said.
AI is transforming both cyber threats and security defences. The report noted an increase in AI-powered cyberattacks, particularly in phishing campaigns that use automation and personalisation to deceive employees.
Miller highlighted risks associated with the unsanctioned use of AI tools by employees, with 16% of surveyed businesses citing improper AI usage as a key cybersecurity challenge.
“Employees are either accessing AI tools like ChatGPT without company knowledge or are not following any guidelines around data management to prevent exposure of company data to AI training models – for example, by feeding the AI with commercially sensitive or private information,” he said. “In fact, our report indicated 6% of cyber incidents involved an AI-related data breach, so even though AI implementation is rather new, we’re already seeing some of the consequences of poor AI usage in this country.”
While AI is being exploited by cybercriminals, it is also being used to strengthen cyber defences. AI-enhanced security tools can improve threat detection and incident response, but Miller cautioned against over-reliance.
“There’s been much hype around what AI cyber security can achieve for a business’s security defences, and while AI absolutely has its place when it comes to defending against cybercrime, it still requires human oversight to ensure that it’s working effectively,” Miller said.
Financially motivated attacks remain a persistent issue. According to the report, 14% of cyber incidents in 2024 involved financial extortion, and 9% resulted in a ransom or payment demand being made.
Miller said the actual number of ransom payments could be higher, as businesses often do not disclose such payments.
“Financial gain is the primary motivator for cybercriminals, and the reality is that many New Zealand businesses are ill-prepared, or unable, to respond and recover to incoming attacks and find themselves in a position where paying is the easiest way to make the problem go away,” he said.
The report identified key weaknesses in cyber security preparedness among New Zealand organisations:
Kordia’s report recommended that businesses focus on five key areas in 2025:
Commenting on the findings, New Zealand’s privacy commissioner, Michael Webster, highlighted concerns about data security risks posed by third-party providers.
“The law is very clear that when an agency outsources services to a third-party provider, the agency remains responsible for ensuring the data remains secure and used in a way that is compliant with the Privacy Act,” he said.
The Office of the Privacy Commissioner has issued guidelines to help businesses understand their responsibilities when working with external providers.
