A new report from New Zealand’s National Cyber Security Centre (NCSC) has identified critical gaps in the cybersecurity readiness of small and medium-sized enterprises (SMEs) across the country.
The “SME Cyber Security Behaviour Tracker 2024” highlighted that while most SMEs recognise the importance of cybersecurity, many remain unprepared for cyber threats.
The report indicated that 55% of SMEs consider cybersecurity a priority, yet only 48% feel adequately prepared for a potential cyber incident.
Michael Jagusch, director of mission enablement at the NCSC, noted that while the importance of cybersecurity is widely acknowledged, it often takes a back seat to other business concerns.
“Businesses are aware that cyber security is critical, but other concerns are taking priority,” he said, as reported by IT Brief, adding that many SMEs only act after they have experienced an attack.
The survey, which polled 349 IT and operations managers within SMEs, found that 36% had been hit by cyberattacks within the past six months.
Among those affected, 57% implemented new cybersecurity measures, in contrast to only 27% of those who had not been attacked.
Jagusch commented on the reactive nature of many businesses – focusing on addressing the problem after the fact rather than preventing it in the first place.
“While it’s good to see some actions being taken up, the more future-oriented ones aren’t,” he said.
The study also revealed that more than a third (35%) of SMEs do not regularly back up their data, and 23% fail to keep their software consistently updated.
Jagusch noted that this lack of basic cybersecurity practices is often due to businesses not knowing where to begin. To address this, the NCSC has introduced a tool on its “Own Your Online” website to help businesses assess and improve their cybersecurity strategies.
The NCSC plans to continue supporting SMEs with tools and guidance aimed at encouraging more proactive cybersecurity practices. The goal is for the 2025 report to show improved cybersecurity practices across the sector
The initiative is designed to help SMEs streamline their cybersecurity efforts, allowing business owners to focus on operations while mitigating security risks.
Jagusch said that the NCSC’s goal is to help businesses prioritise key cybersecurity practices without overwhelming them.
“Our goal is to save [businesses] time by helping identify what cyber security practices they should focus on,” he said.
A separate study by Kordia, a New Zealand telecommunications provider, explored the effects of cyberattacks on larger organisations.
The report found that 36% of large businesses experienced significant operational disruptions due to cyber incidents in 2023, with 29% reporting breaches involving personal data.
Other key findings from the survey show that 28% of attacks were linked to security failures from third-party vendors, and 70% of executives said they would consider paying a ransom if faced with a cyber extortion attempt.
The Kordia study also highlighted the broader economic and personal toll of cyberattacks, particularly the strain on employees within affected organisations and the potential for supply chain disruptions.
