What the Latest Cybersecurity Data Means for Your NZ Business
Our Director of Information Security, Franc, keeps a close eye on the latest cyber threat reports coming out of both Australia and New Zealand, including the Quarterly Cyber Security Insights from New Zealand’s National Cyber Security Centre.
It helps our team stay aware of the scams, tactics and risks that are emerging in the real world, so we can help our clients avoid the traps that are catching other businesses out.
And the latest report is a good reminder of why this matters.
Between July and September 2025, the National Cyber Security Centre responded to 1,249 cyber security incidents across New Zealand. That’s thousands of disrupted inboxes, compromised systems, and frustrated business owners in just three months. The financial impact was significant.
During the same period, reported cyber incidents resulted in $12.4 million in direct financial losses - more than double the previous quarter, representing a 118% increase.
But the most surprising part is how many of these incidents started. Not with a sophisticated hack or a complex cyber attack.
But with something much simpler:
➡️ Access to an email account.
When Email Becomes the Front Door
Once attackers gain access to an email inbox, they can quietly watch how a business operates without anyone realising something is wrong. They observe conversations, invoices, payment requests, and communications with suppliers.
Then, at the right moment, they act.
A payment instruction is altered.
An invoice is changed.
A staff member receives what looks like a legitimate request to transfer money.
This type of attack is known as Business Email Compromise (BEC), and it was responsible for $6.4 million in financial losses during the quarter.
For a small business or medical practice, even a single fraudulent payment can be devastating. And beyond financial loss, it can also damage trust.
Why Medical Practices and Small Businesses Are Attractive Targets
Cyber criminals rarely target organisations because they are large. They target organisations because they are accessible.
Healthcare providers, clinics, and small to medium businesses often manage important systems such as:
patient information
financial data
supplier payments
appointment systems
staff communication platforms
These systems are essential for daily operations. That makes them valuable to attackers.
At the same time, smaller organisations often have fewer internal IT resources and less time to monitor potential threats.
Cyber criminals know this.
According to the NCSC, of the incidents analysed:
38% were linked to cybercrime groups motivated by financial gain
28% were linked to state-sponsored actors
34% could not be clearly linked to a known attacker
This tells us something important. Not every cyber attack is highly sophisticated. Many simply take advantage of opportunities when systems or security are weaker.
The Quiet Rise of Malware
Another trend the NCSC highlighted was a 36% increase in malware-related incidents compared to the previous quarter.
Malware is harmful software designed to sneak into your computer or network to steal information, spy on activity, damage systems, or give attackers control without you knowing.
It can enter a business in surprisingly ordinary ways, such as:
email attachments that look legitimate
downloads of infected files or from infected websites
compromised websites
fake software updates that appear genuine
Once malware gets into a system, it can start doing damage quietly in the background. It may capture passwords, monitor activity, or open the door for attackers to access the system later.
In many cases, businesses only realise something is wrong when systems start behaving strangely - or when attackers already have access.
The Good News: Most Incidents Are Preventable
Despite the rising numbers, most of the incidents reported were lower-severity events.
Out of the 1,249 incidents reported:
5 were significant incidents
27 were moderate incidents
67 were routine incidents
1,101 were minor incidents
That tells an important story.
Most cyber incidents are not dramatic, movie-style hacks. They are everyday digital risks that grow into bigger problems when the right protections aren’t in place.
With the right systems, processes, and awareness, many of these incidents can be prevented or contained before they cause serious disruption.
Cybersecurity Is Now a Business Essential
For medical practices and small to medium businesses, cybersecurity is no longer something that can sit on the “future improvements” list.
It has become part of running a modern organisation.
Just as businesses invest in physical security, financial controls, and insurance, protecting your digital systems is now another important layer of protection.
Simple measures such as:
strong authentication
secure email systems
monitored networks
staff awareness training
reliable backups
...can significantly reduce risk.
And just as importantly, having experienced people available when something does go wrong can mean the difference between a minor disruption and a major financial loss.