Top 5 Cyber Threats for Kiwi Business in 2025

The five cyber threats hitting NZ SMEs hardest in 2025, from phishing and ransomware to supply chain attacks, with practical steps to reduce your risk.

A staff member at an Auckland accounting firm opens an email that looks like it came from their managing partner. It asks them to pay an urgent invoice before the bank closes. The logo is right, the signature is right, the tone is right. They pay $18,000. The partner never sent it.

Stories like this land at CERT NZ every week. The attackers are not always sophisticated, but they are persistent, and small and medium businesses make easy targets because they often lack a dedicated security team. Here are the five threats Kiwi businesses should understand going into 2025, and what you can do about each one.

What is the most common threat right now?

Phishing remains the front door for most attacks. CERT NZ’s quarterly reports consistently show phishing and credential harvesting as the highest-volume incident category, and the messages keep getting harder to spot.

The old tells are fading. Spelling mistakes and clumsy grammar are rare now that attackers use generative AI to draft clean, on-brand emails. A phishing message in 2025 might reference a real project, copy your supplier’s invoice format, or arrive as a text message about a parcel delivery.

The defences that work:

  • Multi-factor authentication on every account that supports it, especially email and banking.
  • A verification habit for any payment change. If a supplier emails new bank details, ring them on a number you already have.
  • Reporting that is easy. Staff need a one-click way to flag a suspicious email without feeling silly.

Why ransomware still hurts smaller businesses

Ransomware encrypts your files and demands payment for the key. The headlines focus on hospitals and large corporates, but attackers increasingly hit SMEs because the security is weaker and the business often cannot survive a week offline.

What has changed is the model. Many groups now run “double extortion”: they steal a copy of your data before encrypting it, then threaten to publish it if you do not pay. Even a business with good backups is left with a privacy breach and, where that breach is likely to cause serious harm, the obligation under the Privacy Act 2020 to notify the Privacy Commissioner and the people affected.

Paying is a poor option. There is no guarantee you get your data back, and it marks you as a business that pays. The better position is one where you do not have to choose:

  • Keep at least one backup copy offline or immutable (write-once), and make sure it cannot be reached with the same credentials an attacker would hold once inside your network.
  • Test that you can actually restore from those backups, on a schedule, not just once. An untested backup is a guess.
  • Patch quickly, starting with anything exposed to the internet such as VPNs, firewalls and remote desktop. Many ransomware intrusions start with a known vulnerability whose fix had been available for months.
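A restore test is only meaningful if you compare what came back against what you backed up. The script below is an added example, not part of the original article: it records a manifest (path, size, SHA-256) at backup time, then checks a restored copy against it and reports files that are missing, altered or unexpected. The files and the "bad restore" are constructed in a temporary directory so it runs offline; in practice you would point it at a real backup source and a scratch restore target.

```python
"""Prove a backup restores: compare a restored tree against the manifest taken at backup time.

Added example for this article, not iT360 code. The backup set and the faulty
restore below are constructed inside a temporary directory so the script runs
offline; swap the two directories for a real backup source and restore target.
"""

import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, dict]:
    """Record relative path, size and SHA-256 for every file under root at backup time."""
    return {
        p.relative_to(root).as_posix(): {"size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: Dict[str, dict], restored_root: Path) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest.

    Returns three lists; all empty means the restore reproduced the backup exactly.
    Size is checked first because it is cheap and catches truncation; the hash
    catches silent corruption where the size still matches.
    """
    problems: Dict[str, List[str]] = {"missing": [], "corrupted": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            problems["missing"].append(rel)
            continue
        if p.stat().st_size != expected["size"] or sha256_file(p) != expected["sha256"]:
            problems["corrupted"].append(rel)
    for p in sorted(restored_root.rglob("*")):
        if p.is_file() and p.relative_to(restored_root).as_posix() not in manifest:
            problems["unexpected"].append(p.relative_to(restored_root).as_posix())
    return problems


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: back up three files, restore cleanly, then break the restore."""
    sample_files = {  # constructed content, not real business data
        "ledger/2025-q1.csv": b"date,amount\n2025-01-03,1800.00\n",
        "contracts/acme.pdf": b"%PDF-1.4 constructed placeholder\n",
        "notes.txt": b"test the restore every quarter\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "live"
        dst = Path(tmp) / "restored"
        for rel, data in sample_files.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        manifest = build_manifest(src)

        # A faithful copy must pass with no findings.
        shutil.copytree(src, dst)
        clean = verify_restore(manifest, dst)

        # Simulate a bad restore: one file silently truncated, one file missing.
        (dst / "ledger/2025-q1.csv").write_bytes(b"date,amount\n")
        (dst / "notes.txt").unlink()
        bad = verify_restore(manifest, dst)
        return {"clean": clean, "bad": bad}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Keep the manifest somewhere the ransomware cannot alter it (with the offline copy, or printed), otherwise an attacker who can rewrite your backups can rewrite the record you check them against.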

How attackers get in through your suppliers

Supply chain attacks have moved from a niche concern to a mainstream one. Instead of attacking you directly, the attacker compromises a piece of software you trust, or a vendor that has access to your systems, and rides that trust inside.

A managed software update, a plugin on your website, or a third-party tool with admin access to your network can all become the route in. For a Kiwi SME this is hard to manage alone because you cannot audit every vendor.

Practical steps:

  • Keep an inventory of which third parties have access to your systems and what level of access they hold.
  • Remove access the moment a contract ends or a tool is retired.
  • Ask suppliers, especially IT vendors, how they secure their own environment. A serious provider will answer plainly.

Are business email compromise scams getting worse?

Yes, and they are among the most expensive incidents reported in New Zealand. Business email compromise (BEC) is the scenario from the opening of this article: an attacker uses a fake or hijacked email account to trick someone into moving money or changing payment details.

BEC works because it targets people and process rather than technology. There is often no malware to detect. The attacker has simply studied your business, learned who approves payments, and timed the request well.

The controls are mostly procedural:

  • Require two people to approve payments above a set amount.
  • Treat any change to bank details as a red flag that needs phone verification.
  • Audit and restrict inbox rules. Attackers who get into a mailbox often set up quiet auto-forwarding to an outside address, or rules that move replies to an obscure folder or delete them, so they can watch and steer a payment conversation without the owner noticing.
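Those mailbox rules leave a footprint, and checking for them is a quick win after any suspected compromise and as a routine review. The script below is an added example, not part of the original article: it runs a few simple checks over a list of inbox rules and flags the patterns described above (forwarding or redirecting to an external domain, hiding or deleting incoming mail, marking it read, and rules keyed on invoice or payment subjects). The rule records and their field names are constructed and simplified for illustration; they are loosely modelled on what an administrator would export from their mail platform (for Microsoft 365 that would be Get-InboxRule), not a real export format.

```python
"""Flag inbox rules that match common business email compromise patterns.

Added example for this article, not iT360 code. The InboxRule fields and the
sample records are constructed assumptions, not a real mail platform export.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Domains the business owns (assumed for the example); anything else is external.
INTERNAL_DOMAINS = {"example.co.nz"}

# Folders attackers commonly use to park replies where the owner will not look.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "deleted items", "junk email"}

# Subject keywords that suggest a rule is built around payment conversations.
PAYMENT_KEYWORDS = ("invoice", "payment", "bank", "remittance",
                    "account details", "wire", "transfer")


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    delete_message: bool = False
    mark_as_read: bool = False
    subject_contains: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def assess_rule(rule: InboxRule) -> List[str]:
    """Return the reasons a rule looks suspicious; an empty list means nothing found."""
    reasons: List[str] = []
    if not rule.enabled:
        return reasons
    external = [a for a in rule.forward_to + rule.redirect_to if is_external(a)]
    if external:
        reasons.append("forwards/redirects to external address(es): " + ", ".join(external))
    folder = (rule.move_to_folder or "").lower()
    if folder in HIDING_FOLDERS or rule.delete_message:
        reasons.append("moves or deletes incoming mail so the owner may never see it")
    if rule.mark_as_read and (folder or rule.delete_message):
        reasons.append("marks mail as read, which hides it from unread counts")
    if any(k in s.lower() for s in rule.subject_contains for k in PAYMENT_KEYWORDS):
        reasons.append("keyed on invoice/payment subject lines")
    # Empty or one-character names are a common sign of a hastily created rule.
    if len(rule.name.strip()) <= 1:
        reasons.append("rule has an empty or one-character name")
    return reasons


def audit(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map 'mailbox / rule name' to its findings, for rules with at least one finding."""
    findings: Dict[str, List[str]] = {}
    for r in rules:
        reasons = assess_rule(r)
        if reasons:
            findings[f"{r.mailbox} / {r.name or '<unnamed>'}"] = reasons
    return findings


# Constructed sample: one benign rule, two typical BEC patterns, one disabled leftover.
SAMPLE_RULES = [
    InboxRule("accounts@example.co.nz", "Newsletters",
              move_to_folder="Newsletters", subject_contains=["newsletter"]),
    InboxRule("accounts@example.co.nz", ".",
              forward_to=["acc0unts.example@gmail.com"],
              delete_message=True, mark_as_read=True),
    InboxRule("partner@example.co.nz", "Invoices",
              move_to_folder="RSS Feeds", mark_as_read=True,
              subject_contains=["invoice", "payment"]),
    InboxRule("partner@example.co.nz", "Old forward", enabled=False,
              forward_to=["someone@external.example"]),
]

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_RULES).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

Treat any hit as a prompt to ask the mailbox owner, not as proof of compromise; a legitimate forward to a personal address still deserves a conversation, and blocking automatic external forwarding at the tenant level removes the most damaging option altogether.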

The cost of these scams in New Zealand runs into the tens of millions each year across reported cases, and the real figure is higher because many go unreported.

What about weak passwords and unmanaged devices?

The least glamorous threat is often the one that lets everything else happen. Reused passwords, accounts with no MFA, and personal phones or laptops connecting to business data create gaps that attackers scan for constantly.

When staff work from home, from cafes, or from their own devices, the boundary of your business stretches well beyond the office in Wairau Valley or wherever you are based. Each unmanaged device is a small piece of your attack surface.

Sensible baseline controls:

  • A password manager so staff stop reusing the same three passwords everywhere.
  • MFA enforced as policy, not left to individual choice.
  • Device management that lets you wipe a lost or stolen phone remotely and confirm that laptops are encrypted and patched.

Pulling it together

None of these five threats requires a six-figure security budget to address. Phishing, ransomware, supply chain risk, business email compromise, and weak account hygiene all respond to the same handful of disciplines: MFA everywhere, tested backups, fast patching, a payment verification habit, and knowing which devices and vendors touch your data.

The hard part is doing these consistently while you also run the business. That is where a managed IT partner earns its keep, by making good security the default rather than a project you keep meaning to start.

If you would like a clear picture of where your business stands against these threats, the team at iT360 is happy to talk it through. We work with SMEs across New Zealand and can tell you plainly what is worth doing first.

Make the plan real

Get a technology partner who can help execute.

Talk to iT360