The $173K Question: Why NZ Businesses Can't Ignore Cybersecurity
Kiwi business owners often believe they're too small to be noticed by cybercriminals. The latest NCSC research proves otherwise. When 43% of cyber attacks in New Zealand target SME businesses and the average breach costs $173,000 NZD, size doesn't matter to attackers – vulnerability does.
Despite ranking cybersecurity as their third biggest concern, only 7% of small businesses feel prepared for an attack. This disconnect between awareness and readiness creates a perfect opportunity for criminals. And they're taking advantage – 36% of SMEs experienced a cyber incident in the six months preceding NCSC's research.
I'm going to walk you through what NCSC's 2024 research means for your business. You'll see why NZ small businesses make attractive targets, what pushes breach costs higher, and practical security steps that don't require enterprise resources. The threat might be real, but so are the solutions.
The Harsh Reality: Key Findings from NCSC Research
The numbers from NCSC's 2024 research tell a story that should worry every business owner in New Zealand. With 97% of all NZ businesses falling into the SME business category, we're talking about the backbone of our economy being under threat.
Why New Zealand SMEs Are Prime Targets for Cyber Attacks
Let's look at the targeting statistics: 43% of all cybersecurity incidents in New Zealand are directed at SMEs. This is a deliberate strategy rather than random chance. Cybercriminals recognise that SME businesses often lack the security resources of larger enterprises – and there are simply more of them to target.
The frequency is alarming too. Over a third (36%) of small businesses experienced at least one cybersecurity incident in the past six months alone. So it's not a question of if you'll be targeted, but when.
NCSC's findings reveal a devastating financial impact. The average data breach costs SMEs approximately $173,000. This could be game-ending for some of New Zealand's businesses. These costs come from multiple directions: system recovery, lost business, regulatory penalties, customer notifications, and damage to your reputation.
But here's the most concerning statistic: despite the clear danger, only 7% of SMEs feel very prepared for a cyber incident and only 37% have any form of incident response plan in place.
Why SMEs Remain Vulnerable
So why do so many SME businesses remain exposed? The NCSC research highlighted several key barriers:
Common Misconceptions
The "too small to target" myth remains persistent. Many business owners still believe their operation isn't significant enough to attract attackers. But the reality is that cybercriminals are increasingly opportunistic. They don't care about your brand recognition – they care about how easily they can get in.
Another common misconception is that basic antivirus software and occasional password changes are sufficient protection, when they simply aren't.
Barriers to Implementation
The NCSC research identified several practical barriers that prevent businesses from taking action:
- Simple forgetfulness (25% of SMEs)
- Believing current measures are adequate (24%)
- Cost concerns
- Lack of time and expertise
- Uncertainty about which measures would be most effective
These are understandable challenges. Running a small business means juggling countless priorities, and cybersecurity can seem complex and expensive.
The Mindset Problem
Perhaps the biggest barrier is a fundamental mindset problem. Many SME decision-makers view cybersecurity as a technical issue rather than a business risk management issue. When framed that way, it becomes easier to delegate or defer.
The shift needed is to recognise that cybersecurity is directly tied to business continuity. Just as you wouldn't operate without insurance or fire safety measures, you shouldn't operate without basic cyber protections. The $173,000 question isn't whether you can afford to invest in security but whether you can afford not to.
The True Cost of a Data Breach
When a breach happens, the costs spiral quickly. Understanding these factors helps illustrate why the average hit of $173,000 isn't exaggerated:
Breakdown of Key Cost Factors
- Size & Scope of the Breach: The more records compromised, the higher the costs. Sensitive information like financial data or personally identifiable information drives costs even higher.
- Detection & Response Time: The longer it takes to discover and contain a breach, the more damage occurs. Without monitoring systems, breaches can go undetected for months.
- Regulatory & Compliance Costs: Different regions have varying data protection laws, which can include severe fines. Litigation from affected individuals adds substantial costs.
- Notification Expenses: Informing affected individuals isn't just good practice – it's often legally required. This includes drafting notifications, setting up call centres, and handling inquiries.
- Remediation Costs: This covers forensic investigations, security improvements, and possibly compensation to affected individuals.
- Reputation & Customer Loss: Perhaps the most damaging long-term effect is the loss of customer trust and business.
- Business Operations: Systems being taken offline or disrupted leads to lost productivity and revenue.
Why These Costs Hit SMEs Harder
To put it bluntly, larger enterprises can absorb cybersecurity incidents more easily. They have dedicated security teams, larger IT budgets, and often cyber insurance. For SMEs, a major breach can threaten the entire business.
Small businesses typically have thinner profit margins, less cash reserves, and fewer resources to manage reputation damage. When customers leave due to a security incident, SMEs feel that loss immediately and deeply.
The aftermath of a breach also diverts precious staff time away from core business functions at a time when you can least afford the distraction.
Practical Steps to Reduce Your Risk and Costs
The good news? You don't need enterprise-level resources to significantly improve your security posture. Here are the measures that deliver the highest return on investment:
Essential Security Measures with High ROI
- Update Password Policies: The NCSC research showed that only 48% of SMEs use password managers. Implementing one is a low-cost, high-impact improvement that makes strong, unique passwords manageable.
- Enable Multi-Factor Authentication (MFA): This simple step dramatically reduces the risk of unauthorised access, even if passwords are compromised. Make it mandatory for all accounts, especially email and financial services.
- Keep Systems Updated: Regular patching closes security holes that attackers frequently exploit. Set up automatic updates wherever possible.
- Implement Application Controls: Restrict what software can run on your systems. This prevents malicious applications from executing even if they manage to get onto your devices.
- Regular Backups: Ensure your critical data is backed up regularly and test that you can actually restore from these backups. This is your insurance policy against ransomware.
Need more advice? Check out my colleague’s quick tips for improving your cybersecurity.
Incident Response Planning
Only 37% of SMEs have an incident response plan, yet this is one of the most cost-effective security measures. A basic plan doesn't need to be complex:
- Document who to contact and what steps to take when an incident occurs
- Include contact information for key personnel, IT support, and relevant authorities
- Outline steps for containing different types of incidents
- Establish communication procedures for staff, customers, and suppliers
Having this information ready before you need it can dramatically reduce response time and limit damage.
Consider Business Continuity
Understanding your recovery point objective (RPO) and recovery time objective (RTO) for business-critical systems is crucial. In simple terms:
- How much data can you afford to lose? (RPO)
- How long can systems be down before business is severely impacted? (RTO)
These questions help prioritise your security investments and recovery efforts. They're frequently overlooked but have major implications for how you respond to an incident and what it ultimately costs you.
Taking Action: Next Steps for SME Leaders
The NCSC research makes it clear – New Zealand's SME businesses need to take cybersecurity seriously. But that doesn't mean it has to be overwhelming or prohibitively expensive.
Start with these immediate steps:
- Assess your current security posture: Be honest about where your vulnerabilities lie. The CERT NZ Critical Controls provide a good starting framework.
- Implement the high-impact, low-cost measures first: Password managers, MFA, regular backups, and security awareness training give you the biggest security boost for minimal investment.
- Create a basic incident response plan: Even a simple document is better than nothing.
- Consider cyber insurance: While not a replacement for security measures, it can help mitigate financial impacts if the worst happens.
- Engage with security professionals: Even a one-time consultation can provide valuable guidance tailored to your specific business needs.
Remember, cybersecurity isn't about eliminating all risk – that's impossible. It's about reducing risk to a manageable level and being prepared to respond effectively when incidents occur. The criminals targeting New Zealand businesses are counting on your inaction. Prove them wrong.
Want to learn more about protecting your business? CERT NZ offers excellent resources specifically for small businesses. You can also reach out to our team at The Instillery for a no-obligation chat about your security concerns.