New Zealand SMEs are being urged to make cyber security a top priority as hackers increasingly use AI to supercharge criminal activity.
The 2026 Kordia New Zealand Business Cyber Security Report has found the number of AI-related cyber attacks is soaring as new technology creates opportunities for more sophisticated breaches.
Of 250 medium-to-large businesses surveyed, 44 per cent have reported falling victim to cyber crime in the past year. It has prompted a warning for businesses of all sizes to be aware of the risks, with the report declaring: “Every New Zealand organisation must treat cyber security as a strategic priority, not a cost centre, to safeguard economic stability and societal trust in the digital age.”
For SME owners, the challenge is in protecting their businesses without the aid of an IT security team, and rolling out AI without lowering barriers to entry for criminals.
‘Shadow AI’ Heightens The Risk Of A Cyber Attack
The prevalence of ungoverned AI use within workplaces is creating a significant data risk for New Zealand businesses. 43 per cent of business leaders have told Kordia accidental data exposure via AI is their top concern, and with good reason: 14 per cent of reported hacks last year were the result of AI vulnerabilities, double the year before.
“Insider threats, whether accidental or malicious, have always been a factor in cyber incidents and data breaches,” says Patrick Sharp, General Manager of Kordia-owned Aura Information Security. “But ‘shadow AI’ – the unauthorised use of AI tools by employees – is growing into a massive problem.
“Individual staff members are copying confidential data into AI systems – information they would never put into Google – without understanding the risks and without guidance from their organisation.” This includes tasks like drafting contracts or analysing financial spreadsheets.
The awareness gap is mirrored in figures from the National Cyber Security Centre’s SME Behaviour Tracker, which found only 25 per cent of SMEs consider cyber security a high priority and only 50 per cent felt they were prepared for a cyber attack.
The technical nature of breaches has also evolved. Rather than seeking backdoors through software vulnerabilities, attackers are increasingly focused on identity theft. “Attackers don’t hack in, they log on,” the report notes.
Data from the NCSC shows 75 per cent of successful Business Email Compromise attacks – where criminals impersonate executives – bypass safeguards like SMS-based multi-factor authentication. Hackers use AI to automate the interception of credentials, then gain full access to business accounts, allowing them to redirect invoices and monitor private communications undetected.
AI-generated Phishing Is Catching Out Alert Employees
AI has eliminated many of the ‘tells’ that savvy employees learned to recognise as phishing, where access is gained by someone clicking an email link. Kordia confirms 80 per cent of phishing material is now AI-generated and, free of poor grammar or spelling, has achieved a 54 per cent click-through rate, nearly five times higher than traditional phishing methods.
In New Zealand, the NCSC 2025 Cyber Threat Report warns that attackers are now deploying flawless te reo Māori in phishing campaigns to successfully exploit trust within the business community. Once in, personal information remains a key target for cyber criminals. 17 per cent of hacked businesses said personally identifiable information was accessed or stolen. A similar number, 21 per cent, worried about stolen data leading to blackmail or extortion.
No SME Can Afford To Fall Victim To An Online Breach
While the overall number of cyber attacks in New Zealand fell last year – from 59 to 44 per cent of businesses – the cost per hack is rising. NCSC research indicates the average cost of a data breach for a Kiwi SME is now $173,000. Q3 of last year saw a 118 per cent spike in direct financial losses, to a total of $12.4m.
Beyond the immediate hit to the bank balance, the operational fallout can also be severe, particularly for smaller businesses with limited cashflow. The Kordia data shows 61 per cent of businesses face major operational disruption after a breach, and face further costs in insurance premiums, legal fees and fines. Almost 1 in 10 victims received a ransom request and 42 per cent decided to pay.
Take Steps To Move Beyond Traditional Safety Measures
To stay ahead of these evolving threats, experts suggest SMEs move beyond traditional checklists and adopt specific, high-impact security measures with more resilient frameworks.
- Hardware-Based Authentication: Moving away from SMS codes to physical hardware keys or passkeys that AI cannot easily intercept, effectively closing the ‘logging on’ loophole.
- Seek Qualified Advice: SMEs without a cyber security expert on staff are advised to seek specialist advice and ensure suppliers are also professionally managing risk.
- Defined AI Use Policies: Implementing clear rules on which AI platforms are sanctioned for business use to prevent data leakage.
That includes keeping across employee attempts at ‘vibe-coding’ software solutions using AI assistants like Claude Code, since, without specialist training, it’s easy to leave open a back door for hackers. Ben Thompson, CEO and co-founder of Employment Hero, says while SMEs should welcome innovation, it must be strategic:
“Every day our teams are finding new ways to use AI to drive efficiencies and deliver solutions,” he says. “But there are serious technical issues that vibe coded ‘replacements’ don’t consider: the sensitive data that HR platforms handle with stringent security, the constant regulatory changes business owners need to stay ahead of, or the consistent updates and platform maintenance.”
Patrick Sharp says while businesses address their own cyber security vulnerabilities, governments have a role to play too. “How prepared are we, and are we investing enough into our collective cyber defence?” he asks. Surveyed businesses called for more education on cyber security best practice, harsher fines for failing to protect personal data and outlawing the payment of ransoms to cyber criminals.






















