When speaking with small and medium-sized business owners in New Zealand, one of the most common beliefs I hear is that cyber criminals are only interested in big companies. There is a sense that banks, government agencies, or international firms are the true targets, and that a small business has little to worry about. Unfortunately, the evidence paints a very different picture.
Cyber attacks are not only common against small businesses; they are also increasing in both frequency and severity. According to research, 58 percent of all cyber attacks are directed at small and medium-sized businesses, and in New Zealand the average cost of a breach for an SMB sits at around $21,500. That might not sound catastrophic compared to the figures reported for large enterprises, but for many small businesses it is enough to cause serious financial harm. Margins are often slim, cashflow is tight, and there is little room to absorb an unexpected bill for recovery, downtime, and reputational repair.
The real cost for small businesses
To put this into context, when a small business suffers a breach the money lost is not simply a ransom or a fine. It is also the lost productivity while systems are down, the cost of external IT help, the need to rebuild or restore data, and the impact on staff who cannot work normally. Customers may walk away, either temporarily or permanently, because they no longer trust the business with their information. For many owner-operators, this kind of disruption is devastating.
In 2024 New Zealand businesses collectively lost $6.6 million to scams and cyber incidents, a figure that had increased by 84 percent on the year before. One in three New Zealand SMEs reported a cyber attack within the space of six months. These are not isolated events. They are happening every day to organisations of all sizes and across all industries.
Examples close to home
It is often easier to relate to stories than statistics. One Auckland homeware retailer, known publicly as AKL Retail, faced a ransomware attack that locked both their online store and their customer database. The attackers demanded a payment of $50,000 to release the data. Overnight, the business could no longer take online orders, fulfil customer requests, or even access its own sales history.
In another case, a medium-sized company in the Waikato was compromised after attackers exploited a supplier’s remote access system. Sensitive financial and client data was stolen and the company was left facing reputational damage alongside the direct costs of incident response.
Even larger organisations have suffered heavily. Christchurch-based cryptocurrency exchange Cryptopia was breached in 2019, losing around $24 million worth of assets. The company went into liquidation and never recovered. While Cryptopia was not an SMB, the lesson is clear: a single cyber incident can topple even a growing technology company, so the impact on a small family business could be fatal.
The threats you face
Most cyber threats that affect New Zealand SMBs are not particularly sophisticated. Phishing emails remain the most common threat, tricking staff into clicking links or opening attachments that lead to malware. Ransomware has become a growing problem, with criminals encrypting data and demanding payment for its release. Business email compromise and invoice fraud, where attackers pose as trusted suppliers or staff members and redirect payments to fraudulent accounts, are also widespread.
It is important to remember that insider mistakes are another major factor. Staff can accidentally delete data, misconfigure systems, or fall victim to scams, all of which can result in real financial and reputational harm.
What good looks like
The good news is that protecting your business does not need to be prohibitively expensive or complex. Starting with the basics can make an enormous difference. Using strong, unique passwords, turning on multi-factor authentication, regularly backing up data and testing those backups, keeping software updated, and running short awareness sessions for staff are simple measures that reduce risk significantly.
For businesses looking to take security further, a formal cyber policy and an incident response plan provide structure for how to respond when something goes wrong. Access permissions should be reviewed regularly, and cyber insurance can help to soften the financial blow when an incident does occur. Independent audits or assessments, such as the SMB1001 certification, give confidence to owners, staff, customers, and even insurers that a business is taking security seriously.
Do not wait until it is too late
Too many business owners only look at cyber security after an attack has already taken place. Common phrases we hear after incidents include “We thought we were too small to be a target” and “We assumed our IT provider was monitoring everything”. By then, the damage is done, and the costs are far higher than they would have been if simple steps had been in place beforehand.
Cyber criminals are not concerned about the size of your company. They are looking for the easiest opportunity. If your systems are left unprotected, your business will be an attractive target regardless of how small you think it is.
Final thought
Cyber security should not be seen as an optional extra for small businesses. It is as fundamental as locking the doors to your office or shop at the end of the day. The figures show that the financial and reputational damage is real, and the examples here in New Zealand demonstrate that it can happen to anyone. By taking small, practical steps now, you can protect your livelihood, your staff, and your customers, and ensure that your business is not the next cautionary tale.