Threat Of AI Cyber-Attacks A Top Concern For NZ Businesses, New Research Reveals

11 March 2025 - New independent research from Kordia has today revealed that over one quarter (28%) of New Zealand large organisations consider AI generated cyber-attacks to be a top threat to their businesses, despite only 6% of cyber breaches being attributed to an AI-generated attack.

Of the 295 businesses with more than 50 employees surveyed as part of Kordia's annual New Zealand Business Cyber Security Report:

• Almost two thirds (59%) of New Zealand businesses were subjected to a cyber-attack or incident in 2024
• 43% of all cyber-attacks and incidents were caused by email phishing
• Almost 1 in 10 businesses compromised by a cyber incident paid a ransom or extortion demand
• 16% of cyber incidents resulted in the compromise or theft of personally identifiable information (PII)
• 22% of cyber incidents caused operational disruption
• 19% of cyber incidents related to a breach or attack on a third-party

Alastair Miller, Principal Security Consultant at Kordia owned Aura Information Security, says the findings reflect the proliferation of AI technology, resulting in an increase in social engineering and phishing attacks against businesses.

“AI has lowered the cost of entry and time investment needed by cybercriminals to craft, refine and adapt social engineering campaigns. As a result, we’re seeing a surge of businesses reporting attacks involving sophisticated email phishing, something that we expect will continue to increase.”

Miller says the report reveals that financial gain is a clear motivator behind attacks on Kiwi businesses.

“Money is the motivator. That’s why it’s unsurprising to see stolen personal information, IP, commercially sensitive data and business disruption amongst the list of impacts faced as a result of a cyber incident. These are all things that cybercriminals can leverage to put pressure on businesses to pay a blackmail or extortion demand,” Miller continues.

Despite this, many of the businesses surveyed are still not implementing basic cyber security, or elevating cyber security as a top risk for the company’s board.

“It’s disappointing to see New Zealand businesses lagging behind – around one third of businesses say they don’t do any reporting on cyber risk to their board of directors, and around half haven’t practiced their cyber security response plan,” says Miller.

“Bearing in mind that the businesses we surveyed are amongst some of the largest in the country and the biggest employers, we’d have liked to have seen more evidence of a focus on cyber issues.

“This report reveals that despite concerns around cybercrime and the devastating impacts it can have on Kiwi businesses, it’s still not being taken seriously enough. Building and maintaining a strong cyber security posture comes down to doing the basics right, taking a risk-based approach, and always keeping one eye on the horizon for new and evolving threats.”

The rise of AI: A double-edged sword for New Zealand businesses

The report reveals the extent to which AI is reshaping behaviours and attitudes around cyber security for New Zealand businesses, as well as the evolving nature of cybercrime.

“AI-generated cyber-attacks are the new frontier of cybercrime,” explains Miller. “The democratisation of increasingly sophisticated AI technology has catapulted the effectiveness and speed of cybercrime to extraordinary new heights.”

Miller points to the recent uptake of large language models in AI-generated phishing attacks as an example. Not only has it enabled greater personalisation and adaptability by mimicking writing styles or contextualising messages in a timely manner, but it’s also enabled greater levels of automation, resulting in a highly scalable and incredibly efficient tactic for cybercriminals.

Of the 59% of respondents who said their business suffered a cyber-attack or incident in 2024, 43% of those were compromised by an email phishing attack.

“Those numbers are high, and we know that they can be attributed in large part to a rise of AI-generated cybercrime tactics.”

But cybercriminals aren’t the only cause for concern for New Zealand businesses when it comes to AI. More than a quarter (28%) of respondents cited AI generated cyber-attacks as a threat to their business’s security posture.

Miller says that shadow AI – the unsanctioned use of AI tools by employees in the workplace – has heightened concerns around employees putting businesses at risk. One in four (25%) respondents cited employee awareness and behaviour as a top challenge to improving their cyber security posture, and one in six (16%) respondents cited improper use of AI as another top challenge.

“Employees are either accessing AI tools like ChatGPT without company knowledge or are not following any guidelines around data management to prevent exposure of company data to AI training models, for example, by feeding the AI with commercially sensitive or private information. In fact, our report indicated 6% of cyber incidents involved an AI-related data breach, so even though AI implementation is rather new we’re already seeing some of the consequences of poor AI usage in this country.

“Vendors are increasingly incorporating AI technologies into enterprise software and moving towards an “opt out” model, meaning their AI functionality is automatically switched on. So, businesses really need to have some sort of policy or guidelines around proper AI usage for their business, because it is in fact becoming ubiquitous.”

Miller says that for many New Zealand businesses, the focus has been on leveraging AI to create cost and resource efficiencies.

He says AI can be a useful tool in cyber defence, for example AI-integration in monitoring solutions can help improve threat detection, streamline security operations and ease the manual workload of security and IT teams. But Miller cautions against AI being perceived as a “silver bullet.”

“There’s been much hype around what AI cyber security can achieve for a business’s security defences, and while AI absolutely has its place when it comes to defending against cybercrime, it still requires human oversight to ensure that it’s working effectively.“Our advice is to take a strategic approach to AI cyber security tools with proven use cases, rather than buying into trends and bold claims. These should supplement, not replace, the cyber security basics.

"Our research reveals that almost half of all New Zealand businesses lack any sort of policy or guidelines to protect their business from AI data breaches. For businesses that’re concerned about the threat of AI, this is a fantastic place to start when implementing AI successfully.”

Show me the money: Weighing the costs of recovery, rebuild and ransoms

Kordia’s survey reveals that around one in six (14%) cyber incidents affecting New Zealand businesses involved financial extortion, while one in ten (9%) cyber incidents resulted in the victim paying a ransom or payment demand.

Miller says that while the numbers appear small, they are likely to be much higher.

“Financial gain is the primary motivator for cybercriminals, and the reality is that many New Zealand businesses are ill-prepared, or unable, to respond and recover to incoming attacks and find themselves in a position where paying is the easiest way to make the problem go away,” says Miller.

“Unfortunately, it’s sometimes cheaper to pay a ransom or payment demand, than fork out for the cost of operational and wider business disruptions that commonly result from these types of attacks, not to mention the expenses associated with recovery and rebuild.”

Miller says that the report’s findings are indicative of the type of data malicious actors are after, flagging personal information as a lucrative target for cybercriminals financially extorting their victims.

One in six (16%) respondents revealed that personally identifiable information (PII) was accessed or stolen as a result of a cyber-attack or incident, which Miller says reflects what cybercriminals are motivated by when breaching businesses.

“Data is currency, and double extortion has become the new norm as attackers have evolved their tactics to squeeze even more from their victims. Rather than simply encrypting a business’s data to force a payment, cybercriminals are also stealing PII and commercially sensitive material, adding reputation damage and privacy breaches to their list of threats."

Miller says there’s a dangerous trend emerging here. Not only does paying a ransom incentivise cybercriminals to continue to extort their victims, but there’s also no guarantee that paying a ransom will achieve the desired result, or that those same cybercriminals won’t exploit those known vulnerabilities and simply attack again.

Australia recently introduced legislative reforms to tackle the issue of rising ransomware and cyber extortion payments. The Cyber Security Act introduces mandatory reporting requirements for Australian businesses to enhance transparency and enable authorities to understand the scale of the problem and combat cyber threats more effectively.

“New Zealand does not currently have an equivalent to Australia’s Cyber Security Act which came into force in November 2024,” says Miller. “While the New Zealand Government has issued strong guidance and policies on the issue, without some sort of mandatory reporting, it’s very hard to get a sense of the true impacts of cybercrime and cash flowing to cybercriminal entities.”

Complacency is a cyber-risk: room for improvement for NZ businesses

Miller says that New Zealand businesses that want to improve their security posture should ensure they're doing the basics right. But the results from the survey suggest this isn’t the case. Of the 295 businesses surveyed:

• Two thirds (67%) have not performed a penetration test in the past 12 months
• One in five (20%) do not monitor or log activity in their network
• Less than half (39%) always conduct a risk assessment when onboarding new technologies
• One quarter (26%) do not have any cyber security awareness/training in place.
• One third (33%) were unaware if there was a single source of identity management for the business
• One third (33%) were unaware of any vulnerability management programme in the business to support activities like patching

“Cyber security works best with a layered approach – so if one control fails, there is another in place to continue protecting your most important data and systems. For example, having multifactor authentication on logins is one simple way to add an extra layer of defence against identity attacks,” says Miller.

“We know that cybercriminals often log in with stolen credentials, rather than hacking their way into your business, so having a single source of identity management, for example, would significantly reduce the likelihood of an attacker slipping in unnoticed.”

Miller says that conversations about cyber security should begin in the boardroom.

“The good news is that New Zealand businesses are increasingly recognising that cyber security isn’t an ‘IT problem’, it's both a strategic business enabler and an enterprise-wide risk management issue.”

Cyber-attacks are a case of “when, not if” and Miller says that given boards play a critical role in a company’s incident response management before, during and after an incident, getting this right is a great place to start for businesses and boards who want to strengthen their security posture.

“We know that nearly two thirds of Kiwi businesses have suffered a cyber-attack in the past year, so having a cyber incident response plan should be imperative.

“But the work doesn’t stop there; you must also regularly practise your plan to verify it is fit for purpose. Unfortunately, New Zealand businesses have succumbed to complacency here too.

“Our survey has revealed that despite 86% of businesses having a cyber security incident response plan, only around half have practised it.”

Cyber smarter, not harder: Core focus areas for New Zealand business in 2025

In addition to “getting the basics right”, Kordia recommends New Zealand businesses focus on five core areas in 2025:

• Risk assess AI, and other emerging technology: Major breakthroughs in AI present both risk and opportunity for cyber security. Businesses should assess what data or systems may be impacted by AI usage and determine whether their benefits outweigh any risk, and privacy considerations, as well as be across any upgrades to those tools or changes in policy. A similar risk assessment should apply to all emerging technologies introduced into the corporate environment.
• Factor third-parties into business continuity plans: Third-party cyber threats are becoming more commonplace as more New Zealand businesses adopt SaaS platforms and cloud-based operations. All organisations should have a robust business continuity and cyber response plan in place which can be activated in the event of a major provider suffering a cyber-attack or incident. In addition to this, businesses need to understand what data and systems their providers provide or access so that they can implement contingency plans should there be an outage.
• Take a risk-based approach to security investments: The security market is flooded with the latest products claiming to fix all a business’s security issues. Businesses should prioritise cyber security investment where it will be most effective, and this requires first assessing and understanding their core cyber risks. Kordia’s research reveals many businesses' lack of understanding about security risks, so this will be a big challenge to improving cyber security.
• Treat identity as a security foundation: Identity attacks are on the rise as more businesses move to the cloud and social engineering tactics (such as phishing) continue to ramp up. Reviewing identity and access management processes and systems, implementing single sign on, segregating admin functions and enforcing phishing resistant MFA (multi-factor authentication) are just some of the way ways New Zealand businesses can secure the perimeter from identity-based attacks.
• Prepare for quantum, the next wave of encryption: Increasingly advanced quantum computers have the ability to break through encryption currently used to protect electronic communications. While quantum may seem like tomorrow’s problem, organisations - particularly those in industries such as critical infrastructure, finance and health - should consider what impacts quantum might have on their risk profile, and on the data they store. Kordia’s advice is to begin at the board level, with a 3-year outlook on how the business might prepare ahead of any major developments in quantum computing in the next decade.

About Kordia 

Kordia is a leading provider of innovative technology solutions to a wide range of corporate and government clients throughout New Zealand, Australia, and the wider Pacific. With more than 65 years’ experience in keeping New Zealand connected, Kordia is continually evolving its product and service offering to meet the changing needs of businesses in an always-on world. Today, Kordia’s offering in the mission-critical technology space spans cloud, cyber security, modern workplace, media, broadcast, maritime, and more. Underpinning all Kordia does is its people – a team of more than 480 technology experts who are trusted by some of New Zealand’s biggest brands to keep them connected and secure online. As a State-Owned Enterprise, Kordia is a proudly New Zealand owned business that exists to help Kiwi businesses create, innovate, flourish and thrive, and provide value to the shareholder. For more information visit: www.kordia.co.nz

© Scoop Media