The latest National Cyber Security Centre (NCSC) report paints a stark picture for New Zealand’s cyber security landscape. According to the December 2025 update, organisations across the country — from government agencies to SMEs — are facing a rapidly intensifying wave of cyber threats.
- The National Cyber Security Centre (NCSC) Cyber Threat Report 2025 was published today.
Key Findings from the Report
-
Over the past year, NCSC handled around 6,000 incident reports, of which more than 300 were deemed to have potential national impact.
-
Attackers are now more diverse: state-linked actors, financially-motivated crime groups, and hacktivists all increased their activity.
-
The cost of cybercrime soared: direct financial losses hit NZ$ 26.9 million, a sharp jump from previous years — with the true cost likely much higher once downtime, recovery, and reputational damage are considered.
-
Small and medium-sized businesses (SMBs) are particularly vulnerable: many reported at least one cyber threat during the year, with many lacking basic protections like multi-factor authentication and reliable backups.
-
Attack vectors are evolving: supply-chain compromises, vendor-account takeovers, cloud and VPN infrastructure intrusion, and politically or ideologically motivated disruption campaigns are increasingly common.
What’s Driving the Surge
The increased activity reflects a global trend where cyber threats are becoming more automated, more readily accessible, and more opportunistic. For New Zealand in 2025:
-
State-sponsored actors are targeting digital infrastructure for intelligence, long-term access or disruption — not just financial gain.
-
Financially motivated criminals continue to exploit weak cyber hygiene — ransomware remains a major threat, especially affecting organisations without layered defences or incident response plans.
-
Supply chains and third-party dependencies are growing in importance — attackers increasingly exploit vendors, service providers or software dependencies as entry points.
-
Many successful attacks still exploit basic misconfigurations and human vulnerabilities: unpatched systems, reused passwords, exposed remote-access, and poor monitoring remain common factors.
Why This Matters for Cloudtria Clients
As a provider of cloud-based security and advisory services, Cloudtria’s clients — particularly SMEs and mid-sized organisations — are squarely in the crosshairs. The report underscores that no business is too small to be targeted.
Moreover, the real cost of an incident often far exceeds the immediate financial hit: downtime, lost productivity, reputation damage, and the cost of recovery and remediation can be crippling.
In this environment, compliance and reactive security are not enough. What’s needed is cyber resilience: proactive security hygiene, layered defences, continuous monitoring, and, critically — a tested incident response plan.
Key Steps for Improving Cyber Resilience in 2026
Based on the report and best practices for New Zealand organisations, Cloudtria recommends:
-
Zero-trust access controls and MFA — especially for remote access, VPNs, and cloud resources.
-
Regular patching and vulnerability management — ensure operating systems, applications, and cloud workloads are up-to-date with security patches.
-
Supply-chain and third-party risk assessments — evaluate vendors, service providers and dependencies for security posture before integration.
-
Implement layered security — not just perimeter defence: include endpoint detection, network monitoring, identity protection, and data-backup strategies.
-
Formal incident response planning & simulations — assume breaches will occur; have a plan that includes detection, containment, recovery, and communication.
-
Security awareness training — educate staff on phishing, social engineering, and secure operational practices.
Final Thoughts
The NCSC’s 2025 report is a wake-up call: cyber threats in New Zealand are growing in volume, sophistication, and impact. For organisations of all sizes, doing the bare minimum is no longer sufficient. Investing in resilience — through layered defences, continuous monitoring, and rigorous incident response planning — is no longer optional.
At Cloudtria, we’re committed to helping you stay ahead of these evolving threats. If you’d like to review your current security posture or develop a tailored resilience plan for 2026, we’d be glad to help.
