AI cyber threats on the rise, new report warns NZ businesses of risks
New research from Kordia has revealed that artificial intelligence (AI)-generated cyber-attacks are an increasing concern for New Zealand businesses, with over a quarter (28 percent) of surveyed organisations ranking them as a top threat. Despite this, only six percent of recorded cyber breaches were directly linked to AI-related incidents.
The findings, published in the annual New Zealand Business Cyber Security Report, paint a concerning picture of the evolving cyber threat landscape in 2024. Nearly two-thirds (59 percent) of businesses with at least 50 employees reported experiencing a cyber-attack or security incident in the past year, with email phishing remaining the leading attack vector, responsible for 43 percent of breaches.
The report describes how the rapid proliferation of AI technology is reshaping both cybercrime and cybersecurity strategies.
“AI has lowered the cost of entry and time investment needed by cybercriminals to craft, refine, and adapt social engineering campaigns,” says Alastair Miller, Principal Security Consultant at Aura Information Security, a Kordia company.
“As a result, we’re seeing a surge in sophisticated email phishing attacks, and we expect this trend to continue.”
Miller warns that the rise of AI-driven cybercrime is accompanied by another emerging issue – shadow AI, where employees use AI tools without company oversight.
“Employees are feeding AI models with commercially sensitive or private information without realising the risks. Our report indicated six percent of cyber incidents involved an AI-related data breach,” he says.
However, AI also has its merits in cybersecurity. Miller notes that AI-driven monitoring solutions can improve threat detection, streamline security operations, and reduce the workload on IT security teams.
“The key is to take a strategic approach and use AI to supplement, not replace, foundational cybersecurity practices.”
The report underscores financial gain as the key motivator behind cyber-attacks. Personal information, intellectual property, and commercially sensitive data are among the most targeted assets. One in six (16 percent) respondents reported that their business suffered a breach involving the theft of personally identifiable information (PII). Furthermore, 14 percent of incidents involved financial extortion, and nine percent of businesses admitted to paying a ransom demand.
Despite the financial and reputational risks, the report found that many businesses are still failing to implement basic security measures. One-third of surveyed organisations do not conduct regular cyber risk reporting at the board level, and half have never practiced their cyber incident response plans.
“This report reveals that despite growing concerns around cybercrime, many businesses are still unprepared,” Miller says.
“Cybersecurity is not just an IT issue – it’s a fundamental business risk that needs to be addressed at the board level.”

New Zealand businesses lagging in cyber preparedness
The report identifies several gaps in New Zealand businesses’ cybersecurity readiness:
- 67% have not performed a penetration test in the past 12 months.
- 20% do not monitor or log activity within their networks.
- Only 39% always conduct a risk assessment when onboarding new technologies.
- 26% do not provide any cybersecurity awareness training for employees.
- 33% were unaware if their organisation had a single source of identity management.
- 33% did not know whether a vulnerability management programme was in place.
“Cybersecurity works best with a layered approach – having multiple protective measures in place. For example, multi-factor authentication is a simple but highly effective way to prevent credential-based attacks.”
Looking ahead: Key focus areas for 2025
Kordia has outlined five key areas businesses should focus on to strengthen their cybersecurity posture in 2025:
- Risk assess AI and emerging technologies – Businesses must evaluate the risks associated with AI adoption and ensure proper guidelines are in place.
- Factor third-parties into business continuity plans – With many businesses relying on cloud and SaaS platforms, contingency plans must be in place for potential third-party breaches.
- Take a risk-based approach to security investments – Organisations should focus security investments on areas with the highest risk exposure.
- Treat identity as a security foundation – Enforcing strong identity and access management practices, such as phishing-resistant multi-factor authentication, can mitigate cyber threats.
- Prepare for quantum computing threats – While quantum computing remains on the horizon, businesses – particularly in critical sectors – should start preparing for potential encryption vulnerabilities.
Miller stresses that businesses must shift from reactive to proactive cybersecurity measures.
“Cyber-attacks are a matter of ‘when, not if.’ The best defense is preparation – ensuring robust policies, implementing security measures, and regularly testing response plans.”