Building cyber resilience: A practical guide for small businesses
Cyber threats are on the rise, and small businesses are feeling the pressure. In this practical guide, cyber expert Vanessa Leite shares essential steps Kiwi SMEs can take to boost their cyber resilience — starting with the basics and building up.
It’s no surprise that cyber security has become more complicated and harder to manage in recent years. The Global Cyber Security Outlook 2025 report from the World Economic Forum highlights how much more complex the cyber world is becoming – and how this is affecting both businesses and governments around the world.
The report also shows that smaller organisations are finding it harder to stay cyber safe. In 2022, only five percent said their cyber security was not strong enough – but by 2025, that number had jumped to 35 percent.
Here in New Zealand, Datacom’s 2025 Business Outlook Survey found that cyber security is still a big concern. Over one-third of businesses said they had faced serious cyber attacks in the past year, rising to 53 percent for larger companies.
Kordia’s New Zealand Business Cyber Security Report tells a similar story. Nearly 60 percent of businesses with 50 or more staff were hit by a cyber attack or security issue in the past year. Email phishing was the most common method, causing 43 percent of the reported breaches.
The message is clear: cyber threats aren’t just increasing in number – they’re advancing faster and becoming harder to keep up with. No matter how big or small the organisation is, ignoring these risks can put a business’s success and stability in danger.
The challenge for many small businesses is knowing where to start and how to make the most of their limited time and resources. Business owners often find that the recommendations they receive don’t align with their needs, with some being advised to implement costly, time-consuming solutions or processes that require expertise they don’t have.
That’s why I’ve teamed up with NZBusiness to share a practical set of recommendations for small businesses in New Zealand.
Level 1: Starting with the basics
If you’re a small organisation – perhaps just the owner and a few staff members – and primarily rely on tools like email, cloud storage (e.g. Google Drive or OneDrive), and other off-the-shelf SaaS apps such as Xero or Zoom, this is where you should begin (these are the must-haves for any small business):
- Use strong passwords and multi-factor authentication (MFA)
To keep your accounts secure, use strong, unique passwords and turn on Multi-Factor Authentication (MFA) wherever possible. A password manager like iCloud Keychain, Bitwarden or 1Password can help generate and store complex passwords, so you don’t have to remember them all. Small organisations should also encourage staff to sign in to tools using “Log in with Google” or “Log in with Microsoft” to reduce password reuse and make access easier. If you’re using Google Workspace or Microsoft 365, set them up as your main login system to manage access and security across your apps.
- Keep software updated
Keeping your devices and software up to date is one of the easiest ways to stay protected. Turn on automatic updates for your computers, phones, and commonly used apps like Chrome, Zoom, and Office 365. If automatic updates aren’t available, set a regular time – like weekly or monthly – to manually check and install them. For cloud apps like Google Drive, make sure they’re syncing properly and running the latest version on all your devices. This also means regularly closing apps, including the web browser, and restarting your computer to ensure updates are synced properly.
- Back up data regularly
Backing up your critical business data is essential to protect against data loss from cyber attacks, hardware failures, or accidents. Services like Google Drive, OneDrive, and Dropbox are great options for storage, but it’s also important to keep additional backups elsewhere, such as on external hard drives or network storage devices. Tools like Google Takeout, Dropbox and OneDrive Backup simplify exporting and saving your data to other cloud storage apps and external drives. Establish a regular backup schedule to ensure your important files are properly backed up and up to date.
- Install security software
Installing trusted antivirus software is important to keep your devices safe from malware and online threats. Ask your Internet provider if they have any deals on security software, or buy it from a reliable source. Make sure to keep the antivirus updated and set it to run automatically. Also, turn on firewalls on your devices and your router (the device often provided by your Internet provider) for extra protection.
- Cyber training
Help your team recognise cyber threats like phishing emails and develop good habits. CERT NZ and Netsafe offer resources for business owners and end users to understand risks and protect themselves. They also provide incident reporting channels for help. The New Zealand Government’s Own Your Online initiative aims to raise awareness of cyber security for individuals and businesses. It has videos and easy-to-understand resources, which can be used to educate you and your team.
Although these recommendations are a great starting point, they are fairly basic and manual. If you’re ready to invest further and introduce more automation into your cyber security, take a look at this next level of recommendations.

Level 1+: Taking the next step
You’re still a small organisation, but now you may need custom applications instead of relying solely on off-the-shelf SaaS tools. You might start developing or integrating bespoke software to meet specific business needs. Your compliance requirements have also changed, as you’re now processing more critical information, or are about to collaborate with larger organisations that have more stringent security mandates. If that’s the case, consider the following in addition to Level 1 (for small organisations that are growing and ready to strengthen their cyber security even further):
- Secure configurations
Make sure all your devices, applications, and environments – such as cloud services – are securely set up. This includes removing or disabling software and services you don’t use, and changing any default usernames, passwords, and settings. Most common technologies have secure configuration guides or best practices provided by the vendor or trusted sources like the Center for Internet Security (CIS). You should apply these settings where possible and regularly check for any changes or gaps.
Consider working with a cyber security or IT provider who can run tools to check if your systems meet these best practices and help you stay compliant.
- Activity monitoring
Enable logging on your devices and software so you can track what’s happening – like who logged in, when, and what they did. Regularly reviewing these logs can help you spot unusual activity early, such as unauthorised access or suspicious behaviour. Many systems include basic logging tools that are easy to turn on. It’s also a good idea to set up automatic alerts for important security events – like failed login attempts, unusual access patterns, or changes to user permissions – so you can respond quickly if something goes wrong.
- Incident response plan
Having a written incident response plan helps you act quickly if something goes wrong – such as a data breach, phishing scam, or malware infection. Your plan should outline who does what, how to get help, when to report and to whom, how to restore your systems, etc. Even a simple checklist is important, especially if you are dealing with larger organisations that may require you to have formal procedures in place.
- Cyber insurance
Cyber insurance can help cover the cost of recovery after a cyberattack – such as data recovery, legal fees, and lost revenue due to business interruption. Businesses that rely heavily on digital systems or store sensitive information should explore cyber insurance, as insurers often provide additional benefits. These may include an initial security posture assessment during the onboarding activities and technical support in the event of an incident.
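The alerting described under “Activity monitoring” above, as an added example that is not part of the original guide: a short Python script that scans login events and flags repeated failed logins, a successful login straight after a burst of failures, and permission changes. The log format, the sample lines, the threshold and the time window are all constructed assumptions; each real system has its own log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a made-up "timestamp event key=value" format.
SAMPLE_LOG = """\
2025-03-01T09:00:05Z login_ok user=alice ip=198.51.100.10
2025-03-01T09:14:01Z login_failed user=bob ip=203.0.113.7
2025-03-01T09:14:09Z login_failed user=bob ip=203.0.113.7
2025-03-01T09:14:20Z login_failed user=bob ip=203.0.113.7
2025-03-01T09:14:31Z login_ok user=bob ip=203.0.113.7
2025-03-01T09:20:00Z role_changed user=bob new_role=admin by=bob
2025-03-01T11:02:44Z login_failed user=alice ip=198.51.100.10
2025-03-02T08:58:12Z login_ok user=alice ip=198.51.100.10
"""

FAIL_THRESHOLD = 3              # assumed: failed logins that trigger an alert
WINDOW = timedelta(minutes=5)   # assumed: period over which failures are counted

def parse(line):
    """Split one log line into (timestamp, event name, key=value fields)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields

def find_alerts(log_text):
    """Return (timestamp, alert kind, user) tuples, in log order."""
    alerts = []
    recent_fails = defaultdict(deque)   # user -> timestamps of recent failures
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, event, f = parse(line)
        user = f.get("user", "?")
        fails = recent_fails[user]
        while fails and ts - fails[0] > WINDOW:   # forget failures outside the window
            fails.popleft()
        if event == "login_failed":
            fails.append(ts)
            if len(fails) == FAIL_THRESHOLD:      # alert once per burst
                alerts.append((ts, "repeated_failures", user))
        elif event == "login_ok":
            if len(fails) >= FAIL_THRESHOLD:      # guessing may have succeeded
                alerts.append((ts, "success_after_failures", user))
            fails.clear()
        elif event == "role_changed":             # any change to user permissions
            alerts.append((ts, "permission_change", user))
    return alerts

if __name__ == "__main__":
    for ts, kind, user in find_alerts(SAMPLE_LOG):
        print(ts.isoformat(), kind, user)
```

A single mistyped password, like the one for alice in the sample, raises no alert; only the burst of failures for bob, the login that follows it, and the role change do.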
These are foundational security measures – simple, yet powerful. When done right, they can make a big difference to a business’s overall security and readiness. As cyber threats continue to increase, it’s key for businesses in New Zealand of all sizes to take proactive steps to protect their data, operations, and customers.