Cyber security in 2025: A guide on how to protect your business
Kordia’s latest research has unveiled alarming statistics about the surge in AI-driven cyber-attacks targeting Kiwi businesses. NZBusiness sits down with Horatiu Petrescu, Senior Security Advisor at Kordia-owned security consultancy Aura Information Security, to discuss the evolving threat landscape and what practical measures your business can implement to significantly strengthen its defences against cybercriminals.
Cyber-crime is more prevalent than many businesses realise, and few are willing to admit when they’ve been targeted. In March, Kordia released its New Zealand Business Cyber Security Report, which revealed a significant increase in AI-powered attacks on businesses. Nearly two-thirds of surveyed organisations reported experiencing a cyber incident within the past 12 months. More alarmingly, over a quarter of businesses said they offered no cybersecurity training to staff.
According to Horatiu, this lack of preparedness is a major concern.
“AI has supercharged the capabilities of cyber criminals, making attacks faster, more sophisticated, and harder to detect,” he says.
Phishing remains one of the most common entry points for attackers. While poorly written emails were once easy to spot, artificial intelligence now allows threat actors to mimic the language and tone of CEOs and colleagues with striking accuracy.
“All phishing emails follow a pattern. They try to provoke urgency, fear, or uncertainty. Recognising that attackers use this for emotional manipulation is key to avoiding traps,” says Horatiu.
As cyberattacks grow more convincing, businesses must shift their focus from simply detecting threats to proactively preparing their people and systems to respond effectively.
Attackers commonly use phishing tactics to harvest login credentials, allowing them to move across systems unnoticed. From there, they may access sensitive data, financial information or client records.
“A common misconception is that hackers need a lot of sophistication to break into complex systems. In reality, it’s often as simple as one employee clicking a fraudulent link. That’s the window into the fortress,” says Horatiu.
Small and medium-sized enterprises are particularly at risk. Many lack the technical expertise or resources of larger organisations, making them attractive targets. According to Horatiu, the solution lies in a layered defence.
“Think of it like James Reason’s Swiss Cheese Model. Each layer has holes, but when you stack them together, the gaps are covered. This is called defence-in-depth and it’s about combining visibility, smart technology, and human awareness.”

Despite this, one-third of surveyed businesses do not report cyber risks to their Boards on a regular basis, and 67 percent have never conducted a penetration test.
A penetration test, sometimes referred to as a ‘pen test’, is a simulated cyberattack carried out by ethical hackers.
It identifies vulnerabilities in systems before bad hackers can exploit them.
“It’s a basic health check for your digital systems, yet most SMEs aren’t doing it. Often it’s because they’re unaware or assume it’s too costly,” Horatiu says.
Preparation is just as important as prevention.
Kordia recommends that businesses conduct annual incident response tabletop exercises.
These simulated scenarios help teams practise their technical response, decision-making and communication under pressure.
“These exercises create muscle memory. When the real thing happens, your team knows exactly what to do.”
One of the most overlooked elements of incident response is communication.
Many businesses hesitate to inform clients, stakeholders or the media following a breach. However, failing to communicate can be just as damaging as the incident itself.
Unlike in Australia or the United States, where stronger regulations and penalties are in place, New Zealand’s cyber regulations remain comparatively relaxed. Horatiu expects that to change.
“In our previous reports, businesses actually expressed a desire for tighter regulation because it forces security to the top of the agenda.”
Until those regulations are introduced, SMEs have both an opportunity and a responsibility to lead the charge. Kordia recommends taking a risk-based approach, identifying your most critical digital assets, and prioritising protections accordingly.
For businesses unsure where to start, Horatiu recommends free resources such as Own Your Online, a New Zealand government initiative that provides simplified guidance for small businesses and individuals.
“The toolkit covers everything from password management to backup procedures. It’s a great starting point.”
For New Zealand SMEs, the stakes are simply too high to treat cybersecurity lightly or as an afterthought.
“Cybersecurity isn’t something you implement once and forget. It’s ongoing, it’s layered, and it requires buy-in from every staff member. The sooner businesses embed it into their operations, the better prepared they’ll be for whatever’s coming next.”
Whether it is investing in training, setting up protection tools, or conducting simulated incident exercises, the first step is to get started. Cyber threats are evolving, but so too are the tools and knowledge available to defend against them.
As Horatiu puts it, “It’s no longer a matter of if, but when. The good news is, there’s plenty that businesses can do, starting today.”
Three steps your business can take today
While AI-driven threats may sound daunting, Horatiu believes there are clear and practical steps that SMEs can take to build resilience.
- Cybersecurity awareness training: Education remains one of the main tools available. “Training, which includes phishing exercises, should be run quarterly or at least twice a year. It needs to include real examples that people can relate to. Walk them through how breaches happen and make it relevant to their role,” Horatiu says.
- Password hygiene: Encouraging staff to use unique and complex passwords is essential. Reusing the same password across platforms remains a widespread and dangerous habit. “Using a reputable password manager makes life easier and safer. And multi-factor authentication is a must. It’s your last line of defence.”
- Email protection tools: Since phishing emails remain the most common method of attack, businesses should invest in email protection tools, especially ones that utilise AI to better detect threats. These solutions scan messages for suspicious links, sender anomalies, and content patterns before a user has the chance to interact with them.
“Advanced email scanning tools used to be expensive, but there are now cost-effective business options available that offer excellent protection,” says Horatiu.