A quarter (24%) of New Zealand businesses say inappropriate use of AI by employees is one of their biggest cyber security challenges, according to new research from Kordia.
In 2025, while digital transformation and AI continued to reshape the way New Zealanders live and work, cyber threats expanded rapidly as well. AI-powered cybercrime is rapidly increasing globally, with phishing incidents increasing by 1200% since 2022. Currently, organizations are targeted every 39 seconds, resulting in $18 million in losses every day worldwide.
These trends are also reflected domestically, with recent large-scale breaches putting cybersecurity firmly in the spotlight.
“Individual staff members are copying sensitive data into AI systems without understanding the risks or receiving guidance from their organization. This is information they would never enter into Google.”
Now in its 10th year, 2026 Cordia New Zealand Business Cyber Security Report After surveying approximately 250 companies (50 or more employees), we found:
- The number of cyberattacks carried out using AI vulnerabilities more than doubled, from 6% in 2024 to 14% in 2025.
- Almost half of businesses (44%) say they suffered a cyberattack in the past 12 months, down from the previous year (59%).
- Almost a fifth (17%) of cyber incidents resulted in personal information being accessed or stolen.
- One in five (19%) businesses affected by a cyber incident are facing financial extortion by cybercriminals, up from 14% in 2024.
- One in ten (8%) paid a ransom or extortion demand. However, 42% of companies that were asked to pay ransom paid the ransom. Additionally, one-third (32%) of businesses said they would consider paying out such a claim.
- One-fifth (21%) of businesses affected by a cyberattack said they experienced business interruption, including the inability to access systems or service customers.
Redefining the “insider threat”
One in four companies (24%) say inappropriate use of AI is among their top three challenges to improving cybersecurity, up from 16% a year ago. Patrick Sharp, general manager of Kordia-owned Aura Information Security, said this is often due to vulnerabilities caused by companies deploying AI systems without due consideration to security.
“Insider threats, whether accidental or malicious, have always been a factor in cyber incidents and data breaches,” Sharp said.
“But shadow AI, the misuse of AI tools by employees, is evolving into a major problem. Individual employees are copying sensitive data into AI systems without understanding the risks or receiving guidance from their organizations. That information should never go into Google.”
“Business leaders tell us it keeps them up at night. Almost half (43%) say employees accidentally exposing data or AI-driven processes is the biggest cyber risk to their business, making it their top concern by a wide margin.”
“Furthermore, many New Zealand and international organizations are deploying sanctioned AI tools without adequate security governance and practices in place.”
A decrease in cyber attacks has been reported
The percentage of businesses reporting experiencing a cyberattack has decreased to 44% in 2025, compared to 59% the year before.
This appears to support data from the National Cyber Security Center (NCSC) Cyber Threat Report 2025. The report recorded 5,995 incidents in 2024/25 compared to 7,122 in 2023/24.
Sharp points out that while the NCSC reports that the number of cases is decreasing, the financial impact is increasing. According to the NCSC, direct economic losses of $12.4 million were reported in the third quarter of 2025, an increase of 118% from the previous quarter.
“Organizations need to spend time developing and implementing response strategies long before an incident occurs,” Sharp said. “Who will manage incidents, who will make decisions based on severity, who will communicate with staff, customers and regulators, when and how?
“Working with government agencies like the NCSC and the Privacy Commissioner is not just about transparency; it also helps the New Zealand government and businesses understand the scale and impact of this criminal activity,” he said.
Many companies agree. A third (36%) want reporting requirements for businesses affected by major cyber-attacks, similar to what Australia has introduced.
“As difficult as it may be, it is important that business directors and executives recognize their responsibilities before a breach occurs. New Zealand has a large pool of passionate and talented cybersecurity professionals who can guide effective business advice on cyber resilience.”
Personal information remains the gold standard
As recent major breaches have shown, personal information remains one of the key targets for cybercriminals. One-fifth (17%) of businesses say their personally identifiable information has been accessed or stolen, and an equal number (21%) are concerned that this stolen data could lead to extortion or extortion.
Worryingly, one in three companies say they are willing to pay a ransom to cybercriminals.
“No one wants to face a ransom demand, but it can look like they’re trying to solve an immediate problem,” Sharp said.
“However, there is no guarantee that cybercriminals will honor the transaction after the ransom is paid, for example, they may resell the stolen data.Paying the ransom ensures that extortion remains a reliable form of income for cybercriminals, and as long as it works, they will keep doing it.”
“The best strategy is to work with experts to build cyber resilience so you can continue operating and recover from incidents without succumbing to criminal demands.”
Business costs of low resilience
The financial and other costs of a cyber attack cannot be underestimated. Nearly two-thirds (61%) of businesses that faced a cyber incident experienced business interruption.
Cybercriminals are increasingly targeting supply chains, as business interruptions can be effectively used for ransom demands. This was demonstrated by the high-profile cyber attack on Jaguar Land Rover (JLR) in the UK last year. A fifth (20%) of New Zealand businesses said their supply chain had been disrupted by a cyber attack.
Several high-profile overseas examples over the past year, including Japan’s Asahi breach and the UK’s Marks & Spencer, show that cyberattacks can have a significant impact on operations.
Other costs borne by victims of cyberattacks include insurance claims (17%), regulatory fines (11%), and litigation (9%).
When and where should the government intervene?
Businesses also heard their views on the government’s role in improving New Zealand’s cybersecurity posture. According to Sharp, cyber resilience is an important issue for both businesses and nations, and there is a real role for governments to play.
“New Zealand’s cybersecurity laws lag significantly behind our global peers,” Sharp said.
“Following the JLR hack, the UK government stepped in with a £1.5 billion loan to prevent the collapse of a huge ecosystem of small and medium-sized businesses and protect the thousands of jobs that make up JLR’s supply chain,” he explained.
“A similar attack on New Zealand’s shores is not inconceivable. How prepared are we? Are we investing enough in our collective cyber defenses?”
The top government support request from businesses was for additional education programs on cybersecurity best practices (38%). Businesses also want tougher penalties and fines for companies that don’t protect personal data (36%) and laws that make it illegal to pay ransoms to cybercriminals (27%).
Steps to resilience: What New Zealand businesses should focus on in 2026
- Security starts at the top
Directors and executives face increased legal and commercial responsibility for cyber resilience, as incidents can disrupt operations, undermine trust, and increase financial costs. Strong cyber security relies on risk awareness, informed decision-making, and confidence that controls are correctly specified and effective.
Cybercrime is complex and constantly changing. Organizations should seek appropriate advice and set clear expectations with their suppliers to ensure that cyber risks are managed professionally.
- Upskill your workforce for an AI-first world
Organizations must update their training, policies, and processes to reflect evolving AI cyber threats. Staff should understand how modern scams such as vishing and deepfakes work and have clear guidance on acceptable AI uses.
Coding, supply chain, and data processing practices must also be updated to ensure that data is properly classified and protected and that third-party AI uses of data remain under your control.
Cloud services and remote work have removed traditional network boundaries. Attackers are now using highly targeted, AI-driven social engineering to target user identities rather than infrastructure.
Strong identity controls such as phishing-resistant multi-factor authentication (MFA), least privilege access, continuous verification, and robust password reset processes can help prevent account takeovers and significantly reduce risk. Remember: Most attackers log on, not hack.
- Multi-layered protection and detection control
Attacks typically involve a combination of techniques, exploiting design flaws, code bugs, and pressure on people. Organizations require a combination of multi-layered security controls, validation of their effectiveness, proper monitoring, and practical incident response.
a complete copy of 2026 Cordia New Zealand Business Cyber Security Report Available from the Cordia website.
Kordia operates across New Zealand, Australia and the Pacific, delivering mission-critical technologies in areas such as cloud, cyber security, broadcasting and maritime communications.
