Questions are ordered around the concerns most likely to prevent action: feeling too small to be targeted, not knowing where to start, limited resources, unclear ownership, policies people do not follow, sophisticated phishing, internal mistakes and misuse, fear of blame and difficulty securing lasting staff and leadership support.
We're too small to be a target — is that true?
No. Attackers do not need to select a small business personally for it to be exposed. Phishing, credential harvesting, malicious links, password reuse and internet scanning can be carried out at scale against any reachable account or system. NCSC-commissioned research published in September 2025 found that 53% of surveyed New Zealand SMEs had experienced a cyber threat in the preceding six months, up from 36% in the previous survey. More than half of businesses that experienced an attack reported at least some impact, including lost time, financial loss, operational disruption, reputational damage or access to sensitive information and accounts. Small businesses may have fewer systems than large organisations, but they can also have fewer people, less redundancy and less cash available for recovery. The answer is not to imitate a bank's security programme. It is to apply proportionate safeguards to the accounts, information, payments and services the business depends on most.
- micro and owner-operated business — Automated attacks can reach the business regardless of size, while one incident may consume a disproportionate amount of the owner's time and cash.
- small and medium business — Prioritise the systems, identities, suppliers and information that would most affect customers and operations if compromised.
- proportionate security — Scale the safeguards to actual information, exposure, dependency and possible harm rather than organisation size alone.
- realistic threat model — Plan for opportunistic phishing, credential theft, fraud and common internet attacks as well as targeted incidents.
We are not too small to be exposed to cyber threats. Automated and opportunistic attacks can reach any online account or system. Our security effort will be proportionate to the information, payments, accounts and services we depend on, with priority given to incidents that could seriously affect customers or stop the business operating.
It all feels overwhelming — where does a small business actually start?
Start with a short list of what the business cannot afford to lose: its main email and cloud accounts, customer and employee information, payment processes, website or booking system, critical suppliers and ability to restore data. Do not begin by trying to write twenty policies or buy a complex security platform. Own Your Online acknowledges that knowing where to start can be overwhelming and provides a free assessment that takes about five to ten minutes and produces a customised checklist divided into business basics, next-level protection and additional measures. Use that plan to select a small first group of actions: name an owner, enforce MFA on important accounts, install updates, use unique credentials and a password manager, protect and test backups, limit access and establish a simple reporting and incident-response route. Complete those actions, retain evidence that they work and then move to the next group.
- identify what matters — List critical accounts, information, payments, systems, devices, suppliers and business services.
- take a short assessment — Use the Own Your Online tool to produce a prioritised action plan rather than starting from a blank page.
- complete the basics — Focus first on MFA, updates, unique credentials, backups, access limits and incident reporting.
- work in stages — Finish, test and record a small set of controls before adding more complexity.
Do not try to solve cyber security all at once. First identify the accounts, information, payments and services the business depends on. Complete the Own Your Online assessment, assign one accountable owner and work through the highest-priority actions in stages. Finish and test the basics before buying more tools or creating more documents.
We don't have much budget or time — what is the minimum that really matters?
Limited time and money are genuine constraints, but the first layer of protection is usually consistent use of a few high-value controls rather than an expensive technology stack. Secure the main email, finance, cloud, social-media and administrator accounts with MFA. Keep operating systems, applications and internet-facing devices updated. Give people a password manager so every account can have a different credential. Maintain backups that are protected from the ordinary network and test that important information can be restored. Remove access promptly when roles or supplier relationships end. Give people one well-known way to report suspicious messages, accidental disclosures and lost devices, and maintain a short incident plan. NCSC research also found that some SMEs were failing to adopt 2FA and backups because they believed they were already doing enough. A realistic minimum therefore includes checking whether the basics are actually enforced and tested, not merely available.
- protect identities — Enforce MFA and unique credentials on the accounts most capable of affecting money, customers and operations.
- reduce common exposure — Install updates, remove unnecessary access and replace unsupported or default configurations.
- prepare to recover — Protect backups, test restoration and keep a short incident and communications plan.
- enable people — Provide a password manager, clear instructions, an easy reporting route and approved alternatives to insecure workarounds.
Our minimum is not a large security stack. It is consistent execution of the basics: MFA on important accounts, prompt updates, unique credentials through a password manager, restricted access, protected and tested backups, a simple reporting route and a short incident plan. A control counts only when it is enabled, used and tested.
Whose job is security in a small New Zealand business?
The owner or senior leader remains accountable for setting expectations, allocating resources and deciding which risks the business accepts. The Privacy Act requires the organisation to have at least one person fulfilling the privacy-officer role. An internal IT person or external provider may configure systems and advise on threats, but outsourcing technical work does not remove the organisation's responsibility for its information, staff, customers or suppliers. Managers must apply access and information-handling rules in their teams. Finance staff must verify payment changes. People with administrator access must protect elevated accounts. Every user must follow the policy and report concerns. NCSC says cyber security is no longer just an IT problem and that everyone should be invested in the organisation's security model. In a very small business, one person may hold several roles, but the responsibilities and backup contact should still be explicit.
- owner or senior leader — Owns business risk, approves policy, funds priorities and models the expected behaviour.
- privacy officer — Oversees Privacy Act compliance, privacy processes, complaints, requests and liaison with OPC.
- IT or external provider — Advises and implements agreed technical controls without replacing the business's accountability or decision authority.
- every authorised user — Uses systems safely, protects information and credentials, follows verification processes and reports concerns promptly.
Security is a shared responsibility with clear accountability. Senior leadership owns the risk and resources. The privacy officer oversees Privacy Act responsibilities. IT personnel and providers implement and advise on controls. Managers apply the rules in their teams. Every user protects the access and information entrusted to them and reports concerns promptly.
Why don't staff follow the security policy, and how do we fix that?
People often bypass a policy when it is difficult to find, difficult to understand, inconsistent with how work is actually performed or unsupported by usable tools. Other causes include competing deadlines, unclear ownership, leaders who ignore the rules, repetitive training, fear of admitting uncertainty and controls that prohibit an activity without providing a safe alternative. Treat non-compliance as a design signal as well as a people issue. Keep policies short and specific, explain the business and personal consequences behind important rules, provide approved tools, involve users in testing the process and build requirements into the workflow. NCSC recommends policies that are simple, short and easy to understand, regular interaction rather than a yearly training video, and a positive culture that makes security less of a chore. Deliberate misuse still requires an appropriate response, but recurring workarounds often indicate that the policy, system or incentive needs to change.
- clarity failure — The requirement is long, vague, hidden, contradictory or not connected to the user's real task.
- friction failure — The secure method takes longer, lacks tools or prevents legitimate work without an approved alternative.
- leadership inconsistency — Managers bypass the rule, reward speed over safety or create informal exceptions.
- practical correction — Simplify the rule, provide tools, integrate it into work, explain why it matters and test it with affected users.
When people repeatedly bypass a security rule, we will examine the rule, workflow, tools, incentives and training as well as individual behaviour. Policies must be short, accessible and relevant to real work. The secure method must be practical, and prohibited activities must have an approved alternative. Leaders must follow the same rules they expect others to follow.
Why do smart people still get caught by phishing and social engineering?
Phishing is designed to exploit context, trust and timing rather than a lack of intelligence. A message may imitate a familiar supplier, executive, bank, courier or customer; arrive while the recipient is expecting a payment or parcel; create urgency; or use information gathered from public profiles and earlier breaches. Workload, distraction and authority pressure can reduce the time available to notice inconsistencies. NCSC says many breaches involve human actions such as clicking links or opening files that provide attackers with credentials or system access. In Q1 2026, phishing and credential harvesting accounted for 47% of organisation incidents processed through NCSC's triage. The answer is layered protection: email filtering, MFA, independent verification of sensitive requests, password managers, regular examples of current scams and a reporting process that still helps after somebody has clicked. Training should build recognition and recovery behaviour, not test whether employees can be embarrassed.
- context and trust — Attackers imitate familiar people, brands, conversations and events to make a request appear routine.
- urgency and authority — Pressure, secrecy, deadlines and senior-person impersonation can discourage normal checking.
- layered prevention — Combine filtering, MFA, password management and independent process verification rather than relying on awareness alone.
- safe recovery — Make immediate reporting useful even after a link, attachment, password entry or payment action has occurred.
Phishing succeeds by exploiting trust, timing, authority and distraction, not simply ignorance. We use technical controls, MFA and independent verification alongside regular training. Anyone who suspects they have clicked, replied, entered a credential or approved a request must report it immediately. Early reporting is treated as a protective action.
How should we think about insider risk, snooping and honest mistakes?
Do not treat every internal incident as the same kind of behaviour. Malicious misuse includes deliberately accessing, disclosing, altering or stealing information for curiosity, advantage, revenge or fraud. Reckless behaviour may involve consciously bypassing a safeguard despite a known risk. Honest mistakes include sending information to the wrong recipient, clicking a convincing link or misunderstanding an unclear process. Control failures can also make the incident more likely by giving people excessive access, using shared accounts or failing to provide checks. OPC describes employee browsing and unauthorised internal use as one of the most common privacy breaches and expects organisations to limit access, use audit logs and reinforce legitimate-purpose rules. Contain and assess the privacy or security incident first. Any employment response should then consider intent, role, clarity of the policy, training, control design, actual harm and the employee's explanation through a fair process.
- deliberate misuse — Intentional snooping, disclosure, theft, alteration or circumvention for an unauthorised purpose.
- reckless conduct — Conscious disregard of a clear and understood safeguard or material risk.
- honest error — An accidental action influenced by confusion, workload, a convincing attack or an inadequate process.
- system and governance failure — Excessive access, missing checks, shared accounts, poor tools or unclear policy enable or amplify the incident.
We distinguish deliberate misuse, reckless behaviour, honest mistakes and control failures. Every incident is contained, recorded and assessed according to its privacy and security impact. Employment action, where considered, must take account of intent, role, policy clarity, training, system design, actual harm and the person's explanation and must follow a fair process.
Does blame make people more careful, or does it stop them reporting?
A business still needs consequences for deliberate or serious misconduct, but indiscriminate blame can make incident response slower and less effective. NCSC recommends rewarding positive behaviour rather than punishing mistakes and warns that negative reinforcement can cause people to hide issues because they fear punishment. A person who reports a malicious file immediately may give the response team time to isolate a device, revoke credentials or stop a payment. Someone who expects ridicule or automatic discipline may remain silent. Establish a simple reporting route, acknowledge reports promptly, tell the reporter what to do next and separate immediate containment from any later employment investigation. Make clear that prompt, honest reporting is expected and valued, while intentional concealment or malicious conduct may still be addressed through a lawful and fair process.
- early reporting — Treat rapid disclosure of a mistake, suspicious request or near miss as useful protective information.
- containment first — Secure accounts, systems, money and information before deciding whether an employment investigation is required.
- fair accountability — Reserve proportionate employment consequences for conduct established through a fair process rather than automatic blame.
- feedback loop — Acknowledge reports, explain outcomes where possible and use lessons to improve systems, training and policy.
Prompt and honest reporting is a protective action and will be encouraged. We will contain the incident before reaching conclusions about blame. Reporting a mistake does not create automatic immunity from accountability, but no employment outcome will be predetermined. Deliberate concealment or malicious misuse may be investigated through a lawful and fair process.
How do we get genuine staff and leadership buy-in?
Connect security to the work people already care about. Leaders need to see the relationship between human-targeted incidents and cash flow, customer trust, business interruption, staff stress and time lost. NCSC recommends using the organisation's own incident data to show the value of managing human risk and says leadership support is necessary for an effective awareness programme. Staff need to understand why a rule exists, receive the tools needed to follow it and have a voice in testing whether it works. Begin with visible leadership behaviour: executives use MFA, follow payment-verification rules, attend training and report their own suspicious messages. Publish a few meaningful measures, such as MFA coverage, reporting speed, restored backups and overdue access removal, without turning reporting numbers into punishment targets. Share improvements made because somebody raised a concern. Buy-in grows when security is practical, consistently modelled and connected to keeping the business and its people working.
- leadership — Connect security to business priorities, provide resources, model the rules and act on unresolved risk.
- managers — Reinforce secure processes in daily decisions and avoid rewarding speed or convenience that bypasses safeguards.
- staff and contractors — Involve users in testing requirements, explain why they matter and provide usable tools and feedback.
- credible evidence — Use incident impact, control coverage, exercises, near misses and completed improvements instead of fear alone.
Security buy-in starts with visible leadership behaviour and practical support. We will connect security requirements to customer trust, cash flow, continuity, workload and staff wellbeing; involve affected users in improving processes; provide the tools needed to comply; and show what changed because people reported risks or incidents.
What's my next step?
Common misconceptions
- A small business is too insignificant to encounter cyber threats. NCSC research found that 53% of surveyed New Zealand SMEs experienced a threat in the preceding six months. VERIFIED
- Cyber security is solely the IT provider's job. NCSC says it is no longer just an IT problem, and the business retains responsibility for its information and risk decisions. VERIFIED
- A business needs a large budget before it can take meaningful action. Own Your Online provides free, staged actions, while NCSC prioritises a limited group of high-value controls. INFERRED
- Smart or technically capable people cannot be phished. Social engineering can exploit context, timing, trust, urgency and authority regardless of general intelligence. INFERRED
- Annual online training is a complete human-risk programme. NCSC says awareness should involve regular, ongoing training and human interaction. VERIFIED
- People fail policy only because they are careless. Unclear requirements, missing tools, conflicting incentives and impractical workflows may also create insecure workarounds. INFERRED
- Every internal security incident is malicious insider activity. Privacy and security incidents can be accidental, deliberate or enabled by inadequate access and process controls. VERIFIED
- Employee snooping is harmless curiosity. OPC says unauthorised employee browsing is a privacy breach that can cause serious consequences including harassment and blackmail. VERIFIED
- Punishing every mistake makes people report sooner. NCSC warns that negative reinforcement can cause people to conceal incidents because they fear punishment. VERIFIED
- A person who reports after clicking is already too late to help. NCSC says immediate reporting after running a malicious file can be invaluable to protecting the network. VERIFIED
- A policy breach automatically justifies dismissal. Employment New Zealand requires a good reason, fair investigation and fair process, with an appropriate and reasonable response. VERIFIED
- Australia's Essential Eight, SMB1001 and ASD ISM are official New Zealand human-risk frameworks. They are not and should not be presented as New Zealand law or official New Zealand baselines. INFERRED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| Privacy Act 2020 IPP 5 reasonable security safeguards | Office of the Privacy Commissioner | The organisation holds personal information, including customer, employee, contractor or supplier information. | Ongoing while the information is held and whenever people, access, systems, suppliers, work practices or risks change. | |
| Privacy officer appointment | Office of the Privacy Commissioner | The entity is an organisation or agency subject to the Privacy Act. | Maintain at least one person fulfilling the privacy-officer role on an ongoing basis. | |
| Privacy Act limits on unauthorised use and disclosure | Office of the Privacy Commissioner | An employee, contractor or other user accesses, uses or discloses personal information. | Access, use and disclosure must remain limited to authorised organisational purposes and applicable Privacy Act grounds whenever the information is handled. | |
| Notifiable privacy breach arising from human error or misuse | Office of the Privacy Commissioner | An accidental or deliberate privacy breach has caused or is likely to cause serious harm to an affected individual. | Notify OPC and affected people as soon as practicable; OPC says notification should ideally occur within 72 hours after awareness of a notifiable breach. | Failure without reasonable excuse to notify the Commissioner is an offence punishable by a fine up to NZD 10,000. |
| Good faith and fair process for employment action | Employment Relations Authority and Employment Court | The employer considers disciplinary action, disadvantage or dismissal following a security-policy breach, mistake or suspected misconduct. | Before deciding, raise the concern, provide relevant information and possible consequences, investigate fairly, allow a reasonable opportunity to respond and genuinely consider the response. | Employment remedies or penalties may apply depending on the action, process and resulting grievance. |
Sources
- More than half of New Zealand businesses experiencing cyber threats primary
- SME Cyber Security Behaviour Tracker 2025 primary
- Build security awareness in your organisation primary
- NCSC Critical Controls: Summary primary
- NCSC Cyber Security Framework primary
- Quarter One sees significant cyber incidents primary
- Q1 2026 data landscape: a closer look at NCSC incident numbers primary
- A business cyber security plan made easy primary
- Business online security assessment tool primary
- Top online security tips for your business primary
- Own Your Online — How to spot phishing primary
- Privacy Act 2020 Principle 5 — Storage and security of information primary
- Information for privacy officers primary
- The greatest threat in the workplace could be sitting next to you primary
- Sorting out privacy breaches primary
- NotifyUs of a serious privacy breach primary
- Employment New Zealand — Good faith primary
- Employment New Zealand — Misconduct primary
- Employment New Zealand — Disciplinary process primary
- Employment New Zealand — Dismissal primary
- r/newzealand discussion of a sophisticated NZ Post parcel scam forum
- r/newzealand discussion of scam-victim shame and reporting forum
- r/newzealand discussion of business dependence on IT systems forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.