Source: Radio New Zealand
Almost one in two large businesses were successfully attacked by cybercriminals in the last year. Unsplash / RNZ
AI-empowered cybercriminals are attacking businesses at unprecedented speeds with more than 80 percent of phishing emails containing AI-generated content that is difficult to detect.
Kordia’s 10th annual New Zealand Business Cyber Security Report indicates 44 percent of large businesses were successfully attacked in the past 12 months, and 61 percent suffered a serious business disruption, including extortion in one-in-five cases.
Vulnerabilities exploited
“This year’s survey actually showed that we had a lot more voice-based and video-based attacks reported by participants,” Kordia-owned Aura Information Security general manager Patrick Sharp said, adding that biometric data had been used for a long time to authenticate users.
“One of the problems with using things like voice or your face as a form of authentication is that you can never change it.”
Harsher penalties and ecucation
Top of the wish list was for government-supported, educational programmes to raise cyber security awareness, with harsher penalties for businesses who failed to protect data and mandatory reporting requirements for businesses hit by major attacks.
“To date, New Zealand’s privacy laws have not been as punitive as other countries’ when it comes to privacy breaches,” it said.
For example, New Zealand penalties of up to NZ$10,000 were available for a small number of offences – compared to maximum penalties of more than A$50m in Australia.
“The EU, UK and Australia are all explicitly tying cyber resilience to director accountability, expanding mandatory incident reporting, and moving from voluntary guidance to enforceable standards,” it said.
“These are decisive moves to unify government and business standards to defend against the scourge of state and criminal threat actors assaulting their countries.”
Global trends
Among Kordia’s findings was a Microsoft Digital Defence Report 2025, which found AI-assisted phishing campaigns achieved click-through rates of around 54 percent, compared with 12 percent for traditional phishing emails.
Sharp said AI-assisted attacks preyed on people’s emotions.
“They’ll try to get you to do something because they have ingratiated themselves with you, or because they’re threatening, or because they’re trying to pressure you to do something. So if you feel pressure to do something, if you feel slightly uncomfortable about it, there’s not someone you know or anything like that. Just don’t trust it,” he said.
McKinsey reported phishing volumes increased 1200 percent from 2022 to 2025, targeting an organisation every 39 seconds with a daily economic loss totalling $18m.
New Zealand’s concerns
Kordia’s survey of business leaders found 24 percent were concerned about the misuse of AI in their business, with improper use among the top three cyber-security priorities.
Survey respondents were focused on improving or implementing employee training, maintaining best practice, higher security and software for detection with more frequent updates and improved response coordination.
Threat perceptions varied by business size.
Smaller organisations with 50-99 employees were most concerned about phishing and ransomware attacks leading to extortion, with organisations with 100-200 employees concerned over AI misuse and malicious insider threats.
Larger businesses with 201-500 employees were most concerned about distributed denial-of-service (DDoS) attacks, which could disrupt operations, while those with more than 500 employees saw AI-generated cyber-attacks as a major threat.
Half of the business leaders said they would be willing to pay a ransom to a cyber criminal, and 8 percent of them had paid a ransom over the past year.
Insurance costs reflect risks
“Companies are certainly still using insurance, but it’s not the first thing they should be doing. The first thing companies should be doing is trying to reduce their risk down to the minimum level possible,” Sharp said.
While 17 percent of businesses made a claim on their cyber insurance over the past year, the cost of insurance was beyond the reach for many businesses, who were absorbing the costs, which included the loss of sensitive information, interrupted supply chains, fines and extortion.
A third of the businesses who suffered an attack estimated it took two months to resolve the issue, while a third doubted they could recover from a major attack.
Yet, 25 percent had not taken steps to secure the data, had no cyber security awareness programmes or had not practiced an incident response plan.
The World Economic Forum indicated the surge in successful attacks was compounded by a widening skills gap, with just 14 percent of organisations employing the right cyber talent, as the skills gap grew by 8 percent since 2024.
Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.
– Published by EveningReport.nz and AsiaPacificReport.nz, see: MIL OSI in partnership with Radio New Zealand
