When, Not If: Preparing Your NZ Business for a Cyber Attack

In today's digital landscape, the question for New Zealand businesses isn't if you'll be targeted by a cyber attack, but when. Despite robust preventative measures, the reality is that sophisticated threats are constantly evolving, and a breach can happen to anyone. The good news? While you can't always stop an attack, you can absolutely minimise the fallout and damage by being prepared.

Think of it like an earthquake – we live in the Shaky Isles, and while we can't prevent earthquakes, we can build resilient structures and have clear plans for what to do when one hits. Cyber resilience is no different.

So, let's talk about the essential preparatory steps your NZ business should be taking now to ensure you're ready to respond effectively when a cyber incident occurs.

1. The Blueprint for Chaos: Incident Response Planning (IRP)

This is your absolute foundation. An Incident Response Plan (IRP) is a detailed roadmap outlining what your organisation will do before, during, and after a cyber attack. It’s not a document to gather dust; it’s a living guide.

Key elements of a robust NZ-centric IRP:

  • Identification: How will you detect an attack? What are the alarm bells?
  • Containment: How will you stop the spread of the attack and isolate affected systems?
  • Eradication: How will you remove the threat from your environment?
  • Recovery: How will you restore systems and data to normal operations?
  • Post-Incident Review: What lessons will be learned to prevent future incidents?

Official Guidance:

  • NCSC NZ: The National Cyber Security Centre offers NZ-specific playbooks and incident management advice.
  • NIST Framework: Internationally, the NIST Cybersecurity Framework provides the gold standard for incident response stages.

2. Practice Makes Perfect: Desktop Exercises

Having a plan is one thing; knowing it works under pressure is another. Desktop exercises involve walking through hypothetical attack scenarios with your leadership team and IT providers.

Why these are vital:

  • Identify Gaps: They expose weaknesses in roles and communication before a real crisis hits.
  • Build Muscle Memory: Your team learns to react instinctively rather than panicking.
  • Test Communication: Who calls the CEO at 2:00 AM? Who talks to the bank?

3. Financial Shield: Cyber Insurance

Cyber insurance is rapidly becoming a non-negotiable for Kiwi businesses. It provides financial protection against the costs of a breach, which can easily spiral into the hundreds of thousands of dollars.

What it typically covers:

  • Forensics & Legal: The cost of finding out what happened and your legal obligations.
  • Business Interruption: Lost income while your systems are down.
  • Privacy Act Fines: Assistance with regulatory issues under the Privacy Act 2020.

4. Navigating the Legal Maze: The Privacy Act & Legal Counsel

NZ’s Privacy Act 2020 mandates that if you have a "notifiable privacy breach" (one that causes or is likely to cause serious harm), you must report it to the Office of the Privacy Commissioner (OPC) and the affected individuals.

Your preparatory steps:

  • Legal Counsel on Retainer: Have a firm with cyber expertise ready to go. You don't want to be "shopping" for a lawyer while your data is being leaked.
  • Breach Thresholds: Ensure your team knows what constitutes "serious harm" under NZ law.

5. Managing the Narrative: Public Relations (PR)

A cyber attack is a reputation crisis as much as a technical one. How you communicate to your customers, staff, and the public will define your brand's future.

Key PR preparations:

  • Crisis Comms Plan: Draft templates for emails to customers and media statements.
  • Single Source of Truth: Designate one spokesperson so the message remains consistent.
  • Transparency: Being honest about what you know (and what you don't) builds more trust than silence.

6. The Top Down: Board & Leadership Preparedness

Cyber security is no longer "just an IT problem." The Institute of Directors (IoD) NZ emphasises that boards have a fiduciary duty to manage cyber risk.

What boards need to do:

  • Set Risk Appetite: How much downtime can the business actually survive?
  • Resource Allocation: Ensure the IT team has the budget for offline backups and security monitoring.
  • Oversight: Regularly review the IRP and the results of recent desktop exercises.

In Conclusion: Be Resilient, Not Just Reactive

The digital threat landscape is unforgiving, but preparation is a powerful tool. By investing in planning, insurance, and practice now, you ensure that a "hack" is a manageable business disruption rather than a terminal event.