Many experts say that Kiwis are suffering in cyber.
Especially in the SME sector, which means family and private businesses.
Let us enumerate a few reasons for this, starting in New Zealand / Aotearoa.

First is general ignorance.
Kiwi managers and owners tend to ignore cyber risks. Many companies do nothing until they are in (or over) real trouble.
They are responsible for the company, employee and customer data, the company IP and reputation and the network and other assets.
Many owners and managers don’t understand that ultimately, they are responsible for cyber risks according to due diligence and due care.
They can transfer risks via contracting managers (employees), service providers or having cyber security insurance policies, but ultimately, they are the owners and managers of the companies. Those responsibility cannot be transferred.
According to this, they have the most to lose. For example, Governments learnt quickly that it is easy income to punish companies and managers if they do not know the rules and laws. Just think about GDPR and NZPA. They are learning from each other.

Second reason is relative unpreparedness of the authorities and other actors. We can find a new article almost every day in the Herald about a new trouble and sometimes it is written there that the authorities are not prepared and do not have the resources to properly help the victims. Their teams are overloaded and under resourced.
In addition, the authorities are almost always busy with rearranging the roles and responsibilities between various government services and organizations.

Third are the laws protecting kiwi businesses from cybercrime.
These are behind the regulations in other countries and continents. It is long due to get out the secret kiwi weapon of the last 200 years. Let us learn from the mistakes of others and make the better regulation here. The lawmakers are owning the cybercrime regulation refresh to kiwi businesses, and it is long overdue.

Fourth are the misconceptions at their IT service providers. Cyber security is not equal with the latest firewall or the newest anti-virus. Many service providers do not learn about cyber even though it became the daily and business critical issue for all their customers. They are following the example of their customers and do not have real cyber security protections in place. Respect to the ones who have.
What can you do with the latest and greatest tools if your employees are clicking on links without consideration or just walk away with your date on a USB stick?

The fifth is a myth. “New Zealand is far from the happenings of the world.” It was true before (and not always even then) before the internet age. Today every New Zealand business is just on click away from the harm.

There are a few external factors and reasons too we must understand.

New Zealand became a target of the bad actors as they learnt the reasons above. They can read and are actively looking for easy targets. So, we can expect more and more targeted attacks.

The other thing to understand that cybercrime became an organized industry and uses the best practices of the multinational companies, including in-house academies, self-service and in-person service desks (!), regular updates and patches, support teams, and so on. So, kiwis are not facing only script-kiddies and wannabe-hackers anymore. These are well organized operations spanning continents and time zones.

Artificial Intelligence will help the attackers and will help the defenders. We can see already a bunch of products on both sides of the defence lines. The operations will be more sophisticated on both sides, and we will experience more complexity.

The time has come to get ready very quickly for the new challenges as these are already on us.

The wise company owners and managers will establish a company cyber security program ASAP.