Kiwi Businesses: Here's What the NCSC's 2023–24 Report Means for You (And What You Can Do About It)
A breakdown of the NCSC's 2023–24 cyber incident figures for New Zealand SMBs and the practical, low-cost steps businesses can take to reduce their risk.
- NCSC
- SMB Security
- Phishing
- Incident Reporting
Between July 2023 and June 2024, the NCSC handled 7,122 cyber incident reports, with 6,779 involving individuals or small to medium businesses. Direct financial losses totalled $21.6 million. On top of that, the NCSC estimates it prevented around $38.8 million in harm through its detection and blocking services.
The losses came mainly from scams, phishing, credential theft and unauthorised access. Business email compromise was the most expensive category, with some individual incidents exceeding $100,000. Unauthorised access incidents cost an average of $25,500 each, up from $14,000 the previous year.
Why Your SMB is an Easy Target
- Simple scams work: A huge number of incidents were scams, like fake investment opportunities and romance cons. They trick people, not tech.
- Credential theft is rampant: Phishing and account-takeover attempts still top the charts. And if they get your password, they’re in.
- Unauthorised access is costly: These break-ins cost businesses an average of $25,500 per incident, up from $14,000 in the previous year.
- Big payouts hit hard: Law firms, real estate agents and anyone who processes big payments are often targeted, with over 17 incidents losing over $100k each.
What the Report Suggests Businesses Should Do
The pattern in the NCSC data is consistent: most incidents succeed because of weak authentication, credential reuse, or staff clicking on phishing links. The mitigations are equally consistent.
MFA on email and cloud accounts stops the majority of credential-based attacks. Password managers reduce reuse across services. Email filtering and staff training on phishing recognition reduce the likelihood of the initial foothold being established. Tested backups limit the damage if something does get through.
None of these are expensive or complex at an SMB scale. The NCSC’s own resources at ncsc.govt.nz provide implementation guidance for each of them.
And yes, even if you start with just MFA, backups, and payment checks, you’ll be leaps ahead of many businesses. Studies show smaller firms often fail from lack of basics, not because they’re super vulnerable.
The Human Element Matters
We’re all busy. We all trust people, especially our team members. But cybercriminals don’t need fancy tools; they work by exploiting human trust. That’s why phishing, scams, and social engineering are so effective.
The best defence is to layer your defences, and that starts with people. Keep training short, relevant, and realistic. Even a 1-minute drill once a quarter can make a huge difference.
Make Reporting Part of the Culture
Too many incidents go unreported, most often because of embarrassment, and sometimes because it’s seen as “just life.” But when you report, you’re not alone. You’re helping the entire country build better defences. Plus, you get free insights and support from the NCSC.
If something dodgy happens, report it, even if it’s just “someone clicked a link”.
Take a Step Today
- Pick 2–3 quick wins (try MFA, backups, phishing training)
- Talk openly with your team about risks & reports
- Make reporting simple: put incident contact info somewhere handy
- Share wins: celebrate when someone spots a scam or reports something
It’s not about perfection. It’s about staying one step ahead.
Need Help?
We’ve got your back. We help businesses test and improve their defences with practical, affordable penetration testing services.
Book a free consultation with us today.
Cyberoptic Security Limited
Let’s make your business cyber-smart, not cyber-sorry.