How to Protect Your NZ Workforce Against Cyber Threats

Posted by Mathew French

6 May 2025

It started with a single email.

In 2015, Te Wānanga o Aotearoa, one of New Zealand’s largest tertiary education providers, fell victim to a business email compromise (BEC) scam resulting in a loss of $120,000. The fraudsters infiltrated the institution’s email system and deceived staff into transferring funds to illegitimate accounts.

This is just one example of how cybercriminals exploit human error – and why businesses across New Zealand are waking up to the need for better cybersecurity awareness training.

The question is: Are your employees prepared to spot and stop cyber threats before they cause real damage? If not, it’s time to take action.

This guide covers everything you need to know about protecting your workforce from cyber risks – we’ll break down how NZ businesses can train their workforce to recognise threats, defend against cyber risks, and comply with New Zealand’s cybersecurity standards.

Everything You Need to Know About Cybersecurity for NZ Businesses in 2025

“Cybercrime is now the biggest financial threat to New Zealand businesses, costing the economy an estimated $250 million per year.” – NZ Government Cybersecurity Report, 2025

The growing number of NZ cybersecurity incidents

Cyber threats in New Zealand are evolving at an alarming rate. Cybercrime is now costing New Zealand businesses over $195 million a year, with attacks targeting everything from small startups to major corporations. 

Yet, despite the rising threat, a staggering 60% of NZ businesses admit their staff aren’t properly trained to deal with cyber risks.

If your employees can’t confidently spot a phishing email, or don’t know what to do in the event of a ransomware attack, your business is at serious risk ⬇️

  • Ministry of Health Ransomware Attack (January 2024): A ransomware attack crippled hospital IT systems, delaying critical patient care and forcing a nationwide review of cybersecurity protocols in the public health sector.
  • Major NZ Bank Data Breach (June 2024): A leading bank suffered a breach exposing thousands of customer records, highlighting vulnerabilities in financial cybersecurity measures.
  • Auckland Infrastructure Cyber Attack (March 2025): A targeted cyberattack disrupted essential public transport and utility services, showcasing the importance of securing critical infrastructure.
  • Widespread Business Email Compromise (BEC) Scams (Early 2025): Numerous businesses reported fraudulent emails impersonating executives, leading to financial losses and stolen credentials.

What this means for your NZ business

When a cyberattack hits, businesses don’t just lose data – they lose money, time, and trust. The consequences can include:

Financial repercussions

  • Incident response costs, legal fees, and regulatory fines
  • Loss of revenue due to system downtime and operational disruptions
  • Higher cybersecurity insurance premiums

Operational repercussions

  • Disrupted workflows and service delays
  • IT infrastructure repairs and recovery efforts
  • Strain on internal resources to handle the breach

Reputational repercussions

  • Customer distrust and negative media coverage
  • Loss of business partnerships
  • Damage to employer brand and difficulty attracting top talent

What NZ regulation says about cybersecurity

HR managers need to understand cybersecurity compliance requirements to protect both employee data and organisational integrity 👇

Robust risk management frameworks

Regulations require NZ businesses to implement comprehensive risk management and incident response plans to protect sensitive data and critical infrastructure.

✅ Develop a clear cybersecurity framework that identifies risks, maps out controls, and includes a response strategy

✅ Conduct regular risk assessments to identify weak points in your IT infrastructure

✅ Establish internal policies for reporting and managing security risks, ensuring all employees know their role in cybersecurity defense

Continuous monitoring & vulnerability assessments

Cyber threats evolve rapidly, and waiting for an attack to happen before taking action isn’t an option. NZ cybersecurity regulations stress the need for real-time threat monitoring and regular vulnerability assessments for businesses to stay ahead of emerging risks.

Data protection & secure storage

Under the NZ Privacy Act 2020, businesses must ensure that personal and sensitive data is stored, transmitted, and processed securely. This includes adopting encryption, access controls, and regular auditing to prevent breaches.

⚠️ Cybercriminals target improperly secured data, leading to costly breaches. A single data leak could expose customer details, violate privacy regulations, and result in hefty fines – not to mention damage your reputation.

A proactive Incident Response Plan (IRP)

A clear, well-rehearsed incident response plan is essential for minimising the impact of a cyberattack. Regular cyber incident response training ensures employees know how to react in real-time, reducing downtime and financial losses.

The rising risk for small & medium enterprises (SMEs)

Small and medium-sized enterprises (SMEs) in NZ are particularly vulnerable due to limited cybersecurity resources. Hackers often target SMEs because they tend to have:

  • Weaker security defenses compared to larger enterprises
  • Limited IT staff or outsourced cybersecurity services
  • Lower awareness among employees, making them easy phishing targets

Cyber resilience training is essential for SMEs to protect themselves against increasingly sophisticated threats.

Which cyber-threats do NZ workforces face?

Phishing attacks: Fraudulent emails that trick employees into revealing login credentials

Ransomware: Malware that locks files until a ransom is paid

Social engineering scams: Manipulative tactics that exploit human trust

Business Email Compromise (BEC): Fake emails impersonating executives to request payments or sensitive information

Weak passwords & credential theft: Employees reusing passwords across platforms create vulnerabilities

Insider threats: Accidental or malicious data leaks by employees

How these threats target employees specifically

Employees are the first line of defense against cyber threats, yet they’re also the most targeted. Why? Because human error is often the easiest way to break into an organisation’s systems. No matter how strong your IT security is, one accidental click on a phishing email or misplaced login credentials can bring an entire business to its knees.

Hackers know that technology alone won’t get them into your systems – but a well-crafted email, fake invoice, or cleverly disguised phone call might. Many cyberattacks don’t start with brute force hacking. Instead, they manipulate employees into handing over valuable information through phishing, social engineering, and business email compromise (BEC) scams.

Common mistakes that cybercriminals exploit:

✅ Clicking on malicious links in emails that look legitimate

✅ Downloading infected attachments that install malware

✅ Falling for fake invoices or fraudulent payment requests

✅ Using weak passwords or reusing the same credentials across platforms

✅ Sharing sensitive information over email, phone, or messaging apps

Even the most tech-savvy employees can be fooled. Cybercriminals prey on trust, urgency, and confusion to trick people into making mistakes.

👀 NZX Stock Exchange DDoS Attack (2020):

A cybercriminal group launched a massive Distributed Denial of Service (DDoS) attack, overwhelming NZX systems and disrupting trading for several days. The attackers demanded ransom payments, showcasing how even critical infrastructure is vulnerable to cyber extortion.

👀 Waikato DHB Ransomware Attack (2021):

Hackers gained access to the Waikato District Health Board’s systems, encrypting patient records and disrupting hospital operations. The breach was suspected to have started with a phishing attack, where an employee unknowingly clicked on a malicious link.

How to Build a Cyber-Aware Workforce

A company’s cybersecurity is only as strong as its least-informed employee. In an era where 91% of cyberattacks begin with phishing emails (according to Verizon’s Data Breach Investigations Report), employees are both the first line of defense and the biggest target for cybercriminals.

Why employees play a key role in cybersecurity defense

  1. Cybersecurity isn’t just an IT problem, it’s a people problem. Hackers aren’t just trying to break into systems through firewalls; they’re manipulating human behaviour to gain access. This is why social engineering attacks – like phishing, CEO fraud, and fake tech support scams – continue to be so effective.
  2. Employees are the first line of defense. The faster an employee spots and reports a cyber threat, the less damage it can do. Yet, without proper training, many employees wouldn’t recognise a suspicious email until it’s too late.
  3. Ongoing cybersecurity awareness training is critical. Cyber threats evolve daily. What worked last year won’t cut it today. Regular training ensures employees stay up to date with new threats, attack tactics, and best practices.
  4. Cybersecurity must be part of daily routines. Employees should develop security-conscious habits – like double-checking unexpected payment requests, locking screens when away from desks, and using multi-factor authentication (MFA) for all logins.

What should you train your employees on for cybersecurity defense?

How to identify phishing attempts and social engineering scams

Phishing emails are getting more sophisticated – many now mimic real brands, use personal details, and avoid traditional red flags. Employees must learn how to spot:

  • Urgent requests for payments or sensitive data
  • Fake email addresses that look almost like a trusted sender
  • Suspicious links and attachments
  • Requests to bypass normal security protocols

💡 Example: A hacker pretends to be your CEO and emails an employee requesting a “quick” money transfer. Would your team recognise this as fraud, or would they comply?
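The red flags listed above can also be checked mechanically on inbound mail before a person ever reads it. The following Python script is an added illustration, not code from the original post: it scores a constructed CEO-fraud message against the same signals (a look-alike sender domain found by edit distance, an executive’s display name on the wrong address, a mismatched Reply-To, urgency and payment language, and a request to bypass normal checks). The trusted domain, executive list, phrase lists and sample messages are hypothetical.

```python
from email.utils import parseaddr

# Hypothetical organisation data (constructed for this example).
TRUSTED_DOMAINS = {"example.co.nz"}
EXECUTIVES = {"jane smith": "jane.smith@example.co.nz"}  # display name -> real address
# Phrases matching the red flags described above (constructed, not exhaustive).
URGENCY = ("urgent", "asap", "immediately", "quick", "today", "confidential")
PAYMENT = ("transfer", "invoice", "payment", "bank account", "wire")
BYPASS = ("don't call", "can't take calls", "without approval", "skip verification")


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Trusted domain that `domain` imitates (examp1e vs example), or None if exact/unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    return next((t for t in trusted if edit_distance(domain, t) <= max_edits), None)


def score_message(msg):
    """Return the red flags found in a message dict with 'from', optional 'reply_to', 'body'."""
    flags = []
    name, addr = parseaddr(msg["from"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if lookalike_domain(sender_domain):
        flags.append("lookalike-domain")
    # A known executive's display name attached to an address that is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and real.lower() != addr.lower():
        flags.append("executive-display-name-mismatch")
    _, reply_to = parseaddr(msg.get("reply_to", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        flags.append("reply-to-domain-mismatch")
    body = msg["body"].lower()
    for label, words in (("urgency-language", URGENCY), ("payment-request", PAYMENT),
                         ("bypass-controls", BYPASS)):
        if any(w in body for w in words):
            flags.append(label)
    return flags


# Constructed sample messages: a CEO-fraud attempt and a legitimate note.
SAMPLE_BEC = {
    "from": "Jane Smith <jane.smith@examp1e.co.nz>",
    "reply_to": "ceo.office@webmail-example.com",
    "body": "I'm in a meeting and can't take calls. Please process an urgent transfer to the new supplier account today. Keep this confidential.",
}
SAMPLE_OK = {
    "from": "Jane Smith <jane.smith@example.co.nz>",
    "body": "Agenda attached for Thursday; nothing to action yet.",
}
```

Running `score_message(SAMPLE_BEC)` reports all six flags, while the legitimate note reports none; in practice the flagged message would be held for a call-back check rather than auto-blocked.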

Best practices for password security and Multi-Factor Authentication (MFA)

✅ Weak passwords are the easiest way for hackers to break into accounts. Employees should be trained to:

  • Use long, unique passwords for each system
  • Store passwords securely (never in a notebook or sticky note!)
  • Enable multi-factor authentication (MFA) wherever possible
  • Recognise credential phishing attacks, where hackers steal passwords via fake login pages

💡 81% of hacking-related breaches are due to stolen or weak passwords (Verizon DBIR).

How to secure remote work environments

With hybrid and remote work now the norm, employees need to protect company data outside the office. Training should cover:

  • Avoiding public Wi-Fi when handling company data
  • Using a VPN to encrypt internet connections
  • Locking devices when stepping away from the screen
  • Ensuring home networks are secured with strong passwords and firewall protection

Hackers often target remote workers by compromising home networks, unsecured personal devices, and weak VPN access.

Handling sensitive customer and company data responsibly

Data breaches can be catastrophic – both financially and reputationally. Employees must understand:

  • What constitutes sensitive data (customer details, financial records, employee info)
  • How to share and store data securely (e.g., encrypted email, cloud security)
  • Why public cloud sharing (like Google Drive links) can be risky
  • The dangers of accidental leaks, such as sending the wrong attachment to the wrong recipient

Proper procedures for reporting suspicious activity

A strong cybersecurity culture encourages employees to report anything suspicious – whether it’s an unexpected email, a strange system login, or an unusual payment request. Employees should know:

  • Who to contact (IT, security teams)
  • How to report phishing emails (flagging in Outlook, forwarding to IT)
  • Why no concern is “too small” to report – early detection can stop an attack before it spreads

🙌 The best organisations celebrate employees who report suspicious activity, rather than blaming them for mistakes.

8 Cyber Threat Defense Tips for HR

HR managers play a crucial role in safeguarding their organisations against cyber threats. Employees are often the weakest link in cybersecurity, but with the right training, policies, and technology in place, they can become your strongest defense. Here’s how to build a cyber-resilient workforce.

Choose the right cybersecurity training format

One-size-fits-all training doesn’t cut it when it comes to cybersecurity. HR managers need to offer a mix of engaging, practical, and ongoing training methods to ensure employees absorb and retain cybersecurity knowledge.

In-person workshops & seminars: Host interactive training sessions with real-world case studies, guest speakers, and group discussions to encourage engagement.

Online learning platforms: Provide flexible, self-paced courses that employees can complete at their own convenience. Platforms like KnowBe4 and CyberCX offer NZ cybersecurity training tailored for different industries.

Simulated phishing attacks: Did you know that 91% of cyberattacks start with a phishing email? Running phishing simulations helps test employees’ ability to spot scams in real time and reinforces good habits.

Gamification & incentives: Make learning cybersecurity fun by introducing quizzes, leaderboards, and small incentives for employees who excel. A little competition can make a big difference in engagement.

Provide frequent cybersecurity training

Cyber threats evolve constantly, and so should your training efforts. Cybersecurity training should never be a “one-and-done” event – it needs to be a regular part of your workforce’s professional development.

  • Quarterly refresher courses for general employees to stay informed about emerging threats
  • Annual deep-dive training for IT and security teams to strengthen their expertise
  • Real-time phishing drills to test readiness and reinforce best practices
  • Regular updates to keep training content engaging, relevant, and aligned with the latest cyber threats

A well-trained workforce is less likely to fall victim to attacks. HR managers should collaborate with IT teams to align training with the latest cyber threat intelligence and keep it relevant to real-world threats.

Measure the success of your cybersecurity training

How do you know if your training is effective? HR managers should track key performance indicators (KPIs) to ensure their cybersecurity programs are making an impact.

  • Monitor employee participation and engagement – Are people attending training sessions? Are they completing online courses?
  • Conduct post-training assessments and phishing simulations – Gauge how well employees retain information and apply it in real-life situations.
  • Review incident reports – Have there been fewer security breaches or phishing clicks since the training began?

Data-driven insights will help HR teams refine their cybersecurity programs and identify areas for improvement.

Get leadership buy-in

Cybersecurity awareness starts at the top. If executives and managers don’t take cybersecurity seriously, employees won’t either. HR must work with leadership to:

✅ Make sure cybersecurity is a company-wide priority. Leadership should actively promote and participate in cybersecurity training

✅ Embed cybersecurity in company policies and workflows. This includes creating guidelines on password management, data handling, and incident reporting

✅ Secure a budget for cybersecurity training, tools, and resources. Investing in cybersecurity is far cheaper than dealing with the fallout of a cyberattack

The average cost of a data breach in New Zealand is $5.6 million, according to IBM’s 2024 Cost of a Data Breach Report. Preventing just one breach can save businesses millions.

Encourage employees to report cyber incidents

Many cyber threats go unreported because employees fear blame or don’t realise they’ve been targeted. HR can foster a culture of transparency and vigilance by: 

  • Promoting a “See Something, Say Something” culture. Make it clear that reporting suspicious activity is a responsibility, not an admission of fault
  • Creating an anonymous reporting system for employees to flag potential cyber threats without fear of repercussions
  • Recognising and rewarding employees who identify and prevent security incidents. Publicly acknowledging good cybersecurity habits reinforces the importance of vigilance

The faster threats are reported, the quicker IT teams can contain and neutralise them.

Implement cyber hygiene best practices

A few simple habits can make a huge difference in protecting company data. Reinforce these daily cybersecurity best practices:

✅ Locking computers when stepping away from desks to prevent unauthorised access

✅ Keeping software and devices updated to patch security vulnerabilities

✅ Verifying unusual requests (especially financial transactions) before responding

✅ Avoiding public Wi-Fi for work-related tasks unless using a secure Virtual Private Network (VPN)

✅ Using strong passwords and enabling multi-factor authentication (MFA)

Create an organisation-wide cybersecurity strategy

Cybersecurity shouldn’t be left solely to IT. Every department – including HR – should play a role in defining security policies and training guidelines.

  • Appoint cybersecurity champions across different teams to reinforce best practices
  • Establish clear security policies on data access, mobile device use, and remote work security
  • Invest in cybersecurity awareness training tools to keep employees up to date on threats

Use the right tech for stronger security

Training alone isn’t enough – businesses also need the right security tools to back up their workforce. HR should collaborate with IT to make sure:

✅ Multi-factor authentication (MFA) is required for all work-related logins

✅ Endpoint protection software is installed on all employee devices

✅ Secure cloud storage and encryption are in place for sensitive documents

✅ Real-time threat monitoring helps detect and block cyberattacks before they escalate

A mix of training, technology, and strong policies is the best defense against cyber threats. 🙌

Takeaway

Cyber threats aren’t going away – they’re evolving. New Zealand businesses are increasingly targeted by cybercriminals, and the weakest link is often human error. That’s why building a cyber-aware workforce isn’t just a nice-to-have; it’s essential.

Here’s what HR managers need to know ⬇️

  1. Cybersecurity training isn’t a one-time event – it must be continuous, engaging, and role-specific
  2. Simulated phishing tests and interactive training are proven ways to boost employee vigilance
  3. Leadership buy-in is essential – cybersecurity awareness starts from the top
  4. A strong reporting culture encourages employees to speak up about suspicious activity without fear of blame
  5. Technology + training = best defense – multi-factor authentication, endpoint protection, and cloud security should back up employee education

The cost of not prioritising cybersecurity is steep – from financial losses and operational downtime to damaged reputations and regulatory penalties. But by investing in education, implementing best practices, and leveraging the right security tools, HR managers can turn their workforce into the strongest line of defense against cyber threats.

📢 Check out the Subscribe-HR Blog for more HR insights and strategies to future-proof your organisation
