It started with a single email.
In 2015, Te Wānanga o Aotearoa, one of New Zealand’s largest tertiary education providers, fell victim to a business email compromise (BEC) scam resulting in a loss of $120,000. The fraudsters infiltrated the institution’s email system and deceived staff into transferring funds to illegitimate accounts.
This is just one example of how cybercriminals exploit human error – and why businesses across New Zealand are waking up to the need for better cybersecurity awareness training.
The question is: Are your employees prepared to spot and stop cyber threats before they cause real damage? If not, it’s time to take action.
This guide covers everything you need to know about protecting your workforce from cyber risks. We’ll break down how NZ businesses can train their workforce to recognise threats, defend against them, and comply with New Zealand’s cybersecurity standards.
“Cybercrime is now the biggest financial threat to New Zealand businesses, costing the economy an estimated $250 million per year.” – NZ Government Cybersecurity Report, 2025
Cyber threats in New Zealand are evolving at an alarming rate. Cybercrime is now costing New Zealand businesses over $195 million a year, with attacks targeting everything from small startups to major corporations.
Yet, despite the rising threat, a staggering 60% of NZ businesses admit their staff aren’t properly trained to deal with cyber risks.
If your employees can’t confidently spot a phishing email or know what to do in the event of a ransomware attack, your business is at serious risk ⬇️
When a cyberattack hits, businesses don’t just lose data – they lose money, time, and trust. The consequences can include:
HR managers need to understand cybersecurity compliance requirements to protect both employee data and organisational integrity 👇
Regulations require NZ businesses to implement comprehensive risk management and incident response plans to protect sensitive data and critical infrastructure.
✅ Develop a clear cybersecurity framework that identifies risks, maps out controls, and includes a response strategy
✅ Conduct regular risk assessments to identify weak points in your IT infrastructure
✅ Establish internal policies for reporting and managing security risks, ensuring all employees know their role in cybersecurity defense
Cyber threats evolve rapidly, and waiting for an attack to happen before taking action isn’t an option. NZ cybersecurity regulations stress the need for real-time threat monitoring and regular vulnerability assessments for businesses to stay ahead of emerging risks.
Under the NZ Privacy Act 2020, businesses must ensure that personal and sensitive data is stored, transmitted, and processed securely. This includes adopting encryption, access controls, and regular auditing to prevent breaches.
⚠️ Cybercriminals target improperly secured data, leading to costly breaches. A single data leak could expose customer details, violate privacy regulations, and result in hefty fines – not to mention damage your reputation.
A clear, well-rehearsed incident response plan is essential for minimising the impact of a cyberattack. Regular cyber incident response training ensures employees know how to react in real time, reducing downtime and financial losses.
Small and medium-sized enterprises (SMEs) in NZ are particularly vulnerable due to limited cybersecurity resources. Hackers often target SMEs because they tend to have:
Cyber resilience training is essential for SMEs to protect themselves against increasingly sophisticated threats.
✅ Phishing attacks: Fraudulent emails that trick employees into revealing login credentials
✅ Ransomware: Malware that locks files until a ransom is paid
✅ Social engineering scams: Manipulative tactics that exploit human trust
✅ Business Email Compromise (BEC): Fake emails impersonating executives to request payments or sensitive information
✅ Weak passwords & credential theft: Employees reusing passwords across platforms create vulnerabilities
✅ Insider threats: Accidental or malicious data leaks by employees
Employees are the first line of defense against cyber threats, yet they’re also the most targeted. Why? Because human error is often the easiest way to break into an organisation’s systems. No matter how strong your IT security is, one accidental click on a phishing email or misplaced login credentials can bring an entire business to its knees.
Hackers know that technology alone won’t get them into your systems – but a well-crafted email, fake invoice, or cleverly disguised phone call might. Many cyberattacks don’t start with brute-force hacking. Instead, attackers manipulate employees into handing over valuable information through phishing, social engineering, and business email compromise (BEC) scams.
Common mistakes that cybercriminals exploit:
✅ Clicking on malicious links in emails that look legitimate
✅ Downloading infected attachments that install malware
✅ Falling for fake invoices or fraudulent payment requests
✅ Using weak passwords or reusing the same credentials across platforms
✅ Sharing sensitive information over email, phone, or messaging apps
Even the most tech-savvy employees can be fooled. Cybercriminals prey on trust, urgency, and confusion to trick people into making mistakes.
👀 NZX Stock Exchange DDoS Attack (2020):
A cybercriminal group launched a massive Distributed Denial of Service (DDoS) attack, overwhelming NZX systems and disrupting trading for several days. The attackers demanded ransom payments, showcasing how even critical infrastructure is vulnerable to cyber extortion.
👀 Waikato DHB Ransomware Attack (2021):
Hackers gained access to the Waikato District Health Board’s systems, encrypting patient records and disrupting hospital operations. The breach was suspected to have started with a phishing attack, where an employee unknowingly clicked on a malicious link.
A company’s cybersecurity is only as strong as its least-informed employee. In an era where 91% of cyberattacks begin with phishing emails (according to Verizon’s Data Breach Investigations Report), employees are both the first line of defense and the biggest target for cybercriminals.
Phishing emails are getting more sophisticated – many now mimic real brands, use personal details, and avoid traditional red flags. Employees must learn how to spot:
💡 Example: A hacker pretends to be your CEO and emails an employee requesting a “quick” money transfer. Would your team recognise this as fraud, or would they comply?
Weak passwords are the easiest way for hackers to break into accounts. Employees should be trained to:
💡 81% of hacking-related breaches are due to stolen or weak passwords (Verizon DBIR).
With hybrid and remote work now the norm, employees need to protect company data outside the office. Training should cover:
Hackers often target remote workers by compromising home networks, unsecured personal devices, and weak VPN access.
Data breaches can be catastrophic – both financially and reputationally. Employees must understand:
A strong cybersecurity culture encourages employees to report anything suspicious – whether it’s an unexpected email, a strange system login, or an unusual payment request. Employees should know:
🙌 The best organisations celebrate employees who report suspicious activity, rather than blaming them for mistakes.
HR managers play a crucial role in safeguarding their organisations against cyber threats. Employees are often the weakest link in cybersecurity, but with the right training, policies, and technology in place, they can become your strongest defense. Here’s how to build a cyber-resilient workforce.
One-size-fits-all training doesn’t cut it when it comes to cybersecurity. HR managers need to offer a mix of engaging, practical, and ongoing training methods to ensure employees absorb and retain cybersecurity knowledge.
✅ In-person workshops & seminars: Host interactive training sessions with real-world case studies, guest speakers, and group discussions to encourage engagement.
✅ Online learning platforms: Provide flexible, self-paced courses that employees can complete at their own convenience. Platforms like KnowBe4 and CyberCX offer NZ cybersecurity training tailored for different industries.
✅ Simulated phishing attacks: Did you know that 91% of cyberattacks start with a phishing email? Running phishing simulations helps test employees’ ability to spot scams in real time and reinforces good habits.
✅ Gamification & incentives: Make learning cybersecurity fun by introducing quizzes, leaderboards, and small incentives for employees who excel. A little competition can make a big difference in engagement.
Cyber threats evolve constantly, and so should your training efforts. Cybersecurity training should never be a “one-and-done” event – it needs to be a regular part of your workforce’s professional development.
A well-trained workforce is less likely to fall victim to attacks. HR managers should collaborate with IT teams to align training with the latest cyber threat intelligence and keep it relevant to real-world threats.
How do you know if your training is effective? HR managers should track key performance indicators (KPIs) to ensure their cybersecurity programs are making an impact.
Data-driven insights will help HR teams refine their cybersecurity programs and identify areas for improvement.
Cybersecurity awareness starts at the top. If executives and managers don’t take cybersecurity seriously, employees won’t either. HR must work with leadership to:
✅ Make sure cybersecurity is a company-wide priority. Leadership should actively promote and participate in cybersecurity training
✅ Embed cybersecurity in company policies and workflows. This includes creating guidelines on password management, data handling, and incident reporting
✅ Secure a budget for cybersecurity training, tools, and resources. Investing in cybersecurity is far cheaper than dealing with the fallout of a cyberattack
The average cost of a data breach in New Zealand is $5.6 million, according to IBM’s 2024 Cost of a Data Breach Report. Preventing just one breach can save businesses millions.
Many cyber threats go unreported because employees fear blame or don’t realise they’ve been targeted. HR can foster a culture of transparency and vigilance by:
The faster threats are reported, the quicker IT teams can contain and neutralise them.
A few simple habits can make a huge difference in protecting company data. Reinforce these daily cybersecurity best practices:
✅ Locking computers when stepping away from desks to prevent unauthorised access
✅ Keeping software and devices updated to patch security vulnerabilities
✅ Verifying unusual requests (especially financial transactions) before responding
✅ Avoiding public Wi-Fi for work-related tasks unless using a secure Virtual Private Network (VPN)
✅ Using strong passwords and enabling multi-factor authentication (MFA)
Cybersecurity shouldn’t be left solely to IT. Every department – including HR – should play a role in defining security policies and training guidelines.
Training alone isn’t enough – businesses also need the right security tools to back up their workforce. HR should collaborate with IT to make sure:
✅ Multi-factor authentication (MFA) is required for all work-related logins
✅ Endpoint protection software is installed on all employee devices
✅ Secure cloud storage and encryption are in place for sensitive documents
✅ Real-time threat monitoring helps detect and block cyberattacks before they escalate
A mix of training, technology, and strong policies is the best defense against cyber threats. 🙌
Cyber threats aren’t going away – they’re evolving. New Zealand businesses are increasingly targeted by cybercriminals, and the weakest link is often human error. That’s why building a cyber-aware workforce isn’t just a nice-to-have; it’s essential.
Here’s what HR managers need to know ⬇️
The cost of not prioritising cybersecurity is steep – from financial losses and operational downtime to damaged reputations and regulatory penalties. But by investing in education, implementing best practices, and leveraging the right security tools, HR managers can turn their workforce into the strongest line of defense against cyber threats.