Many also had an overly optimistic view of how long it would take to restore data and get systems back up and running.
Forty per cent expect to recover from a major cyber incident within days. Yet real‑world cases demonstrate the opposite. Recovery often takes weeks to months, Datacom chief information security officer Collin Penman says.
“An example of this is the 2025 ransomware attack at Jaguar Land Rover in the UK, which halted production for five weeks, with full recovery taking nearly five months,” Penman says.
Closer to home, prescription management platform MediMap took weeks to restore its usual service after its systems were breached in February.
Penman says even when a company holds a wargame day, it sometimes leaves its top brass with an expectations gap. “The leadership team sees an eight-hour exercise and thinks a full restoration could be done in that time frame. They don’t take into account the cybersecurity team’s weeks of preparation.”
Regardless, he’s a fan of such “table-top” drills and the gnarlier and more frequent the better, to minimise panic and chaos when a real attack hits.
“A plan that’s never been tested isn’t a plan – it’s a document. Resilience is built through realistic practice that creates muscle memory, so response becomes automatic, coordinated and fast.”

The survey also found that data sovereignty is a growing concern. Half of New Zealand organisations (51%) had concerns about where their data was stored, with 48% saying the issue affected their cybersecurity planning.
Kirkpatrick says data sovereignty – or data being stored within New Zealand – has always been important for some customers for regulatory reasons.
In the increasingly unstable geopolitical environment, there’s now a risk of “kinetic” attacks – three AWS data centres were hit in the United Arab Emirates during the first days of the Iran conflict – alongside the longstanding cyber threats.
And in some jurisdictions, privacy laws and other regulations are a moving feast.
Kirkpatrick says it’s important to know where your data is physically stored, especially if you’re a small-to-medium business using SaaS (software as a service or software run in the “cloud” or across a series of data centres around the world). Agreements can be wrangled with most SaaS providers for data to be stored within NZ, he says.
Burnout
Forty-three per cent of respondents reported signs of cybersecurity burnout in their teams.
Penman pins this rising trend on AI.
Artificial intelligence has raised the quality of phishing scams and other attempts to find a way past an organisation’s defences.
Phishing used to be dominated by text messages or emails written in telltale broken English.
Now, Datacom’s security experts are seeing the rise of “vishing”, or using deepfake voice calls to try and trick someone into handing over their logon details. If hackers can capture a few snippets of someone talking, then AI can be used to synthesise their voice during a phone call.
AI has also drastically increased the volume of attacks, adding to cybersecurity staff’s stress.
Another factor is the whack-a-mole situation of dealing with “shadow AI”, Kirkpatrick says.
An organisation might think it has an orderly, well-secured setup, with staff using a company-approved AI assistant in corporate data-only mode, when in fact many are using their own choice of chatbot, and some departments might have a whole “skunkworks” setup, using an unapproved AI for a special project.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.

