Businesses’ attitudes to cyber security shifting, but more work to be done

While businesses’ attitudes to cyber security are shifting, 3 in 5 small businesses believe they should be doing more to keep secure online, says CERT NZ.

29 June 2021

According to research from the government cyber security agency CERT NZ, the majority of small businesses with an online presence understand the importance of protecting their website.

Over half (54%) of those surveyed said their organisation is concerned about cyber security, and 46% are trying to learn more about keeping their online business safe.

Despite this, some small businesses are not taking action to secure themselves.

Only 38% believe their business adequately invests in cyber security, and just 34% believe their business has put a lot of thought and planning into being cyber secure. Most concerning, under half (45%) have processes in place to prevent a cyber attack.

“Cyber security is a hot topic following a number of high profile attacks hitting the headlines recently, and they demonstrate no one is immune from being targeted,” says Rob Pope, Director of CERT NZ.

“The silver lining is that these events have put online security at the front of businesses’ minds, and are generating more open conversations.  It’s encouraging that businesses are gaining greater awareness of the mitigations they need to put in place to minimise cyber security threats.”

CERT NZ saw a 65% increase in the number of cyber security reports made by individuals, small businesses and large organisations in 2020 compared to 2019.

“However, our research indicates businesses don’t know where to begin boosting their cyber resilience. Time and money may be a barrier, but prevention is the best and least costly form of defence,” says Mr Pope.

“A large percentage of incidents reported to CERT NZ could have been prevented simply with a long strong password and the use of two-factor authentication, which provides an extra layer of security for logins.”

Basic steps can make a big difference. Simple actions businesses can take include:

  • Regularly installing updates on software and devices to prevent attackers exploiting vulnerabilities
  • Backing up business and customer data on a segregated network so if it’s lost or stolen you can recover it quickly
  • Having a password manager
  • Enabling logging to keep records for investigative purposes
  • Monitoring logs for unusual activity
  • Having an incident response plan so you’re prepared if the worst happens

“As organisations are adopting digital services at pace, they may be looking to invest more into their cyber security. To help business leaders and IT professionals decide where to best spend time and money, CERT NZ has created a list of the minimum cyber security requirements for businesses based on cyber related events over the previous 12 months.”

The 10 critical controls

More advice from CERT NZ about how to keep your business cyber secure


The online survey was conducted by CERT NZ and Colmar Brunton in two tranches, the first between 3 July to 12 July 2020, and the second from 30 November to 13 December 2020, amongst 508 businesses with less than 20 employees. This includes 274 businesses with 0 to 5 employees and 234 businesses with 6-19 employees. Results have been weighted to be representative and the figures are averages of the two tranches.