What NZ Directors Must Know About Cyber Risk
Cyber attacks on New Zealand small and medium businesses are now common. Ransomware, email scams and attacks through cloud tools are no longer just a problem for large corporates. When systems are down, wages, bookings, production and customer services all stop. That is why boards are now expected to understand cyber risk and treat it like any other major business risk, not something left to the "IT person".
Many directors sign off risk registers, policies and insurance without a clear sense of how exposed the organisation really is. Hybrid work, cloud systems, remote access and third-party vendors change the risk profile quickly. If the board is not asking the right questions, it is easy to be blindsided by an attack that was entirely predictable.
In this article, we share practical, plain-English questions New Zealand directors can ask to test whether cyber risk is being managed in a business-like way. The aim is not to turn directors into security specialists, but to give you enough clarity to challenge, support and guide your management team while protecting revenue, reputation and day-to-day operations.
Setting the Tone From the Top on Cybersecurity
Board interest sets the tone. If directors ask smart cyber questions, management and staff pay attention. If they do not, security slips down the list.
On governance and accountability, directors can ask questions such as who is formally accountable for cybersecurity in the organisation, how often cyber risk appears on the board agenda, and whether cyber risk is clearly part of the overall risk register. These questions help confirm that cybersecurity is being treated as an ongoing business risk, not a one-off IT project.
You can also listen for how management talks about issues. Are they framed as business impacts, such as days of downtime, lost revenue, legal risk and brand damage? Or are they framed as "IT problems" that sit in a technical box? When cyber risk is described in operational and financial terms that matter to your business, it is more likely to receive the right level of attention and investment.
Cybersecurity should be tied to overall strategy, not treated as a separate add-on. Directors might ask whether there is a written cyber or information security strategy, how it supports growth plans and critical processes like payroll, bookings, logistics or clinical systems, and how security investments are prioritised. If you hear about buying tools without a clear link to key systems and data, that is a warning sign. Good cybersecurity programmes in New Zealand SMBs focus on the highest value data and services first.
Culture and staff behaviour matter just as much as technology. Directors can seek clarity on how often staff receive cyber awareness training, whether phishing simulations are run and lessons captured, whether there are clear and simple policies for remote work and use of personal devices, and how staff are encouraged to report something odd, such as a strange email or account alert. You are looking for signs that security is part of everyday habits. Regular short training, simple policies and open reporting work better than one long online course once a year.
Understanding Your Real Cyber Risk Exposure
To govern risk, the board needs a clear picture of what really matters. Start with the "crown jewels". Ask management which systems cannot be offline for more than a few hours, which data sets would cause the most harm if stolen or leaked (for example, customer, financial, health or IP data), and which processes must keep running even during an outage. This helps link cyber decisions directly to revenue, service delivery and regulatory obligations.
Then test whether there is an up-to-date view of the technology environment. Many New Zealand SMBs have a mix of cloud apps, older servers and staff signing up for tools on their own. Directors should understand whether there is an accurate inventory of systems, cloud apps and data stores, and how "shadow IT" such as unsanctioned apps paid for on a company card is identified and managed. Unseen systems often become the weak points that lead to avoidable incidents.
Threats and vulnerabilities need to be translated into business terms. Useful board-level questions explore what the most likely cyber threats are for your sector (such as ransomware, invoice fraud, business email compromise or supplier breaches), how each of these could realistically play out in your business, and for your main technical vulnerabilities, what the likelihood and impact would be and what is being done about them. This allows directors to compare cyber risks alongside other strategic and operational risks.
Risk appetite should also be clear. Directors can ask how the organisation would describe its cyber risk appetite and where that is documented, when it was last reviewed and what changed, and whether current controls and cyber insurance limits reflect the organisation's size, sector and reliance on digital systems. This is especially important in busier trading periods, when an outage would hurt most and cashflow or safety impacts would be felt more quickly.
Testing Cyber Resilience, Not Just Cyber Compliance
Many organisations have policies and tick boxes, but limited real resilience. Boards should look past the paperwork and understand how the organisation would actually respond on a bad day.
To separate compliance from reality, directors can ask which key cyber controls can be proven to be in place and working, how often those controls are tested, and how results are tracked over time. It is also useful to understand whether cybersecurity is run as an ongoing programme with clear metrics, or mainly driven by audits and questionnaires. A continuous improvement approach generally leads to fewer surprises and more predictable IT costs.
Incident response and recovery planning are core parts of cybersecurity in New Zealand organisations. Directors can ask whether there is a current, written incident response plan, who sits on the response team, and what the roles are for executives and directors. It is important to know when the last tabletop exercise was run to walk through a serious incident, how often backups and disaster recovery are tested, and how long it would realistically take to restore key systems in a peak period. A useful follow-up is whether "tested" means a full restore of a key system was actually performed and timed, not just that the backup job reported success, and whether at least one backup copy is kept offline or otherwise isolated so that ransomware which reaches the network cannot encrypt or delete it. These details link directly to downtime, customer impact and the ability to keep trading.
Third parties and cloud providers also carry risk. For many SMBs, most systems now sit with external vendors. Boards should understand which critical services rely on IT providers, cloud platforms or software vendors, how these suppliers are assessed from a security point of view before contracts are signed, and what security expectations are written into contracts and service level agreements. It is also sensible to ask whether critical New Zealand and overseas suppliers have their own incident response plans, and what your plan is if they have a breach affecting your data. You want confidence that management is not assuming vendors "have it sorted" without checking.
Key Cybersecurity Questions Every NZ Board Should Ask
It can help to keep a short, standard list of questions that directors use with management a few times a year. These can be adapted to suit your industry, whether you are in professional services, healthcare, construction, logistics or another common New Zealand SMB sector.
On current security posture, directors can ask:
- What the top five cyber risks to the business are right now and how each one is being treated.
- Which specific controls protect email, remote access and key cloud systems (for example, multi-factor authentication on all external logins and administrator accounts), and what evidence management has that those controls are working in practice rather than just configured.
- Where the organisation is currently accepting risk because it lacks resources or capability.
On measurement and reporting, boards can agree what cyber metrics they will see regularly and how often. Scenario-based reporting, for example "what would happen if our main system was encrypted tomorrow", helps make the risk concrete. Directors can also ask how learnings from small incidents are used to improve processes and training, so that near-misses reduce the chance of major events.
On continuous improvement and investment, it is useful to understand what improvements have been made to the security posture in the last 12 months, what is planned for the next 12, where the organisation is relying on manual workarounds that could fail or be abused, and whether there is enough depth in internal capability. For some SMBs, models such as a managed cybersecurity provider or virtual CISO can provide broader coverage and more predictable costs than trying to build everything in-house.
These questions help directors test not just the current state, but the direction of travel.
Turning Board Questions Into a Practical Cyber Plan
When boards in New Zealand stay engaged on cybersecurity, the benefits flow through the whole organisation. Risk comes into clearer view, surprises are reduced and downtime is less likely. Customers, regulators and partners see a business that takes protection of data and operations seriously. In many cases, this also leads to smoother audits, improved trust with key clients and more predictable IT and security spending over time.
The next step for many boards is to make cyber a standing part of the broader risk framework. That can include a yearly deep-dive session on cyber risk, regular plain-English briefings tailored to the organisation, and clear links between cyber, business continuity and strategy. An external partner such as CorIT Tech, based in New Zealand and focused on supporting local SMBs, can assist with independent risk assessments, board education and practical cyber roadmaps, as well as managed cybersecurity services that complement internal teams without overwhelming budgets.
By approaching cybersecurity as an ongoing governance responsibility rather than a one-off project, New Zealand directors can better protect their organisations from disruption, support growth plans and demonstrate to stakeholders that cyber risk is being managed in a disciplined, business-focused way.
Protect Your Kiwi Business With Practical Cybersecurity Support
If you are ready to strengthen your digital defences, our team can help you tailor cybersecurity in NZ to suit your organisation's size, risks and compliance needs. At CorIT Tech, we work alongside your team to identify gaps, implement practical safeguards and provide ongoing monitoring so issues are caught early. Tell us a bit about your environment and goals, and we will outline clear next steps without the jargon. To start a conversation, simply contact us and we will respond promptly.