
What the 2025 NCSC SME Tracker means for NZ small businesses
The latest NCSC SME Cyber Security Behaviour Tracker is out, and it’s a wake-up call for owners and managers who’ve been hoping “a tool” would be enough. In short: more New Zealand SMEs are facing cyber threats, those threats are mostly social engineering (people tricks), and the impact is getting heavier.
What changed this year?
More than half of SMEs (53%) say they experienced at least one cyber threat in the past six months, up from 36% last year. This is a big jump driven largely by very small firms (0–5 FTE). If you run a small team, you’re now statistically more likely to be targeted than not.
How are attackers getting in?
It’s overwhelmingly people-focused. The top four incident types were scam calls (32%), phishing (18%), impersonation scams (12%), and invoice scams (11%). Added together, that’s 73% of events and all classic social-engineering plays. Translation: criminals aren’t “hacking your firewall”; they’re tricking staff on the phone, in email, or around payment process changes. (Phishing = deceptive emails/websites that steal credentials. Impersonation/invoice scams = faked identities or altered payment details.)
Impact is getting heavier.
Fewer incidents are “minor,” and severe harm jumped from 2% to 8% year-over-year. Time loss and stress still dominate, but larger SMEs are also more likely to lose information or money. If you’re treating cyber as a nuisance rather than a business risk, that posture is getting harder to defend.
Are SMEs changing behaviour?
Some, yes, but not fast enough. Only 28% of organisations took new security actions in the last six months (down a point from 2024). The good news: adoption of practical moves is ticking up; more firms are verifying payment changes via a second channel and creating incident response plans (both up 12%), plus steady gains in MFA, strong passwords, and regular backups. These are the boring basics that actually work.
One hard truth: many incidents never reach the right help. After attacks, SMEs are far more likely to contact their bank than report to government. Only 7% reported to the NCSC, despite the clear value of intel-sharing and coordinated disruption. If you want fewer scams in the ecosystem, reporting is part of the job.
What this means for your business
Test, train, and test again. Social engineering is the main risk, so focus your spend on people: role-based training, realistic phishing simulations, and payment-change drills. Back that with clear playbooks (who does what when things look off). If it feels like “soft stuff,” remember 73% of incidents sit right there.
Backstop humans with process. Require out-of-band verification for any request to change bank details (call a number you already have on file, not the one in the email). Make it muscle memory. The share of firms doing this is rising for a good reason.
Harden the easy wins. Turn on MFA for email, finance, and anything that holds customer data. Update apps and patch operating systems promptly. Keep off-site backups and test that you can restore from them. These aren’t buzzwords; they’re cheap insurance that stops common attacks cold.
Have a plan, not just tools. An incident response plan (who to call, how to contain, when to notify) shrinks downtime and stress. You don’t need a SOC to start; you need a one-page plan your team can follow under pressure. Adoption is up, so join that curve.
Report it. Tell your bank and also report to NCSC/CERT NZ. It helps you, and it helps take down active campaigns that might hit your suppliers or customers next.
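The payment-change control above is the one that most directly blocks invoice and impersonation scams, so here is what it looks like when written down as a rule set rather than a habit. This is an added example, not code from the NCSC tracker or from Heimdall Infosec; it assumes a supplier register where each supplier’s phone number and email domain were captured at onboarding through a trusted channel, and all suppliers, staff names, numbers and accounts in it are constructed. The gate rejects a change unless the callback went to the number on file, the supplier confirmed on that call, and a second person signed off; lookalike sender domains and “call me on this new number” phones in the email are logged as warnings because they are exactly what the tracker’s invoice-scam cases look like.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Supplier:
    """Supplier master record. verified_phone and email_domain were captured at
    onboarding through a trusted channel and are never updated from an inbound email."""
    supplier_id: str
    name: str
    account_on_file: str
    verified_phone: str
    email_domain: str


@dataclass
class ChangeRequest:
    """An inbound request to change where a supplier is paid, plus what finance did about it."""
    supplier_id: str
    new_account: str
    sender_domain: str                      # domain of the email that asked for the change
    phone_in_email: Optional[str]           # any "call me on" number quoted in that email
    requester: str                          # staff member who keyed the change
    callback_number: Optional[str] = None   # number finance actually dialled to verify
    callback_confirmed: bool = False        # supplier confirmed the change on that call
    approver: Optional[str] = None          # second person who signed off


@dataclass
class Decision:
    approved: bool
    blockers: list = field(default_factory=list)   # any one of these rejects the change
    warnings: list = field(default_factory=list)   # scam indicators to log and raise on the call


def normalise_phone(number: Optional[str]) -> str:
    """Compare digits only so spacing and punctuation variants of one number line up."""
    return "".join(ch for ch in (number or "") if ch.isdigit())


def evaluate(req: ChangeRequest, register: dict) -> Decision:
    supplier = register.get(req.supplier_id)
    if supplier is None:
        return Decision(False, blockers=["supplier not in register; nothing trusted to verify against"])
    if req.new_account == supplier.account_on_file:
        return Decision(False, blockers=["no change: account already on file"])

    d = Decision(approved=True)

    # Indicators that usually accompany invoice and impersonation scams. Logged, not
    # decisive on their own: a genuine supplier can change domain or phone too.
    if req.sender_domain.lower() != supplier.email_domain.lower():
        d.warnings.append(f"sender domain '{req.sender_domain}' differs from on-file '{supplier.email_domain}'")
    if req.phone_in_email and normalise_phone(req.phone_in_email) != normalise_phone(supplier.verified_phone):
        d.warnings.append("email quotes a contact number that is not the number on file")

    # Hard rules: call the number on file, get confirmation on that call, and have a
    # second person who did not key the change sign it off.
    if normalise_phone(req.callback_number) != normalise_phone(supplier.verified_phone):
        d.blockers.append("callback was not made to the number on file")
    if not req.callback_confirmed:
        d.blockers.append("supplier has not confirmed the change on the callback")
    if not req.approver:
        d.blockers.append("no second approver recorded")
    elif req.approver == req.requester:
        d.blockers.append("requester and approver are the same person")

    d.approved = not d.blockers
    return d


# Constructed sample data: not real organisations, people, numbers or accounts.
REGISTER = {
    "SUP-001": Supplier("SUP-001", "Example Joinery Ltd", "12-3456-0000000-00",
                        "+64 4 555 0100", "examplejoinery.co.nz"),
}

# Invoice-scam pattern: lookalike domain, a "new" phone number in the email, and staff
# rang that number instead of the one on file.
SCAM_REQUEST = ChangeRequest(
    supplier_id="SUP-001", new_account="38-9999-0000000-00",
    sender_domain="examplejoinery-accounts.com", phone_in_email="+64 4 555 0199",
    requester="alex", callback_number="+64 4 555 0199", callback_confirmed=True, approver="sam")

# Same change handled correctly: number on file called, second approver signed off.
GOOD_REQUEST = ChangeRequest(
    supplier_id="SUP-001", new_account="38-9999-0000000-00",
    sender_domain="examplejoinery.co.nz", phone_in_email=None,
    requester="alex", callback_number="+64-4-555-0100", callback_confirmed=True, approver="sam")

# Process shortcut: callback done properly, but one person keyed and approved the change.
SELF_APPROVED = ChangeRequest(
    supplier_id="SUP-001", new_account="38-9999-0000000-00",
    sender_domain="examplejoinery.co.nz", phone_in_email=None,
    requester="alex", callback_number="+64 4 555 0100", callback_confirmed=True, approver="alex")

if __name__ == "__main__":
    for label, req in [("scam", SCAM_REQUEST), ("good", GOOD_REQUEST), ("self-approved", SELF_APPROVED)]:
        d = evaluate(req, REGISTER)
        print(label, "APPROVED" if d.approved else "REJECTED", d.blockers, d.warnings)
```

The point of keeping warnings separate from blockers is that the decision never rests on spotting the scam: even a perfectly convincing email fails the gate if the callback went anywhere other than the number already on file. The warnings are there so the person making the call knows to ask about the new domain or number, and so the finance team has something to report to the bank and to NCSC/CERT NZ when a request turns out to be fraudulent.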
How Heimdall Infosec can help (without blowing the budget)
Heimdall exists for this exact space: cost-effective, tailored security for SMEs.
We offer a free initial consultation to give you a picture of the threats you face, your potential vulnerabilities and your key risks.
We then recommend a full assessment of your organisation so we can identify what matters most and prioritise the next steps together.
Based on that assessment, we implement the controls that reduce your risk the most. In many cases this includes people-centric controls, payment-change verification to block business email compromise, MFA on critical accounts, patching and configuration hygiene, backup checks with test restores, and a right-sized incident response plan your team can follow under pressure. The exact plan, though, reflects your environment and risk tolerance.
Our aim is simple: reduce real-world risk and help you pass the “sleep at night” test.
If you want a pragmatic, no-nonsense plan that fits your business, let’s talk. We will keep it focused, measurable, and sustainable. No silver bullets, just the steps that work.