.jpg)
The National Cyber Security Centre’s Cyber Threat Report 2025 offers a sobering view of the threat landscape facing New Zealand organisations. The message is clear: cyber risk is no longer hypothetical, isolated, or limited to large enterprises. It is persistent, evolving, and affecting organisations of all sizes and sectors.
At IT Partners, we work closely with organisations navigating these risks every day. Below, we highlight the most important insights from the report and what they mean in practice for business leaders.
State-sponsored cyber actors are actively targeting New Zealand organisations, including those outside government and critical infrastructure.
These actors are highly sophisticated, well-resourced, and motivated by espionage, disruption, or strategic advantage rather than financial gain alone.
What’s important to understand is that you don’t need to be “important” to be targeted. Many organisations are compromised because they are part of a supply chain, hold valuable information, or represent an easy entry point to something larger.
What this means for leaders:
Cyber security is no longer just an IT issue. It’s a governance and risk issue that requires visibility at the executive and board level.
The report highlights the continued rise of ransomware-as-a-service, which allows cybercriminals to rent tools and infrastructure, dramatically lowering the barrier to entry.
Combined with automation and AI, attackers can now scale attacks faster than ever.
In the past year alone, the NCSC recorded $26.9 million in direct financial losses from reported cyber incidents, with the true cost likely far higher when operational disruption and reputational damage are included.
What this means for leaders:
Cyber incidents are no longer rare events. Organisations must plan for disruption and assume incidents will occur, not if but when.
Threat actors are increasingly targeting vendors, service providers, and software dependencies to gain indirect access to their real targets
Even organisations with strong internal controls can be impacted through third parties.
This includes managed service providers, cloud platforms, and widely used enterprise software.
What this means for leaders:
Understanding cyber risk must extend beyond your own environment. Supplier assurance, access controls, and shared responsibility models are critical.
Despite the sophistication of some attackers, many successful compromises continue to rely on known weaknesses: unpatched systems, weak credentials, and lack of multi-factor authentication.
The report reinforces a consistent theme we see across our client base: strong cyber resilience depends more on doing the basics well, consistently, than on deploying the latest tools.
What this means for leaders:
Investment should prioritise fundamentals such as patching, identity security, backup strategies, and incident response readiness before advanced tooling.
The NCSC is explicit about the audience for this report: leaders making strategic decisions about risk, investment, and organisational resilience.
Cyber security outcomes are shaped by governance, resourcing, and culture, not just technology.
Organisations that detect incidents early, respond decisively, and recover quickly consistently limit harm more effectively than those focused solely on prevention.
At IT Partners, we work alongside organisations to turn cyber security from an abstract risk into something practical and manageable. That often starts with getting the fundamentals right: patching, identity security, backups, and visibility, and then building from there. We help teams understand what matters most in their environment, improve their ability to detect and respond to incidents, and put realistic plans in place for recovery when things don’t go to plan. Just as importantly, we support leaders with clear insight into their cyber risk posture, so decisions about investment and priorities are informed, not reactive.
The Cyber Threat Report 2025 reinforces what we see every day: cyber resilience isn’t about eliminating risk entirely, it’s about being prepared, informed, and able to respond with confidence.
If you’d like to talk through what the report means for your organisation, or sense-check your current level of cyber preparedness, we’d welcome a conversation. Get in touch with the IT Partners team to discuss how we can support you.
.jpg)
