Kiwi Businesses: Here’s What the NCSC’s 2023–24 Report Means for You (And What You Can Do About It)
- Joseph Rapley
- Jun 24

Between July 1, 2023 and June 30, 2024, the National Cyber Security Centre (NCSC) handled 7,122 cyber incident reports. Of those, 6,779 often involved individuals or small-to-medium businesses, leading to a jaw-dropping $21.6 million in direct losses.
Think about that: Kiwi businesses like yours lost over twenty million dollars, mainly from scams, phishing, credential theft and unauthorised access. That’s not just spreadsheets and systems but real money slipping away.
On top of that, NCSC estimates they stopped around $38.8 million in harm before it even happened—thanks to their blocking tools and advice. But most of that work is done after the fact. The real work needs to start with you.
Why Your SMB is an Easy Target
- Simple scams work: A huge number of incidents were scams, like fake investment opportunities and romance cons. They trick people, not tech.
- Credential theft is rampant: Phishing and account-takeover attempts still top the charts. And if they get your password, they’re in.
- Unauthorised access is costly: These break-ins cost businesses an average of $25,500 per incident, up from $14,000 in the previous year.
- Big payouts hit hard: Law firms, real estate agents and anyone processing big payments are often targeted, with over 17 incidents losing over $100k each.
Quick Fixes Any SMB Can Do Today
Here’s a no-nonsense checklist to lock down your business:
| Threat | What You Can Do | Why It Works |
| --- | --- | --- |
| Scams & Fraud | Train your team. Do fake phishing tests | Builds awareness to stop them clicking! |
| Credential Theft | Turn on MFA for email & apps | Passwords alone are not enough |
| Unwanted Access | Patch, update, and back up regularly | Closes easy entry points |
| Money Transfers | Require dual approval on big payments | No solo withdrawal = no stolen funds |
| Under-reporting | Report everything—even small incidents | Helps NCSC spot bigger threats |
And yes, even if you start with just MFA, backups, and payment checks, you’ll be leaps ahead of many businesses. Studies show smaller firms often fail from lack of basics, not because they’re super vulnerable.
The Human Element Matters
We’re all busy. We all trust people, especially our team members. But cybercriminals don’t need fancy tools; they work by exploiting human trust. That’s why phishing, scams, and social engineering are so effective.
The best defence is to layer your defences and that starts with people. Keep training short, relevant, and realistic. Even a 1-minute drill once a quarter can make a huge difference.
Make Reporting Part of the Culture
Too many incidents go unreported, most often because of embarrassment, and some because it’s “just life.” But when you report, you’re not alone. You’re helping the entire country build better defences. Plus, you get free insights and support from NCSC.
If something dodgy happens, report it—even if it’s just “someone clicked a link”.
Take a Step Today
- Pick 2–3 quick wins (try MFA, backups, phishing training)
- Talk openly with your team about risks & reports
- Make reporting simple—put incident contact info somewhere handy
- Share wins—celebrate when someone spots a scam or reports something
It’s not about perfection. It’s about staying one step ahead.
Need Help?
We’ve got your back. We help businesses test and improve their defences with practical, affordable penetration testing services.
Book a free consultation with us today.
Cyberoptic Security Limited
Let’s make your business cyber-smart, not cyber-sorry.




