Is your IT strategy risky or reliable? Find out with our FREE e‌Book!​‍‌‍‍‌‌‍‌‌‍‍‌‌‍‍​‍​‍​‍‍​‍​‍‌​‌‍​‌‌‍‍‌‍‍‌‌‌​‌‍‌​‍‍‌‍‍‌‌‍​‍​‍​‍​​‍​‍‌‍‍​‌​‍‌‍‌‌‌‍‌‍​‍​‍​‍‍​‍​‍​‍‌​‌‌​‌‌‌‌‍‌​‌‍‍‌‌‍​‍‌‍‍‌‌‍‍‌‌​‌‍‌‌‌‍‍‌‌​​‍‌‍‌‌‌‍‌​‌‍‍‌‌‌​​‍‌‍‌‌‍‌‍‌​‌‍‌‌​‌‌​​‌​‍‌‍‌‌‌​‌‍‌‌‌‍‍‌‌​‌‍​‌‌‌​‌‍‍‌‌‍‌‍‍​‍‌‍‍‌‌‍‌​​‌‌‍​‌‌‍​‍​‌‍​​​​‌​‍‌​‌‌​​​​‍‌​‌​‌‍‌‌‌‍​‍‌‍​​‍‌​‌​‌‍‌‌​‌‍‌‍​‍​‍‌‌‍​‌​‍‌‌‍​‌‍‌‍​‍‌‌‍​‌‌‍‌‍‌‍​‌‌‍​‌‌‍‌​​‌‌​‌‍​‍‌​‌​‌‌​‍​‌‍‌‍​‍‌‌​‌‍‌‌​​‌‍‌‌​‌‌‍‌​‌‍‌‌‌‍‍‌‍​‌‍‌‍​‌‌‍‌​​‍‌​​‌‍​‌‌‌​‌‍‍​​‌‌‌​‌‍‍‌‌‌​‌‍​‌‍‌‌​‌‍​‍‌‍​‌‌​‌‍‌‌‌‌‌‌‌​‍‌‍​​‌​‍‌‌​​‍‌​‌‍‌​‌‌​‌‌‌‌‍‌​‌‍‍‌‌‍​‍‌‍‌‍‍‌‌‍‌​​‌‌‍​‌‌‍​‍​‌‍​​​​‌​‍‌​‌‌​​​​‍‌​‌​‌‍‌‌‌‍​‍‌‍​​‍‌​‌​‌‍‌‌​‌‍‌‍​‍​‍‌‌‍​‌​‍‌‌‍​‌‍‌‍​‍‌‌‍​‌‌‍‌‍‌‍​‌‌‍​‌‌‍‌​​‌‌​‌‍​‍‌​‌​‌‌​‍​‌‍‌‍​‍‌‍‌‌​‌‍‌‌​​‌‍‌‌​‌‌‍‌​‌‍‌‌‌‍‍‌‍​‌‍‌‍​‌‌‍‌​​‍‌‍‌​​‌‍​‌‌‌​‌‍‍​​‌‌‌​‌‍‍‌‌‌​‌‍​‌‍‌‌​‍‌‍‌​​‌‍‌‌‌​‍‌​‌​​‌‍‌‌‌‍​‌‌​‌‍‍‌‌‌‍‌‍‌‌​‌‌​​‌‌‌‌‍​‍‌‍​‌‍‍‌‌​‌‍‍​‌‍‌‌‌‍‌​​‍​‍‌‌
myITmanager
Am I At Risk?
Let's Talk

Why Cyber Security Still Feels Unclear for NZ SMEs

This article is part 1 of the myITmanager Cyber Security Clarity Series, sharing business-first insights to help New Zealand SME businesses move from uncertainty to structured, resilient cyber security.

Most New Zealand business leaders know cyber security matters. What many still struggle with is knowing whether what’s in place is enough.

Why does cyber security feel unclear for NZ SMEs?

Cyber security often feels unclear because businesses take fragmented actions such as tools, training and policies without a structured framework. This makes it difficult to understand risk, prioritise effectively and feel confident in their security posture. 

This isn’t a failure of effort. It’s a gap in understanding. That lack of clarity shows up clearly in the data. Around 73% of New Zealand small businesses say they are worried about cyber crime, yet only about 37% are planning to improve their cyber security protection.*

This gap doesn’t exist because businesses don’t care. It exists because many don’t know what “good” looks like or how to move forward with a clear direction. Knowing cyber risk exists is one thing. Knowing whether your business is adequately protected is another. 

👉 Curious how clear your cyber posture really is?
Find out your Cyber Risk Score in a few minutes

*Source: New Zealand insurer and SME cyber sentiment research (2023–2024)

High concern, low confidence

Cyber risk is no longer theoretical for New Zealand businesses. Ransomware, phishing and online fraud are now part of the operating environment for organisations of every size. At the same time, expectations are rising, from insurers, partners and customers, around what “good” security looks like.

This is where the idea of cyber resilience becomes important. It’s not just about preventing attacks. It’s about understanding your exposure, responding effectively, and continuing to operate if something does go wrong.

Despite this, trust remains low. Many SMEs sense risk but struggle to translate that awareness into clear decisions or meaningful next steps. The result is hesitation not because leaders are ignoring the issue, but because it’s difficult to judge whether current protections are appropriate, prioritised or defensible.

Why uncertainty persists, even when action has been taken

One of the most common reasons cyber security still feels unclear is that it’s often approached in fragments.

Businesses take sensible first steps:

  • Investing in security tools
  • Providing staff training
  • Introducing policies and guidelines.

Individually, these actions make sense. Collectively, they don’t always add up to feeling secure. Without an overarching structure, it becomes difficult to see how everything fits together or where the real gaps might be. 

Leaders are left asking:

  • Which risks matter most for our business?
  • Are we focusing on the right things, or just the visible ones?
  • How would we explain our security posture to an insurer, partner or client? 
  • What should we prioritise next?

When these questions don’t have clear answers, cyber security becomes something that creates concern rather than confidence.

In short

Most NZ SMEs don’t lack cyber security intent; they lack a framework that turns effort into assurance.

Cyber security isn’t just a technical problem

For many SMEs, the challenge isn’t technical capability; it’s clarity and alignment.

Cyber security has implications across the business, including:

  • Business continuity
  • Customer trust
  • Insurance and compliance
  • Reputation and long-term growth. 

When security lacks structure, decision-making is driven by assumption rather than visibility. 

Then risk accumulates quietly, often unnoticed until something goes wrong. The hallmark of good cyber security is it should reduce uncertainty, not add to it.

Why this matters now

Cyber threats continue to rise across New Zealand, while expectations from insurers and partners are increasing. Doing something about cyber security is no longer enough, businesses need to know whether what they’re doing is:

  1. Appropriate for their size and risk profile
  2. Focused on the right priorities
  3. Capable of standing up to scrutiny if required.

For most NZ SMEs, “good cyber security” doesn’t mean enterprise-grade systems. It means having protections that are appropriate for the size, risk profile and reliance on technology of the business and being able to explain that position. That level of assurance doesn’t come from tools or training alone - it comes from structure.

Where to from here?

If cyber security still feels unclear, the answer isn’t to panic or purchase another product. It’s to step back and understand how your current approach is working and where the gaps are.

👉 Get an objective view of your cyber risk, without technical jargon
Find out your Cyber Risk Score

This short, non-technical assessment helps you understand where you stand and what practical steps to take next.

The team at myITmanager see this pattern consistently - businesses that care deeply about cyber security but lack a clear way to assess whether their efforts are enough.

In Part 2, we explore why tool-led cyber security so often fails to deliver and what’s missing when security is treated as a collection of products rather than a structured approach.

👉 Read Part 2: Why tool-led cybersecurity falls short (coming soon!)
👉 Download the NZ Cyber Insights Report

Written by Troy Russell

In his role at myITmanager, Troy leverages his unique insights to identify growth opportunities and foster strategic partnerships. His ability to navigate the rapidly evolving technology landscape ensures that clients receive forward-thinking advice tailored to their specific needs.

View similar resources

View all
Article

66% Surge in Cybercrime Losses: A Wake-Up Call for NZ Businesses

CybersecurityOtherManaged Services
Article

Cyber Resilience is the new Cybersecurity

Cybersecurity
Article

Cyber Insurance Basics: What Every Business Needs to Know

Cybersecurity