Why Tool-led Cyber Security Falls Short for NZ SMEs
Part 2 of the myITmanager Cyber Security Clarity Series for NZ businesses

In Part 1, we explored why cyber security still feels unclear for many New Zealand SMEs. A common next step for businesses is to invest in tools. On the surface, this makes sense. Cyber threats are increasing, and the market offers no shortage of solutions promising protection. However, across New Zealand businesses, a consistent pattern is emerging: More tools aren’t translating into stronger cyber security outcomes.
The reality: tool adoption is increasing but risk isn’t reducing
Cyber security investment has grown steadily across New Zealand.
Businesses are adopting:
- Endpoint protection
- Email security
- Multi-factor authentication
- Backup and recovery solutions.
At the same time, official data continues to show that cyber incidents remain persistent and costly.
- Over 7,900 cyber incidents were reported in New Zealand in a single year, with more than $18 million in direct financial losses.
- In just one quarter, $12.4 million in losses was reported, driven largely by email compromise and fraud.
- The National Cyber Security Centre (NCSC) continues to report thousands of incidents each quarter, with phishing and scams consistently the most common.
- These numbers represent only visible incidents - many businesses experience disruption, loss or exposure that never gets formally reported.
This highlights a clear disconnect: Tool adoption is increasing, but exposure and financial impact are not reducing at the same rate.
Why this happens
The issue isn’t the tools themselves. It’s how they are introduced.
Most NZ SMEs adopt cyber security incrementally:
- A tool is added in response to a risk
- Another is introduced after an incident or recommendation
- Training is layered on separately.
Over time, this creates a reactive stack, not a structured approach.
The result is:
- Security controls that don’t align
- Gaps between systems
- No clear prioritisation of risk.
The problem with “tool-led” cyber security
When cyber security is driven by tools, three problems tend to appear.
1. Protection is uneven
Some areas of the business are well protected. Others are not.
For example:
- Strong email filtering, but weak identity controls
- Good backups, but limited monitoring
- Training in place, but no clear policies.
Because tools are visible, coverage can feel stronger than it is.
2. Risk isn’t prioritised
Tools solve specific problems, but they don’t tell you which risks matter most. Without a structured view of risk, businesses often:
- Focus on visible threats rather than likely ones
- Over-invest in some areas and under-invest in others
- Struggle to explain why decisions have been made.
3. Assurance is hard to demonstrate
This is becoming increasingly important.
Insurers, partners and clients are asking:
“How is your cyber security managed?”
Not:
“What tools do you have?”
Without structure, this is a difficult question to answer.
What research is showing
Across New Zealand and globally, the same pattern is emerging.
- Small businesses are now a primary target, with nearly half of cybercrime aimed at SMEs
- In several NZ surveys, over 50% of SMEs have been targeted within a six-month period
- Phishing and credential theft remain the most common attack methods, often relying on human behaviour rather than technical vulnerabilities.
What this shows is important:
Attacks are not always sophisticated, but they are consistent, targeted and effective.
And critically:
They exploit gaps - not the absence of tools.
What changes the outcome
The difference between fragmented security and effective cyber resilience is not more tools. It’s how those tools, people and processes are brought together.
Effective cyber security requires:
- A clear understanding of current risk
- Prioritisation based on business impact
- Alignment across systems and teams
- Ongoing oversight and adjustment.
Without this, security remains reactive. With it, security becomes something the business can understand, manage and explain.
Where to start
For most NZ SMEs, the shift begins with visibility.
Not another product but a clearer picture of where you stand today.
👉 Get an objective view of your cyber risk, without technical jargon
Find out your Cyber Risk Score
This provides a structured view of:
- Your current level of protection
- Where gaps or inconsistencies exist
- What to prioritise next.
Looking ahead
If tools alone don’t deliver assurance, the next question is:
👉 What does a structured, SME-appropriate approach look like?
In Part 3, we will introduce SMB1001 - a framework designed specifically for New Zealand businesses to bring structure, visibility and assurance to cyber security.
Written by Troy Russell
In his role at myITmanager, Troy leverages his unique insights to identify growth opportunities and foster strategic partnerships. His ability to navigate the rapidly evolving technology landscape ensures that clients receive forward-thinking advice tailored to their specific needs.

