
One quarter (28%) of New Zealand large organisations consider AI-generated cyber-attacks to be a top threat to their businesses, despite only 6% of cyber breaches being attributed to an AI-generated attack, according to new research by Kordia.
Of the 295 businesses with more than 50 employees surveyed as part of Kordia’s annual New Zealand Business Cyber Security Report:
- Almost two thirds (59%) of New Zealand businesses were subjected to a cyber-attack or incident in 2024
- 43% of all cyber-attacks and incidents were caused by email phishing
- Almost one in 10 businesses compromised by a cyber incident paid a ransom or extortion demand
- 16% of cyber incidents resulted in the compromise or theft of personally identifiable information (PII)
- 22% of cyber incidents caused operational disruption
- 19% of cyber incidents related to a breach or attack on a third party
Alastair Miller, Principal Security Consultant at Kordia-owned Aura Information Security, says the findings reflect the proliferation of AI technology, resulting in an increase in social engineering and phishing attacks against businesses.
“AI has lowered the cost of entry and time investment needed by cybercriminals to craft, refine and adapt social engineering campaigns. As a result, we’re seeing a surge of businesses reporting attacks involving sophisticated email phishing, something that we expect will continue to increase.”
Miller says the report reveals that financial gain is a clear motivator behind attacks on Kiwi businesses.
“Money is the motivator. That’s why it’s unsurprising to see stolen personal information, IP, commercially sensitive data and business disruption amongst the list of impacts faced as a result of a cyber incident.
“These are all things that cybercriminals can leverage to put pressure on businesses to pay a blackmail or extortion demand,” Miller continues.
Despite this, many of the businesses surveyed are still not implementing basic cyber security, or elevating cyber security as a top risk for the company’s board.
“It’s disappointing to see New Zealand businesses lagging behind – around one third of businesses say they don’t do any reporting on cyber risk to their board of directors, and around half haven’t practiced their cyber security response plan,” says Miller.
The report reveals the extent to which AI is reshaping behaviours and attitudes around cyber security for New Zealand businesses, as well as the evolving nature of cybercrime.
“AI-generated cyber-attacks are the new frontier of cybercrime,” explains Miller. “The democratisation of increasingly sophisticated AI technology has catapulted the effectiveness and speed of cybercrime to extraordinary new heights.”
Miller points to the recent uptake of large language models in AI-generated phishing attacks as an example. Not only has it enabled greater personalisation and adaptability by mimicking writing styles or contextualising messages in a timely manner, but it’s also enabled greater levels of automation, resulting in a highly scalable and incredibly efficient tactic for cybercriminals.
Of the 59% of respondents who said their business suffered a cyber-attack or incident in 2024, 43% were compromised by an email phishing attack.
“Those numbers are high, and we know that they can be attributed in large part to a rise of AI-generated cybercrime tactics.”
But cybercriminals aren’t the only cause for concern for New Zealand businesses when it comes to AI. More than a quarter (28%) of respondents cited AI-generated cyber-attacks as a threat to their business’s security posture.
Miller says that shadow AI – the unsanctioned use of AI tools by employees in the workplace – has heightened concerns around employees putting businesses at risk.
One in four (25%) respondents cited employee awareness and behaviour as a top challenge to improving their cyber security posture, and one in six (16%) respondents cited improper use of AI as another top challenge.
“Employees are either accessing AI tools like ChatGPT without company knowledge or are not following any guidelines around data management to prevent exposure of company data to AI training models, for example, by feeding the AI with commercially sensitive or private information. In fact, our report indicated 6% of cyber incidents involved an AI-related data breach, so even though AI implementation is rather new we’re already seeing some of the consequences of poor AI usage in this country.”