5 Cybersecurity Mistakes NZ Small Businesses Make (and How to Fix Them)
6 June 2026 · 6 min read · by Node-Red
Cyber-attacks aren't just a big-corporate problem. Most attacks today are automated — bots scanning the internet for any business with a weak spot, regardless of size. In New Zealand, CERT NZ receives thousands of incident reports from individuals and businesses every year, and small businesses are squarely in the firing line because they're often the least protected.
The good news: the most common mistakes we see are also the cheapest to fix. Here are the five we run into most often when we do a free IT checkup — and exactly how to close each gap.
1. "We're too small to be a target"
This is the most dangerous assumption in small business. Attackers don't hand-pick victims — they cast a wide net and hit whoever has an open door. A tradie, a café, a school, a plumbing firm: to a bot, you're just an IP address with an unpatched system or a reused password.
The fix: Shift your mindset from "why would they target us?" to "what would happen if they did?" Then put the basics below in place. You don't need an enterprise budget — you need the fundamentals done properly.
2. Weak and reused passwords
When the same password is used across email, banking and software — and it's something guessable — one leak unlocks everything. Attackers buy lists of stolen passwords and try them automatically across hundreds of services ("credential stuffing").
The fix: Use a password manager so every account gets a long, unique, random password and nobody has to remember them. It's the single highest-impact, lowest-cost security upgrade most businesses can make.
3. No multi-factor authentication (MFA)
Even a strong password can be phished or leaked. Multi-factor authentication (also called 2FA) adds a second step — usually a prompt on your phone — so a stolen password alone isn't enough to get in.
The fix: Enable MFA on every account that offers it, starting with email, banking, and any admin logins. It blocks the overwhelming majority of account-takeover attempts.
4. Putting off software updates
"Remind me tomorrow" is how a lot of breaches start. Updates aren't just new features — they patch security holes that attackers actively exploit, often within days of a flaw becoming public.
The fix: Turn on automatic updates for operating systems, browsers and apps. For a business with more than a handful of devices, a managed patching service keeps everything current without anyone having to remember.
5. Backups that don't actually work
Many businesses think they're backed up — until they try to restore and find the backup was incomplete, out of date, or itself encrypted by ransomware. A backup you've never tested is a hope, not a plan.
The fix: Follow the 3-2-1 rule: at least 3 copies of your data, on 2 different types of media, with 1 copy kept off-site (or in the cloud). Then test a restore regularly so you know it works before you need it.
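An added example (not part of the original article): one way to make "test a restore" checkable is to save a checksum manifest when the backup is taken, then compare a test restore against it. The function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file; run this when the backup is taken."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(expected: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a test restore with the manifest saved at backup time."""
    actual = build_manifest(restored_root)
    return {
        # In the manifest but not restored: the backup is incomplete.
        "missing": sorted(expected.keys() - actual.keys()),
        # Restored but different: stale, corrupted or encrypted copy.
        "mismatched": sorted(f for f in expected.keys() & actual.keys()
                             if expected[f] != actual[f]),
        # Restored but never recorded: e.g. files renamed with a new extension.
        "unexpected": sorted(actual.keys() - expected.keys()),
    }

def demo() -> dict[str, list[str]]:
    """Constructed sample: a restore with one stale, one missing, one renamed file."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        live.mkdir()
        restored.mkdir()
        for name, text in [("invoices.csv", "v2"), ("payroll.xlsx", "p"), ("quotes.txt", "q")]:
            (live / name).write_text(text)
        expected = build_manifest(live)
        (restored / "invoices.csv").write_text("v1")        # older content
        (restored / "quotes.txt.locked").write_text("??")   # renamed and altered
        return verify_restore(expected, restored)            # payroll.xlsx never restored

if __name__ == "__main__":
    for problem, files in demo().items():
        print(f"{problem}: {files}")
```

A restore passes only when all three lists come back empty; keep the manifest somewhere the backup job itself cannot overwrite.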
The bottom line
None of these fixes are expensive or complicated — but they're the difference between a minor scare and a business-stopping incident. If you're not sure where your gaps are, that's exactly what our free IT checkup is for: we'll assess your setup and give you an honest, plain-English picture of your risks.