Tech & Security Intelligence Issue 002 · 6 Jun 2026

The Weekly Brief

The week's tech and security news that actually matters to New Zealand business — what happened, and what to do about it.

Curated by Paul, Director of Node-Red
Editor · Node-Red

4 stories · 5 min read

In this issue

01 Cybersecurity

QR-code “quishing” scams are surging across New Zealand

“Quishing” (QR-code phishing) has gone from rare to mainstream in New Zealand in about six months, and now accounts for roughly 1 in 10 cyber attacks across ESET's 250,000+ NZ users. It's showing up everywhere: fake NZ Post “pay a small fee to redeem your parcel” texts, unsolicited parcels containing a QR code designed to get you to scan, and stickers placed over legitimate codes on parking meters and “free Wi-Fi” signs in cafés and car parks.

Scan one and you're taken to a polished fake login or payment page — and because it opens on your phone, the usual desktop warning signs are harder to spot. For scale: ESET detected almost 200,000 cyber threats across its NZ users in the year to March 2026, and NCSC-commissioned research found more than half of NZ small businesses have already been exposed to a cyber threat.

02 New Zealand

CERT NZ is being folded into the National Cyber Security Centre

CERT NZ — the agency most businesses know as the place to report a cyber incident or get plain-English security guidance — is being merged into the National Cyber Security Centre (NCSC). The change is rolling out in phases over the next couple of years, with the goal of giving New Zealand a single national agency and one “front door” for cyber security, instead of several overlapping bodies.

For now it's business as usual: you report incidents and find advice exactly as you do today. Over time, expect the CERT NZ brand, website and reporting channels to gradually shift under the NCSC.

03 Business IT

Microsoft 365 adds free security to smaller plans — and lifts prices on 1 July

Microsoft has quietly pushed genuinely useful security down into its cheaper plans. Safe Links — which checks a link at the moment you click it and blocks known-malicious sites — is now included in Business Basic and Standard (and Office 365 E1), and it now covers Teams messages and SharePoint files, not just email. Microsoft has also reshuffled its 2026 licence tiers, folding more protection (such as Defender for Office 365) into standard business and enterprise plans.

The catch: Microsoft 365 commercial prices rise globally from 1 July 2026. So most businesses will get better built-in protection automatically — alongside a higher bill.

04 Compliance

A new Privacy Act rule (IPP 3A) is now in force

New Zealand's Privacy Act gained a new information privacy principle, IPP 3A, which came into force on 1 May 2026. It covers personal information you collect indirectly, that is, from somewhere other than the person themselves: bought marketing or lead lists, data from third-party providers, or details about a person gathered from another business.

When that happens, you now have to take reasonable steps to tell the individual — as soon as reasonably practicable — that you've collected their information, what it's for, and who holds it. It applies only to information collected indirectly on or after 1 May 2026, and it brings NZ's privacy rules closer to the GDPR in Europe and Australia's regime.

Tip of the week

Turn on MFA for your email — today

If you do one thing this week, enable multi-factor authentication on your business email. Email is the master key to your business — and MFA blocks the vast majority of account-takeover attempts, even if a password leaks. Takes five minutes; saves a very bad day.

Node-Red

Want all of this handled for you?

We keep an eye on the threats, the updates and the fine print so you don't have to. Book a free, no-obligation IT checkup.
