GTB IT Solutions
Knowledge worker at laptop.

Your staff are the target. Here’s what New Zealand businesses need to know

July 9th, 2026

Cyber criminals used to focus on breaking through technical defences — firewalls, software vulnerabilities, weak passwords. Those attacks still happen. But the fastest-growing threat is different: attackers are now targeting your people directly, using sophisticated, personalised messages designed to trick even careful, experienced staff.

Phishing staff training in New Zealand has never mattered more — because the attacks have never been harder to spot.

Why are cyber attackers targeting employees, not systems?

Technical defences have improved. Most businesses now have antivirus software, firewalls, and multi-factor authentication in place. Attackers have adapted.

It’s faster and cheaper to trick a person than to crack a system. A convincing email that gets one staff member to click a link or share a login can bypass every technical control you’ve invested in.

New Zealand’s 2026 Kordia Business Cyber Security Report put it plainly: “Attackers don’t hack in, they log on.” NCSC research found 53% of New Zealand SMEs experienced a cyber threat in the first half of 2025. This is not a large-enterprise problem. Small and medium businesses are targeted precisely because they hold valuable data and often have fewer defences in place.

What do modern phishing attacks look like?

The tell-tale signs most people learned to watch for — spelling mistakes, strange email addresses, generic greetings — are largely gone.

AI now generates phishing emails that are personalised, fluent, and contextually convincing. Chatbot-written phishing emails go unnoticed in 74% of cases. Attackers use AI to reference real names, job titles, suppliers, and current events at scale.

The attacks have also spread beyond email:

  • Fake invoice emails that appear to come from a known supplier, asking you to update payment details

  • Executive impersonation — an email that looks like it’s from your CEO or accountant, creating urgency around a payment or data request

  • Collaboration tool phishing — fake alerts from Microsoft Teams, SharePoint, or OneDrive that lead to credential-harvesting sites

  • QR code scams — increasingly common on physical mail, delivery slips, and parking notices

  • Phone-based attacks (vishing) — someone calls pretending to be IT support or a supplier, asking for login details

 

A staff member who was good at spotting suspicious emails two years ago may no longer be. The threat has moved faster than awareness.

What’s the real cost of getting it wrong?

The average cost of a data breach for a Kiwi SME is now $173,000, according to NCSC research. That figure covers direct financial loss, operational disruption, and reputational damage. Beyond the immediate cost, there’s a legal dimension too.

Under the Privacy Act 2020, New Zealand businesses must report serious data breaches to the Privacy Commissioner and notify affected individuals — expected within 72 hours of becoming aware. Legal guidance is clear that regular staff training is part of what “reasonable steps” to protect personal data looks like in practice.

Worth noting: most cyber insurance policies GTB has reviewed also require some form of regular staff training and security awareness as a condition of cover. If your team hasn’t been trained, your policy may not pay out when you need it.

A phishing attack that leads to a data breach is not just a financial risk. It’s a compliance risk and potentially an insurance risk too.

Can you train people to spot attacks that AI has designed to fool them?

Yes — and the evidence is clear.

Around one in three employees is susceptible to phishing at baseline. Organisations that implement security awareness training see susceptibility drop by over 40% within 90 days, and up to 86% within a year. (source)

The key is training that is ongoing and personalised — not a one-off video that staff click through and forget. Effective phishing training includes:

  • Simulated phishing campaigns — realistic test emails sent to staff so they practise spotting attacks in a safe environment

  • Tailored learning — training that focuses on each person’s specific risk areas, not a generic course for everyone

  • Dark web monitoring — alerts when staff credentials appear in data breaches before attackers can use them

  • Policy management — simple, accessible security policies that staff can actually find and sign

Does leadership make a difference?

Yes — significantly. When managers and business owners take security awareness seriously, their teams follow. When they don’t, staff don’t either.

Some business owners run their own training sessions for their team. Delivered well, that can be great and signals that security matters. The honest trade-off is time and consistency: preparing material, keeping it current, and running sessions regularly takes real effort, and most business owners have limited capacity for it.

GTB also offers customised one-hour team training sessions, tailored to your business and industry. These work well as a starting point, a refresh, or alongside an ongoing managed programme. Talk to us if that’s useful.

What is human risk management in cyber security?

Human risk management (HRM) is a cyber security approach focused on reducing the risk posed by human error and social engineering attacks. It combines personalised security awareness training, simulated phishing campaigns, dark web monitoring, and policy management to make staff more resilient to targeted attacks.

For New Zealand businesses, HRM also supports compliance with Privacy Act 2020 obligations around staff training and breach prevention — and helps satisfy the training requirements that many cyber insurance policies now include.

HRM is one part of GTB’s wider cybersecurity services for New Zealand businesses.

I’m a medical centre; does this affect me?

Yes. The recently issued Health NZ Security checklist for health service providers requires at least baseline compliance, or your funding could be affected.

Standard 2.1 Induction Training

  • Baseline – Induction course delivered by GTB HRM

  • Better or Best - Induction course delivered by GTB HRM

Standard 2.2 Ongoing Awareness

  • Baseline – GTB one-hour team training sessions, run annually

  • Better or Best – Ongoing GTB HRM for all staff

GTB can fully support your practice in achieving and maintaining Baseline or higher across almost all the standards.

How does GTB’s Human Risk Management service work?

GTB’s HRM service is delivered through the uSecure platform and set up and run by GTB. We handle the initial configuration, ongoing phishing simulations, and staff training sessions — and we make sure you receive regular reports on how your team is tracking. The reports give you that visibility — following up with any staff who need a nudge is a straightforward management conversation from there.

The programme follows four stages:

  1. Evaluate — a quick gap analysis assesses where each staff member’s risk areas are

  2. Educate — personalised training courses prioritise the highest-risk areas first

  3. Calculate — real-time reporting shows your business’s human risk score and tracks improvement over time

  4. Demonstrate — compliance reports document your training efforts for audits, insurance, and Privacy Act purposes

 

GTB clients across Kāpiti, Horowhenua  and the Wellington region use HRM to meet their Privacy Act obligations, train their teams on real-world threats, and reduce the risk of a costly breach.

Talk to GTB about protecting your team

If you’d like to understand how Human Risk Management could work for your business — or if you hold personal data and want to know where you stand under the Privacy Act — we’re happy to have that conversation.

Call us on 04 297 1040, email [email protected], or get in touch here.

Subscribe to our regular comms email

  • No Spam, max of two emails a month.
  • Interesting information
  • Keep up to date with IT
  • Leave at anytime

Other Posts You'll Like