Defending Aotearoa New Zealand from the Inside Out | NZSIS Brief Analysis
TL;DR
Aotearoa New Zealand is not digitally insulated by geography. The NZSIS Security Threat Environment 2025 report is not a cybersecurity centric report, but a wider assessment of national security. Even so, its findings on espionage, foreign interference, violent extremism and insider risk intersect directly with how I view digital defence.
As highlighted in SecurityBrief NZ, Editor Melvin Hipolito notes that polarisation and foreign states targeting New Zealand communities are already shaping the threat landscape. In the United States, I often disagreed with how recent administrations structured cybersecurity strategy, focusing too heavily on external nation state actors.
In Aotearoa New Zealand, I hear a similar sentiment when people assume geographic isolation provides protection. Both views miss the point. The safer posture is to assume breach and defend from the inside out, because business operations, resilience and trust depend on continuity even if an attacker is already inside the system.
Geography is not a control
I have heard the line that we are too small to be targeted, or too far away, more times than I can count. The wording shifts between a United States context and an Aotearoa New Zealand context, but the belief underneath is the same: that proximity offers protection and that headlines happen to other people. In practice, the absence of a past breach is not a control, and it is not evidence of immunity.
In the States I watched even larger companies grow numb to the constant cycle of breach reporting, and I heard mid sized firms explain that they were not interesting enough to draw attention. In Aotearoa New Zealand I sometimes hear a local variant: that geography will blunt the risk. Yet the internet routes around distance and threat actors route around assumptions, so the useful question is not whether someone would target us but how we will operate when they already have a foothold.
At a niche insurance company in the United States, leadership believed that because they were not on the Fortune 500 they were a smaller fish in a large pond and therefore less attractive. The first signal that this belief had limits did not come from their own monitoring but from CISA, who reached out to advise that dark web chatter suggested exfiltrated data from the company was being prepared for sale. That became the moment the narrative had to shift from whether they were a target to how far an attacker had already travelled inside their environment.
When my team arrived the mood was a mixture of denial and hope, and the request was effectively that we prove the data was not theirs or that the actor had made a mistake. The truth was awkward: some of the dataset clearly came from their systems, while other pieces were mixed together with records from unrelated firms, which created confusion. The breach itself was real. The most confronting part for the executives was not the customer data, which they had grown somewhat desensitised to; it was the proprietary internal material that mapped out how the business actually worked and could give a competitor an advantage.
We delivered a clear timeline from the forensic work, and I proposed a practical roadmap that assumed breach and then reduced the blast radius around what mattered most. That started with the CRM, which had been treated as an application rather than a crown jewel, and extended the same approach to the other critical systems and infrastructure that kept revenue flowing.
Role based access reduced unnecessary reach. Segmentation prevented easy lateral moves. Host protections such as endpoint detection, application control and data loss prevention raised the cost of persistence. Visibility and alerting closed the blind spots that had allowed the intrusion to progress. Backups that were retained and tested gave the business an option that did not depend on the goodwill of an adversary. Across the programme we kept a steady focus on plain incident response practice and playbooks that hold up under pressure, so the next decision under stress would be faster and cleaner.
There is a common line in our industry that the budget before a breach and the budget after a breach are different, and that can be true when the bottom line takes a hit. The aim here, though, was not to overspend or build a museum of tools; it was to use what they already owned in a disciplined way and to treat the inner workings of the company as the priority to protect. Interestingly, the actor appears not to have been able to sell the dataset, because it was mixed with other companies' data and lacked coherence, which points to an inexperienced group. The lesson for the client was the same: secure from the inside out, and measure success by the ability to continue operating when a control fails.
TL;DR of the field brief: the attacker struggled to monetise mixed data, and the client adopted an inside out posture focused on continuity rather than perfection.
The national picture in the New Zealand context reads similarly. Geographic distance does not slow online espionage, foreign interference or insider compromise. The security posture that performs best over time is the one that starts by assuming a capable adversary can appear inside your network through cloud access, a supplier link, a phished identity or an internal mistake, and then builds layers around the crown jewels so that operations remain viable while you detect, contain and recover.
Threats without borders
The NZSIS Security Threat Environment 2025 report is framed around national security as a whole, not specifically cybersecurity. Still, the overlaps are clear. Below, I’ve placed three of the report’s highlighted risks beside their direct cybersecurity parallels, keeping the text lengths balanced so each perspective is given equal weight.
Espionage
NZSIS report: NZSIS warns that espionage is almost certainly occurring undetected, with hostile actors targeting intellectual property, critical infrastructure, and sensitive organisational knowledge. The report emphasises that New Zealand is being targeted more heavily than in previous years.
Cyber parallel: In cybersecurity, espionage translates into persistent access within a network, with adversaries quietly exfiltrating source code, customer data, or proprietary research. Both public and private sectors face the same digital persistence problem.
Foreign interference
NZSIS report: The report highlights attempts by outside actors to apply pressure through harassment, intimidation, phishing, or digital surveillance. These activities are designed to manipulate people and gain influence or access without breaching systems directly.
Cyber parallel: Harassment and phishing wear people down until they make mistakes. An employee under pressure may click a malicious link, approve an OAuth request, or disclose information, effectively becoming the attacker’s entry point.
Insider risk
NZSIS report: Some states and groups attempt to exploit insiders through bribery, deception, or coercion. The goal is to bypass external defences by turning a trusted identity into an active access path inside the organisation.
Cyber parallel: In a tight economy, bribery or extortion can land differently with a stressed employee, especially when financial pressure, job insecurity, or personal obligations make risky decisions feel justifiable in the moment.
The overall message is clear: Aotearoa New Zealand is being targeted more than ever. Geography is not protection. The pragmatic move is to assume breach and build resilience from the inside out.
Resilience over perfection
"Assume breach" is not a slogan; it is an operating model. In practice it means accepting that even the strongest controls will eventually be bypassed, and then designing so that the breach does not decide the fate of the business. In Aotearoa New Zealand, where many organisations run lean and budgets are under pressure, this approach is often more realistic than chasing new tooling, because the real work lies in configuring what is already owned and aligning it with what matters most.
Three immediate steps make a measurable difference.
Backups as a last line of trust. Backups cannot be treated as a checkbox; they must be treated as the final guarantee that the organisation can recover. That means verifying that they are actually running, encrypted, and configured with immutability features such as object locking, while also ensuring that RBAC and MFA protect the policies that control them. It also means that alerts must be configured on any policy change, and that restoration is tested in a practical way: not just written into a plan or discussed in a meeting, but rehearsed with real data so the organisation knows that continuity can be achieved when everything else is under pressure.
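As an added example (not from the original post), a small alert rule over constructed backup audit events: every backup policy change produces an alert, and the alert escalates when the change shortens retention, disables immutability, comes from outside the assumed backup-admin role, or is made without MFA. The event fields, action names and role names are assumptions, not any vendor's schema.

```python
from dataclasses import dataclass

# Constructed audit events; field names and action names are assumptions, not a vendor schema.
SAMPLE_EVENTS = [
    {"id": "e1", "action": "backup.job.run", "actor": "svc-backup",
     "role": "backup-operator", "mfa": False, "params": {}},
    {"id": "e2", "action": "backup.retention.set", "actor": "alice",
     "role": "backup-admin", "mfa": True, "params": {"old_days": 30, "new_days": 90}},
    {"id": "e3", "action": "backup.retention.set", "actor": "bob",
     "role": "backup-admin", "mfa": False, "params": {"old_days": 30, "new_days": 1}},
    {"id": "e4", "action": "backup.immutability.set", "actor": "svc-helpdesk",
     "role": "helpdesk", "mfa": True, "params": {"enabled": False}},
]

# Every policy-affecting action alerts; routine job runs do not.
POLICY_ACTIONS = {"backup.policy.update", "backup.retention.set", "backup.immutability.set"}
BACKUP_ADMINS = {"backup-admin"}          # assumed RBAC role allowed to touch policy
RANK = {"medium": 1, "high": 2, "critical": 3}

@dataclass
class Alert:
    event_id: str
    severity: str
    reason: str

def evaluate(event):
    """Return an Alert for a backup policy change, escalated by how risky the change is."""
    if event["action"] not in POLICY_ACTIONS:
        return None
    p = event["params"]
    findings = [("medium", "backup policy changed")]   # even an authorised change gets reviewed
    if event["role"] not in BACKUP_ADMINS:
        findings.append(("high", "actor role not permitted to change backup policy"))
    if not event["mfa"]:
        findings.append(("high", "change made without MFA"))
    if event["action"] == "backup.retention.set" and p["new_days"] < p["old_days"]:
        findings.append(("high", "retention shortened"))
    if event["action"] == "backup.immutability.set" and not p["enabled"]:
        findings.append(("critical", "immutability disabled"))
    severity = max((level for level, _ in findings), key=RANK.__getitem__)
    return Alert(event["id"], severity, "; ".join(why for _, why in findings))

def alerts_for(events):
    return [a for a in map(evaluate, events) if a is not None]

if __name__ == "__main__":
    for a in alerts_for(SAMPLE_EVENTS):
        print(a)
```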
Response plans tied to real operations. An incident response plan on paper is not enough, and every plan should have playbooks that have been tested against the top five business applications identified in the business impact assessment, because when one of those applications fails it is not an IT issue but a revenue and continuity issue. This requires clarity on who does what, and rehearsal so that when the time comes the organisation is not inventing a response on the fly but executing one that has already been proven to work.
Privileged access around the crown jewels. Many organisations believe they have privileged access covered because they monitor for domain admin activity, but in practice the more dangerous blind spot is often privileged access into applications such as claims systems, billing platforms, or custom services that drive the business itself. Those applications must be treated as crown jewels, which means that direct logins from laptops to backend servers should not be possible. Where mature PAM solutions are not in place, host based firewalls that enforce the use of secured jump boxes can provide a disciplined path that prevents, or at least slows down, privilege escalation and lateral movement.
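An added example (not from the original post) of the check behind that step: a scan over constructed flow records that flags admin-port connections to crown-jewel application servers which did not come from a jump box, plus the matching nftables host firewall rule that would have blocked them. Addresses, server names, ports and the flow-log format are assumptions.

```python
# Constructed environment; all addresses, server names and ports are assumptions.
CROWN_JEWEL_SERVERS = {"10.20.0.10": "claims-app", "10.20.0.11": "billing-db"}
JUMP_BOXES = {"10.1.0.5", "10.1.0.6"}
ADMIN_PORTS = {22, 3389, 5985, 5986, 1433}   # SSH, RDP, WinRM, MSSQL

# Constructed flow records in key=value form, as a host firewall or NetFlow export might log them.
SAMPLE_FLOWS = [
    "2025-03-02T09:14:02Z src=10.1.0.5 dst=10.20.0.10 dport=22 proto=tcp",     # via jump box
    "2025-03-02T09:15:44Z src=10.50.3.21 dst=10.20.0.11 dport=1433 proto=tcp",  # laptop straight to DB
    "2025-03-02T09:16:10Z src=10.50.3.21 dst=10.20.0.10 dport=443 proto=tcp",   # ordinary app traffic
    "2025-03-02T09:17:30Z src=10.50.7.8 dst=10.20.0.10 dport=3389 proto=tcp",   # laptop RDP to backend
]

def parse_flow(line):
    ts, *kvs = line.split()
    f = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": ts, "src": f["src"], "dst": f["dst"], "dport": int(f["dport"])}

def is_bypass(flow):
    """Admin-port access to a crown-jewel server from anything other than a jump box."""
    return (flow["dst"] in CROWN_JEWEL_SERVERS
            and flow["dport"] in ADMIN_PORTS
            and flow["src"] not in JUMP_BOXES)

def find_bypasses(lines):
    return [(f["ts"], f["src"], CROWN_JEWEL_SERVERS[f["dst"]], f["dport"])
            for f in map(parse_flow, lines) if is_bypass(f)]

def nft_ruleset():
    """Host firewall rules for a backend server: admin ports reachable only from jump boxes."""
    jumps = ", ".join(sorted(JUMP_BOXES))
    ports = ", ".join(str(p) for p in sorted(ADMIN_PORTS))
    return "\n".join([
        "table inet admin_gate {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    ip saddr {{ {jumps} }} tcp dport {{ {ports} }} accept",
        f"    tcp dport {{ {ports} }} drop",
        "  }",
        "}",
    ])

if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_FLOWS):
        print("direct admin access bypassing jump box:", hit)
    print(nft_ruleset())
```

The ruleset leaves ordinary application ports open (policy accept) and only gates the admin ports, so the same server keeps serving its users while direct laptop-to-backend logins are dropped.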
From global experience I have seen many IT and security teams build strong foundations around infrastructure such as identity, networks, and endpoints, and that is a fantastic start because it establishes resilience at the core of the environment. The next step is to extend that same discipline to the applications that generate value for the organisation, recognising that these too can be targeted directly and therefore deserve to be treated as crown jewels. When those applications are given the same priority as domain controllers or identity providers, the organisation is much better positioned to withstand a breach without losing its ability to operate.
Resilience in a downturn does not mean doing nothing until budgets improve; it means taking the controls that already exist and tightening them, directing them toward what matters, and focusing energy where it reduces blast radius. Perfection is expensive, but survivability is achievable, and survivability is what allows the organisation to continue operating even when a breach occurs.
Geography Might Be Small, the Attack Surface Is Not
Being a small country of five million people does not mean Aotearoa New Zealand is too small to target. The NZSIS Security Threat Environment 2025 report makes it clear that targeting is increasing, not decreasing, and that our digital presence is not overlooked simply because our geographic presence is limited. Attackers go where data, money, and influence can be found, and New Zealand has all three. The trend line is moving upward, which means the prudent course is to assume breach, protect the crown jewels from the inside out, and measure success by how well the organisation continues to operate under pressure.