In 2011, a severe snowstorm hit Aotearoa New Zealand. Thousands turned to MetService's website for critical weather updates and found it offline. Not because of high website traffic but because of a cyber-attack. At the exact moment the public needed that service most, it wasn't there.
That wasn't a story about stolen data. It was a story about broken trust. And more than a decade later, the threat landscape has only intensified.
The National Cyber Security Centre's 2025 report paints a confronting picture. In a single year, the NCSC triaged 331 critical incidents, roughly one event of potential national significance every day. Direct financial losses reached $26.9 million, with a further $47.9 million in harm narrowly averted through intervention.
New Zealand's geographical isolation offers no protection in cyberspace. State-sponsored actors like Volt Typhoon are quietly pre-positioning inside critical infrastructure, using legitimate system tools to remain undetected for years. Ransomware-as-a-Service has professionalised cybercrime, giving low-skill operators access to sophisticated attack tools. And the emergence of autonomous AI that can discover unknown vulnerabilities and write working exploits has compressed the window between discovery and weaponisation from weeks to hours.
The asymmetry is structural, and it's accelerating.
Despite these sophisticated threats, most successful breaches still exploit preventable weaknesses: unpatched software with fixes available since 2017, weak or reused passwords without multi-factor authentication, and cloud misconfigurations that create unintended exposure. These are the primary entry points. Failing to patch a 2018 vulnerability is equivalent to leaving your front door unlocked while installing sophisticated alarm systems on your windows.
Alarmingly, our latest 2026 Cybersecurity Index: The Resiliency Gap reveals that when a nefarious party does get through that front door or any other gap, only 32% of organisations have a practiced business continuity plan. Meanwhile, most leaders expect the business to be back up and running as usual in a matter of hours or days, whereas the reality is weeks or even months. What organisations fail to understand is that compliance doesn't equal security, and dashboards don't equal resilience.
Building genuine digital resilience requires an integrated approach across three pillars.
These pillars compound: vulnerability management finds flaws, breach simulation validates whether controls catch them, and strong foundations ensure containment when something gets through.
Digital resilience doesn't require a multi-year transformation programme to begin. Five practical steps can start reducing risk immediately: move to continuous controls assurance and replace hope with evidence:
The current focus on AI across boardrooms and leadership teams is an opportunity. Use it to secure investment in security fundamentals. Attach uplift work to AI programmes that already have budget. Start seeing your environment the way an attacker does.
Strategic investment in baseline security controls will deliver greater resilience than technology alone. But it requires leadership commitment to a culture where security is everyone's responsibility and where readiness isn't claimed, but proven.
With an exponential increase in volume and velocity of cyber-attacks, how resilient are our organisations?