Datacom acquires T4’s Auckland data centre
Datacom acquires T4's Auckland data centre, expanding its NZ sovereign footprint to five sites and surpassing $200m invested in local digital infrastructure to support AI-ready workloads.
Growing geopolitical tensions and rapid AI adoption are driving a broader and more aggressive cyber threat landscape in New Zealand. Yet many organisations are ill-prepared to recover when an incident strikes, creating a widening resiliency gap.
Datacom’s 2026 Cybersecurity Index reveals a widening resiliency gap across New Zealand organisations: security leaders are confident in their visibility of threats and their capacity to respond, yet far fewer have the tested continuity and recovery plans needed to withstand a major incident.
According to this year’s Cybersecurity Index – which draws on a survey of more than 700 security leaders across New Zealand and Australia – 73% of New Zealand security leaders say they have sufficient visibility of risks, vulnerabilities and compliance, and 78% believe they have the internal resources to deal with a cyber‑attack.
That confidence is not matched by plans for recovery: only 30% of New Zealand organisations have a business continuity or cyber incident response plan in place – a shortfall that exposes businesses to prolonged disruption when incidents occur.
“Organisations have invested heavily in monitoring and detection, but they are falling short when it comes to recovery, posing significant risk to operations. The priority now is not another dashboard but engineered resilience - from containment to stabilisation to rapid recovery,” says Mark Hile, Managing Director, Infrastructure Products, Datacom.
“That means rehearsed continuity plans, clear decision rights, and measurable time to resolution, not just time to detect. When an organisation can’t operate for days or weeks, the fallout is significant – customers lose access to essential services, supply chains stall, and trust in the brand erodes. Responding quickly enough to protect the people who rely on you is the part that needs far more attention,” he adds.
The Index reveals Australian organisations mirror New Zealand’s confidence levels (77% confident in visibility; 70% confident in resources), while similarly falling short on continuity planning, with only 32% having a plan in place. This points to a trans‑Tasman pattern: visibility has outpaced operational readiness.
Leaders across New Zealand and Australia are overly optimistic about their ability to manage cyber incidents, with four in ten (40%) are expecting to recover from a major cyber incident within days. Yet real‑world cases demonstrate the opposite with recovery often takes weeks to months. The research notes examples where production was halted for five weeks with full recovery taking nearly five months, while other incidents took around three weeks to contain and normalise operations.
“The gap between how quickly leaders believe they can recover and how long recovery actually takes is not a technology problem; it’s a preparedness problem,” says Collin Penman, Chief Information Security Officer, Datacom.
“An example of this is the 2025 ransomware attack at Jaguar Land Rover in the UK, which halted production for five weeks, with full recovery taking nearly five months. A plan that’s never been tested isn’t a plan – it’s a document. Resilience is built through realistic practice that creates muscle memory, so response becomes automatic, coordinated and fast.”
Data sovereignty is also emerging as a more prominent consideration for New Zealand organisations, particularly in light of geopolitical uncertainty and the rising demand for in-country AI compute capacity.
Half of New Zealand organisations (51%) are concerned about data sovereignty and the long-term viability of local compute, with 48% noting these concerns are affecting their cybersecurity practices and approaches.
Yet progress has been slow. Despite holding some of the most sensitive data, sectors in both countries, such as government, health and critical infrastructure, have been slow to priortise data sovereignty – leaving a gap that regulators and policymakers have yet to close.
Despite the gap that exists in business continuity and recovery planning, the top cybersecurity priorities for 2026 remain firmly focused on detection and prevention.
New Zealand organisations cited employee culture and training as the number one priority (16%), followed by data protection, threat detection and monitoring, and cyber strategy governance, all at 14%.
AI‑based attacks, including phishing, remain the top concerns for security leaders in both countries, reflecting the challenges organisations are facing. While AI-enabled attacks are not new threats as such, they are more effective, increasingly using automation, deepfakes and synthetic identities to scale attacks at machine speed, compressing attack timelines from weeks to hours.
Employee or user error is the third biggest concern, with 60% of organisations running mandated employee training and awareness programmes, and over half (56%) issuing regular communications on cybersecurity.
Legacy applications remain a systemic vulnerability – older by design and inherently less protected than modern platform-hosted workloads.
In line with the 2025 Cybersecurity Index results, the survey shows that responsibility for cybersecurity is still heavily concentrated in IT and security teams, rather than being viewed as part of the wider organisational remit, and 43% of New Zealand leaders reported signs of cybersecurity burnout in their teams.
Download the full 2026 Cybersecurity Index report: datacom.com/cybersecurityindex