News Articles
Cyber Security Awareness Training delivered to the team at Flintoffs Chartered Accountants
April 2025
It was a pleasure to run a cyber security awareness training session for the team at Flintoffs Chartered Accountants.
One focus of the training is encouraging you to use 2FA and long, unique passphrases, and to start using a password manager.
Some of the staff feedback from the session:
"Very informative. Real life cases are great", "Very interesting & helpful"
"I liked that you provided information around how to report scams, as it isn't always clear what you should do especially when you have encountered a 'smaller' scale scam"
And it was very pleasing to get the following testimonial from Jo Thomson (second from the left in the photo above), Director of Flintoffs Chartered Accountants, after the service engagement:
“We were thoroughly impressed with Andrew's cyber security awareness training service.
His friendly and organised approach made the session not only informative but also enjoyable.
Andrew's engaging style ensured that our staff were fully involved and understood the importance of cyber awareness.
His professionalism was evident as he provided a fantastic rundown of our current security position and clear, actionable steps were fed back to us to protect our business.
We feel much more secure thanks to Andrew's expertise. Highly recommended!”
An article by Ben Kepes that encourages businesses to work on their cyber security basics.
Published 12 March 2025 on Ben Kepes' Diversity blog here. The Kordia report that Ben references is here. And you can find Ben on LinkedIn here.
Ben is one of the very earliest advocates for cloud computing (years ago I attended one of his cloud computing courses in Wellington), and Ben has many years of governance experience, with board roles on high-profile NZ and overseas enterprises. But best of all, he is a thoroughly decent and pragmatic guy. And he believes in NZ manufacturing. Check out his iconic outdoor clothing business Cactus Outdoor.
Ben has kindly given me permission to reproduce his article in full here.
Cybercrime report highlights increasing AI-risks
Let’s start with a confession: If you’d told me a decade ago that I’d be talking about AI-driven cyber-attacks as an everyday business risk, I would have laughed. Not because I didn’t take cyber threats seriously – I’ve always been pretty aware that the internet was the new goldrush and, much like historical gold rushes attracted crooks, so too does the World Wild West have its fair share of bad actors. But the game has changed. Back then, the idea of AI-powered hacking felt like something out of a bad sci-fi movie. Yet here we are in 2025, and not only is AI-generated cybercrime real, but it’s also evolving faster than most businesses can keep up with.
The latest research published by Kiwi State Owned Enterprise Kordia (disclosure, I’m on the board) shows that cybercriminals are getting smarter, faster, and – thanks to AI – way more efficient. Almost two-thirds of businesses in New Zealand were hit by a cyber-attack last year. Email phishing remains the biggest culprit, accounting for nearly half of all breaches, and it’s getting harder to spot. Once upon a time, phishing emails were full of bad grammar, weird formatting, and the occasional Nigerian prince and/or long-lost uncle. Now, AI can generate highly convincing, personalized messages that look like they came straight from your CEO or bank. Cybercriminals don’t need to be technical geniuses anymore – AI does the heavy lifting for them.
That’s what makes this moment different. Cybercrime used to be about exploiting software vulnerabilities; now, it’s about exploiting human psychology. And as AI tools become more advanced, attacks will only become more sophisticated. The rise of deepfake scams, AI-powered malware, and automated hacking tools means that businesses have to be more vigilant than ever. But here’s the kicker: despite the rising threats, many businesses are still not taking cybersecurity seriously enough. The bad guys are getting smarter, and for understandable (though ill-advised) reasons, Kiwi businesses aren’t taking it sufficiently seriously.
One of the more shocking findings from the Kordia research is that a third of businesses don’t report cyber risks to their board. That’s like running a company without tracking revenue or ignoring fire safety in a warehouse full of explosives. Cybersecurity isn’t just an IT issue – it’s a business survival issue. Every company, no matter its size or industry, should be treating cyber risk like they treat financial risk. Yet, for some reason, it’s still seen as a “tech problem” that gets pushed to the side until disaster strikes. As someone who sits on a variety of boards, I am happy that my boards all have good oversight of cybersecurity risk, but this seemingly isn’t the case more generally.
As we’ve seen from historical breaches, when disaster does strike, it’s not pretty. Ransomware attacks have become a lucrative business for cybercriminals, with almost one in ten compromised businesses opting to pay a ransom. The logic seems simple – pay the hackers, get your data back, move on. But in reality, paying a ransom is like feeding a stray cat and expecting it not to return. Once criminals know you’re willing to pay, you become a bigger target. And worse, there’s no guarantee you’ll even get your data back or that they won’t leak it anyway.
The financial damage of a cyber-attack is one thing, but the reputational damage can be even worse. Customers trust businesses with their personal data, and once that trust is broken, it’s incredibly difficult to rebuild. Just ask any company that’s had to send out the dreaded “we regret to inform you” email after a data breach. Nobody wants to be on the receiving end of that PR nightmare, yet too many businesses still think, “It won’t happen to us.”
Spoiler alert: it absolutely will.
Cyber-attacks are no longer a case of “if” but “when.” Businesses need to stop treating cybersecurity as an afterthought and start embedding it into their core strategy. That means doing more than just installing antivirus software and calling it a day. It means, most importantly, reflecting on the human-level risks – training employees to recognize phishing attempts, running regular security drills, and ensuring that cyber risks are discussed at the highest levels of the company. It means having a response plan in place – because once an attack happens, there’s no time to scramble.
One of the biggest mistakes businesses make is assuming that cybersecurity is too complicated or too expensive to prioritize. But the reality is that the basics go a long way. Things like multi-factor authentication, strong password policies, and keeping software updated can prevent a huge chunk of cyber-attacks. Yet, research shows that many companies still aren’t doing these simple things. More than two-thirds of businesses haven’t conducted a penetration test in the last year. A fifth don’t even monitor their networks for suspicious activity. That’s like leaving your front door wide open and hoping burglars just happen to respect your personal space.
It’s easy to feel overwhelmed by all the headlines about AI-driven threats, ransomware gangs, and cybercrime syndicates operating like Fortune 500 companies. But the good news is that cybersecurity doesn’t have to be an unsolvable puzzle. It’s about building good habits, staying informed, and treating digital security with the same importance as physical security. You wouldn’t leave your office doors unlocked overnight, so why leave your company’s data unprotected?
As AI continues to evolve, so too will the threats. But instead of playing defense all the time, businesses need to take a proactive approach. That starts with recognizing that cybersecurity isn’t just an IT issue – it’s a business issue, a leadership issue, and, ultimately, a people issue. If it’s not being discussed at the board level, it’s already a problem.
So here’s the takeaway: get ahead of it now. Because in the world of cyber threats, “I’ll deal with it later” is just another way of saying, “I hope it doesn’t happen to me.” And hope, as we all know, is not a strategy.



