Five Cyber Threats Targeting Small Businesses Right Now - And What to Do About Them
A staff member at your practice opens what looks like an email from your software supplier. It asks them to confirm login details via a link. They click it. By the time anyone realises something is wrong, your client records are in someone else's hands. This is not a worst-case scenario. It is happening to small healthcare and legal practices across New Zealand right now.
Cyber threats are not aimed exclusively at large organisations. Small practices are often easier targets because they hold valuable data - patient records, legal files, financial information - and typically have less security in place than a big corporate. The consequences of a breach can include regulatory obligations under the NZ Privacy Act 2020, reputational damage, and real financial loss. None of that can be recovered from quickly.
The five threats worth understanding right now are phishing, ransomware, malware, weak account access controls, and unsecured devices. Phishing - fake emails or messages designed to steal login details - remains the most common entry point. Ransomware locks your files and demands payment to restore access. Malware quietly installs itself and can sit undetected for weeks, harvesting information. Weak passwords and accounts without multi-factor authentication (where a second verification step is required to log in, such as a code sent to a phone) leave doors open that should be closed. And devices connecting to unsecured networks, whether a staff member's phone on public Wi-Fi or an unpatched piece of office equipment, create vulnerabilities that are easy to exploit.
When these things are properly managed, your team does not need to think about them. Staff can work without second-guessing every email. Devices are kept up to date automatically. Access to sensitive systems requires more than just a password. Backups run without anyone having to remember to start them. If something does go wrong, there is a clear process: isolate the issue, report it to CERT NZ, notify the Office of the Privacy Commissioner if personal information has been affected, and restore from a clean backup. That kind of response is only possible if the groundwork has been done beforehand.
Most practices that get caught out by a cyber incident were not being reckless. They just had not had anyone look at their setup through a security lens. A review of how your team accesses systems, what devices are in use, whether backups are actually working, and where your data lives takes a few hours and costs far less than recovering from a breach. This is exactly what ITstuffed's cyber security work for NZ businesses covers, and it is where most practices find the gaps they did not know they had.
If you want a quick sense of where your practice stands, ITstuffed offers a 15-minute IT Fit Check - no preparation needed on your part.
