The Human Side of Cyber Security
New Zealand nonprofits confront a threat environment in which 53% of small organisations reported cyber threats in early 2025, where AI-enhanced phishing exploits human habits and risks data breaches that could trigger mandatory notifications under rules taking effect in May 2026.
Key takeaways
- The share of New Zealand SMEs experiencing cyber incidents rose sharply to 53% in the first half of 2025, with phishing linked to 43% of business attacks and human factors central to most breaches.
- Nonprofits handling sensitive donor and beneficiary data face operational shutdowns and reputational harm, as seen in the March 2025 James Pascoe Group attack that forced cash-only retail across the country.
- New IPP3A privacy obligations from 1 May 2026, combined with public-sector minimum standards since October 2025 and ACNC governance expectations, heighten the need for awareness cultures amid resource constraints in volunteer-led groups.
Human Factors in Cyber Threats
New Zealand's cyber threat environment deteriorated noticeably through 2025. The National Cyber Security Centre documented 53% of small and medium enterprises experiencing threats in January to June, up from 36% the year before. State-sponsored groups, hacktivists tied to global conflicts, and ransomware operators commoditised via service models targeted organisations of all sizes, often via social engineering that leverages artificial intelligence for convincing personalised lures.
Nonprofit and charity organisations operate with particular vulnerabilities. Limited dedicated IT staff, high reliance on volunteers, and cultures built on trust leave them open to the human errors that feature in roughly 60% of breaches globally. They manage volumes of personal information on vulnerable populations and donors, where compromise can destroy public confidence essential for funding and operations. The March 2025 cyberattack on James Pascoe Group, owner of major retailers including Farmers and Whitcoulls, illustrates the immediacy: IT systems failed, forcing stores nationwide to cash-only trading and prompting a data-breach notification to the Privacy Commissioner.
Financial and regulatory stakes have sharpened. Direct losses reported to authorities reached NZ$26.9 million for the 2024-25 period, amid broader annual cybercrime harm estimated at NZ$1.6 billion. The Privacy Amendment Act's IPP3A rule, effective 1 May 2026, requires organisations to notify individuals when their personal information is collected indirectly, adding a compliance layer on top of existing awareness initiatives. Public-sector minimum cybersecurity standards, mandatory from October 2025, set benchmarks that charities ignore at governance risk, and they align with ACNC expectations for robust risk management in the not-for-profit sector.
Less discussed are the structural tensions. Nonprofit emphasis on openness and collaboration conflicts with security practices demanding suspicion of unsolicited contacts or regular simulations. Volunteer turnover undermines consistent training, while budget pressures pit mission-critical spending against preventive measures. Supply-chain dependencies amplify blind spots, as smaller entities rarely scrutinise third-party tools to the level now expected.
Sources
- https://www.ncsc.govt.nz/assets/insights/cyber-threat-report/NCSC-CyberReport2025-FINAL.pdf
- https://www.kordia.co.nz/cyber-security-report-2025
- https://oag.parliament.nz/2025/cyber-security
- https://www.privacy.org.nz/resources-and-learning/a-z-topics/ipp3a/
- https://www.wtwco.com/en-se/insights/2025/08/ngos-and-charities-reputational-risk-report-2024-2025
- https://www.acnc.gov.au/for-charities/manage-your-charity/governance-hub/governance-toolkit/governance-toolkit-cyber-security
- https://www.nzherald.co.nz/business/farmers-and-whitcoulls-owner-james-pascoe-group-sends-data-breach-notification-to-privacy-commissioner/OKFMJB6FGFEKXME7HFNJLZTSPM/