You already know that cybersecurity preparedness is no longer just an IT issue – it’s critical to business risk mitigation. For midsize and smaller businesses in New Zealand, the stakes are high. NZ’s National Cyber Security Centre (NCSC) Cyber Security Insights Report for Q1 2025 highlighted a 14.7% increase in financial losses from cyber incidents, with over 830,000 Kiwis affected by online threats. Small to medium businesses are particularly vulnerable: 17% more cyber incidents were reported in 2024, with documented costs over $20 million (though, in our experience, most incidents are not reported).
At Gorilla, we understand the Cyber Security challenges faced by businesses in safeguarding critical data and operations. That’s why we’re breaking down the NCSC Top 10 Critical Controls—a practical, prioritised framework designed to help Kiwi businesses stay secure. These controls, informed by real-world incident data, are a good roadmap to mitigating the most common and damaging cyber threats. Let’s dive in and explore how you can implement these controls to protect your business.
Why the NCSC NZ Critical Controls Matter
Crafted by the National Cyber Security Centre (NCSC NZ) using real-world incident data and global threat intelligence, these controls are tailored to tackle New Zealand’s most pressing cyber risks. They focus on prevention, detection, and containment, providing midsize businesses with a clear, resource-efficient path to stronger security. By adopting these controls, you can mitigate most attacks, from ransomware to phishing, and build a resilient operation. Here’s how to implement the Top 10 Critical Controls with business-focused approaches.
The Top 10 Critical Controls for NZ Businesses
1. Asset Lifecycle Management
You can’t protect what you don’t know exists. Asset lifecycle management tracks hardware, software, and data through their entire lifecycle – purchase, development, maintenance, and decommissioning – to prevent vulnerabilities in forgotten or outdated systems.
Actionable Step: Partner with a cybersecurity firm like Gorilla Cyber Security to audit your IT environment and create a comprehensive asset inventory. Establish a business process to review and update this inventory quarterly, ensuring no system goes unmaintained.
2. Patch Your Software and Systems
Unpatched software is a common entry point for attackers. NCSC NZ’s advisories frequently highlight vulnerabilities that timely updates can address, covering everything from operating systems to network devices.
Actionable Step: Audit your current patching and updating processes and ensure you have a solid company-wide policy for regular updates that is proactively delivered across all infrastructure – from laptops to cloud- and server-hosted systems. Assign clear responsibilities to ensure all systems are patched promptly without disrupting operations.
3. Implement Multi-Factor Authentication (MFA) and Verification
MFA strengthens security by requiring multiple verification methods, especially for internet-facing or admin accounts. NCSC NZ notes that weak credentials drive many unauthorised access incidents, which robust verification processes can prevent.
Actionable Step: Engage Gorilla Cyber Security to audit your authentication practices and implement MFA across critical systems. Establish business verification protocols for sensitive transactions to reduce fraud risks.
4. Provide and Use a Password Manager
Strong, unique passwords remain vital, even with MFA. Providing a password manager encourages your team to use secure credentials, reducing the risk of weak or reused passwords.
Actionable Step: Collaborate with a cybersecurity partner to select and roll out a password management solution that suits your business. Integrate its use into employee onboarding and ongoing training to promote adoption.
5. Centralised Logging
Centralised logging provides visibility into your IT environment, enabling early detection of suspicious activity. Without detailed logs, investigating and resolving incidents is challenging.
Actionable Step: Work with Gorilla Cyber Security to conduct an audit of your logging capabilities and establish a centralised logging process. Define key events to monitor and set up a business process for regular log reviews to spot anomalies.
6. Build Security Awareness in Your Organisation
Human error drives many breaches. Training your team to recognise phishing, suspicious links, and other threats strengthens your first line of defence.
Actionable Step: Partner with a firm like Gorilla to design and deliver tailored cybersecurity awareness programmes. Incorporate regular training and simulated phishing exercises into your business operations to keep staff vigilant.
7. Implement and Test Backups
Ransomware, a frequent threat in NCSC NZ’s 2024 reports, can destroy data and therefore disrupt operations. Regular, tested backups, exercised as part of business continuity and disaster recovery planning, ensure you can recover data without paying a ransom.
Actionable Step: Engage Gorilla Cyber Security to audit your backup processes and develop a robust strategy. Monitor your backup jobs and schedule regular restore tests to ensure data recovery is reliable.
8. Implement Application Control
Application control prevents unauthorised software, including malware, from running on your systems. Restricting what can execute reduces the risk of malicious programs.
Actionable Step: Work with a cybersecurity partner to assess your software usage and establish policies to limit unapproved applications. Integrate these controls into your IT governance to maintain oversight.
9. Enforce the Principle of Least Privilege
Limiting access to the minimum required for each role reduces the risk of accidental or malicious damage. Separating admin and user accounts protects sensitive systems.
Actionable Step: Partner with Gorilla to audit user access levels and implement a least-privilege policy across your organisation. Establish regular reviews to ensure access rights align with job roles.
10. Implement Network Segmentation and Separation
Network segmentation divides your network into smaller, controlled segments, limiting an attacker’s ability to move laterally if they gain access.
Actionable Step: Engage a firm like Gorilla Cyber Security to audit your network and design a segmentation strategy. Create business processes to regularly review and update access controls for critical systems.
Why Midsize and Smaller Businesses Must Act Now
New Zealand’s midsize and smaller organisations are prime targets: their systems are online and therefore accessible to automated and targeted attacks, and they have fewer resources than larger enterprises to keep their valuable data safe. NCSC NZ’s Q4 2024 report noted a 24% increase in quarterly cybercrime losses, reaching $6.8 million. Beyond financial impacts, breaches can damage customer trust and reputation. The NCSC NZ Critical Controls offer a scalable, prioritised approach to protect your business, whether you have 5 or 500 employees.
How Gorilla Cyber Security Can Help
At Gorilla Cyber Security, we love helping midsize and smaller businesses in New Zealand to lower their cyber risk – through our technology audits, and ongoing IT and Cybersecurity engagements, often with a focus on NCSC NZ’s Critical Controls. From our Auckland office, we provide tailored solutions to strengthen your security posture.
- Cybersecurity Auditing Services: We audit your environment and align it with NCSC NZ’s controls.
- Proactive Services: Our team is committed to the continuous improvement of our clients’ cybersecurity preparedness.
- Training and Awareness: We deliver customised sessions to empower your staff.
Take the Next Step
Cybersecurity doesn’t need to be overwhelming. Start with the NCSC NZ Critical Controls – audit your assets, implement MFA, and ensure robust backups. These steps lay the foundation for a secure business. For more guidance, explore NCSC NZ’s Own Your Online platform or visit our blog for practical tips.
Get in Touch: Reach out today for a consultation. Visit our Updates & Resources page or call us to learn how we can help your business stay secure in a dynamic digital landscape.