eCommerceNews New Zealand - Technology news for digital commerce decision-makers
New Zealand
Datacom finds New Zealand firms lack cyber recovery plans
Data Protection DR Ransomware

Datacom finds New Zealand firms lack cyber recovery plans

Tue, 14th Apr 2026
Sean Mitchell
SEAN MITCHELL Publisher

Datacom has found that only 30% of New Zealand organisations have a business continuity or cyber incident response plan in place, according to its latest survey of security leaders in New Zealand and Australia.

The research highlights a gap between confidence in cyber defences and preparedness for recovery after an attack. Among New Zealand respondents, 73% said they had sufficient visibility of risks, vulnerabilities and compliance, while 78% said they had the internal resources to deal with a cyber attack.

That confidence contrasts with the limited level of formal planning for disruption, leaving organisations more exposed to prolonged outages and operational disruption when incidents occur.

"Organisations have invested heavily in monitoring and detection, but they are falling short when it comes to recovery, posing significant risk to operations. The priority now is not another dashboard but engineered resilience - from containment to stabilisation to rapid recovery," said Mark Hile, Managing Director, Infrastructure Products, Datacom.

He said that requires rehearsed continuity plans, clear decision rights, and measurable time to resolution, not just time to detect.

"When an organisation can't operate for days or weeks, the fallout is significant - customers lose access to essential services, supply chains stall, and trust in the brand erodes. Responding quickly enough to protect the people who rely on you is the part that needs far more attention," Hile said.

Recovery gap

The findings also suggest business leaders may be underestimating how long a serious cyber incident can take to resolve. Four in 10 respondents across New Zealand and Australia said they expected to recover from a major cyber incident within days.

Datacom contrasted that expectation with examples of incidents that took far longer, including cases where production was halted for five weeks and full recovery took nearly five months, while others took around three weeks to contain and return to normal operations.

"The gap between how quickly leaders believe they can recover and how long recovery actually takes is not a technology problem; it's a preparedness problem," said Collin Penman, Chief Information Security Officer, Datacom.

He pointed to a recent example from the automotive sector.

"An example of this is the 2025 ransomware attack at Jaguar Land Rover in the UK, which halted production for five weeks, with full recovery taking nearly five months. A plan that's never been tested isn't a plan - it's a document. Resilience is built through realistic practice that creates muscle memory, so response becomes automatic, coordinated and fast," Penman said.

Trans-Tasman pattern

Australian respondents showed a similar mix of confidence and limited continuity planning. In Australia, 77% of security leaders said they were confident in their visibility of risks, while 70% said they had the resources to respond, but only 32% reported having a continuity plan in place.

This suggests a pattern across both sides of the Tasman, where investment in monitoring and detection has outpaced operational readiness for recovery. The survey covered 714 security leaders, including 208 in New Zealand and 506 in Australia.

Priorities shift

In New Zealand, the leading cybersecurity priority identified by respondents was employee culture and training, cited by 16%. Data protection, threat detection and monitoring, and cyber strategy and governance followed at 14% each.

The results suggest that despite concerns about recovery planning, many organisations continue to focus their cyber programmes on prevention and detection. AI-based attacks, including phishing, remained the top concern for security leaders in both countries.

According to the survey, these attacks are becoming more effective through greater use of automation, deepfakes and synthetic identities, compressing attack timelines from weeks to hours.

Human factors also remained a central issue. Employee or user error ranked as the third-biggest concern, with 60% of organisations running mandated employee training and awareness programmes and 56% issuing regular cybersecurity communications.

Sovereignty concerns

Beyond incident response, the survey found concern about where data is held and processed. Among New Zealand organisations, 51% said they were concerned about data sovereignty and the long-term viability of local compute, while 48% said those concerns were affecting their cybersecurity practices and approaches.

Progress on that issue has been slow, including in sectors such as government, health and critical infrastructure. Cybersecurity responsibility also remains concentrated in IT and security teams rather than spread more widely across organisations.

That pressure was reflected in another survey finding: 43% of New Zealand leaders reported signs of cybersecurity burnout in their teams.

Related stories
AI-fuelled supply chain cyber attacks surge in Asia-Pacific
ANZ firms shift to cyber resilience as AI risk grows
IBM warns AI & quantum threats will reshape cybercrime
AI reshapes supply chains as disruption becomes the norm
AI gives cyber criminals new tools in evolving ransomware threat
Top stories
Payments NZ urges resilience in payments modernisation
Airport Development Group picks Infor for systems overhaul
Homhero names ex-Shopify executive Wilkowski as CTO in ANZ
Why "strong passwords" can't save you from AI
Aimer Farming wins NZD $600,000 for AI pasture tools