Complacent Kiwi businesses think they are safe from cyber crime - and it's making them even more of a target for hackers.
A survey from NZ cyber security firm Aura Information Security shows a third of local businesses believe the country is at a reduced risk of cyber attacks than the rest of the world.
But Aura's general manager Peter Bailey said New Zealand was just as vulnerable as any other nation, and perhaps even more so.
According to a study released by Microsoft last month, New Zealanders are the most likely people in the world to have experienced a tech support scam.
Bailey said Kiwis were becoming "complacent" , rather than thinking "well, we're as exposed as the rest of the world and we should be looking after our information properly."
He thought there were a few reasons Kiwi businesses had the misplaced sense of safety.
"Because we're geographically isolated we're used to the idea that it's hard for people to get in and out of New Zealand to do bad things," he said.
"We tend to feel that people are genuine and that they're doing things for genuine reasons, and we're not on the alert as much as other countries for the fact that someone might be trying to scam us."
Bailey does talks about cyber security, and said many people don't know the extent of the problem.
"People are shocked. I don't think people realise how much scamming there is and how much they're targeted. I don't think we're getting a good sense of what's going on in the rest of the world.
"I hate using the word gullible, but yeah, we're a little bit gullible and a little bit complacent."
The survey polled more than 230 IT decision makers in businesses with 20 or more employees across the country.
Slightly more than 40 per cent of respondents who indicated that New Zealand is just as at risk as the rest of the world have a much better understanding of the challenge that local businesses are facing, Bailey said.
Forty per cent of businesses reported being targeted by one to five ransomware or phishing attack per quarter; 20 per cent estimate the number of attacks is closer to between five and 10 incidents and 10 per cent said they are subject to 15 or more.
"This confirms the wide prevalence of cyber-attacks on New Zealand businesses, which is why we were concerned so many of those surveyed consider New Zealand safer than the rest of the world," Bailey said.
"Cyber criminals operate in much the same way as legitimate businesses, using similar automation and artificial intelligence tools to identify opportunities and then focusing their attention from where the best results are likely to flow."
Those businesses that believe they haven't been targeted probably just don't know that it has already happened, he said.
Smaller companies were more at risk than larger ones as they tended to have a more lax approach to cyber security.
"Hackers are really going for low hanging fruit. They're looking for companies who just happen to not be taking care of themselves."
Companies could make themselves less obvious targets by keeping up "basic computer hygiene" - regularly updating software, backing up data, and educating staff about scams.
Other key findings
• A general expectation that cyber crime will continue to grow. 70 per cent of businesses anticipate an increase in the frequency and complexity of cyber attacks in the coming 12 months
• Budgets are increasing. Two thirds of respondents anticipate an increase in budgets dedicated to cybersecurity.
• Training and policies in place, but questions over effectiveness. Most companies (more than 70 per cent) say they have policies or training in place to prevent cyber breaches, but only four in 10 are very confident in these measures as a key line of defence. Only six in 10 businesses have assessed the impact a significant cyber breach would have on their business.
• The basics are still ignored. Even managers aware of the risks tend to overlook the basics. Almost 40 per cent of businesses do not carry out regular penetration testing.
• Personal attacks. Four in 10 respondents were personally targeted by phishing or ransomware attacks.