Small businesses lack cybersecurity knowledge and few have a backup plan in the event of an online attack.
According to a survey by Spark Lab, almost 70 per cent of New Zealand SMEs have no crisis management plan for cyber attacks and 40 per cent have no virus protection installed on their company computers and devices.
These findings come at a time when cyber attacks in New Zealand are on the rise.
Last year, a quarter of SMEs experienced a digital security breach, up from 18 per cent a year earlier, according to Norton.
PwC cyber security partner Adrian van Hest said New Zealand SMEs assumed they were safe from cyber breaches as they did not have the appeal of multinationals.
"Your perception of information assets have a certain value to you but they also have a market value and by that I mean we see attacks from ransomware," van Hest said.
"New Zealanders live in a high trust society and you can generally do business with most people in good faith, but the challenge is [ensuring] that perspective doesn't change when working digitally."
Josh Bahlman, head of security at Spark security, said small firms lacked the necessary cyber security knowledge.
"Small and medium businesses don't necessarily understand the risk until it happens to them," Bahlman said. "Attackers aren't necessarily always targeting specific people or entities. They go for the lowest hanging fruit; they are literally trying to get to everyone and anyone who will engage - people who aren't aware, don't have a plan, don't have protection."
He said most attacks were automated and phishing was the most common.
"Whether it's a link you click on and download or an attachment, a lot of the attacks these days are crypto-locker attacks such as the WannaCrys and the Not Petyas whereby there is financial gain for the attacker because they can ransom the data of a user or company," he said.
"The standard anti-virus is something everyone of the 90s knows about now but new generation attacks target getting around these types of anti-virus tools."
To be protected against cyber breaches, it was important to use different passwords and keep systems updated, van Hest and Bahlman said.
"Passwords need to be long rather than short and complicated because as far as password cracking goes, it is exponentially harder if its longer," van Hest said.
"Make sure you have up-to-date operating systems. When Microsoft says 'do you want to update this?' don't say 'next week', say 'now'," Bahlman said.
"Make sure all the applications you use, Word, Outlook or anything else, is patched and as a last resort, make sure all of your critical information that you've got around your business is backed up and stored somewhere else."
Van Hest said the convenience of technology had warped the perception of risks.
"Technology has become so ingrained that people are not appreciating its digital footprint," he said. "If you're a business that's becoming more and more reliant on digital... then its really critical to have a crisis management plan.
"Ransomware is a threat so it's important to have an offline backup."
How to protect your business from a cyber attack
1. Make sure you're using a variety of passwords - and passwords are long
2. Make sure you have up-to-date operating systems
3. Back-up important data offline and in multiple places
4. Make sure you have passwords and users on everything