2026’s Biggest Tech Trend Isn’t a New Gadget

There is still a tendency among New Zealand businesses to assume serious cyber incidents happen to someone else: a government agency overseas, a major airline, or a Fortune 500 brand. The official data says otherwise. In 2024/25, New Zealand’s National Cyber Security Centre recorded 5,995 incident reports, triaged 331 for specialist support because of their potential national significance, and recorded NZ$26.9 million in direct financial loss. Separate NCSC research found 53% of New Zealand SMEs experienced a cyber threat in the first half of 2025.
Australia is seeing the same pattern at larger scale. The Australian Signals Directorate’s (ASD) ACSC received over 84,700 cybercrime reports in FY2024–25 – about one every six minutes – and said the average self-reported cost of cybercrime per report for businesses rose 50% to $80,850. It also responded to more than 200 DoS and DDoS incidents, up more than 280% from the year before. New Zealand’s warnings have stayed current too: in March 2026, NCSC told organisations to be alert for increased brute forcing and low-level denial-of-service activity linked to evolving events in Iran.
At Layer3, the most useful way to talk about this is not to pretend AI has created a completely new category of cyber risk. It hasn’t. What AI has done is make familiar threats faster, more convincing, and easier to scale. NCSC’s 2025 threat report says the commercialisation of cybercrime is giving criminals more tools, and that AI is helping attackers create personalised phishing, deepfakes, malicious code, and automated attacks at a pace that can overwhelm organisations with weak basics.
For many businesses, the breach no longer starts with a dramatic “hack.” It starts with a password reset, an MFA change, a convincing phone call, or a stolen token. In Q2 2025, NCSC said unauthorised access accounted for the largest share of direct financial loss at $3.7 million. NCSC also says attackers are increasingly calling IT helpdesks pretending to be staff, using LinkedIn and breach data to sound legitimate, and trying to reset passwords or weaken MFA. NCSC says similar techniques have already been used against multiple New Zealand organisations. Australia is seeing the same thing from another angle: ACSC says phishing appeared in 60% of the incidents it received in FY2024–25, and that social engineering is becoming easier to use at scale partly because of AI. At a broader cloud level, Google Cloud found identity compromise underpinned 83% of major cloud and SaaS compromises.
That also explains why the line between personal and business security is getting thinner. In March 2026, NCSC warned NZ organisations about the risk of staff using work credentials for personal services or shadow IT. In Australia, ACSC documented a case where credentials were likely exposed after an employee synced work credentials to a personal Google account, and an information stealer on their personal device pulled them out. The message is blunt: your business can lose access long before malware ever hits a server.
If anything has changed, it is the professionalism of cybercrime. NCSC says ransomware remains the most damaging criminal attack type, that more than half of the significant incidents it analysed in 2024/25 were likely to involve ransomware-as-a-service, and that ransomware reports rose from 63 to 88 year on year. ACSC says 11% of the incidents it responded to in FY2024–25 included ransomware. This is the reality for NZ and Australian businesses: ransomware is not fading out, it is being packaged, sold, and operated more efficiently.
AI is adding another layer to that problem. Anthropic’s own threat intelligence reporting described criminals using Claude Code in a large-scale extortion operation targeting at least 17 organisations, using AI to automate reconnaissance, credential harvesting, network penetration, and the creation of psychologically targeted extortion demands. Anthropic also said it has seen AI-generated ransomware sold by a cybercriminal with only basic coding skills. That is one of the clearest current proof points that AI is lowering the skill barrier and labour cost of cybercrime.
The recent Claude Code leak is worth including in any 2026 cyber discussion, but it is best described carefully. Based on early reporting, it appears to have been an accidental source-code leak caused by human error in a software update, not a classic external breach, and Anthropic said no customer data or credentials were exposed. Around the same period, Check Point disclosed Claude Code vulnerabilities that could allow remote code execution and API key theft through malicious project configurations when a developer opened an untrusted repository; Check Point said Anthropic patched the issues before publication. Together, those stories make a bigger point for businesses: AI tools are not just productivity tools. They are also software supply-chain components, privileged workflow tools, and new attack surfaces that deserve the same scrutiny as any other business-critical platform.
One of the most practical lessons in the NZ threat picture is that attackers do not need zero-day magic if known weaknesses are sitting exposed. NCSC documented a case where 19 New Zealand organisations – including small businesses, councils, and MSPs – were compromised through the same known vulnerability. The same report says organisations need to focus on vulnerability management, network segmentation, least privilege, MFA, and software allow-lists. Google Cloud now says the window between vulnerability disclosure and mass exploitation has collapsed from weeks to days, while its H2 2025 data showed software-based exploitation overtaking weak credentials as the primary initial access vector. Australia’s ACSC is telling businesses much the same thing: replace legacy IT and manage third-party risk.
That global pattern matters here because NZ and Australian organisations use the same SaaS platforms, cloud services, developer tools, and edge appliances as the rest of the world. Verizon’s 2025 DBIR found third-party involvement in breaches doubled to 30%, while credential abuse and vulnerability exploitation remained the leading initial access vectors. In other words, the local threat picture is not separate from the global one — it is part of the same ecosystem.
For Layer3, this is why cyber security in 2026 should be framed around disciplined layers, not hype. The core response is still the same: protect identity first, harden email and endpoints, reduce attack surface at the edge, segment networks, verify every access request, keep patching moving, and make sure recovery is real rather than theoretical. That logic already appears in Layer3’s own service design, which references Microsoft 365 Business Premium-class controls including Intune, Azure AD P1 and Defender for Business, a commitment to implement 2FA, managed firewalls, Todyl SASE, patching, and regular Microsoft Security Score reviews.
As an MSP, Layer3 is also part of that trust chain. NCSC explicitly tells organisations to consider what access their MSPs have and how that trust could be targeted, which means strong internal verification, disciplined admin controls, and tight supplier hygiene are not just good practice for Layer3 – they are part of the service being delivered. This is one of the reasons we are very big on policy, especially vendor review and AI policies.
That is also why the AI conversation needs to stay grounded. Yes, businesses should be thinking about AI-assisted attacks, prompt injection, exposed APIs, malicious model inputs, third-party AI services, and whether staff are feeding sensitive information into tools they do not control. NCSC’s AI guidance explicitly calls out risks across AI data, models, software, infrastructure and third-party services, while secure deployment guidance recommends strong authentication, logging, API security, and validation and sanitisation of inputs to reduce prompt injection risk. But the answer is still not panic. It is governance, visibility, Zero Trust thinking, and good operational hygiene.
The businesses that will handle this era best will not be the ones shouting the loudest about AI. They will be the ones that make it hard to steal an identity, hard to move laterally, hard to encrypt core systems, and hard to turn one mistake into a business-wide outage. In 2026, the real cyber story for NZ businesses is not that the threats are unrecognisable. It is that the old ones are arriving with new speed, new realism, and new scale.