Unveiling the Surge in AI-Driven Cyber Risks: Insights from Kordia's Latest Report
New Zealand businesses are grappling with escalating cyber threats amplified by artificial intelligence (AI), according to the freshly released 2026 Kordia New Zealand Business Cyber Security Report. This landmark study, marking its 10th year, surveyed nearly 250 organisations with 50 or more employees, painting a vivid picture of a threat landscape where AI vulnerabilities have more than doubled year-over-year. From 6% of attacks exploiting AI weaknesses in 2024 to 14% in 2025, the data underscores how rapidly evolving technologies are reshaping cybersecurity challenges. While overall cyber incidents dipped slightly to 44% from 59%, the sophistication and potential impact of AI-related breaches demand immediate attention from leaders across sectors, including higher education institutions handling vast troves of sensitive student and research data.
The report highlights not just external hacker ingenuity but internal pitfalls, positioning improper staff use of AI as the foremost concern for a quarter (24%) of respondents—up from 16% last year. This internal threat, often manifesting as 'shadow AI'—unauthorised deployment of tools like ChatGPT without oversight—poses unique dangers in knowledge-intensive environments like universities, where academics and administrators experiment with generative AI for everything from grant writing to lecture preparation.
AI Vulnerabilities Doubling: A Deep Dive into the Numbers
At the heart of Kordia's findings is the explosive growth in attacks targeting AI systems. Cybercriminals are leveraging AI to craft hyper-personalised phishing emails, automate vulnerability scans, and generate deepfakes for social engineering. Email phishing alone accounted for 43% of all incidents, supercharged by large language models that make scams cheaper and faster to produce. In New Zealand's context, where businesses increasingly integrate AI for efficiency, unpatched models or misconfigured APIs become prime entry points.
Consider the mechanics: AI vulnerabilities often stem from data poisoning—where attackers corrupt training datasets—or prompt injection attacks, tricking models into revealing confidential info. The report notes 28% of large organisations now rank AI-generated attacks among their top threats, a sentiment echoed in global trends but acutely felt in NZ's tight-knit digital economy. For higher education, this means research collaborations and student portals could unwittingly expose intellectual property or personally identifiable information (PII) if AI tools lack robust safeguards.
Staff Misuse Tops the List: The Shadow AI Menace
Shadow AI emerges as the report's most alarming revelation, with 43% of leaders pinpointing employee-driven data exposures as their primary risk. Staff unwittingly pasting sensitive documents into public AI chatbots risks perpetual data leakage, as inputs may train third-party models. In NZ universities, where faculty juggle teaching, research, and admin, this is rife: a lecturer querying an AI for paper summaries might inadvertently share unpublished findings.
- 24% cite improper AI use as a top challenge, reflecting lax policies in half of businesses lacking AI data breach guidelines.
- Examples include 'copy-pasting' confidential info into unsanctioned tools, amplifying insider risks.
- 43% accidental exposures via AI processes, blending human error with tech naivety.
Patrick Sharp, GM of Aura Information Security (Kordia-owned), warns: "Shadow AI is growing into a massive problem." Real-world echoes include NZ Corrections staff disciplined for AI-drafted reports, hinting at broader cultural gaps.
Broad Cyber Landscape: Beyond AI to Persistent Threats
AI doesn't eclipse classics: financial extortion rose to 19% of incidents (from 14%), with personal info theft at 17%. Ransomware saw 8% paying demands, a 42% compliance rate among victims, and 32% openness to pay, despite experts decrying it as futile. Disruptions plagued 61% of victims, supply chains 20%, with insurance claims (17%) and fines (11%) adding sting.
NCSC data corroborates: Q3 2025 losses hit $12.4m, up 118% quarterly. China state-sponsored actors loomed at 35% perceived threat, per related surveys. For NZ higher ed, akin to large enterprises, these stats signal vulnerability—student records mirror corporate PII troves.
Impacts Rippling Through NZ Businesses and Institutions
Financial hits mount: direct losses soar amid sophisticated ops. Operationally, 21% faced blackmail fears post-breach. Higher ed feels this acutely—imagine a university's learning management system (LMS) down during exams, or research IP stolen via AI-assisted spear-phishing. TEC's tertiary cyber initiative underscores sector maturity gaps, with universities pioneering programs like Waikato's Cyber Wing yet lagging holistic defences.
Stakeholders report regulatory fines, legal woes, and reputational scars. 36% demand mandatory breach reporting, aligning with global norms like GDPR.
Policy Gaps and Calls for Action
36% seek harsher penalties, 38% government education, 27% ransom bans. NZ's Cyber Security Strategy 2026-2030 aims bolder, critiqued as Five Eyes laggard. Kordia urges executive-level security, staff upskilling on deepfakes/vishing. For unis, integrate into career development, training on AI ethics.
Higher Education Under the Microscope: Unique Vulnerabilities
NZ universities mirror report profiles: AI in grading, research (e.g., data analysis), admin. Shadow AI risks amplify—students/faculty bypassing policies. Global parallels: IBM notes 20% breaches shadow AI-linked. NZ cases sparse but growing; TEC pushes maturity. Waikato, AUT lead cyber education, yet sector-wide policies lag. Solutions: AI governance frameworks, like vendor 'opt-out' audits.
- Research data: Prime target for nation-states.
- Student PII: Phishing magnets.
- Hybrid learning: Expanded attack surface.
Practical Solutions: Mitigating AI Cyber Risks Step-by-Step
1. Assess AI inventory: Map sanctioned/unsanctioned tools.
2. Policy rollout: Clear guidelines on data input.
3. Training: Phishing simulations, AI literacy.
4. Tech stack: MFA, zero-trust, AI-specific scanners.
5. Incident prep: Tabletop exercises with NCSC.
Alastair Miller advises: "Supplement basics with strategic AI defences." Higher ed can leverage programs like Canterbury's Cybersecurity Lab for tailored advice.
Expert Perspectives and Stakeholder Views
Sharp: "Insider threats... shadow AI massive." Miller: "AI new frontier of cybercrime." Balanced: AI aids defence via anomaly detection. Multi-perspective: NCSC reports declining incidents but rising costs; businesses want accountability. Higher ed voices via TEC emphasise sector uplift.
Future Outlook: Quantum and Beyond
Expect quantum threats to encryption, more deepfakes. NZ Strategy eyes resilience; unis pivotal in talent pipeline via cybersecurity roles. Proactive stance key—businesses preparing now avoid 2026 pitfalls.
In conclusion, Kordia's report is a wake-up call. For NZ higher ed, securing AI fortifies innovation. Stay vigilant, upskill, and protect tomorrow's knowledge economy.
