From Distant Threats to Local Reality: How Cyber Attacks Are Shifting Toward AU/NZ

Written By Luke Thomas

Little old Christchurch, New Zealand, my home for the past 15 years, feels a long way from the world’s traditional cyber battlegrounds. For a long time, that distance felt like protection. The big headaches were happening somewhere else: the United States, China, the Middle East, and politically volatile regions like Russia and Ukraine.
But that’s no longer true, and the data tells the story.

The First Wave: Big Economies, Big Targets

Between 2015 and 2023, annual cybercrime complaints to the FBI’s Internet Crime Complaint Center (IC3) rose from just under 300,000 reports a year to more than 880,000. And those are only the incidents people bothered to report.

During that time, most cyber activity was aimed at:

  • High-value, data-rich economies

  • State-sponsored targets

  • IP-heavy industries

  • Banks and critical infrastructure in the Middle East and Asia

Think Sony Pictures being hacked by North Korea. Think Russian groups burrowing into US energy networks. Think industrial espionage coming out of China. And yes — reports consistently estimate that organisations in the Middle East fend off over a million cyber attacks per day across government, oil, finance, and telecommunications.

That early phase was defined by big targets, big motivations, and big players.

The Second Wave: Europe Lights Up

The biggest economies had started to harden up. They built serious state-backed defences and threw money at the problem. Funded, and funded, and funded again. At the same time, attacking got easier. Automation, off-the-shelf exploit kits, subscription ransomware, and point-and-click hacking tools meant you no longer needed to be a nation state to break into one.
So, the net expanded and drifted west into Europe, at which point the continent became a goldmine for attackers.

Not because Europe was suddenly more interesting, but because three things happened at once.

  1. GDPR forced breaches into daylight.
    Mandatory reporting meant incidents could not be hidden, ignored, or quietly handled anymore. Everyone finally saw how big the problem was.

  2. Mid-sized organisations were low hanging fruit.
    Local government, healthcare, manufacturers, universities, professional services. All digitally connected, all full of valuable data, none with the budgets of banks or defence departments.

  3. Ransomware as a service took off.
    The cyber underground industrialised. Affiliates, revenue sharing, customer support portals, helpdesks. Attacking Europe became scalable.

Norsk Hydro, the NHS, MOVEit, Travelex, multiple parliaments and councils. Europe wore the brunt of the second wave.

Europe has not moved past the cyber wave. It is still in it. In the past few months alone we have seen production suspended at Jaguar Land Rover after a major breach, customer data exposed through Harrods’ third-party provider, airports across the UK, Germany and Belgium disrupted by a ransomware hit on aviation software, Bouygues Telecom in France reporting a breach affecting more than six million customers, and fresh fines handed down after a telecom data leak in Greece.

Europe has not moved past the cyber wave. It is still right in the middle of it. In the past few months alone we have seen production halted at Jaguar Land Rover after a major breach, customer data exposed through a third-party supplier to Harrods, airports across the UK, Germany and Belgium disrupted by a ransomware attack on aviation software, Bouygues Telecom in France reporting a breach affecting more than six million customers, and fresh fines issued in Greece after a telecom data leak.

On top of that, the EU has recorded a 22 percent increase in significant cyber incidents in the past year alone. Hospitals, councils, law firms, logistics companies and critical suppliers across the continent are still being hit weekly.

And yet, that rate of increase is still not close to how fast attacks are rising year on year in Australia and New Zealand.

The Third Wave: Australia and New Zealand

n Australia, cybercrime reports have jumped from around 60,000 a year to more than 87,000 in just four years. That is roughly one report every six to seven minutes, and that still excludes the vast number of incidents that never make it to a formal channel. New Zealand is on the same trajectory. CERT NZ has gone from just over three thousand reports a few years ago to thousands every quarter, and that does not include attacks handled quietly by IT providers, insurers, or internal teams.

We are not seeing the tail end of a global problem. We are watching the migration pattern play out in real time. What happened in Europe five years ago is what is happening here now. Our per capita numbers are still lower, but the growth curve is almost identical, just slightly delayed.

And unlike Europe, we do not have mandatory reporting, sector-wide regulation, broad cyber funding, or strong enforcement driving visibility. That means two important things. First, the numbers we do see are a floor, not a ceiling. Second, when reporting does become mandatory, the perceived jump will look sudden, even though the shift has already happened.

This is not a matter of if the gap closes. It is only a matter of how long we ignore it before it does.


Why CySura Exists

CySura was not formed in a vacuum. It came out of watching the same cyber patterns that hit the United States and Europe start to surface here at home. After more than a decade working in the New Zealand healthtech sector, it became clear that Christchurch, Dunedin, Nelson, Tauranga and every other regional centre were on the front edge of that third wave, but without the support that larger markets had already built.

GP practices in Invercargill, SaaS providers in Queenstown, accounting firms in Palmerston North, legal practices in Napier, manufacturers in Hamilton and professional services firms in Christchurch were all exposed to the same attacks that had already swept through Europe. What they did not have were CISOs, incident response plans, board reporting structures or internal security teams. They were effectively left to figure it out on their own.

Most organisations in New Zealand will never employ a full time CISO. But they still need someone who can:

  • Assess risk in plain language

  • Build workable policies and response plans

  • Prepare for ransomware, phishing and business email compromise

  • Satisfy insurers, boards, regulators and large clients

  • Lead when an incident happens

That is why CySura exists.

We provide local, fractional cyber leadership and advisory services to organisations in:

  • Christchurch

  • Auckland

  • Wellington

  • Dunedin

  • Hamilton

  • Nelson

  • Tauranga

  • Queenstown

  • Palmerston North

  • New Plymouth

  • Invercargill

  • And every regional centre in between

We work with GP practices, software companies, councils, accounting and legal firms, logistics operators, manufacturers and other small and medium businesses across New Zealand and Australia that do not have in house security teams but still carry real cyber exposure.

We are new because the need is new. The same wave that hit the Northern Hemisphere is reaching us now. The attackers have shifted. The market is shifting. Most organisations have not.

If you are in that space, not a bank, not a government agency, but still a target, this is who CySura was built for.

Luke Thomas