Businesses have lifted their game on cybersecurity in recent years. Investment in monitoring, detection and response has grown and leadership confidence is high. Yet Datacom’s 2026 Cybersecurity Index reveals a gap that should concern every business owner and leadership team — recovery and continuity are lagging behind detection.
The Cybersecurity Index, which draws on an Omdia survey of more than 700 senior leaders across New Zealand and Australia, shows around three-quarters of organisations feel confident in their ability to detect and respond to incidents. But fewer than a third — just 30% of New Zealand organisations — have a formal, tested business continuity or cyber incident response plan in place. That disconnect is where risk turns into real downtime, lost revenue and reputational harm.
Key takeaways from Datacom’s 2026 Cybersecurity Index:
- Attackers exploit the basics. Most successful breaches still start with unpatched systems, weak or reused credentials and misconfigurations. Attackers are looking for weak spots, so organisations need to maintain good security hygiene.
- Recovery takes longer than leaders expect. Many boards and executives assume operations will be back in hours or days, but the on-the-ground reality after a serious incident is often weeks. Without rehearsed recovery, the costs mount quickly — customer churn, delayed orders, overtime and stretched teams.
- AI is compressing timelines. Autonomous and assisted tooling can discover and weaponise vulnerabilities faster than traditional patch cycles can keep up. That shortens the window to act and punishes organisations that rely on periodic scanning or manual processes.
The organisations that bounce back fastest adopt an assumed-breach mindset — they treat incidents as inevitable, design for swift recovery and ensure cybersecurity spending doesn’t stop at visibility. Keep your monitoring and detection sharp, but fund the plumbing that brings you back to business:
- Cyber-resilient backups with immutability and isolation, including the option to rebuild in a clean, segmented environment.
- Regular, unannounced recovery drills on real systems — not just tabletop run-throughs — so teams build muscle memory across IT, operations, finance and communications.
- Continuous controls assurance — automated breach-and-attack simulation to verify defences work as designed, rather than assuming an audit pass equals protection.
Mind the culture gap
Compliance doesn’t equal security, and dashboards don’t equal resilience. The recovery gap identified by our Cybersecurity Index research is as much cultural as technical.
Leaders should reward teams for discovering and fixing weaknesses, and celebrate successful recovery drills and near-miss learnings. Make cybersecurity training routine for everyone — not just IT — and ensure privileged users, frontline staff and suppliers complete it regularly. Breaches often come down to human error, and regular, ongoing cybersecurity training is the best protection.
The takeaway for New Zealand businesses:
- Get the basics right — patching, identity and configuration hygiene are still where most attackers get in.
- Prove, do not assume — use continuous testing to turn confidence into evidence.
- Design for recovery — invest in immutable backups, clean-room rebuild options and cross-functional drills.
- Build a plan for recovery — if you do not have a formal, tested continuity and incident response plan, you are in the high-risk majority. Close that gap now.
Building cybersecurity resilience does not happen quickly, but there are practical steps you can take immediately. Tighten the basics, prove your controls, develop an incident response plan and rehearse recovery until it’s routine. That is how to ensure your team, your customers and your organisation will all recover in the wake of a serious cybersecurity breach.
Download the full report: datacom.com/cybersecurityindex


