Cybercriminals are no longer lone hackers sitting in dark rooms. Today, hacking is a business. An organised, well-funded industry where cybercriminals offer their services to the highest bidder. Known as "cybercrime-as-a-service," this trend means that businesses of all sizes—not just large corporations—are now prime targets.

The statistics paint a concerning picture with 60% of cyberattacks in 2024 targeted small and medium-sized businesses occuring every 12 minutes in New Zealand (CERT NZ, 2024). 

The message is clear. If your business handles sensitive data, relies on digital infrastructure, or simply exists online, you are a target. 

 

5 Key Strategies to Defend Against Cybercrime-as-a-Service

 

Cybercriminals are constantly evolving their methods, using automation, artificial intelligence, and large-scale data breaches to carry out highly efficient attacks. Businesses must respond with a layered security approach that not only strengthens their defences but also builds resilience against emerging threats.

 

 

Educate Your Team. Your First Line of Defence

Cybercriminals exploit human vulnerabilities more often than technical flaws. Phishing emails, fake login pages, and social engineering attacks are designed to trick employees into revealing sensitive information or clicking on malicious links. 
 
How to implement this

  • Conduct regular cybersecurity awareness training that teaches employees how to spot phishing attempts, suspicious links, and impersonation scams. 
  • Implement simulated phishing exercises to test and improve staff awareness. 
  • Encourage a "security-first" culture where employees report anything unusual without fear of blame.

 

"Security awareness training is really starting to play an important role... businesses are realising how valuable that is." 

 

Adopt a Zero Trust Security Model. Assume No One is Trusted

Traditional cybersecurity models focus on securing the perimeter of a network, assuming that everything inside is safe. However, modern attacks often come from compromised user accounts, making perimeter defences alone ineffective. Zero Trust Security operates on the principle of "never trust, always verify." 
 
How to implement this

  • Require multi-factor authentication (MFA) for all users accessing critical systems.
  • Apply role-based access controls (RBAC) so employees can only access the data necessary for their roles.
  • Continuously monitor user behaviour analytics to detect anomalies, such as login attempts from unusual locations.

 

By 2025, 80% of businesses are expected to adopt a Zero Trust framework (Gartner, 2023), making it a core cybersecurity standard. 

 

Secure Your Cloud Systems. Don’t Leave Doors Open

Cloud-based applications are increasingly targeted by cybercriminals, especially when security misconfigurations leave data exposed. As more businesses move workloads to the cloud, securing cloud access is critical. 
 
How to implement this

  • Use end-to-end encryption to protect sensitive data in transit and at rest.
  • Implement Secure Access Service Edge (SASE) solutions, such as HPE Aruba SASE, which combine network security and cloud security into one framework. 
  • Regularly review cloud security settings to ensure public-facing databases and applications are properly restricted.

With New Zealand’s cybersecurity spending projected to rise by 15% annually (IDC, 2023), investing in cloud security is no longer optional—it’s a business necessity. 

 

 

Monitor and Respond to Threats in Real-Time. Stay One Step Ahead

Cyberattacks happen fast, and manual responses are too slow to contain them. Modern security threats require real-time monitoring and automated incident response to detect and mitigate attacks before they escalate. 
 

How to implement this

  • Deploy Security Information and Event Management (SIEM) tools that aggregate and analyse security data for potential threats. 
  • Use automated threat detection and response (XDR, MDR, or EDR solutions) to react to attacks immediately. 
  • Set up 24/7 security monitoring—either through in-house teams or a Managed Security Services Provider (MSSP)—to ensure constant vigilance. 

 

"The tech is smart now—brute force, analyse huge data sets quickly, and run tests efficiently." 

 

Regularly Back Up and Test Recovery Plans. Prepare for the Worst

Even with strong defences, no system is immune to breaches. A strong backup and disaster recovery strategy ensures that even if attackers succeed, they don’t win.

How to implement this

  • Follow the 3-2-1 backup rule. Keep three copies of data, on two different media, with one offsite copy.
  • Regularly test disaster recovery and ransomware response plans to ensure your team can restore data quickly after an attack.
  • Implement immutable backups—data copies that cannot be altered or deleted by cybercriminals. 

 

The Future of Cybersecurity. Are You Prepared?

As cybercrime evolves into a full-fledged industry, businesses must shift from a reactive approach to a proactive, preventative security strategy. Whether you're an SMB or an enterprise, investing in cybersecurity today means avoiding costly breaches tomorrow.

Our latest Lifting the Lid podcast explores how cybercrime-as-a-service is reshaping the threat landscape and what businesses can do to stay ahead.

 

Back to Articles