It has been a noisy year on the New Zealand cybersecurity front. Between regulatory shifts, the “always-on” threat of ransomware, and the scramble to secure remote workforces, finding clear, actionable advice hasn’t always been easy.
At Axenic, we’ve spent the last 12 months sifting through the cybersecurity headlines to send you only what matters. We didn’t just want to add to your inbox; we wanted to arm you with “plain English” clarity.
Now that the dust is settling on 2025, we’ve gone back through our data and in this blog we take a look at what actually grabbed your attention.
The headlines that kept you up at night (our most clicked)
We looked at the analytics from every newsletter sent this year, and one trend was undeniable: May 2025 was the month of high interest.
While our steady advice on ISO standards and governance usually gets consistent engagement, traffic spiked massively in May. It wasn’t policy that drove the clicks—it was the realisation that the threats are getting closer to home.
The three most-read articles of the entire year all came from that single edition, effectively tying for first place:
1. The banking breach reality check
- The Story: A report detailed how cybercriminals had stolen almost 100 staff logins from Australia’s “Big 4” banks.
- Why it resonated: For years, we thought of banks as digital fortresses. This story shattered that illusion, proving that in the modern threat landscape, your security is only as strong as your staff’s credentials.
2. The cloud sovereignty scare
- The Story: An RNZ report warned about the risks of the Police shifting information to Microsoft cloud services.
- Why it resonated: This touched a nerve for every NZ public sector leader. The tension between “cloud-first” efficiency and data sovereignty risks (red and orange risks, as the article highlighted) is the defining balancing act of 2025.
3. The “Wait, They Can Hack That?” Moment
- The Story: Security researchers hacked US crosswalk signals to make them speak in the AI-spoofed voices of tech billionaires.
- Why it resonated: It was funny, but also a bit scary. It perfectly illustrated the “double-edged sword” of Generative AI—simultaneously a tool for innovation and a weapon for chaos.
The three big themes of 2025
Looking beyond the spikes, consistent themes emerged throughout the year. These were the topics you came back to month after month.
1. The “Privacy vs. Convenience” battle
If 2025 taught us anything, it’s that we are the product. From March through August, you were consistently concerned with how Big Tech handles data.
- The wake-up call: In March, we covered how Google tracks Android devices right from the moment you sign in.
- The creep factor: In April, Amazon updated Alexa to send voice recordings to the cloud by default, forcing users to trade privacy for functionality.
- The sovereign question: Interest surged again in August when Microsoft admitted it “cannot guarantee” data sovereignty for cloud services.
- The takeaway: The “set and forget” era of privacy is over. Organisations (and individuals) are now actively auditing where their data lives—and who is listening to it.
2. The human element (and the scams targeting it)
While we spend millions on firewalls, 2025 proved that the easiest way in is still a convincing lie.
- The local threat: In April, we saw Wellington law firms fall prey to offshore phone scammers.
- The insider threat: In March, we discussed “Trust Issues” after Health NZ had a staffer access private info, reminding us that sometimes the threat is already inside the whare.
- The glitch: It wasn’t always malicious. In June, Mighty Ape customers were logged into other people’s accounts due to a technical glitch, sparking a debate on what actually constitutes a “breach”.
3. The regulatory tightrope
It wasn’t all doom and gloom; a lot of you were focused on just getting the job done right.
- The compliance shift: Throughout the year, we saw steady engagement with updates on the Privacy Amendment Bill and the new IPP 3A requirements for collecting data indirectly.
- The standard: Our updates on ISO 27001 and PCI DSS remained steady performers, proving that while headlines grab attention, robust governance is what lets you sleep at night.
The “Plain English” award
A favourite from the Axenic team that didn’t get the most clicks, but should have.
“Don’t Panic” (March Introduction) In a year full of “red risks” and “critical alerts,” back in March, Doug reminded us to channel our inner Douglas Adams. While the news often focuses on the biggest crypto heists in history, the reality for most NZ businesses is simpler: Focus on the basics, prepare for the worst, and don’t let the hype paralyse you.
A Look Ahead to 2026
If this review tells us anything, it’s that the line between “personal privacy” and “corporate security” has vanished. The threats targeting your staff’s bank accounts are the same ones targeting your organisation’s cloud credentials.
As we head into 2026, expect the conversation to shift from “identifying” these risks to automating our defence against them.
Did you miss an update? If you found this wrap-up useful, be sure to subscribe to receive our monthly industry take. No FUD (Fear, Uncertainty, and Doubt), just clear, independent advice.