Moving your business online is an exciting stage of your journey. In 2025, managing your operations and storing information digitally is more essential than ever. When all your data is readily accessible from a centralised location, your business can operate more efficiently – and let’s face it, no one wants to be left behind in this tech-driven world.

However, venturing online also carries significant risks.

If your business stores data online – including sensitive client information – there’s an ongoing risk of this data being accessed or manipulated by unauthorised parties. Data breaches can incur losses that are crippling for SMEs; in 2025, these losses can sometimes exceed what many businesses can recover from. This is where an effective Cyber Security Plan becomes indispensable.

What Is Cyber Security?

Cyber security is the practice of safeguarding your online data and information from unauthorised access, theft, or corruption. With advances in technology and increasingly sophisticated cyber threats, keeping your digital assets secure is akin to locking your office to prevent valuable items from being stolen.

Not having a robust cyber security system in place is like leaving your office door wide open – you wouldn’t do that with physical assets, so why risk your digital ones? Making cyber security a regular habit is vital to protect your business.

Consider this: the cost of implementing proactive cyber security measures is likely far lower than the expense of recovering from a major data breach. Safeguarding sensitive information – such as your clients’ payment details or personal records – is a priority for any responsible business.

What Kind Of Online Threats Are We Talking About?

Cyber security threats manifest in various forms, making them both dangerous and challenging to detect.

A threat could be as minor as an email impersonating a trusted contact asking for sensitive data – a tactic known as spoofing. But there are many other, more severe threats too, such as:

  • Scam emails (commonly referred to as ‘phishing’)
  • Malware – including viruses, spyware or worms
  • Ransomware – where data is held hostage until a ransom is paid (and even then, recovery is not always guaranteed)
  • Denial of service attacks – which overload your systems with excessive requests until they crash

Fortunately, there are many strategies you can implement to protect your business and manage your cyber security effectively.

How Can I Protect My Data?

Many SMEs tend to defer cyber security matters to IT professionals. However, an effective data protection strategy requires the commitment of the entire organisation.

Cyber security is a responsibility that falls on everyone in the workplace – from changing passwords regularly to following well-defined data handling protocols. For further guidance on establishing robust workplace policies, check out our Working From Home Legal Issues resource and our detailed Workplace Policy guidelines.

So, how do you ensure that every team member is engaged in protecting your data?

Update Your Systems Regularly

While most businesses back up their data and update their systems routinely, the ever-evolving digital landscape in 2025 demands even more frequent checks. Regular updates help counteract new vulnerabilities as soon as they are discovered.

This practice should include changing passwords periodically, enabling two-factor authentication for all user accounts, and maintaining up-to-date encryption on cloud-based services. For additional insights, our article on moving your business online legally provides some practical tips.

Monitor Who Has Access To Your Data

It’s essential to control access to your data. Only those employees who need access to perform their work should have it. Use robust permissions and regularly review access levels to ensure compliance with best practices.

Having a comprehensive Cyber Security Policy will clearly outline who is authorised to access your data and under what conditions. To further safeguard your business, use a carefully drafted Contractor Agreement when working with independent contractors, detailing the scope of work, intellectual property rights, confidentiality and data handling protocols.

If you work with overseas contractors, it’s crucial to establish whether your agreements fall under New Zealand law or the local laws of your contractor. For more on managing cross-border legal issues, have a look at our guide on engaging overseas contractors.

What If My Employees Are Working From Home?

Since the changes brought about by recent global events, remote working has become standard practice. Therefore, having a robust Work From Home Policy is not just a bonus but a necessity. Such a policy should specify which secure systems and software employees must use when accessing company data remotely.

A well-drafted Work From Home Policy can help mitigate the risks of unintentional data breaches, especially for those using shared devices or unsecured networks at home. Additionally, updating Employment Contracts to include specific clauses on data access can further enhance protection.

Train Your Employees About Cyber Security

Having robust policies is only half the battle; ensuring that your employees understand and comply with them is equally important. Regular cyber security training equips your staff with the knowledge to recognise phishing schemes, handle suspicious emails, and manage sensitive data securely.

Empowered employees are your first line of defence against cyber threats. For more tips on creating a secure working environment, our Legal Tips section offers valuable insights.

Getting Cyber Security Insurance

Even with all the safeguards in place, no system is entirely immune to breaches. Cyber Security Insurance can help mitigate the financial impact of a data breach by covering costs associated with recovery, legal fees, and even regulatory fines. It’s a crucial safety net for any modern business.

There are numerous policies available to suit different business needs – it might be worthwhile exploring options on our small business lawyers page for more tailored advice.

Additional Cyber Security Measures for 2025

With cyber threats becoming more sophisticated, consider integrating advanced measures such as Zero Trust Architecture and continuous monitoring systems into your security protocol. These approaches assume that threats can exist both inside and outside your network, so every access request is rigorously verified. For further reading on effective strategies, see our legal tips on safeguarding your business.

What Other Agreements Might I Need?

Even with all the necessary security precautions, data breaches can still occur. That’s why it’s critical to have a robust Data Breach Response Plan in place. This plan should clearly outline the steps to take in the event of a breach, including how to notify affected parties and which staff members are responsible for different aspects of the response.

Having comprehensive legal agreements helps ensure you’re prepared for any eventuality. For example, incorporating a Non-Disclosure Clause in your Employment Agreements – or even as a standalone NDA – is a critical measure to prevent unauthorised sharing of confidential information.

Your employment contracts may also include a Non-Compete Clause to prevent employees from joining competing firms or sharing sensitive information after leaving your company. For more tailored contract solutions, our guides on contract drafting and data privacy policies can be invaluable.

Staying proactive about cyber security means not only preventing breaches but also being prepared to manage them if they occur. A comprehensive legal framework helps safeguard your business and build trust with your clients.

Non-Disclosure Clause

You can incorporate a non-disclosure clause into your Employment Agreements or have it as a separate document – an NDA – both designed to prevent the divulgence of confidential information outside your business.

This is one of the most common and effective methods for protecting vital business information. Similarly, including a Non-Compete Clause in your contracts helps ensure that sensitive data does not inadvertently fall into the hands of competitors.

For up-to-date legal guidance on these agreements, feel free to browse through our detailed resources on contract drafting and privacy policies.

We also recommend reviewing the latest recommendations from the New Zealand National Cyber Security Centre, which regularly updates its guidance to help businesses stay ahead of emerging threats. You can visit their website here for current information.

What Is A Notifiable Data Breach?

If your business falls under the requirements of the Privacy Act, you must disclose any data breach that exposes sensitive information to the affected individuals and notify the Office of the Privacy Commissioner (OPC). This process is known as a Notifiable Data Breach.

A Notifiable Data Breach occurs when:

  • Unauthorised access to or loss of data has occurred;
  • The breach is likely to result in serious harm;
  • It is not possible for your business to fully prevent that harm.

Am I Covered By The Privacy Act?

Typically, the Privacy Act applies to any business with an annual turnover of more than NZ$1 million, though certain businesses – such as health service providers – are covered regardless of their turnover. For the most current guidelines on your obligations, please refer to the updated information available here.

Need Help?

Data breaches and cyber security threats can affect any business – especially now that so many operations have moved online. In 2025, it’s more important than ever to have both a comprehensive cyber security strategy and the necessary legal framework in place.

Our team of professional lawyers is here to help you navigate these challenges. Whether you need assistance with drafting legal documents or advice on your cyber security policies, we’re ready to support you. For more detailed guidance, our Legal Tips page offers additional insights.

You can reach out to us at [email protected] or contact us on 0800 002 184 for an obligation-free chat.

About Sprintlaw

We're an online legal provider operating in New Zealand, Australia and the UK. Our team services New Zealand companies and works remotely from all around the world.
