Review of the 2026 Verizon DBIR: What New Zealand Organisations Need to Learn Now
Key Takeaway: The 2026 Verizon DBIR reinforces that cyber resilience still depends on disciplined execution of core controls. For New Zealand organisations, the priority is to close practical gaps in vulnerability management, third-party assurance, ransomware readiness, human risk, and AI governance, and to be able to evidence that these controls are operating effectively when boards, regulators, insurers or customers ask.
The 2026 Verizon Data Breach Investigations Report provides a timely reminder for New Zealand organisations: cyber resilience is still built on fundamentals. The report analysed more than 31,000 real-world security incidents, including more than 22,000 confirmed data breaches across 145 countries, making it the largest DBIR dataset to date. Its central message is clear. The threat landscape is changing quickly, but organisations that maintain strong asset visibility, disciplined patching, third-party oversight, incident response planning and a security-aware culture are better positioned to withstand modern attacks.
This is highly relevant in New Zealand. Recent high-profile cyber breaches have resulted in increased regulatory scrutiny and compliance notices from the Office of the Privacy Commissioner. For executives and boards, the lesson is that cyber controls are no longer simply “IT controls”. They are privacy safeguards, governance controls and evidence of reasonable care.
Where personal information is involved, the ability to demonstrate reasonable security practices is critical. Organisations need to be able to show that they understand their risks, have implemented appropriate safeguards, monitor those safeguards, and can respond effectively when something goes wrong.
Key Lessons from the 2026 DBIR
The first major finding is the rise of vulnerability exploitation. The DBIR reports that exploitation of vulnerabilities is now the most common initial access vector for breaches, rising to 31%, while credential abuse fell to 13%. It also found that only 26% of CISA Known Exploited Vulnerabilities were fully remediated by organisations in 2025, down from 38% the previous year, with median full remediation time increasing to 43 days. For New Zealand organisations, this should prompt a practical review of vulnerability management. Boards should be asking whether critical internet-facing systems, cloud services, remote access platforms and third-party hosted environments are being patched based on real exploitation risk, not just generic severity scores. A vulnerability that is actively exploited should be treated as an incident waiting to happen.
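As an added illustration, not part of the Bulletin or the DBIR itself, the following Python sketch shows the prioritisation the paragraph describes: findings that are on the CISA Known Exploited Vulnerabilities list and internet-facing are ranked ahead of higher raw CVSS scores, and the two DBIR-style measures cited above (share of KEV findings fully remediated, median days to remediate) are computed from the same data. The CVE identifiers, dates and scores are constructed placeholders; a real run would load the published KEV catalogue and the organisation's scanner output.

```python
"""Exploitation-driven vulnerability prioritisation and KEV remediation metrics.
All CVE ids, dates and scores below are constructed placeholders for illustration."""
from datetime import date
from statistics import median

# Constructed stand-in for the CISA KEV catalogue (normally loaded from the published feed).
KEV_IDS = {"CVE-2025-0001", "CVE-2025-0002"}  # placeholder ids, not real entries

# Constructed scanner findings: exposure flag, CVSS base score, first detection, fix date (None = open).
FINDINGS = [
    {"cve": "CVE-2025-0001", "cvss": 7.2, "exposed": True,  "first_seen": date(2025, 1, 10), "fixed": date(2025, 2, 14)},
    {"cve": "CVE-2025-0002", "cvss": 6.5, "exposed": True,  "first_seen": date(2025, 3, 1),  "fixed": None},
    {"cve": "CVE-2025-0003", "cvss": 9.8, "exposed": False, "first_seen": date(2025, 3, 5),  "fixed": date(2025, 3, 20)},
    {"cve": "CVE-2025-0004", "cvss": 5.0, "exposed": False, "first_seen": date(2025, 4, 2),  "fixed": None},
]
AS_OF = date(2025, 6, 1)  # constructed reporting date for ageing open findings


def priority_key(finding, kev_ids):
    """Tier 0: known-exploited and internet-facing; tier 1: known-exploited; tier 2: everything else.
    Within a tier, higher CVSS comes first. Exploitation evidence outranks severity alone."""
    in_kev = finding["cve"] in kev_ids
    tier = 0 if (in_kev and finding["exposed"]) else 1 if in_kev else 2
    return (tier, -finding["cvss"])


def prioritise(findings, kev_ids):
    """Return findings in the order they should be worked, most urgent first."""
    return sorted(findings, key=lambda f: priority_key(f, kev_ids))


def kev_remediation_metrics(findings, kev_ids, as_of=AS_OF):
    """DBIR-style board measures for KEV items: % fully remediated, median days to fix,
    and the age in days of anything still open."""
    kev = [f for f in findings if f["cve"] in kev_ids]
    if not kev:
        return {"remediated_pct": 0.0, "median_days": None, "open_days": {}}
    fixed = [f for f in kev if f["fixed"] is not None]
    fix_days = [(f["fixed"] - f["first_seen"]).days for f in fixed]
    return {
        "remediated_pct": round(100.0 * len(fixed) / len(kev), 1),
        "median_days": median(fix_days) if fix_days else None,
        "open_days": {f["cve"]: (as_of - f["first_seen"]).days for f in kev if f["fixed"] is None},
    }


if __name__ == "__main__":
    for f in prioritise(FINDINGS, KEV_IDS):
        print(f["cve"], "KEV" if f["cve"] in KEV_IDS else "   ", "exposed" if f["exposed"] else "internal", f["cvss"])
    print(kev_remediation_metrics(FINDINGS, KEV_IDS))
```

Note that the CVSS 9.8 internal finding ranks below a 6.5 finding that is both known-exploited and exposed, which is the ordering the paragraph argues for.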
The second major lesson is that ransomware remains a core business risk. The DBIR found ransomware was involved in 48% of breaches, up from 44% the previous year. However, 69% of ransomware victims in the dataset did not pay, and median ransom payments continued to decline. This does not mean ransomware is becoming less serious. It means organisations are increasingly judged on whether they can contain, recover, evidence decisions and communicate effectively under pressure.
The third major finding is the growth of third-party risk. The DBIR reports that breaches involving third parties increased by 60% from the previous year, reaching 48% of total breaches. This is a significant issue for New Zealand organisations that rely on outsourced technology providers, cloud platforms, managed service providers, software vendors and specialist business systems. Third-party outsourcing does not remove accountability. Organisations remain responsible for understanding where their data is held, who has access to it, how it is protected, and how suppliers will respond during a cyber incident. Contractual assurances are not enough. Assurance needs to be tested, evidenced and reviewed regularly.
The fourth lesson is the continuing role of people. The DBIR found the human element was present in 62% of breaches, with social engineering representing 16% of breaches. Mobile-centric vectors such as voice and text messaging produced higher success rates in simulations than email, and pretexting is becoming a more common initial access vector for ransomware and extortion attacks. This means awareness training must move beyond email phishing. Help desks, finance teams, executives, customer support teams and IT administrators need clear procedures for verifying unusual requests, resetting credentials, approving payments and granting access. Attackers are increasingly targeting process weaknesses, not just technical vulnerabilities. This is why we continue to develop and offer our customers contextual cyber training via the CyberSafeHQ.com learning management system.
The fifth lesson is emerging AI-related data leakage. The DBIR found that 45% of employees are now regular users of AI on corporate devices, up from 15% the previous year, and that 67% of users accessing AI services on corporate devices used non-corporate accounts. It also identified Shadow AI as a rapidly growing data loss prevention issue, with source code, images, structured data and technical documentation being submitted to external AI tools. For New Zealand organisations, this requires immediate governance attention. Staff may be using AI tools to improve productivity, but without clear rules they may unintentionally expose sensitive information, personal data, source code, commercial records or internal documentation.
Why We Map These Developments to the CIS Controls
We closely follow these developments because they map to the CIS Controls for measurable risk reduction. The CIS Controls provide a practical structure for reducing the likelihood and impact of common cyber-attacks. They are especially useful because they convert threat intelligence into specific safeguards that can be implemented, tested and evidenced.
The DBIR’s findings reinforce the value of using CIS Controls as a practical benchmark. Vulnerability exploitation maps to CIS Control 7, Continuous Vulnerability Management. Credential abuse and weak access governance map to CIS Controls 5 and 6, Account Management and Access Control Management. Ransomware preparedness maps to CIS Controls 11 and 17, Data Recovery and Incident Response Management. Social engineering maps to CIS Control 14, Security Awareness and Skills Training. Third-party exposure maps to CIS Control 15, Service Provider Management. Shadow AI and data leakage map to CIS Controls 3 and 8, Data Protection and Audit Log Management.
The practical value is that the CIS Controls help organisations ask the right questions:
- Do we have this safeguard?
- Is it operating effectively?
- Can we produce evidence?
- Has it been tested during a realistic incident scenario?
Those questions are increasingly important when regulators, insurers, auditors, customers and boards assess whether an organisation acted reasonably.
What New Zealand Organisations Should Do Next
New Zealand organisations should treat the DBIR as a board-level risk input, not simply a technical report. In light of recent high-profile breaches and compliance action from the Office of the Privacy Commissioner, organisations holding personal or sensitive information should review whether their security controls can be evidenced, not just described.
Priority actions should include:
- Confirm complete visibility of internet-facing assets, cloud services, privileged accounts and third-party data stores.
- Review vulnerability management against active exploitation, especially for externally exposed systems.
- Enforce MFA for remote access, privileged users, externally exposed applications and third-party platforms.
- Test incident response plans through realistic executive tabletop exercises, including privacy notification, regulator engagement, media response, ransomware decision-making and business continuity.
- Review third-party contracts, assurance processes and security evidence, particularly where suppliers host or process personal information.
- Establish clear AI usage rules, including approved tools, account requirements, data restrictions and monitoring for unauthorised use.
- Align cyber and privacy governance so that security weaknesses are assessed in terms of potential privacy harm, not only technical impact.
The strongest message from the 2026 DBIR is that cyber risk reduction is still achieved through disciplined execution of known controls. For New Zealand organisations, the regulatory context makes this more urgent. Where personal information is involved, weak cyber hygiene can quickly become a privacy compliance issue, a governance issue and a public trust issue.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions covering topical matters. Each article contains a brief summary and, where possible, a linked web reference for detailed information. The purpose of this resource is to assist Executives in keeping up to date, from a high-level perspective, with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
