January 2025 • Estimated read time: 15 minutes
Despite increased awareness and investment in cybersecurity, many small and medium businesses (SMBs) continue to fall victim to the same avoidable mistakes. As the digital threat landscape evolves, so too must our mindset, tooling, and internal habits.
This newsletter identifies twelve of the most persistent security gaps and human errors we’ve observed across the New Zealand SMB landscape—along with actionable ways to mitigate each in 2026 and beyond.
Most breaches don’t start with technical exploits; they start with people. Phishing, social engineering and accidental data loss continue to dominate incident root-cause analysis. Ongoing training, simulated phishing campaigns and a no-blame “report it” culture (a report within minutes is praised, never punished) turn your people from the weakest link into an early-warning system.
Password reuse across systems is still rampant, and “Summer2023!” is not a strong password: a dictionary word plus a year plus a trailing symbol is one of the first patterns cracking tools try. Deploy a password manager, favour length over complexity rules, and check new passwords against known-breached lists. Enforce MFA everywhere, especially on email and remote access, and prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS codes, which attackers can intercept or simply phish along with the password.
Delaying updates leaves known, often already-exploited vulnerabilities wide open. In 2026 there is no excuse: automate patching for operating systems, browsers and third-party applications, track every exception with an owner and an expiry date, and validate that patches actually installed rather than assuming the job ran.
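As an added illustration of the password point above (this is example code written for this newsletter, not a Virtus Group tool), the checker below rejects “Summer2023!” for the reasons given: it strips the bolted-on symbol and trailing year, undoes common leet substitutions, and compares against a breached-password list and a season-plus-year pattern. The deny-list and the organisation words are constructed stand-ins; in production you would feed it a real breached-password download and your own company names, and it complements rather than replaces MFA.

```python
import re

# Constructed stand-in for a breached-password deny-list (e.g. a downloaded
# Have I Been Pwned range); the entries are illustrative, not real breach data.
BREACHED = {"password", "welcome1", "letmein", "qwerty123", "summer2023"}

# Constructed organisation-specific words to block (assumption for the demo).
ORG_WORDS = ("virtus", "acme")

SEASONS_MONTHS = ("spring", "summer", "autumn", "winter", "january", "february",
                  "march", "april", "may", "june", "july", "august", "september",
                  "october", "november", "december")
PUNCT = "!@#$%^&*()-_=+.,?"
# Undo the substitutions people use to satisfy "must contain a symbol/digit".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
SEASON_YEAR = re.compile(r"(%s)(19|20)?\d{2}" % "|".join(SEASONS_MONTHS))


def check_password(pw: str, min_len: int = 14) -> list:
    """Return the policy findings for pw; an empty list means acceptable."""
    findings = []
    low = pw.lower()
    core = low.strip(PUNCT)            # drop the "!" bolted onto the end
    base = re.sub(r"\d+$", "", core)   # drop a trailing year or counter
    deleet = base.translate(LEET)      # P@ssw0rd -> password

    if len(pw) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if core in BREACHED or deleet in BREACHED:
        findings.append("matches a known breached or weak password")
    if SEASON_YEAR.fullmatch(core):
        findings.append("season or month followed by a year")
    if any(word in deleet for word in ORG_WORDS):
        findings.append("contains an organisation name")
    return findings


def is_acceptable(pw: str) -> bool:
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ("Summer2023!", "P@ssw0rd1", "Virtus2024!",
                      "correct-horse-battery-staple-7"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Length is checked first because it is the cheapest and most effective single control; the pattern checks exist to catch the passwords that satisfy naive complexity rules while being trivially guessable.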
If a breach happens tomorrow, who does what? Who contacts customers, insurers and regulators? Which systems are shut down or isolated, and who has the authority to make that call? Documenting and rehearsing your incident response plan (a tabletop exercise at least once a year) turns chaos into control.
Staff installing personal tools or syncing files to consumer cloud apps outside IT oversight create data-loss and compliance risks you cannot see. Establish clear Acceptable Use and BYOD policies, backed by monitoring that shows which apps and devices are actually touching company data.
Flat networks mean a single compromised device can reach everything. Segment IoT, guest, production and finance traffic with VLANs and firewall rules that deny traffic between segments by default, and apply micro-segmentation in high-risk environments.
Many platforms ship with insecure defaults. Rename or disable built-in admin accounts, rotate default credentials, disable unused services and ports, and run regular configuration audits against a published baseline such as the CIS Benchmarks.
Backups aren’t enough if they’re incomplete, untested, or reachable by the same attacker who encrypted production. Follow the 3-2-1-1-0 principle: three copies of your data, on two different media, one copy off-site, one copy offline or immutable so ransomware cannot touch it, and zero errors on a verified test restore. Test restores regularly, and automate the test where possible.
“Everyone has access” is a recipe for disaster. Enforce least privilege and role-based access, remove standing admin rights from day-to-day accounts, audit permissions quarterly, and use Just-in-Time elevation for sensitive environments.
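The “0” in 3-2-1-1-0 only means something if the restore test is real. The script below is an added example (not part of the newsletter or any Virtus Group product) of what an automated restore test looks like: it records a SHA-256 manifest when the backup is taken, restores the archive into a scratch directory, and reports every missing or altered file. The sample files and the simulated drift are constructed for the demo; in practice you would run the check against the offline or immutable copy, and keep the manifest with that copy rather than only beside the archive, so an attacker who can alter one cannot quietly fix up both.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(src: Path, archive: Path) -> dict:
    """Archive src as tar.gz and record a SHA-256 manifest of every file."""
    manifest = {p.relative_to(src).as_posix(): sha256_file(p)
                for p in sorted(src.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(src), arcname=".")
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path) -> list:
    """Restore into a scratch directory and check every file against the manifest.
    Returns the list of errors; an empty list is the '0' in 3-2-1-1-0."""
    manifest = json.loads(manifest_path(archive).read_text())
    errors = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Python 3.12+ (and patched 3.8+) can refuse path-traversal
                # entries in a tampered archive; older versions lack the option.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                errors.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                errors.append(f"checksum mismatch: {rel}")
    return errors


def run_demo() -> tuple:
    """Constructed demo: a clean backup passes, a backup that silently drifted fails."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, archive = root / "data", root / "backup.tar.gz"
        (src / "notes").mkdir(parents=True)
        (src / "config.ini").write_text("[db]\nhost=10.0.0.5\n")
        (src / "ledger.csv").write_text("date,amount\n2025-01-10,1200.00\n")
        (src / "notes" / "b.txt").write_text("quarterly review\n")
        create_backup(src, archive)
        clean = verify_restore(archive)

        # Simulate a backup job that kept "succeeding" while the copy drifted:
        # one file altered, one dropped, archive rewritten, manifest untouched.
        (src / "ledger.csv").write_text("date,amount\n2025-01-10,0.01\n")
        (src / "notes" / "b.txt").unlink()
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(str(src), arcname=".")
        drifted = verify_restore(archive)
    return clean, drifted


if __name__ == "__main__":
    clean, drifted = run_demo()
    print("clean backup errors:", clean)
    print("drifted backup errors:", drifted)
```

A scheduled job that runs this against last night’s backup and pages someone when the error list is non-empty is the difference between “we have backups” and “we can restore”.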
You can’t protect what you can’t see. Centralize logs in a SIEM such as Wazuh and pair it with infrastructure monitoring such as Zabbix (Zabbix watches availability and performance; it is not a log platform). Monitor file integrity, authentication events and firewall rule changes, and alert on suspicious patterns such as a burst of failed logins followed by a success.
Your security is only as good as the weakest vendor you trust. Vet suppliers before onboarding, require attestations (for example ISO 27001 certification or SOC 2 reports), grant integrations only the access they need, and isolate them where possible.
The belief that your business is too small to be targeted is the most dangerous mindset of all. Threat actors automate their attacks and do not check company size before scanning. Assume breach and build for resilience.
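To make the “alert on suspicious behaviour” point concrete, here is an added example of the detection logic itself (written for this newsletter, not taken from Wazuh or any other product; a SIEM such as Wazuh ships equivalent correlation rules out of the box). It parses sshd-style auth log lines, keeps a five-minute window of failures per source address, raises a high-severity alert when the failure count crosses a threshold, and a critical one when a login succeeds from an address that has just failed repeatedly, which is the pattern of a cracked password. The log lines and the year (syslog omits it) are constructed assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth.log lines for the demo; not a real capture.
SAMPLE_LOG = """\
Jan 14 09:12:01 web1 sshd[2041]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Jan 14 09:12:05 web1 sshd[2043]: Failed password for root from 203.0.113.45 port 51236 ssh2
Jan 14 09:12:09 web1 sshd[2045]: Failed password for invalid user test from 203.0.113.45 port 51238 ssh2
Jan 14 09:12:14 web1 sshd[2047]: Failed password for deploy from 203.0.113.45 port 51240 ssh2
Jan 14 09:12:20 web1 sshd[2048]: Failed password for deploy from 203.0.113.45 port 51241 ssh2
Jan 14 09:12:33 web1 sshd[2049]: Accepted password for deploy from 203.0.113.45 port 51242 ssh2
Jan 14 09:13:02 web1 sshd[2051]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jan 14 09:20:00 web1 sshd[2060]: Failed password for bob from 198.51.100.7 port 40030 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line: str, year: int = 2025) -> dict:
    """Parse one sshd line into an event dict, or None if it is not a login event."""
    m = LINE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the year is an assumption for the demo.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect(lines, window=timedelta(minutes=5), fail_threshold=5, success_after=3) -> list:
    """Return (severity, rule, ip, user) alerts for the given log lines."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    failures = defaultdict(list)   # ip -> [(ts, user), ...] failures inside the window
    alerts, already_flagged = [], set()
    for e in events:
        ip = e["ip"]
        recent = [f for f in failures[ip] if e["ts"] - f[0] <= window]
        if e["outcome"] == "Failed":
            recent.append((e["ts"], e["user"]))
            users = {u for _, u in recent}
            if len(recent) >= fail_threshold and ip not in already_flagged:
                already_flagged.add(ip)   # one alert per source, not one per attempt
                alerts.append(("high",
                               f"{len(recent)} failed logins in {window.seconds // 60} min "
                               f"across {len(users)} account(s)", ip, e["user"]))
        elif len(recent) >= success_after:
            # A success right after a run of failures is the signature of a
            # guessed or sprayed password, not of a user who mistyped once.
            alerts.append(("critical",
                           f"successful login after {len(recent)} recent failures",
                           ip, e["user"]))
        failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Note what does not fire: alice’s key-based login and bob’s single typo from 198.51.100.7 produce nothing, which is the point of windowing and thresholds rather than alerting on every failure. The same shape of rule applies to VPN, RDP and Microsoft 365 sign-in logs once they are centralized.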
Each of the 12 security mistakes outlined in this newsletter presents a critical opportunity to improve—not just to patch gaps, but to reshape your overall IT security strategy into a proactive, business-enabling framework.
At Virtus Group, we go beyond checklists. Our services are designed to holistically address each layer of your digital environment. From Secure Cloud Architectures and Managed SIEM to Staff Awareness Training and Modern Authentication Protocols, we align cybersecurity with your business priorities.
We understand New Zealand SMBs face unique challenges—limited resources, fragmented systems, and evolving compliance requirements. That’s why our solutions are modular, scalable, and backed by local expertise. No matter your industry or size, we’ll help you turn these common mistakes into lasting strengths.