Cyber Security Checklist for NZ Businesses

A plain‑English guide aligned to the NCSC 10 Critical Controls

Cyber security is one of those topics most business owners know they should care about, but aren’t always sure where to start.

At Revolution IT, we’re an Auckland‑based Managed Service Provider (MSP), and we regularly speak with business owners across Auckland and New Zealand who essentially have the same question:

“Are we actually secure, or are we just hoping we are?”

That’s exactly why we recommend starting with a cyber security checklist. Not a technical audit. Not a 40‑page report. Just a clear, practical baseline that removes uncertainty and focuses on the risks that actually impact NZ businesses.

 

Why every NZ business should take the cyber security checklist

Most cyber incidents don’t happen because a business ignores security entirely. They happen because basic controls aren’t applied consistently.

The New Zealand National Cyber Security Centre (NCSC) publishes the 10 Critical Controls, a practical framework designed to prevent, detect, or contain the majority of cyber attacks seen in New Zealand.

What we like about the NCSC 10 Critical Controls is that they’re:

  • Evidence‑based and NZ‑specific
  • Regularly reviewed against real incidents
  • Focused on fundamentals, not vendor tools

As an Auckland MSP, our role is to translate those controls into a plain‑English cyber security checklist that business owners can understand and act on, without needing to become IT experts.

The “Are We Basically Secure?” cyber security checklist

This checklist reflects the baseline we work through with most Auckland small and medium businesses.

If you can confidently tick most of these, you’re in a strong position. If not, you’ll know exactly where to focus.

> Download the checklist here

 

1. Software and systems are kept up to date

Unpatched software remains one of the most common entry points for attackers, which is why patching sits at the top of the NCSC 10 Critical Controls.

  • Operating systems, applications, firewalls and network devices are regularly updated
  • Unsupported or end‑of‑life systems are identified and removed
  • Updates happen automatically — not “when someone remembers”


2. Accounts are protected with more than passwords

Account compromise is still one of the fastest ways into a business environment.

  • Multi‑Factor Authentication (MFA) is enabled on email, cloud apps and remote access
  • Administrator accounts have additional protection
  • Passwords are not treated as the only line of defence

 

3. Backups are tested, not just enabled

Backups don’t protect your business unless they can be restored.

  • Backups run automatically
  • Restores are tested and verified
  • Backups are protected from ransomware or deletion
  • You understand how long recovery would realistically take


4. Access is limited to what people actually need

Excessive admin access allows small incidents to become major problems.

  • Staff are not local administrators unless required
  • Admin access is reviewed and documented
  • Accounts for former staff are removed promptly

 

5. Security issues would be detected early

You can’t respond to what you can’t see.

  • Security logs are collected centrally
  • Alerts exist for unusual or risky behaviour
  • Issues wouldn’t go unnoticed for months


6. There is a simple incident response plan

Incident response doesn’t need to be complex — it just needs to exist.

  • You know who to call if something looks wrong
  • Critical systems are identified
  • The plan fits on one page

 

7. Staff understand basic cyber risks

People remain a key part of any cyber security strategy.

  • Staff know how to spot suspicious emails or requests
  • There is some level of security awareness training
  • Suspicious activity is reported, not ignored

 

Why we align to the NCSC 10 Critical Controls

We base our cyber security checklist on the NCSC 10 Critical Controls because they provide a realistic and defensible baseline for NZ businesses.

Rather than chasing every new threat or tool, the controls help businesses:

  • Prioritise effort and budget
  • Reduce the most common attack paths
  • Build consistency across their IT environment

For most organisations, this checklist forms a strong foundation for ongoing improvement.


So, What Next?

Good cyber security shouldn’t feel overwhelming or mysterious.

If IT is keeping you awake at night, something’s not right.

A clear cyber security checklist brings visibility, reduces risk, and gives you confidence that the fundamentals are covered.

If you’re an Auckland business and want help working through this checklist, that’s exactly what we do at Revolution IT.

> Get in touch today

 

An article by Revolution IT in Auckland

Should you have any inquiries about this article or our services, feel free to reach out. We’re here to discuss your options, even if it’s just a casual chat.