Belton IT Nexus · Est. 2004 · Newmarket, Auckland

How I actually feel about cyber security.

Not a lecture. A conversation, the same one I have with clients, friends and family. Five habits that stop most attacks, and the standards quietly sitting behind each one.

Jason Agnew, Founder & CEO
Jun 2026 · Security
8 min read

I've spent twenty-two years in this industry, and I'll tell you the thing most security marketing won't: the majority of incidents I've seen didn't start with a genius hacker. They started with a zip file someone opened, an invoice someone paid, or a password that hadn't changed since the office moved in. Cyber security mostly isn't a technology problem. It's a habits problem.

That's actually good news. Because habits are free, and the right handful of them stops most of what's actually aimed at a New Zealand business. So here's the conversation I keep having, at boardroom tables and at barbecues. None of it is my invention: every habit below is a recognised control from ISO 27001 or the Essential Eight, wearing casual clothes. I'll point at the standard as we go, so you can see this is engineering, not opinion.

1. Stop opening attachments you didn't ask for. Especially zip files.

If one change could prevent the most pain across our client base, it's this one. A zip file in an email is a box you can't see inside until you've opened it, and by then it's too late. Compressed files exist in attacks precisely because they smuggle payloads past filters and past your own judgement: you can't tell what's in there from the outside, and that's the point.

My rule is simple: if you weren't expecting it, don't open it. Not from a stranger, and honestly, not from a colleague either. A compromised supplier mailbox sends the most convincing malicious attachments you'll ever receive, because they arrive mid-conversation from someone you trust.

The better answer is to stop the file from travelling at all. Inside Microsoft 365, share a SharePoint or OneDrive link instead of an attachment. A link points at one copy of the document, in a place you control, behind your sign-in. If something's wrong, you revoke the link and it's gone; try doing that with an attachment that's already in forty inboxes.

The standard behind it: ISO 27001's malware controls (Annex A 8.7) and the Essential Eight's user-application hardening and macro restrictions exist for exactly this delivery path. When we configure a client's Microsoft 365, risky attachment types are filtered and macros from the internet are blocked by default, so the habit gets a safety net.
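To show what "a box you can't see inside" looks like from the filter's side, here is an added example (not Belton's code, and not Microsoft's) of the kind of check an inbound-mail filter runs on a zip attachment before a person ever sees it. It reads only the archive's directory, never extracts anything, and blocks on executable members, double extensions like invoice.pdf.exe, macro-enabled Office files, nested archives, encrypted members it cannot scan, and decompression-bomb ratios. The extension lists, the ratio threshold and the sample archives are all constructed for this example.

```python
import io
import zipfile
from typing import Dict, List

# Constructed policy lists for this example; a production filter is tuned per tenant.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe",
                  ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".msi", ".dll"}
MACRO_ENABLED_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
ARCHIVE_EXT = {".zip", ".7z", ".rar", ".iso", ".img", ".gz", ".tar"}
DOCUMENT_LOOKING_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_COMPRESSION_RATIO = 100  # uncompressed/compressed above this looks like a decompression bomb


def _parts(name: str) -> List[str]:
    """Lower-cased components of the last path segment: 'Invoice.pdf.exe' -> ['invoice', 'pdf', 'exe']."""
    return name.rsplit("/", 1)[-1].lower().split(".")


def _ext(name: str) -> str:
    parts = _parts(name)
    return "." + parts[-1] if len(parts) > 1 else ""


def _double_extension(name: str) -> bool:
    """A document-looking extension immediately followed by an executable one."""
    parts = _parts(name)
    return len(parts) >= 3 and "." + parts[-2] in DOCUMENT_LOOKING_EXT and "." + parts[-1] in EXECUTABLE_EXT


def triage_zip_attachment(data: bytes) -> Dict[str, object]:
    """Inspect the zip's central directory only (nothing is extracted) and return a verdict with reasons."""
    findings: List[str] = []
    members: List[str] = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"verdict": "block", "findings": ["not a valid zip archive"], "members": members}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            members.append(info.filename)
            ext = _ext(info.filename)
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted, so it cannot be scanned
                findings.append(f"{info.filename}: encrypted member, cannot be scanned")
            if ext in EXECUTABLE_EXT:
                findings.append(f"{info.filename}: executable content")
            if _double_extension(info.filename):
                findings.append(f"{info.filename}: double extension disguises an executable")
            if ext in MACRO_ENABLED_EXT:
                findings.append(f"{info.filename}: macro-enabled Office document")
            if ext in ARCHIVE_EXT:
                findings.append(f"{info.filename}: nested archive")
            if info.compress_size > 0 and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO:
                findings.append(f"{info.filename}: compression ratio suggests a decompression bomb")
    return {"verdict": "block" if findings else "allow", "findings": findings, "members": members}


def build_sample_attachments() -> Dict[str, bytes]:
    """Constructed sample archives for this example; none of the content is a real document or binary."""
    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Q3-report.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("notes.txt", b"meeting notes")
    suspicious = io.BytesIO()
    with zipfile.ZipFile(suspicious, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_4471.pdf.exe", b"MZ constructed placeholder, not a real binary")
        zf.writestr("Invoice_4471.xlsm", b"constructed placeholder")
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as izf:
            izf.writestr("readme.txt", b"inner")
        zf.writestr("more.zip", inner.getvalue())
        zf.writestr("padding.bin", b"\x00" * 2_000_000)  # 2 MB of zeros compresses to a few KB
    return {"benign": benign.getvalue(), "suspicious": suspicious.getvalue(), "garbage": b"not a zip"}


if __name__ == "__main__":
    for label, blob in build_sample_attachments().items():
        result = triage_zip_attachment(blob)
        print(label, result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
```

The verdict is a block-or-allow decision with its reasons, which is what you want in a mail-flow log: when a user asks why their supplier's zip never arrived, the answer is one line, not a forensic exercise.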

2. Share documents like you mean it.

Email attachments are photocopies you can never collect back. Every forward creates another copy, on another device, outside your control, forever. For a contract, a payroll file or a client's financials, that should bother you.

Secure sharing means the document stays in one governed place and people come to it. A link with a scope: this person, this company, view-only, expires in two weeks. An audit trail of who opened what, when. The ability to change your mind after you've hit send. This isn't exotic; it's built into the Microsoft 365 you already pay for. Most businesses just haven't turned the behaviour into the default.

And if you're sending something genuinely sensitive to someone outside your tenant (a lawyer, a bank, an accountant), use a sharing link with verification, not an attachment, and never put the password in the same email. (Yes, we still see that. Weekly.)

The standard behind it: ISO 27001 calls this information transfer (Annex A 5.14) and access restriction (8.3): agreed, controlled ways of moving information, instead of whatever's fastest. We set those defaults so the secure way is also the easy way.
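The governed-link model above, written out as an added example so the moving parts are visible. This is not Belton's code and not the SharePoint or OneDrive implementation; it is a small model with the same properties the section lists: a scope (named people or the whole organisation), a permission ceiling, an expiry, identity verification for whoever follows the link, revocation after sending, and an audit entry for every attempt, allowed or denied. The organisation domain, the recipient addresses and the fourteen-day lifetime are constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Tuple

ORG_DOMAIN = "example.co.nz"          # constructed tenant domain for this example
PERMISSION_RANK = {"view": 1, "edit": 2}


@dataclass
class SharingLink:
    doc_id: str
    scope: str                        # "specific-people" or "organization"
    recipients: FrozenSet[str]        # consulted only for "specific-people"
    permission: str                   # the most a holder of this link may do
    expires_at: datetime
    revoked: bool = False
    audit: List[dict] = field(default_factory=list)


def create_link(doc_id: str, scope: str, recipients: List[str], permission: str,
                now: datetime, ttl_days: int = 14) -> SharingLink:
    """One copy of the document, one link, with an expiry set at creation rather than left open-ended."""
    return SharingLink(doc_id, scope, frozenset(r.lower() for r in recipients),
                       permission, now + timedelta(days=ttl_days))


def revoke(link: SharingLink) -> None:
    """Changing your mind after you've hit send: every later attempt is refused."""
    link.revoked = True


def access(link: SharingLink, email: str, action: str, identity_verified: bool,
           now: datetime) -> Tuple[bool, str]:
    """Decide one access attempt; every branch, allowed or denied, lands in the audit trail."""
    email = email.lower()
    if link.revoked:
        decision = (False, "link revoked")
    elif now >= link.expires_at:
        decision = (False, "link expired")
    elif link.scope == "specific-people" and email not in link.recipients:
        decision = (False, "not a named recipient")
    elif link.scope == "organization" and not email.endswith("@" + ORG_DOMAIN):
        decision = (False, "outside the organisation")
    elif not identity_verified:
        decision = (False, "recipient has not verified their identity")
    elif PERMISSION_RANK.get(action, 99) > PERMISSION_RANK[link.permission]:
        decision = (False, f"link is {link.permission}-only")
    else:
        decision = (True, "ok")
    link.audit.append({"when": now.isoformat(), "who": email, "action": action,
                       "allowed": decision[0], "reason": decision[1]})
    return decision


def audit_trail(link: SharingLink) -> List[str]:
    """Who opened (or tried to open) what, when, as one line per attempt."""
    return [f"{e['when']} {e['who']} {e['action']} -> "
            + ("allowed" if e["allowed"] else "denied: " + e["reason"]) for e in link.audit]


def run_scenario() -> Dict[str, object]:
    """A constructed walk-through: a contract shared view-only with one external lawyer."""
    now = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
    link = create_link("contract-2026-07", "specific-people", ["Lawyer@firm.example"], "view", now)
    results = {
        "lawyer_view": access(link, "lawyer@firm.example", "view", True, now),
        "lawyer_edit": access(link, "lawyer@firm.example", "edit", True, now),
        "lawyer_unverified": access(link, "lawyer@firm.example", "view", False, now),
        "forwarded_to_stranger": access(link, "stranger@elsewhere.example", "view", True, now),
        "after_expiry": access(link, "lawyer@firm.example", "view", True, now + timedelta(days=15)),
    }
    revoke(link)
    results["after_revoke"] = access(link, "lawyer@firm.example", "view", True, now)
    results["trail"] = audit_trail(link)
    return results


if __name__ == "__main__":
    for line in run_scenario()["trail"]:
        print(line)
```

The forwarded-to-stranger case is the one that matters: with an attachment, the forward simply works and nobody knows; with a scoped link, the forward fails and the attempt is on the record.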

3. No verification, no money. Ever.

This is the habit I'd make law if I could. Invoice redirection (business email compromise) is where small businesses lose the big money. The scam is brutally simple: a real supplier's mailbox gets compromised, a real invoice arrives in a real thread, and the only thing that's changed is the bank account number. Everything about it looks legitimate, because everything about it is legitimate except one detail.

So the rule has nothing to do with technology: any new bank account, any changed bank account, any unusually large or urgent payment gets verified through a second channel before money moves. That means in person, or a phone call to the number you already had on file, never the number printed on the invoice, because the attacker chose what's printed there. Thirty seconds of awkwardness against six figures of loss. I know which side of that trade I'm on.

Urgency is the tell, by the way. "Pay today or we lose the deal" is precisely engineered to make you skip the call. The more pressure an email applies, the more certain the verification should be.

The standard behind it: this is segregation of duties and verified identity in ISO 27001 terms (Annex A 5.3, 5.16), and it's front and centre in the NCSC's guidance on payment scams. We back the habit with email security that flags impersonation and lookalike domains, but the phone call is the control that holds when everything else has been fooled.
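The rule above is simple enough to encode, and encoding it is how an accounts-payable system stops relying on whoever is busiest that afternoon. The following is an added example, not Belton's code and not any particular finance product: it compares each invoice against the vendor master file, holds anything with a new or changed account, a large amount or an urgency flag, and releases the hold only on a recorded second-channel verification that confirmed that exact account, is still fresh, and (for a phone check) was made to the number on file rather than the one printed on the invoice. The payment threshold, the thirty-day freshness window, the vendor record and the invoice values are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LARGE_PAYMENT_NZD = 20_000      # constructed threshold; take this from your own payment policy
VERIFICATION_VALID_DAYS = 30    # a confirmed account change stays valid this long


@dataclass(frozen=True)
class VendorRecord:             # the master file, populated when the vendor was onboarded
    vendor_id: str
    bank_account: str
    phone_on_file: str


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    amount: float
    bank_account: str
    contact_phone: str          # whatever is printed on the invoice; attacker-chosen in a BEC case
    urgent: bool = False


@dataclass(frozen=True)
class Verification:             # the record of a second-channel check
    vendor_id: str
    bank_account: str           # the account the vendor actually confirmed
    channel: str                # "phone" or "in-person"
    number_dialled: Optional[str]
    when: datetime


def payment_decision(inv: Invoice, master: Dict[str, VendorRecord],
                     verifications: List[Verification], now: datetime) -> Dict[str, object]:
    """Release only when nothing needs checking, or when an acceptable verification exists."""
    reasons: List[str] = []
    vendor = master.get(inv.vendor_id)
    if vendor is None:
        reasons.append("new vendor: no master record")
    elif inv.bank_account != vendor.bank_account:
        reasons.append("bank account differs from master file")
    if inv.amount >= LARGE_PAYMENT_NZD:
        reasons.append("large payment")
    if inv.urgent:
        reasons.append("urgency flagged by sender")
    if not reasons:
        return {"release": True, "reasons": [], "verified_by": None}
    for v in verifications:
        if v.vendor_id != inv.vendor_id or v.bank_account != inv.bank_account:
            continue                                    # confirmed some other account, not this one
        if now - v.when > timedelta(days=VERIFICATION_VALID_DAYS):
            continue                                    # stale: the account may have moved again
        if v.channel == "phone" and (vendor is None or v.number_dialled != vendor.phone_on_file):
            continue                                    # dialling the invoice's number just confirms with the attacker
        return {"release": True, "reasons": reasons, "verified_by": f"{v.channel} on {v.when.date()}"}
    return {"release": False, "reasons": reasons, "verified_by": None}


def run_scenario() -> Dict[str, Dict[str, object]]:
    """Constructed cases: a routine invoice, then the same supplier with a changed account."""
    now = datetime(2026, 6, 15, tzinfo=timezone.utc)
    master = {"V-100": VendorRecord("V-100", "12-3456-0123456-00", "+64 9 555 0100")}
    routine = Invoice("V-100", 4_500.00, "12-3456-0123456-00", "+64 9 555 0100")
    changed = Invoice("V-100", 4_500.00, "12-3456-0999999-00", "+64 9 555 0199", urgent=True)
    large = Invoice("V-100", 45_000.00, "12-3456-0123456-00", "+64 9 555 0100")
    good_call = Verification("V-100", changed.bank_account, "phone", "+64 9 555 0100", now - timedelta(days=1))
    bad_call = Verification("V-100", changed.bank_account, "phone", changed.contact_phone, now - timedelta(days=1))
    stale_call = Verification("V-100", changed.bank_account, "phone", "+64 9 555 0100", now - timedelta(days=40))
    return {
        "routine": payment_decision(routine, master, [], now),
        "changed_unverified": payment_decision(changed, master, [], now),
        "changed_verified_number_on_file": payment_decision(changed, master, [good_call], now),
        "changed_verified_number_on_invoice": payment_decision(changed, master, [bad_call], now),
        "changed_verified_stale": payment_decision(changed, master, [stale_call], now),
        "large_unverified": payment_decision(large, master, [], now),
    }


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {'RELEASE' if decision['release'] else 'HOLD'} {decision['reasons']}")
```

The case to notice is changed_verified_number_on_invoice: a call was made, a person did confirm the account, and the payment still stays on hold, because the number came from the invoice and the invoice came from the attacker.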

4. Rotate your wireless passphrases.

Here's an uncomfortable question: how many people know your office Wi-Fi password right now? Every former staff member, every contractor who visited, every mate of a mate who asked for it, and every one of their devices, which remember it forever. A Wi-Fi passphrase only ever accumulates holders. It never sheds them on its own.

So treat it like the key it is. Rotate it on a schedule and after anyone with access leaves. Keep guests and personal devices on a separate guest network that can't see your business systems, so the passphrase you hand out over coffee isn't the one protecting your file server. Make it long (a passphrase, not a password), because length is what makes wireless keys genuinely hard to crack.

For businesses past a certain size, the grown-up answer is certificate or identity-based Wi-Fi, where each person signs in as themselves and leavers lose access the moment they're offboarded, no rotation required, because nobody shares a secret in the first place.

The standard behind it: network security and segregation in ISO 27001 (Annex A 8.20–8.22): control who joins your networks, and separate the ones that matter from the ones you share. The guest network isn't hospitality, it's segmentation.
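To put numbers on "rotate on a schedule and after anyone leaves" and "length is what makes wireless keys hard to crack", here is an added example (not Belton's code, and not any wireless vendor's tooling). It decides whether a rotation is due from the last rotation date and the offboarding dates since, generates a passphrase from a word list with a cryptographic random source, checks the passphrase fits the 8-to-63-printable-ASCII limit that WPA2 pre-shared keys have, and compares the entropy of word-based passphrases against short random passwords. The ninety-day interval, the dates and the small word list are constructed; the word list is deliberately tiny so the entropy figures show why a real deployment needs a list of thousands of words.

```python
import math
import secrets
import string
from datetime import date, timedelta
from typing import Dict, List

ROTATION_INTERVAL_DAYS = 90   # constructed policy value

# Constructed 32-word list for the example. A real deployment uses a large list
# (thousands of words), because entropy per word is log2(list size).
WORDLIST = ["harbour", "kauri", "fern", "tide", "basalt", "lantern", "paddle", "gannet",
            "summit", "cobalt", "orchard", "ember", "glacier", "marlin", "quartz", "saddle",
            "tussock", "violet", "walnut", "yonder", "zephyr", "anchor", "bramble", "cinder",
            "driftwood", "estuary", "falcon", "granite", "heron", "inlet", "juniper", "kelp"]


def rotation_status(last_rotated: date, today: date, offboarded: List[date]) -> Dict[str, object]:
    """Due on the calendar, or whenever someone who held the passphrase has left since it last changed."""
    reasons: List[str] = []
    if today - last_rotated >= timedelta(days=ROTATION_INTERVAL_DAYS):
        reasons.append("scheduled rotation overdue")
    leavers = [d for d in offboarded if d > last_rotated]
    if leavers:
        reasons.append(f"{len(leavers)} leaver(s) since last rotation still hold the passphrase")
    return {"due": bool(reasons), "reasons": reasons}


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Each uniformly chosen word contributes log2(list size) bits."""
    return n_words * math.log2(wordlist_size)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Each uniformly chosen character contributes log2(alphabet size) bits."""
    return length * math.log2(alphabet_size)


def wpa_psk_length_ok(passphrase: str) -> bool:
    """WPA2-PSK passphrases are 8 to 63 printable ASCII characters (64 hex digits is the raw-key form)."""
    return 8 <= len(passphrase) <= 63 and all(c in string.printable and c not in "\t\n\r\x0b\x0c" for c in passphrase)


def generate_passphrase(n_words: int = 5, wordlist: List[str] = WORDLIST) -> str:
    """Words joined by hyphens, chosen with the secrets module rather than random.choice."""
    return "-".join(secrets.choice(wordlist) for _ in range(n_words))


def compare_strength() -> Dict[str, float]:
    """Entropy in bits for a few constructed choices, rounded for readability."""
    return {
        "8 random alphanumeric chars": round(password_entropy_bits(8, 62), 1),
        "5 words from this 32-word list": round(passphrase_entropy_bits(5, len(WORDLIST)), 1),
        "5 words from a 7776-word list": round(passphrase_entropy_bits(5, 7776), 1),
        "7 words from a 7776-word list": round(passphrase_entropy_bits(7, 7776), 1),
    }


def run_scenario() -> Dict[str, object]:
    """Constructed dates: last rotated in February, one contractor offboarded in April."""
    today = date(2026, 6, 15)
    return {
        "fresh": rotation_status(date(2026, 5, 1), today, []),
        "stale": rotation_status(date(2026, 2, 1), today, []),
        "leaver": rotation_status(date(2026, 5, 1), today, [date(2026, 4, 10), date(2026, 6, 2)]),
        "strength": compare_strength(),
    }


if __name__ == "__main__":
    for name, status in run_scenario().items():
        print(name, status)
    candidate = generate_passphrase(5)
    print(candidate, "fits WPA2-PSK limits:", wpa_psk_length_ok(candidate))
```

Five words from a tiny list is not strong, which is the point of running the comparison: the strength is in the size of the list and the number of words, not in how clever any one word is.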

5. The rest of the conversation

If we keep talking past the first coffee, here's where it goes next, quick fire:

  • Multi-factor authentication on everything. The single highest-value control in existence, and an Essential Eight pillar. A stolen password without the second factor is a key to a door that no longer exists.
  • Updates within days, not months. Most successful attacks exploit holes that were patched long before. Patching applications and patching operating systems quickly count as two of the Essential Eight's eight strategies; that's how much it matters.
  • Backups you've actually restored. An untested backup is a hope, not a plan (ISO 27001 Annex A 8.13 expects the test, not just the copy). Ransomware negotiates very differently with a business that can restore last night's data.
  • Nobody works as admin. Day-to-day accounts shouldn't have administrator rights; restricting privilege is another Essential Eight pillar, and it turns "someone clicked the wrong thing" from a disaster into a Tuesday.
  • Train the least technical person, not the most. Awareness training (ISO 27001 Annex A 6.3) pays off most with the people attackers actually target: accounts, reception, the front line of the inbox.

Why I keep mentioning the standards

You might have noticed every habit came with a control number attached. That's deliberate. Frameworks like ISO 27001 and the Essential Eight aren't paperwork for big corporates; they're the distilled record of what actually went wrong for thousands of organisations, and what measurably prevents it. When I give you advice, I want you to be able to check it isn't just my opinion.

It's also how we run client environments: mapped to those standards, with evidence. Not because every SMB needs certification (most don't), but because "aligned to a recognised standard, and we can show you" beats "trust us" every single time. Your insurer increasingly agrees, your bigger customers' procurement teams definitely agree, and so does the brief I hold my own team to: proof, not promises.

Cyber security isn't a product you buy. It's a handful of habits, held consistently, with engineering behind them that makes the safe way the easy way.

That's how I feel about cyber. Less fear, more habit. If any of the five made you wince in recognition, the zip you opened last week, the Wi-Fi password from 2019, the invoice you paid without calling, that wince is worth a conversation. It's free, and I promise it'll be a conversation, not a pitch.

Jason Agnew, Founder & CEO, Belton IT Nexus. Twenty-two years building specialist IT and security for New Zealand business.