Originally published at tpdowns.com
A Kiwi tradie had his business laptop encrypted by ransomware last year. Cost him $8,000 in downtime and a $4,500 ransom - which he paid. The tool that would have stopped it costs under $80 a year.
Small businesses in New Zealand get hit harder by cyber attacks than most owners realise. CERT NZ reported over 8,500 incidents in 2023, and the majority targeted organisations with fewer than 20 staff. The attackers aren't after big enterprise networks - they go where defences are weakest, and a small NZ business with no IT team and five Windows laptops is a prime target.
This guide covers the four tools worth your money in 2026, what each actually costs in NZD, and which combination makes sense for your size.
The four threats NZ small businesses actually face
Before spending anything, know what you're defending against:
- Phishing emails - fake invoices from "IRD", fake bank alerts, fake courier notifications. Someone clicks, enters credentials, and you're compromised.
- Ransomware - your files get encrypted overnight. You pay or you lose everything.
- Credential theft - a password you've reused across multiple accounts gets leaked in a data breach and sold on dark web markets.
- Unpatched software - attackers scan for known vulnerabilities in outdated Windows or browser versions and exploit them automatically.
Good news: you don't need enterprise-grade tools to defend against these. Three targeted products handle 90% of real-world risk for most NZ small businesses.
1. Avast Essential Business Security - best value endpoint protection
Avast sells directly to NZ businesses with NZD pricing, which is unusual. Their Essential plan is NZ$48.14 per device per year (first year), or NZ$60.17 at renewal - that's roughly $4 per device per month. For a 5-device office, you're looking at around NZ$240 a year all up.
What you get: real-time antivirus across Windows, Mac, and servers; a web shield that blocks malicious sites before they load; an email shield that catches phishing attempts; and a firewall. Everything manages from a web dashboard - no IT team required.
The web shield is the part that matters most. It stops the phishing link before the browser renders it, so even if someone clicks a dodgy "IRD refund" email link, Avast intercepts it.
Who it's right for: any NZ business with 2–20 devices that needs endpoint protection without a complicated setup. Staff can self-install using a download link you send them.
Who should look elsewhere: if you need patch management (automated software updates) or mobile device management, step up to Avast Premium Business Security (NZ$76.43/device/year at renewal) or consider Bitdefender GravityZone.
Get a quote at avast.com/en-nz/business.
2. Bitdefender GravityZone Business Security - best value for growing teams
Bitdefender's GravityZone Business Security starts at around USD$132.99/year for up to 3 devices (roughly NZ$220 at current exchange rates). It covers Windows, Mac, Linux, iOS, and Android from a single cloud console.
Where Bitdefender beats Avast: patch management is included. The console automatically identifies outdated software across all devices and can push updates without staff needing to do anything. For a business where employees run personal apps on work machines, this is the gap that gets exploited most.
GravityZone also has better ransomware mitigation - it creates protected backup copies of your files that can't be modified by ransomware processes. If something does get through, you restore from there rather than paying anyone.
The management console is more complex than Avast's, so factor in half a day of setup time the first time.
Who it's right for: businesses with 5–50 devices, a mix of operating systems, or staff who travel and connect to public Wi-Fi regularly.
Who should look elsewhere: if you're under 5 devices and not technical, Avast is simpler. If you need 24/7 threat monitoring, look at ThreatDown (below).
See GravityZone plans at bitdefender.com/business.
3. ThreatDown (formerly Malwarebytes for Teams) - best for ransomware focus
Malwarebytes rebranded its business product to ThreatDown in late 2023. The Core tier starts at around USD$50 per endpoint per year (roughly NZ$83 at current exchange rates). The Elite tier, which adds 24/7 managed detection and response, runs USD$99/endpoint/year (roughly NZ$163).
If your business handles client data - any kind of financial records, legal documents, health information - ThreatDown Elite is worth considering. You get a team watching for threats around the clock, not just software running locally.
The Core tier is strong on ransomware specifically. Malwarebytes made its name on ransomware rollback - it monitors process behaviour rather than just known malware signatures, which means it catches novel ransomware variants that Avast or Bitdefender might miss in the first hours after a new variant appears.
Who it's right for: businesses handling sensitive client data, or anyone who had a malware incident before and wants a second layer of active protection alongside their antivirus.
Who should use Core vs Elite: Core is fine for most businesses. Elite makes sense if you'd pay ransomware to get your data back - the managed response service typically intervenes before that point.
See ThreatDown plans at threatdown.com.
4. 1Password Business - non-negotiable for credential security
Credential theft is the most common attack vector in NZ small business incidents. Most businesses are still letting staff choose their own passwords, reusing them across services, and storing them in browser autofill or a shared spreadsheet.
1Password Business costs USD$7.99 per user per month (billed annually), around NZ$13.20 per person per month at current rates. For 5 staff, that's roughly NZ$790 a year.
What it does: every staff member gets a personal encrypted vault. You create shared vaults for business credentials (the Xero login, the bank portal, the Wi-Fi passwords) that only specific people can access. When someone leaves, you revoke their access and the credentials stay safe.
The admin dashboard shows you who has weak passwords, who's reusing passwords across sites, and flags accounts where credentials were found in known data breaches. That last feature has saved multiple NZ businesses I'm aware of - you find out your accounting portal login was leaked before an attacker does.
There's also a Teams Starter plan for up to 10 users at USD$19.95/user annually (roughly NZ$2.75/user/month). Read the fine print - it doesn't include the admin reporting features.
Who it's right for: every business with more than one employee. Non-negotiable if staff access banking, Xero, client portals, or anything where a breach would cause real damage.
See 1Password Business pricing at 1password.com/business.
What a realistic NZ small business setup costs
For a 5-person team:
| Tool | Cost per year (NZD approx.) |
|---|---|
| Avast Essential Business (5 devices) | NZ$240 first year |
| 1Password Business (5 users) | NZ$790/year |
| Total | ~NZ$1,030/year |
That's roughly NZ$200 per person per year, or less than a single hourly rate for an IT callout. Add ThreatDown Core if you handle client financial data (another ~NZ$415/year for 5 devices).
Compare that to the cost of a ransomware incident: average ransom paid by small NZ businesses was around NZ$12,000 in 2023, plus downtime, client notification, and potential Privacy Commissioner obligations if personal data was exposed.
The one thing most NZ businesses skip
Two-factor authentication (2FA). Every tool on this list supports it, but it only works if staff actually use it.
Set up 1Password first - it manages 2FA codes alongside passwords, so it doesn't add friction. Then enable 2FA on Xero, your bank portal, Microsoft 365, and Google Workspace. If someone's credentials get stolen, 2FA stops the attacker logging in.
This costs nothing and takes 30 minutes to set up across your team.
Which to buy first
If budget is tight, prioritise in this order:
- 1Password Business - credential theft is the most likely attack vector and this closes it.
- Avast Essential Business Security - antivirus on every device prevents the most common malware.
- ThreatDown Core - add this when you can if you handle sensitive client data.
If you're setting up from scratch with a reasonable budget, run Avast plus 1Password. That combination handles phishing, malware, ransomware, and credential theft - the four threats that account for most real NZ small business incidents.
Pricing correct as of May 2026. USD/NZD conversion at approximately 1.65. Check vendor sites for current NZ pricing.
Top comments (0)