The GCSB is urging New Zealand's critical businesses to stay alert in the face of increasing cyber threats, which can put nationally significant infrastructure in danger.
The intelligence agency has been working with tech giants Microsoft and Amazon Web Services, to have its government information security standards built into product templates for the rollout of cloud products.
GCSB director general Andrew Hampton said it has seen malicious actors, both state and criminal, increasingly exploit vulnerabilities in supply chains, such as service providers.
"Our advice is focused on how organisations can build their resilience to those types of attacks. Now, part of that is ensuring that your supply chain is protected and that's where these cloud security templates come in.
"But it's also about ensuring that you are governing cyber security at an all of organisational level. It's also about being ready for an attack because organisations now I think need to think about not it being a matter of if they are attacked, but when," Hampton said.
Another key focus was investment for resilience in cybersecurity, he said.
The agency said it recorded 404 cyber threat incidents last year, up 15 percent on the previous year.
About a third could be attributed to state sponsored actors and another third to criminal actors.
"One of the changes we have seen is a blurring of the distinctions between state and non-state actors. We are getting criminal actors for example who have sophisticated capabilities that previously tended to be in the hands of states," Hampton said.
Criminal actors were also operating out of safe havens provided by states, he said.
The GCSB's work with Microsoft and Amazon Web Services was judged the best security project at last week's Information Security Awards.
Hampton said it was the first time the agency had worked with the two major cloud service providers.
Building the government information security standards into its products provided confidence for the public and private sectors that they complied with security standards when they used the services, Hampton said.