Lessons from the Stryker Cyberattack
A global medical technology company. 56,000 employees. Operations in 60 countries. And in March 2026, systems wiped across every one of them — not because of a data breach or ransomware, but because of a school bombing in Iran.
Employees of Stryker Corporation arriving at work found an unfamiliar black-and-white cartoon figure staring back at them from their login screens. They were welcomed with the logo of a pro-Iranian hacktivist group called Handala. The attack took down ordering and shipping systems, with no timeline given for full restoration. The group claimed to have wiped more than 200,000 systems, servers, and mobile devices, and extracted 50 terabytes of critical data.
Stryker had no obvious connection to the conflict. One expert noted the company may have been targeted because of its 2019 acquisition of an Israeli medical technology company, or perhaps simply because attackers were scanning for vulnerable targets and Stryker presented an opening.
That second possibility is the one New Zealand businesses need to sit with.
You Don’t Have to Be the Target to Be Hit
The Stryker attack illustrates something uncomfortable about the modern threat landscape: your business doesn’t need to be politically relevant to become a casualty. According to IBM X-Force, Handala’s toolkit includes phishing, custom wiper malware, ransomware-style extortion, and hack-and-leak activity. Its focus is on generating disruptive and psychological impact.
One cybersecurity expert put it plainly: “Too much of cybersecurity is focused on lower consequence breaches from financially motivated enemies, while we’re increasing our exposures to nation states and other enemies who seek to disrupt and destroy.”
This is a wake-up call for local businesses, many of which operate as part of international supply chains, use US-based cloud platforms, or partner with companies that do.
The Attack Vector: Email First, Everything Else Second
Security experts confirm that phishing remains Handala’s primary attack method. That means that one of the most sophisticated geopolitical cyberattacks of 2026, one that crippled a $25 billion global company, almost certainly began with someone clicking a link in an email.
Stryker’s own statement confirmed a severe, global disruption across its Windows environment impacting both client devices and servers. The attack targeted the Microsoft environment. That’s the same platform most New Zealand businesses run their operations on every day.
What This Means for Your Business
The Stryker incident reinforces three disciplines that Kinetics has long advocated for local businesses:
Assume you are a target. Threat actors scan broadly. Being a smaller business in New Zealand is not a shield.
Your people are your perimeter. Security awareness training isn’t a box-ticking exercise. It is the difference between a suspicious email being deleted and an organisation being taken offline.
Business continuity must be tested, not just documented. Stryker had continuity plans in place. The question is whether yours would hold up under a real-world disruption at scale.
Building Resilience Before You Need It
Kinetics’ KARE Foundation service is designed precisely for this environment. It’s layered, proactive cybersecurity that addresses not just technical vulnerabilities but the human and operational factors that sophisticated attackers exploit. From managed endpoint detection and response to security awareness training and backup integrity, it’s the foundation that gives businesses confidence when the threat landscape shifts, as it has this week.
The lesson from Stryker isn’t that every Kiwi business should be afraid. It’s that being prepared is a business decision, not just an IT one.
4 methods to test your business continuity plan (BCP)
1. Tabletop exercise: Gather your leadership team and IT around a table. A facilitator presents a scenario: “It’s 8am Monday. Half your staff can’t log in. Your IT team finds the Handala logo on login screens. What do you do?” Walk through every decision. Who do you call? What’s the chain of authority? Where are the phone numbers stored? Are they in a system that’s now offline? This costs almost nothing and reveals gaps immediately.
2. Component testing: Test individual pieces in isolation. Can you actually restore from your backups? How long does it take? Is the restored data complete? Many businesses discover at this point that their backup regime looked good on paper but the restores are partial or weeks out of date. (KARE Backups are regularly tested.)
3. Parallel recovery simulation: Run a simulated recovery alongside normal operations. Don’t take production systems offline, but work through the recovery process as if you had to, measuring time and identifying blockers. This gives you realistic recovery time estimates without the risk of a full cutover.
4. Full simulation (red team/live fire): The most rigorous test: an external party attempts to simulate an attack while your team responds in real time. Expensive and disruptive, but for businesses with genuine high-stakes dependencies (finance, healthcare, critical infrastructure supply), it’s the only way to know for certain.
The questions your test must answer
Regardless of method, a cyberattack-specific BCP test should stress-test these specifically:
Communications: If email and Teams are down, how do you coordinate? Do staff know to go to a pre-agreed out-of-band channel (a personal group chat, a phone tree)? Is the phone tree stored somewhere other than the systems that are offline?
Authority and decisions: Who is authorised to shut down systems? To communicate externally with customers? To engage a cyber incident response firm? Decision paralysis in the first hour of an attack causes enormous additional damage.
Data recovery hierarchy: Not everything can be restored at once. What comes back first? Is that priority list documented and agreed before an incident?
Vendor and partner notification: Which of your suppliers or customers need to be told, and how quickly?