10 Questions Every Irish Director Should Ask Their IT Team About Cybersecurity

Ten specific cybersecurity questions every Irish director should ask their IT team. Covers MFA, NIS2, backups, insurance, and supply chain risk for Irish SMEs.

Across Ireland — from Donegal to Dublin — directors are personally responsible for cybersecurity governance under NIS2 and existing Irish company law. Not the IT team. Not the managed service provider. You.

The problem is that most directors do not know what questions to ask. They sit in board meetings, hear reassurances like "we have a firewall" and "our antivirus is up to date," and assume the business is protected. In most cases, it is not.

This article gives you ten specific questions to ask your IT team or provider. You do not need to understand the technical answers — you need to understand whether the answers exist at all. If your IT team cannot answer these questions clearly and confidently, that tells you everything you need to know about your current security posture.


Question 1: "If We Were Hit by Ransomware Tonight, How Long Before We Are Operational Again?"

Why this matters: This is the single most revealing question you can ask. The answer exposes whether your business has tested backups, a recovery plan, and a realistic understanding of downtime. A fishing industry firm we worked with lost three weeks of operations because their backups existed but had never been tested. The answer to this question should be measured in hours, not weeks.

What a good answer sounds like: "We have tested backups that are stored offline. We last tested a full restore on [specific date]. Our recovery time objective is [X hours] for critical systems."

What a bad answer sounds like: "We have backups." (No mention of testing, offline storage, or recovery time.)


Question 2: "Do We Have Multi-Factor Authentication on All Email Accounts?"

Why this matters: Business email compromise (BEC) is the single biggest fraud threat to Irish businesses. A Donegal business group lost over one million euro to a BEC attack. In almost every case, the attack succeeds because the email account was protected by a password alone — no multi-factor authentication (MFA).

What a good answer sounds like: "Yes, MFA is enforced on all accounts, including administrator accounts. We use authenticator apps, not SMS."

What a bad answer sounds like: "Most people have it. We haven't enforced it for everyone yet."


Question 3: "Who Has Administrator Access to Our Systems, and When Was It Last Reviewed?"

Why this matters: Administrator accounts can install software, change security settings, and access everything. If a former employee, a contractor, or an attacker gains access to an admin account, the damage is unlimited. Many Irish SMEs have admin accounts that belong to people who left the company years ago.

What a good answer sounds like: "We have [X] admin accounts. They were last reviewed on [date]. All former employees have been removed. We use separate admin accounts for daily work."

What a bad answer sounds like: "I'd have to check."


Question 4: "Are We in Scope for NIS2, and What Are We Doing About It?"

Why this matters: The NIS2 Directive applies to far more Irish businesses than most directors realise — including many SMEs in healthcare, food production, manufacturing, digital services, and the supply chain of larger regulated entities. Penalties reach ten million euro or 2% of global turnover. Directors can be held personally liable for non-compliance.

What a good answer sounds like: "We have assessed our NIS2 status using [specific methodology]. We are [in scope / not in scope]. Here is our compliance roadmap with deadlines."

What a bad answer sounds like: "NIS2 doesn't apply to us" — without evidence of a formal assessment.


Question 5: "What Happens If a Staff Member Clicks a Phishing Link?"

Why this matters: Phishing is the most common attack vector for Irish businesses. The question is not whether someone will click — it is what happens when they do. A mature security posture means the click is contained. An immature one means a single click leads to a full compromise.

What a good answer sounds like: "Our email filtering blocks most phishing attempts. If one gets through and is clicked, our endpoint protection isolates the device. We have a reporting process so staff can flag suspicious emails without fear of blame."

What a bad answer sounds like: "We tell people to be careful."


Question 6: "When Was Our Last Security Assessment, and What Did It Find?"

Why this matters: If the answer is "never" or "more than 12 months ago," your board is making governance decisions without current information. A security assessment does not need to be expensive or disruptive — but it does need to happen regularly.

What a good answer sounds like: "Our last assessment was [date]. It identified [X] high-priority issues. We have addressed [Y] and the remaining [Z] are scheduled for [date]."

What a bad answer sounds like: "We haven't done one."


Question 7: "Is Our Cyber Insurance Policy Actually Valid?"

Why this matters: Many Irish businesses have cyber insurance but have not read the policy conditions. Most policies require specific security controls — MFA, regular patching, tested backups, employee training — and will deny claims if those controls are not in place at the time of the incident.

What a good answer sounds like: "Our policy requires [specific controls]. We have verified that all conditions are met. Our broker confirmed this on [date]."

What a bad answer sounds like: "We have a policy. I think it covers cyber."


Question 8: "How Are We Managing Security in Our Supply Chain?"

Why this matters: NIS2 explicitly requires organisations to manage cybersecurity risk in their supply chain. Even if your own systems are secure, a compromised supplier can provide attackers with a direct path into your network. This is not theoretical — supply chain attacks are one of the fastest-growing attack vectors globally.

What a good answer sounds like: "We have classified our suppliers by risk tier. High-risk suppliers have completed a security questionnaire. We review this annually."

What a bad answer sounds like: "We trust our suppliers."


Question 9: "What Security Awareness Training Have Our Staff Completed This Year?"

Why this matters: Your staff are your first line of defence — and your biggest vulnerability. Regular, practical training reduces the likelihood of successful phishing, BEC, and social engineering attacks. One-off training at induction is not enough. The threat landscape changes constantly, and training must keep pace.

What a good answer sounds like: "All staff completed training in [month]. We run simulated phishing exercises quarterly. Our click rate has dropped from [X%] to [Y%] this year."

What a bad answer sounds like: "We did something when they joined."


Question 10: "Can You Show Me a One-Page Summary of Our Current Security Posture?"

Why this matters: If your IT team or provider cannot produce a clear, non-technical summary of your security posture, they do not have one. A board needs visibility — not a 50-page technical report, but a single page that shows: current risk level, key controls in place, outstanding gaps, and next actions. This is exactly what a vCISO provides.

What a good answer sounds like: A document is produced within 24 hours.

What a bad answer sounds like: Silence, or a promise to "put something together."


The Pattern You Should Be Looking For

If your IT team answered most of these questions confidently, with specific dates, numbers, and evidence — your business is in a stronger position than most Irish SMEs.

If the answers were vague, defensive, or non-existent — that is not necessarily a criticism of your IT team. Most IT providers are excellent at keeping systems running. But operational IT and cybersecurity governance are different disciplines. Your IT provider keeps the lights on. A vCISO keeps the business safe.


Related Reading

Book a free 20-minute strategy call with our vCISO team. We hold CISA, CISSP, and CISM certifications and work with Irish SMEs across multiple sectors.


NCSC Ireland: https://www.ncsc.gov.ie/advice-for-organisations/
An Garda Síochána: https://www.garda.ie/en/crime/cyber-crime/
DPC: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.