12 Steps to Cyber Security: The Complete Guide for Irish Businesses

The NCSC Ireland 12-step cyber security framework explained in plain English for Irish SMEs. Practical actions for each step with an Irish business focus.

When a Cork manufacturing business was hit by ransomware in late 2024, the attackers had been inside their network for eleven days before anyone noticed. They encrypted the production management system, the accounts database, and the email archive. Recovery took three weeks and cost more than €80,000, not counting the contracts that went elsewhere while their systems were down. The painful part was this: NCSC Ireland's own guidance had flagged every single vulnerability the attackers exploited. Unpatched software, no MFA, no tested backups, no incident response plan. The 12-step framework existed. The business simply had not worked through it.

If you run a business in Ireland today, cybersecurity is no longer optional. It is a survival skill. Yet for most owner-managers, the subject feels overwhelming — a wall of jargon, an endless list of products, and no clear starting point. This guide changes that. It is based on NCSC Ireland's own 12-step framework for building cyber resilience, translated into plain language with practical actions for Irish SMEs.[^1]

WHAT: The Framework Explained

NCSC Ireland structures its guidance around twelve interconnected areas. The steps are not a checklist to be ticked off once and forgotten. They are a cycle, designed to be revisited annually as your business changes and as threats evolve. The good news is that you do not need to complete all twelve before your defences improve significantly. Steps 5 and 6 — awareness training and basic technical protections — deliver the greatest risk reduction and are the right place to start.

Step 1: Establish Governance. Every successful security programme starts at the top. Designate one person as responsible for cybersecurity, even if that person is you, the owner. Agree a simple acceptable use policy covering passwords, devices, and what to do if something goes wrong. Without ownership, nothing else sticks.

Step 2: Identify What Matters Most. You cannot protect what you do not know you have. Map your digital assets: customer data, financial systems, operational software, intellectual property. Rank them by how critical they are to the business. This map drives every security decision that follows.

Step 3: Understand the Threats. Irish SMEs face a consistent set of threats: phishing and social engineering, ransomware, business email compromise, and supply chain attacks. A small accountancy firm in Donegal and a food manufacturer in Cork face different specific risks, but both face more risk than most owners realise. Understanding which threats are most realistic for your business allows you to focus your defences where they matter most.

Step 4: Define Your Risk Appetite. This step asks a simple question: how much risk are you willing to accept, and what are you willing to spend to reduce it? Estimate the cost of your most likely attack scenario. Decide which risks you will invest to reduce, which you will transfer through insurance, and which you will accept. Document those decisions. That documentation matters if you ever face a regulatory investigation or an insurance claim.

Unsure where to focus your security investment first? Book a free 20-minute strategy call — we will give you an honest assessment of your risk profile and your most urgent priorities.

Step 5: Education and Awareness. Most cyberattacks that succeed against Irish businesses do so because of human error, not technical failure. An employee clicks a link they should not have. A manager approves a payment request without verifying it. Training fixes this. It does not need to be expensive: regular short briefings, phishing simulation exercises, and clear reporting procedures cover the essentials. The key word is "regular." A one-off induction session is not enough.

Step 6: Basic Protections. This is the highest-impact step for most Irish SMEs. Four controls together eliminate the majority of your risk. Multi-factor authentication prevents credential theft from succeeding even when passwords are stolen. Systematic patch management closes the vulnerabilities that attackers rely on most. Endpoint protection — modern EDR tools, not legacy antivirus — detects suspicious behaviour before attacks spread. And a tested backup strategy ensures you can recover from ransomware without paying a ransom.
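A backup counts as tested only once it has been restored somewhere and checked file by file. The script below is an added example, not part of this article or of NCSC Ireland's guidance: it copies a sample folder into a backup location, records a SHA-256 manifest at backup time, restores the copy to a fresh directory and verifies every file against the manifest, so a silently corrupted or missing file is reported during a routine test rather than discovered mid-incident. The directory names and sample files are constructed for the demonstration; the approach applies to any file-level backup.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, backup_root: Path) -> Path:
    """Copy `source` to backup_root/data and write manifest.json (relative path -> sha256)."""
    data_dir = backup_root / "data"
    shutil.copytree(source, data_dir)
    manifest = {
        p.relative_to(data_dir).as_posix(): sha256_file(p)
        for p in sorted(data_dir.rglob("*"))
        if p.is_file()
    }
    (backup_root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_root


def restore(backup_root: Path, target: Path) -> Path:
    """Restore the backed-up tree to a new location (never over the live data)."""
    shutil.copytree(backup_root / "data", target)
    return target


def verify(restored: Path, manifest_path: Path) -> list:
    """Compare every file in the restored tree against the manifest; return a list of problems."""
    manifest = json.loads(manifest_path.read_text())
    problems = []
    for rel, expected in manifest.items():
        candidate = restored / rel
        if not candidate.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(candidate) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def run_restore_test():
    """Constructed end-to-end test: an intact restore passes, a damaged one is reported."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"  # constructed stand-in for a real data directory
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "ledger.csv").write_text("date,amount\n2025-01-01,100\n")
        (live / "readme.txt").write_text("constructed sample data\n")

        backup = make_backup(live, tmp / "backup")
        manifest = backup / "manifest.json"

        # A clean restore should verify with no problems.
        good = verify(restore(backup, tmp / "restore_ok"), manifest)

        # Simulate damage to a second restore: one file corrupted, one file lost.
        damaged = restore(backup, tmp / "restore_bad")
        (damaged / "accounts" / "ledger.csv").write_text("corrupted\n")
        (damaged / "readme.txt").unlink()
        bad = verify(damaged, manifest)
        return good, bad


if __name__ == "__main__":
    ok, problems = run_restore_test()
    print("intact restore:", ok or "no problems")
    print("damaged restore:", problems)
```

Run the restore into a separate directory on a schedule and route a non-empty problem list to the same monitored mailbox used for other security alerts; a test that only checks the backup job "completed" tells you nothing about whether the data can actually be recovered.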

Step 7: Detection. Most organisations that suffer significant damage from a cyberattack do not fail to prevent it — they fail to detect it quickly enough. The average time between compromise and discovery in Ireland is measured in weeks. Set up alerts from your security tools to a monitored email address. Review access logs periodically. Know what normal looks like so you can spot what is not normal.
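The advice to "know what normal looks like" can be turned into a routine check rather than a vague intention. The script below is an added example, not part of this article or of NCSC Ireland's guidance: it builds a per-user baseline of sign-in countries from a known-good period, then reviews a later batch of sign-in lines for a burst of failed sign-ins, a success that follows repeated failures, a success from a country the user has never signed in from, and a success outside working hours. The log line format, the user names, the thresholds and the 07:00 to 19:00 UTC working-hours window are all constructed assumptions; a real Microsoft 365 or Google Workspace sign-in export has its own layout and needs its own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sign-in line format for this example (real platform exports differ).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) result=(?P<result>success|failure) country=(?P<country>[A-Z]{2})$"
)


def parse_line(line: str):
    """Return a dict for one sign-in line, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "result": m["result"], "country": m["country"]}


def parse_log(text: str) -> list:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def build_baseline(events: list) -> dict:
    """'What normal looks like': the countries each user has successfully signed in from."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]].add(e["country"])
    return baseline


def review(events, baseline, fail_threshold=5, window=timedelta(minutes=10),
           business_hours=(7, 19)):
    """Apply four simple rules; returns a list of (timestamp, user, rule) tuples."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> failure timestamps inside the window
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ts = e["user"], e["ts"]
        recent_failures[user] = [t for t in recent_failures[user] if ts - t <= window]
        if e["result"] == "failure":
            recent_failures[user].append(ts)
            if len(recent_failures[user]) == fail_threshold:  # alert once per burst
                alerts.append((ts, user, "failed_signin_burst"))
            continue
        if e["country"] not in baseline.get(user, set()):
            alerts.append((ts, user, "new_country"))
        if len(recent_failures[user]) >= 3:
            alerts.append((ts, user, "success_after_failures"))
        if not business_hours[0] <= ts.hour < business_hours[1]:  # hours are UTC here
            alerts.append((ts, user, "out_of_hours"))
        recent_failures[user].clear()
    return alerts


# Constructed "known good" month used to learn each user's normal countries.
BASELINE_LOG = """
2025-02-03T09:01:10Z user=aoife@example.ie result=success country=IE
2025-02-04T08:55:02Z user=aoife@example.ie result=success country=IE
2025-02-05T10:12:40Z user=sean@example.ie result=success country=IE
2025-02-12T14:30:00Z user=sean@example.ie result=success country=GB
"""

# Constructed lines for the period under review, including one line that does not parse.
REVIEW_LOG = """
2025-03-03T08:05:00Z user=aoife@example.ie result=success country=IE
2025-03-03T02:10:00Z user=sean@example.ie result=failure country=NG
2025-03-03T02:11:00Z user=sean@example.ie result=failure country=NG
2025-03-03T02:12:00Z user=sean@example.ie result=failure country=NG
2025-03-03T02:13:00Z user=sean@example.ie result=failure country=NG
2025-03-03T02:14:00Z user=sean@example.ie result=failure country=NG
2025-03-03T02:15:00Z user=sean@example.ie result=success country=NG
2025-03-03T12:00:00Z user=aoife@example.ie result=success country=IE
this line is not a sign-in record
"""


def run_example() -> list:
    return review(parse_log(REVIEW_LOG), build_baseline(parse_log(BASELINE_LOG)))


if __name__ == "__main__":
    for ts, user, rule in run_example():
        print(f"{ts.isoformat()} {user} {rule}")
```

On the constructed data the review is quiet for the user whose sign-ins match her baseline and raises four alerts for the account that sees a burst of failures followed by a night-time success from a country never used before. That combination is exactly the kind of "not normal" the step describes, and the output is what should be sent to the monitored mailbox mentioned above; thresholds and hours need tuning to your own staff and working patterns.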

Step 8: Incident Response. When an attack occurs, your response in the first twenty-four hours determines whether it becomes a manageable incident or a business-ending crisis. Your incident response plan needs to answer four questions: who is in charge, who do you call (your IT provider, your insurer, NCSC Ireland on 1800 CYBER1), what do you do first, and how do you communicate with clients and regulators. Test this plan at least once a year.

Step 9: Risk-Based Resilience. Resilience is the ability to keep operating — or recover quickly — when something goes wrong. For Irish SMEs, this means knowing before an attack which systems, if lost for twenty-four hours, would stop the business. Document your recovery priorities and test them annually. A business continuity plan does not need to be complex to be effective.

Step 10: Additional Automated Protections. Once the basics are in place, the next layer focuses on automation. Web application firewalls protect customer-facing websites. Data loss prevention tools monitor the movement of sensitive data. Zero trust architecture assumes no user or device is trusted by default, even inside your own network — increasingly relevant for businesses with remote workers.

Step 11: Test Regularly. Security controls that have never been tested are controls you cannot rely on. Quarterly vulnerability scans identify known weaknesses. Annual penetration testing provides a controlled simulation of a real attack. Phishing simulations measure how your staff respond. Tabletop exercises test whether your incident response plan actually works under pressure. An Garda Síochána's National Cyber Crime Bureau consistently finds that tested organisations recover faster and suffer less damage when attacks occur.[^2]

Step 12: A Cyber Risk Management Lifecycle. Cybersecurity is not a project with a start and end date. It is an ongoing discipline. Build an annual review cycle into your business calendar. Revisit your threat landscape, your risk appetite, and your controls. Under NIS2 and GDPR, many Irish businesses now have ongoing compliance obligations that require exactly this kind of structured, documented approach.

WHY IT MATTERS: Regulation Is Adding Pressure

The Data Protection Commission has the power to impose fines of up to €20 million for serious GDPR breaches.[^3] NIS2 adds director-level personal liability for inadequate security governance. Beyond regulation, the commercial argument is straightforward: the businesses that win major contracts and retain enterprise clients are increasingly the ones that can demonstrate a structured, documented security programme.

The businesses that get into serious trouble are not the ones that started slowly. They are the ones that never started at all.

WHAT NEXT: Three Actions to Take This Week

  1. Identify who in your business is currently responsible for cybersecurity. If the answer is "nobody," designating that person — even informally — is your most important first step.

  2. Enable MFA on your email platform today. For Microsoft 365 or Google Workspace, this takes thirty minutes and immediately reduces your most significant attack surface.

  3. Work through Steps 2 and 3 this month: map your critical assets and write down the three threats that are most likely to affect your business. That combination — what you have and what threatens it — is the foundation of a security programme that is proportionate to your real risk.


[^1]: NCSC Ireland. Advice for Organisations. https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: An Garda Síochána. Cyber Crime. https://www.garda.ie/en/crime/cyber-crime/

[^3]: Data Protection Commission. Guidance for Organisations. https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.