When a Cork accountancy firm suffered a phishing breach in mid-2025, the investigation revealed something uncomfortable: the firm had a cybersecurity policy. It was forty-seven pages long, written in legal language, and had been signed by every employee on their first day. Nobody had read it since. The compromised employee had no idea the policy required them to verify unexpected financial requests by phone before processing them — the rule was buried in section nine, paragraph four of a document they had forgotten existed.
The breach cost the firm €40,000 in remediation and client notification costs, plus a DPC investigation. The policy, designed to protect the business, had protected nobody because it was designed to sit in a filing cabinet rather than guide human behaviour.
Why Policy Design Matters as Much as Policy Content
NCSC Ireland consistently highlights human error as the primary factor in Irish cyber incidents.[^1] That is not an argument for blaming employees; it is an argument for designing policies that give employees a realistic chance of acting correctly when a suspicious request arrives. A document that cannot be remembered cannot be acted upon.
Many Irish SME cybersecurity policies were written by a consultant, from a template, for a different kind of organisation. They cover every conceivable risk and are impractical as day-to-day guides for a ten-person accounting practice, a twelve-room guesthouse in Donegal, or a twenty-person engineering firm in Sligo. The staff who most need clear guidance (front-of-house employees, accounts payable administrators, reception staff) are the ones least likely to find it in a dense document.
The consequence is visible in breach reports. Employees process fraudulent payment requests because nobody told them how to verify. They click phishing links because nobody showed them what these look like. They use personal devices for work email because nobody told them why that creates a problem. The policy existed. The behaviour change did not happen.
When did your employees last read your cybersecurity policy — and do you know which rules they actually follow? Book a free 20-minute strategy call — we'll help you identify the three policy rules that matter most for your specific business and make them stick.
What an Effective Policy Actually Needs
An effective cybersecurity policy for an Irish SME is not comprehensive — it is focused. It covers the five to eight situations your employees are most likely to encounter, and it tells them exactly what to do in plain English. It is short enough to read in fifteen minutes and specific enough to act on.
The situations that matter most for the typical Irish business are:
- how to recognise and handle a suspicious email;
- what to do when someone unexpected contacts you claiming to be IT support or a supplier;
- how to handle requests to change payment details or make urgent transfers;
- what devices and accounts are acceptable for work use;
- what to do if something goes wrong and who to call.
Each of these topics can be covered in one to three paragraphs of plain English. State the rule itself, not a standard of care: not "exercise appropriate caution when verifying payment requests" but "if anyone asks you to change a supplier's bank details, call the supplier on the number already in our system, not a number in the email or one the caller gives you, before making any changes." One sentence. Unambiguous. Actionable.
The Data Protection Commission expects that staff who handle personal data receive appropriate training and have clear procedures to follow.[^2] A policy that staff cannot find or understand does not satisfy this expectation, regardless of how comprehensive it is.
Structure That Works
A policy for a Donegal SME should follow a simple structure that mirrors how employees think about their working day. Start with the one-page summary — what the policy is about, why it matters, and the three things that matter most. This page is what gets read. Everything else is the detail for people who need to check a specific situation.
The main body should cover each key situation as a short section with a clear title. Use the second person ("if you receive an email asking for payment"), not impersonal or passive constructions ("payment requests should be verified"). State the rule first, then the reason briefly. "Call the requester back on a number you already know, not one provided in the email. Fraudsters can create convincing copies of supplier emails, or send from a supplier's genuinely compromised mailbox, and use them to redirect payments." That is the rule and the reason in two sentences.
Include a clear section on reporting. The Garda National Cyber Crime Bureau (GNCCB) advises businesses to report cybercrime incidents promptly, and your policy should specify who within your business is the first call, what information to capture immediately (the sender address, the time, and what was clicked, entered or sent), and that staff should not try to investigate or resolve incidents themselves.[^3] In particular, they should not delete the suspicious email or attempt their own clean-up: an intact mailbox and device are what a later investigation needs. The decision to report externally, to the GNCCB, the DPC, or your cyber insurer, is a management decision, but staff need to know who to contact internally without delay.
Include an acknowledgement process, not a legal disclaimer that nobody reads but a short confirmation that the employee has read the key rules and knows who to call if something seems wrong. A one-page summary signed and dated by each employee, reviewed annually, is sufficient. It demonstrates to the DPC and your cyber insurer that you took reasonable steps to inform your staff. Be clear about what it does not demonstrate: a signature shows the employee was told, not that they understood, which is why the briefing matters more than the signature.
A cybersecurity policy is not a compliance document — it is a behaviour guide. If your staff cannot explain its key rules in one sentence, the policy is not working.
How to Make Rules Stick Beyond the Document
Policies alone do not change behaviour. They need to be reinforced through regular, short communications that remind staff of the key rules in context. A thirty-second reminder at a staff meeting about what to do with suspicious emails is more effective than a paragraph buried in a document they signed eighteen months ago.
NCSC Ireland provides free resources for businesses including practical guidance on phishing awareness that can be adapted for staff briefings. Use real examples — when a phishing attempt hits your industry in Ireland, which happens regularly, it is worth a brief team message explaining what happened elsewhere and what your own rule is. When a supplier invoice arrives with changed bank details — which Business Email Compromise attacks produce regularly in Ireland — it is the moment to remind staff of the verification procedure.
For businesses in Donegal and Sligo with smaller teams, this does not require a training department. A five-minute briefing at a monthly team meeting, rotating through the key policy areas, covers the same ground as a formal training programme at a fraction of the effort.
Three Steps to a Policy That Works
These three steps are the practical output of everything above.
Write a one-page policy summary covering the five situations your employees are most likely to face. Use plain English and second person. State each rule clearly and briefly explain why it exists. Have it reviewed by one employee who was not involved in writing it — if they cannot understand it, rewrite it.
Hold a fifteen-minute briefing with all staff when the policy is introduced. Walk through the key rules, take questions, and give each person a copy. Collect signed acknowledgements and file them. Repeat this annually and whenever a significant threat changes your guidance.
Build a simple reporting chain, a WhatsApp number, an email address, or a direct line, that staff can use to report anything suspicious without fear of criticism. Prefer a channel that does not depend on company email: if a mailbox has been compromised, a report sent to a shared inbox can be read or deleted by the attacker before you ever see it. The speed of your response to an incident depends first on how quickly you find out about it. Staff who fear being blamed for clicking a phishing link will not tell you immediately. Staff who know their report will be welcomed will call within minutes.
Related Reading
- Building a Human Firewall: Security Awareness Training That Works
- Building a Security Culture: A vCISO's Approach
- 10 Questions Every Irish Director Should Ask About Cybersecurity
[^1]: NCSC Ireland — Guidance on organisational security and human factors in Irish cyber incidents: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: Data Protection Commission Ireland — Staff training and data protection policy requirements under GDPR: https://www.dataprotection.ie
[^3]: An Garda Síochána — Cybercrime reporting guidance for Irish businesses: https://www.garda.ie/en/crime/cyber-crime/
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.