It was a bank holiday weekend in Sligo when a hotel's booking system went dark. Not a power cut — a ransomware attack. Guests arrived to chaos, reservations had vanished, and the hotel faced a stark choice: pay €12,000 in Bitcoin or lose weeks of revenue. They paid. The decryption key only partially worked, leaving a trail of lost data and furious customers. This is not a distant threat. It is happening to Irish SMEs every month, in Donegal, in Cork, in Dublin, and in every county in between.
The Essential 8, developed by the Australian Cyber Security Centre, offers a clear and proven response. It is a set of eight prioritised mitigation strategies designed to stop the most common attack techniques used against organisations of all sizes. Research by the ACSC suggests that implementing these eight strategies can prevent up to 85% of targeted cyber attacks. For Irish SMEs that need practical protection without a complex security programme, the Essential 8 is a compelling starting point.
What Is Australia's Essential 8
The Essential 8 is a mitigation strategy framework, not a certification scheme. It focuses specifically on preventing the attack techniques that cybercriminals actually use — which is what distinguishes it from more general frameworks. Each strategy targets a specific attack vector and is assessed against maturity levels from 0 (not implemented) to 3 (fully implemented), allowing organisations to improve progressively rather than face a binary pass or fail.
For Irish SMEs, the beauty of the Essential 8 lies in its practicality. It is not about buying expensive software. It is about fundamental, consistently applied controls that counter the phishing attacks, ransomware infections, and credential compromises that make up the vast majority of incidents reported to An Garda Síochána's National Cyber Crime Bureau each year.[^1]
The Eight Strategies
Application control prevents unapproved programs from running on company devices. If an employee accidentally downloads malware from a phishing email, application control stops it from executing. This is one of the most technically demanding controls in the framework, but for higher-risk businesses it is transformative.
Patch applications ensures that software — browsers, Microsoft Office, Adobe products, and any other applications your business relies on — is kept up to date with security fixes. A Cork manufacturing firm lost a €2.3 million contract after failing a client audit partly because of poor patch management practices. The client walked away from a supplier that could not demonstrate basic security hygiene.
Configure Microsoft Office macro settings addresses the fact that malicious macros embedded in Office documents are one of the most common malware delivery methods. Restricting macros to trusted, signed sources closes this attack vector without preventing legitimate business use.
User application hardening means configuring browsers, PDF readers, and other applications securely — disabling unnecessary features, blocking untrusted content, and running applications with minimum required privileges. Small configuration changes applied consistently across an organisation create a materially more robust environment.
Restrict administrative privileges implements the principle of least privilege: staff have access only to what they need for their specific role. A Letterkenny GP practice was fined €15,000 by the Data Protection Commission after a former receptionist accessed patient records for six months post-employment because access was never revoked and had never been appropriately restricted.[^2] This control directly addresses that failure pattern.
Patch operating systems extends the patching discipline to the underlying systems — Windows, macOS, Linux — on which everything else runs. Microsoft and Apple release security updates monthly. Delaying those updates leaves known vulnerabilities open to exploitation. The Health Research Board attack in Dublin in February 2026, which caused staff to be sent home while the NCSC Ireland investigated, reflects a pattern that timely OS patching would have disrupted.
Multi-factor authentication adds a second verification step beyond a password. Even if an attacker steals a staff member's email credentials — through phishing, through a data breach at another service, or through credential stuffing — MFA prevents them from accessing the account without also passing the second factor. A Dublin law firm that suffered eleven months of undetected email compromise could have blocked the initial access entirely with MFA enabled on their email accounts.
Regular backups are the essential safety net when every other control has failed. The Sligo hotel's experience illustrates the point: €12,000 paid in Bitcoin, decryption only partial, weeks of booking data lost. Had they maintained tested, isolated backups, they could have wiped their systems and restored from a clean copy — no payment, no prolonged disruption, no customer fury. The Essential 8 requires backups to be immutable (unalterable by ransomware) and regularly tested. An Garda Síochána consistently advises Irish businesses never to pay ransoms — the only position that makes that advice financially viable is having tested backups.[^3]
Why MFA and Backups Are Your Highest-Priority Controls
For an Irish SME with limited time and budget, the question is where to start. The answer is clear: MFA and backups, implemented properly, provide the greatest protection per unit of effort.
MFA stops credential-based attacks, which account for the majority of initial access incidents in Irish SMEs. It is available at no additional cost within Microsoft 365 and Google Workspace. It takes an afternoon to configure and a brief session to train staff on using it. There is no technical or financial barrier to enabling it today.
Tested backups are your insurance against ransomware and catastrophic system failures. The word "tested" is critical — a backup that has never been restored under real conditions is not a backup, it is a hope. Monthly restoration tests from your most recent backup, documented and verified, transform your backup from a liability into a genuine recovery capability.
Are MFA and tested backups in place across your entire business right now? Book a free 20-minute strategy call — we work with Irish SMEs from Donegal to Dublin to implement the Essential 8 controls in order of impact, starting with what matters most for your specific environment.
The Maturity Model
The Essential 8 does not require perfection to provide significant protection. Reaching Maturity Level 1 across all eight strategies — meaning each control is implemented in a basic but consistent way — provides substantially better protection than most Irish SMEs currently have. Maturity Level 2 for the highest-risk controls (MFA, patching, admin restriction) is the appropriate target for most businesses operating with sensitive data or in critical supply chains.
NCSC Ireland's guidance explicitly endorses the Essential 8 as compatible with the CyFUN framework that Irish organisations use for NIS2 compliance. Implementing the Essential 8 alongside CyFUN governance documentation gives Irish businesses a hybrid baseline that satisfies both technical and regulatory requirements.
What Next: Three Actions for Irish SMEs
First, enable MFA on every email account and remote access system this week. This is the single highest-impact action available to any Irish business. Configure it in Microsoft 365 or Google Workspace, brief your staff on what it is and why it matters, and document that it is in place. One afternoon's work.
Second, test your most recent backup this month by actually restoring from it. Ask your IT provider or whoever manages your backups to demonstrate a full restoration on a test system. Get written confirmation of the test result, the date, and how long the restoration took. If the test fails or your provider cannot demonstrate it, your backup is not usable.
Third, implement automatic patching for all operating systems and applications across your business before the end of this quarter. Enable automatic updates on all devices, verify that business-critical applications are included, and set a monthly calendar reminder to check that patches are being applied successfully. This single control closes the most commonly exploited vulnerabilities in Irish SME environments.
[^1]: An Garda Síochána — Cybercrime [^2]: Data Protection Commission Ireland [^3]: NCSC Ireland — Advice for Organisations
Related Reading
- Essential 8 vs Cyber Essentials: Which Framework Wins for Irish Businesses?
- Backup Strategy for SMEs: The 3-2-1-1-0 Rule Explained
- MFA Everywhere: Why Multi-Factor Authentication Is Non-Negotiable in 2026
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.