How Much Should a 10-Person Irish Business Actually Spend on Cybersecurity?

How much should a small Irish business spend on cybersecurity? A plain-English breakdown of realistic budgets, essential controls, and NCSC Ireland guidance.

When a ten-person accountancy firm in Letterkenny asked their managed IT provider how much they should be spending on cybersecurity, they got an answer that surprised them. The provider quoted €18,000 a year. The owner, who had assumed she needed to spend €2,000 or so on antivirus and a firewall, nearly dropped the phone. Both figures, it turned out, were wrong — and the gap between them is exactly where Irish SMEs get into trouble.

Getting the budget question right matters. Spend too little and your business is genuinely exposed. Spend too much in the wrong areas and you end up with expensive tools nobody uses, while the basic controls that actually stop attacks are still missing. For most ten-person Irish businesses, the truth sits somewhere between panic and complacency.

WHAT: The Benchmarks Irish Businesses Should Know

Industry guidance suggests that small businesses should allocate between 5% and 10% of their IT spend to cybersecurity. For a business that spends €40,000 a year on IT — software subscriptions, hardware, support contracts — that means a cybersecurity budget of roughly €2,000 to €4,000 per year. Some analysts use a broader revenue-based benchmark of 0.2% to 0.5% of annual turnover for companies under €2 million in revenue.

NCSC Ireland does not publish a fixed spending target, but its guidance for organisations consistently emphasises a risk-based approach: identify what matters most to your business, understand the realistic threats you face, and prioritise controls accordingly.[^1] A ten-person firm processing sensitive client data — a solicitor's office, a payroll bureau, a GP practice — faces a materially different risk profile from a small trades business that keeps minimal digital records.

The practical range for a ten-person Irish business sitting somewhere in the middle — operating a cloud-based email platform, storing some customer data, maybe using accounting software and a shared network drive — is typically between €3,000 and €12,000 per year. Where you land in that range depends on how sensitive your data is, whether you have regulatory obligations such as GDPR or NIS2, and whether you have any technical in-house capability.

WHAT NOW: What Your Budget Should Actually Buy

At the lower end — around €3,000 to €5,000 per year — a small Irish business should expect to have all of the following in place. Microsoft 365 Business Premium or Google Workspace Business Plus includes strong email security, multi-factor authentication enforcement, and device management at roughly €15 to €20 per user per month. For ten users, that is €1,800 to €2,400 annually — and it eliminates several categories of risk at once. Add a business-grade DNS filtering service, a password manager rolled out across the team, and an annual phishing simulation exercise from a local provider, and you have a credible baseline for under €5,000.

Are you spending your cybersecurity budget in the right places? Book a free 20-minute strategy call — we will tell you exactly what your business needs and what it does not, based on your actual risk profile.

In the €5,000 to €10,000 range, you can add a managed detection and response service, which means someone is monitoring your systems for unusual activity rather than you waiting to discover a breach weeks after it happened. You can also bring in a virtual CISO — a part-time senior security adviser — for a few hours a month. A vCISO reviews your posture, advises the owner or board, and keeps your policies current. For businesses with GDPR obligations or that are working towards NIS2 compliance, this is increasingly not optional.

Above €10,000, you are typically looking at formal penetration testing, staff security awareness training delivered as a structured programme rather than a once-a-year email, and possibly a cyber insurance policy review with gap analysis. None of this is extravagant for a business handling sensitive data or processing payments.

WHY IT MATTERS: The Regulatory and Business Case

An Garda Síochána and the Garda National Cyber Crime Bureau report that small and medium-sized businesses in Ireland are now the primary target for ransomware gangs and business email compromise fraud, precisely because they are perceived as less defended than larger enterprises.[^2] The cost of a breach — forensic investigation, recovery, regulatory notification, lost revenue — routinely runs to multiples of what a year's worth of adequate protection would have cost.

The Data Protection Commission expects businesses of all sizes to implement appropriate technical and organisational measures to protect personal data. The standard is not what you could theoretically afford; it is what is appropriate given the risk. A business that processes employee payroll data, customer health information, or financial records and cannot demonstrate basic controls is exposed not just to a breach, but to a DPC investigation and potential fine.[^3]

NIS2, which came into force in Ireland in 2024, extends mandatory security requirements to a wider range of sectors. Even if your business is not directly in scope, your enterprise clients may require evidence of your security posture before they will work with you. A credible cybersecurity spend — and the documentation to show what it covers — is increasingly a commercial requirement, not just a regulatory one.

WHAT NEXT: Three Actions to Take This Month

First, take stock of what you are already spending. List every piece of software, every support contract, every subscription that has any security function. Many Irish businesses discover they are already paying for tools they are not using properly — Microsoft 365 security features left on default settings, for instance, or a backup solution that has never been tested.

Second, categorise your data. Work out what information your business holds that would cause real harm if it were lost, stolen, or published. Staff personal data, client financial records, health information — these attract regulatory obligations and should drive your spending priorities. Everything else is secondary.

Third, get a second opinion before committing to major spend. A one-off security assessment from an independent adviser — not from a vendor trying to sell you something — will tell you where your gaps are and what they would cost to close. For most ten-person Irish businesses, that assessment itself costs between €500 and €1,500 and typically pays for itself immediately by identifying either waste or genuine exposure.

Most Irish SMEs are either overpaying for the wrong things or underprotected in the areas that matter most. Book a free 20-minute strategy call — plain-English advice on where your budget should actually go.

The goal is not to spend the most. It is to spend in the right order, on the controls that genuinely reduce your exposure, and to be able to demonstrate that you have done so. That is the standard NCSC Ireland, the DPC, and your enterprise clients will hold you to — and it is entirely achievable for a small Irish business that approaches it methodically.

[^1]: NCSC Ireland, advice for organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána, cyber crime: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.