When staff at the Health Research Board arrived at their Dublin offices on a Tuesday morning in early 2026, they were told to unplug their computers and go home. Not a fire drill. Not a planned maintenance window. A cyberattack had brought the entire organisation to a standstill. The HRB manages over €50 million in health research funding annually. It is a serious, well-resourced Irish state body with dedicated IT staff and formal security policies. And it was shut down.
If this can happen to them, the idea that your business is too small to be a target is not a strategy. It is a gamble.
This is not a headline from America. This happened in Ireland. It matters to every Irish SME owner because the attack that shut down the HRB uses the same tactics, delivered by the same criminal networks, that are targeting businesses in Donegal, Cork, Galway, and every other county in Ireland every day.
WHAT: What the Attack Tells Us About How Ransomware Works
The HRB's response — telling all staff to disconnect their devices immediately — is the textbook first step when a major incident is detected. It is almost always the sign of ransomware: malicious software that spreads rapidly across a network, encrypting files as it goes. The instruction to unplug everything is an attempt to stop the spread before the encryption reaches every system.
The immediate cost of a cyberattack is not data loss. It is operational paralysis. Think about your own business for a moment. Could you keep operating if you could not access your email, your files, your accounting system, or your project management tools for a day? For a week? For most Irish SMEs, the honest answer is: not easily, and for some, not at all.
Modern ransomware attacks go further than encryption. Before attackers encrypt your files, they steal them. The threat is no longer "pay us or you cannot access your data." It is "pay us, or we publish your data." This changes the calculus entirely. Your backups get you operational again. They do not prevent the breach from happening — and the NCSC Ireland's incident advisories consistently confirm that data exfiltration has become a standard component of ransomware attacks.[^1]
WHAT NOW: Three Lessons Every Irish SME Must Act On
Lesson 1: Your incident response plan is a verb, not a noun. Many businesses have a document somewhere called an Incident Response Plan. It was written two or three years ago, it lives in a folder nobody can find, and it has never been tested. The HRB's response was not a document — it was a decision made quickly, under pressure, by people who knew what to do. The question is not whether you have a plan. The question is whether your plan works under pressure.
Ask yourself three questions right now. Who has the explicit authority to make the call to shut everything down? How do you contact all your staff if email and Teams are unavailable — do you have personal mobile numbers somewhere offline? What is the first external call you make, and do you have the number of your IT provider, cyber insurance company, and the NCSC Ireland on a printed card rather than stored in an email account you can no longer access? If you cannot answer all three in under thirty seconds, your plan needs work.
Lesson 2: Backups are the last line of defence, not the first. Even with perfect, tested, offline backups, a modern ransomware attack is not simply a recovery problem. The stolen data — research results, personal data of participants, financial records, staff information — can appear on a dark web forum regardless of whether your systems were fully restored. For your business, the equivalent might be client contracts, financial records, employee data, or commercially sensitive communications. The first line of defence is preventing the attacker from getting in at all. That means multi-factor authentication on every account, regular software patching, and strong access controls that limit what an attacker can reach if they do get in.
Lesson 3: The NCSC is for you, too. Many Irish SME owners assume the NCSC exists for government bodies and large corporations — not for a 15-person professional services firm in Letterkenny or a 30-person manufacturer in Sligo. That assumption is wrong. The NCSC provides free guidance for all Irish businesses, regardless of size or sector. If your business suffers a serious cyber incident, the NCSC is one of the first calls you should make. If you are subject to NIS2, reporting to the NCSC within 24 hours of detecting an incident is a legal obligation, not a choice.[^2]
WHY IT MATTERS: The Irish Threat Landscape in 2026
The timing of the HRB attack is not coincidental. Irish organisations are being targeted at a higher rate than at any point in the last five years. The NCSC Ireland's threat reporting consistently shows that ransomware remains the dominant threat, with public sector and healthcare bodies disproportionately targeted because they hold sensitive data, have operational dependencies that make downtime extremely costly, and are often perceived as more likely to pay a ransom.
The same targeting logic applies to your business. If you hold data that someone would pay to recover or pay to keep private — client records, financial data, employee information, commercially sensitive contracts — you are a target. An Garda Síochána's National Cyber Crime Bureau has reported a sustained increase in ransomware incidents against Irish businesses across every sector and size.[^3] The question is not whether attacks are happening. It is whether your business would survive one.
The businesses that survive serious cyber incidents are not luckier. They are better prepared.
WHAT NEXT: Three Actions Before the End of This Week
1. Test your incident response plan. Not read it — test it. Run a ten-minute tabletop exercise with your management team: "Our email is down and our files are encrypted. What do we do in the next 60 minutes?" If the answer is "we don't know," that is the gap to close first.
2. Audit your access controls. Does every member of staff have MFA enabled on their email account? Are former employees' accounts disabled? Does your IT provider have admin access to your systems, and do you know exactly what that covers? These questions determine whether an attacker who gets one set of credentials can reach everything, or just one thing.
3. Bookmark the NCSC. Visit ncsc.gov.ie today. Add their incident reporting contact to your phone. If you are in scope for NIS2, confirm you are registered and that you understand your 24-hour reporting obligation.
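The access-control audit in action 2 can be run as a short script over a user export. This is an added example, not part of the original article: the CSV column names, the sample accounts and the leavers list are constructed assumptions, so adapt them to whatever your directory or IT provider can export.

```python
import csv
import io

# Constructed sample data: a user export and an HR leavers list.
# Column names are assumptions; match them to your own export.
USERS_CSV = """email,enabled,mfa_enabled,role,owner
aoife@example.ie,true,true,user,staff
brian@example.ie,true,false,user,staff
ciara@example.ie,true,true,admin,staff
declan@example.ie,true,true,user,staff
support@it-provider.example,true,false,admin,external
eoin@example.ie,false,false,user,staff
"""
LEAVERS = {"declan@example.ie", "eoin@example.ie"}


def is_true(value):
    """Interpret the export's true/false text columns."""
    return value.strip().lower() == "true"


def audit_access(users_csv, leavers):
    """Return findings keyed by the audit questions in action 2."""
    leavers = {e.strip().lower() for e in leavers}
    findings = {"no_mfa": [], "leaver_still_enabled": [], "external_admin": []}
    for row in csv.DictReader(io.StringIO(users_csv)):
        email = row["email"].strip().lower()
        if not is_true(row["enabled"]):
            continue  # a disabled account cannot be used to sign in
        if not is_true(row["mfa_enabled"]):
            findings["no_mfa"].append(email)
        if email in leavers:
            findings["leaver_still_enabled"].append(email)
        # Admin rights held outside the business (e.g. the IT provider)
        # should be known, documented and MFA-protected.
        is_admin = row["role"].strip().lower() == "admin"
        if is_admin and row["owner"].strip().lower() == "external":
            findings["external_admin"].append(email)
    return findings


if __name__ == "__main__":
    for check, accounts in audit_access(USERS_CSV, LEAVERS).items():
        print(f"{check}: {', '.join(accounts) or 'none'}")
```

Any account that appears under more than one heading, such as an external admin without MFA, is the one to fix first.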
[^1]: NCSC Ireland — advice and guidance for organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: Data Protection Commission Ireland — breach notification requirements: https://www.dataprotection.ie
[^3]: An Garda Síochána — National Cyber Crime Bureau: https://www.garda.ie/en/crime/cyber-crime/
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.