When a Donegal manufacturing firm was hit by ransomware in late 2024, the owner's first call was to his IT provider, who was not available on a Saturday afternoon. His second call was to the number listed in the company's incident response plan — a document that turned out to be three years old, referencing staff who had long since left the business and a server that no longer existed. By the time a specialist was reached, four hours had passed. Every hour of delay meant more encrypted data and a longer recovery.
The question for Irish SMEs is no longer whether a cyber attack will happen — it is whether your business is ready to respond when it does. An Incident Response Plan (IRP) is not a bureaucratic exercise. It is the difference between a controlled, structured response and a chaotic scramble that turns a recoverable incident into a business-ending one.
WHAT: Why Preparation Is the Most Valuable Hour You Will Spend
An IRP is a living set of procedures that tells your business exactly what to do in the critical hours immediately after a cyber incident is detected. Without one, the consequences are predictable: extended downtime as people debate who has authority to make decisions, spiralling costs as unnecessary forensic work is commissioned, regulatory non-compliance as reporting deadlines pass unnoticed, and reputational damage as clients and suppliers discover the problem before you have communicated it properly.
The NCSC Ireland provides clear guidance on the obligations Irish businesses have when a significant incident occurs.[^1] Under NIS2, businesses in scope must report significant incidents to the NCSC within 24 hours of becoming aware of them — and must provide a more detailed report within 72 hours. Meeting those windows is only possible if your reporting process is already documented and your team knows who makes the call.
WHAT NOW: The Eight Elements of Effective Preparation
Effective incident response planning concentrates on the preparation phase — establishing everything your business needs before an incident occurs, rather than trying to improvise under pressure.
Form an incident response team. Designate a core team responsible for managing cyber incidents. In a small business, this might be the owner, the operations manager, and whoever manages IT. The team should include someone with authority to make decisions, someone who can communicate with staff and clients, and someone with technical responsibility. Define each role in writing, and make sure every team member has a printed copy of the contact list at home.
Identify your critical assets. An inventory of your critical IT systems and the data they hold is the foundation of any response. You cannot prioritise recovery without knowing what matters most. For each system, document who is responsible for it, where it is hosted, and what the business cannot do if it is unavailable. This asset inventory is also a NIS2 compliance requirement.
Document your external contacts. Your incident response contact list should include your IT provider's out-of-hours number, your cyber insurance company's claims line, the NCSC Ireland's incident reporting contact, and a specialist incident response firm if you have one pre-engaged. These numbers should exist on paper or in a location that does not depend on your email or Microsoft 365 being operational.
Implement technical controls for detection. Your plan only works if you know an incident has occurred. Basic logging — recording who logged in, what they accessed, and from where — is the minimum standard. Without logs, you cannot determine what the attacker accessed, which triggers mandatory notification to the Data Protection Commission under GDPR.[^2] Enable audit logging in Microsoft 365 today if you have not already done so.
Establish secure, tested backups. Backups are essential but insufficient on their own. They must be stored offline or in a location that an attacker who has compromised your main systems cannot reach. They must be tested regularly — a backup that has never been restored is an assumption, not a guarantee. And they must be included in your recovery priority list so you know which systems to restore first.
Conduct regular employee training. Staff are almost always involved in the early stages of an incident — clicking a phishing link, responding to a social engineering call, or being the first to notice that something is wrong. Regular security awareness training, including specific training on how to report suspicious activity, is one of the highest-return investments an Irish SME can make.
Test your plan annually. Run a tabletop exercise with your management team at least once a year. Present a scenario — "Our email is down, we have found encrypted files on the shared drive, and it is 3pm on a Friday" — and work through the first four hours. The gaps you discover in a tabletop exercise cost nothing to fix. The same gaps discovered during a real incident cost everything.
Understand your cyber insurance policy. Review your policy before an incident. Know what is covered, what exclusions apply, what notification requirements your insurer imposes, and which vendors they require you to use for forensic and legal services. An insurer who discovers you delayed notification or used an unauthorised vendor will look for reasons to deny your claim.[^3]
WHY IT MATTERS: The Regulatory Dimension
An Garda Síochána's National Cyber Crime Bureau has reported a consistent increase in ransomware and business email compromise targeting Irish businesses. In both types of attack, the absence of an incident response plan consistently makes the outcome worse — more data lost, higher recovery costs, and greater regulatory exposure because reporting deadlines are missed.
The Data Protection Commission expects organisations to have documented procedures for responding to personal data breaches. If your incident response plan does not include a step for assessing whether personal data was accessed, and a procedure for notifying the DPC within 72 hours if it was, your plan is incomplete. The NCSC Ireland's published guidance on incident management for businesses provides a solid baseline for what good looks like.
Your incident response plan is only as good as your last test of it.
WHAT NEXT: Three Actions Before the End of This Week
1. Identify who is on your incident response team and ensure everyone knows their role. Write it down. Share the contact list outside of your email system.
2. Enable audit logging in your core systems — particularly Microsoft 365 or Google Workspace — if it is not already active. This is the single most important technical step for improving your ability to understand what happened in an incident.
3. Schedule a one-hour tabletop exercise with your management team in the next four weeks. Use a simple ransomware scenario. The gaps it reveals will tell you exactly where to invest next.
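One way to carry out action 2 for Microsoft 365, as an added example rather than a script from the original article: run in Exchange Online PowerShell, it checks whether the unified audit log is on, enables it if it is not, and confirms that records are actually being written. The admin address is a placeholder, and the script assumes the ExchangeOnlineManagement module is installed and the account holds the Audit Logs role.

```powershell
# Added example: verify and enable Microsoft 365 audit logging.
# 'admin@example.ie' is a placeholder; use your own admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.ie'

# 1. Is the unified audit log ingesting events?
#    Run this in Exchange Online PowerShell: the same cmdlet in
#    Security & Compliance PowerShell reports False regardless of state.
$cfg = Get-AdminAuditLogConfig
if ($cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Output 'Unified audit log: already enabled.'
} else {
    Write-Warning 'Unified audit log is OFF. Enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # The change is not instant; re-run step 3 later to confirm.
}

# 2. Is mailbox auditing on by default for the organisation?
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled org-wide. Re-enabling.'
    Set-OrganizationConfig -AuditDisabled $false
} else {
    Write-Output 'Mailbox auditing: on by default.'
}

# 3. Prove that records exist: pull a sample from the last 24 hours.
$end    = Get-Date
$start  = $end.AddDays(-1)
$recent = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 10)

if ($recent.Count -eq 0) {
    Write-Warning 'No audit records in the last 24 hours. Check again after the change has taken effect.'
} else {
    # Who did what, and when: the minimum an investigation needs.
    $recent | Select-Object CreationDate, UserIds, Operations, RecordType |
        Format-Table -AutoSize
}

Disconnect-ExchangeOnline -Confirm:$false
```

Record the date you ran this check in the incident response plan itself, so the next review can confirm logging was on before any incident rather than after it.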
[^1]: NCSC Ireland — advice and guidance for organisations on incident management: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: Data Protection Commission Ireland — breach notification requirements: https://www.dataprotection.ie
[^3]: An Garda Síochána — National Cyber Crime Bureau: https://www.garda.ie/en/crime/cyber-crime/
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.