I've Sat in Post-Incident Rooms With Irish Businesses. Here's What They All Wished They'd Done.

A practitioner's account of what Irish businesses wish they had done before a cyber incident. Four preventable failures that come up in every post-incident room.

When a Cork distribution company called us two days after discovering a ransomware infection, the managing director was sitting in a conference room with three members of his senior team, a lukewarm cup of coffee, and the growing realisation that the worst week of his professional life had only just begun. I have been in that room, or rooms very much like it, more times than I can count. The air has a particular quality — stress, stale food, and a mixture of anger and regret. The conversation is always some variation of the same theme. A series of "if onlys."

As a cybersecurity adviser, a significant part of my work is the post-incident review — the structured process of understanding what happened, how the attacker got in, what they accessed, and what could have changed the outcome. It is in these sessions, when the adrenaline has faded and the cold reality of the consequences is clear, that the most painful truths emerge. The things they wished they had done differently are almost always the same four things. None of them are complex. None of them are expensive. And all of them would have changed the outcome.

WHAT: Four Preventable Failures That Come Up Every Time

Failure 1: "We didn't even know what we had." In the immediate aftermath of an attack, the first question we ask is always: what systems are affected? The answer, far too often, is a shrug. The IT manager points to a server rack. The finance director mentions a cloud service she thinks someone set up, but she is not sure who has the password. The marketing team remembers a CRM they switched from two years ago that may still hold client data. Without a complete asset inventory — a living document that records every server, every cloud application, every database, every device that connects to your network — you are fighting blind from the first moment. You cannot determine the scope of the breach. You cannot confirm the attacker is gone. You cannot even calculate the potential data exposure, which means you cannot make accurate breach notifications to the Data Protection Commission within the required 72-hour window.[^1]

Failure 2: "We can't see what they did." Once we have a rough picture of the compromised systems, the next question is: what did the attackers do while they were inside? The answer, in a majority of cases, is that nobody knows — because the logs either were never enabled, were overwritten after a short retention period, or were stored in the same systems the attacker encrypted or deleted. Without logs, you must assume the worst: that all sensitive data the attacker could have accessed has been exfiltrated. This triggers mandatory notification obligations and a legal process that is far more costly and damaging than the investigation would have been. The 2021 HSE attack demonstrated this at national scale: the absence of comprehensive logging made it extraordinarily difficult to trace the attacker's movements across a complex network.[^2]
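The two failures above are linked: you can only notice that a system is not being logged if the system is on the inventory in the first place. The script below is an added example (not from the original article or from the advisory firm) that cross-checks a constructed asset inventory against a constructed list of what the IT provider says is actually being logged, and flags the three conditions the post-incident room keeps finding: no audit logging at all, retention too short to cover the time between compromise and discovery, and logs kept only on the asset that the attacker will encrypt or wipe. The 90-day minimum retention is an assumption, not a figure from the article.

```python
"""Cross-check an asset inventory against the log sources being collected.

Added example. All assets, owners and log-source records below are
constructed for illustration; the 90-day retention floor is an assumption.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    owner: str                 # who is accountable for the system
    holds_personal_data: bool  # drives breach-notification scope
    critical: bool             # business cannot function without it


@dataclass
class LogSource:
    asset: str                 # inventory name of the system these logs belong to
    enabled: bool
    retention_days: int
    stored_off_asset: bool     # forwarded to a separate store (syslog, SIEM, cloud)


# Constructed inventory: the kind of shared spreadsheet the checklist asks for.
INVENTORY = [
    Asset("file-server-01", "IT manager", holds_personal_data=True, critical=True),
    Asset("mail-m365", "IT manager", holds_personal_data=True, critical=True),
    Asset("accounting-sage", "Finance director", holds_personal_data=True, critical=True),
    Asset("crm-legacy", "Marketing", holds_personal_data=True, critical=False),
    Asset("edge-firewall", "IT provider", holds_personal_data=False, critical=True),
    Asset("marketing-www", "Marketing", holds_personal_data=False, critical=False),
]

# Constructed answer from the IT provider to "what is actually being logged?"
LOG_SOURCES = [
    LogSource("file-server-01", enabled=True, retention_days=7, stored_off_asset=False),
    LogSource("mail-m365", enabled=True, retention_days=90, stored_off_asset=True),
    LogSource("edge-firewall", enabled=False, retention_days=0, stored_off_asset=False),
    LogSource("marketing-www", enabled=True, retention_days=30, stored_off_asset=True),
    LogSource("vpn-appliance", enabled=True, retention_days=30, stored_off_asset=True),
]

MIN_RETENTION_DAYS = 90  # assumption: must outlast typical time-to-discovery


def logging_gaps(inventory, sources, min_retention=MIN_RETENTION_DAYS):
    """Return {asset_name: [reasons]} for every inventoried asset whose logs
    would not answer "what did the attacker do?" after an incident."""
    by_asset = {s.asset: s for s in sources}
    gaps = {}
    for asset in inventory:
        reasons = []
        src = by_asset.get(asset.name)
        if src is None or not src.enabled:
            reasons.append("no audit logging")
        else:
            if src.retention_days < min_retention:
                reasons.append(f"retention {src.retention_days}d < {min_retention}d")
            if not src.stored_off_asset:
                reasons.append("logs stored only on the asset itself")
        if reasons:
            gaps[asset.name] = reasons
    return gaps


def unknown_log_sources(inventory, sources):
    """Log sources for systems missing from the inventory: direct evidence
    that the inventory is incomplete (Failure 1)."""
    known = {a.name for a in inventory}
    return sorted(s.asset for s in sources if s.asset not in known)


def prioritised_gaps(inventory, sources, min_retention=MIN_RETENTION_DAYS):
    """Gap list ordered critical-first, then personal-data stores, then name,
    so the fix list matches what the DPC will ask about first."""
    gaps = logging_gaps(inventory, sources, min_retention)
    by_name = {a.name: a for a in inventory}
    return sorted(
        gaps,
        key=lambda n: (not by_name[n].critical, not by_name[n].holds_personal_data, n),
    )


if __name__ == "__main__":
    gaps = logging_gaps(INVENTORY, LOG_SOURCES)
    for name in prioritised_gaps(INVENTORY, LOG_SOURCES):
        print(f"{name}: {'; '.join(gaps[name])}")
    for name in unknown_log_sources(INVENTORY, LOG_SOURCES):
        print(f"{name}: logged but not on the inventory")
```

Run as-is, it lists the accounting system, file server and firewall ahead of the forgotten CRM and the marketing site, and reports a VPN appliance that is being logged but that nobody put on the inventory. Swap the two constructed lists for an export of your own spreadsheet and your provider's log-source list and the same questions get answered for your estate.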

Failure 3: "We just panicked." The scene is chaos. The finance director wants to know whether payroll can be processed. The sales team is asking whether the CRM is safe to use. IT is unplugging machines at random. There is no chain of command, no clear plan, no defined decision-making authority. Decisions made under this kind of pressure are often wrong. Wiping a machine destroys forensic evidence. Shutting down the wrong server takes offline a system that was unaffected. Without a written incident response plan — not a 100-page document, but a one-page list of who does what in the first four hours — the response becomes a disorganised scramble that extends the downtime and deepens the damage.

Failure 4: "We didn't know what to recover first." Once the immediate threat is contained, the focus shifts to recovery. The leadership team wants everything back online immediately. But the IT team has limited resources and backups that need careful validation. Without a Business Impact Analysis — a formal process for identifying which systems and functions are most critical to the business — recovery is inefficient. The marketing website comes back online before the invoicing system. The customer portal is restored before the core operational database. Every hour of misprioritised recovery costs money that a correct prioritisation would have saved.
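A Business Impact Analysis becomes a recovery order once each system has a recovery time objective and its dependencies are written down: the invoicing system is useless until the core database is back, however urgent invoicing feels. The code below is an added example (not from the article or the firm) that turns a constructed BIA into a dependency-respecting recovery order, restoring the tightest RTO first among systems whose dependencies are already up, and then simulates a single IT team working through that order to show which RTOs are missed. It goes beyond the article's one illustration by handling any dependency graph and by rejecting cycles and unknown dependencies. All system names, RTOs and restore durations are constructed.

```python
"""Recovery ordering from a Business Impact Analysis.

Added example. BIA entries are constructed: name -> (rto_hours, restore_hours,
depends_on). A single sequential recovery team is assumed.
"""
import heapq

BIA = {
    "core-database":   (4, 3, []),
    "identity":        (4, 1, []),
    "invoicing":       (8, 2, ["core-database"]),
    "email":           (8, 2, ["identity"]),
    "customer-portal": (24, 4, ["core-database", "identity"]),
    "marketing-www":   (72, 1, []),
}

# The misprioritised order the article describes: marketing site first.
NAIVE_ORDER = ["marketing-www", "core-database", "identity",
               "customer-portal", "email", "invoicing"]


def recovery_order(bia):
    """Kahn's topological sort with a min-heap keyed on (RTO, name): among
    systems whose dependencies are restored, the tightest RTO comes first.
    Raises ValueError on an unknown dependency or a dependency cycle."""
    for name, (_, _, deps) in bia.items():
        for dep in deps:
            if dep not in bia:
                raise ValueError(f"{name} depends on {dep}, which is not in the BIA")
    remaining = {name: set(deps) for name, (_, _, deps) in bia.items()}
    dependents = {name: [] for name in bia}
    for name, deps in remaining.items():
        for dep in deps:
            dependents[dep].append(name)
    ready = [(bia[n][0], n) for n, deps in remaining.items() if not deps]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for dependant in dependents[name]:
            remaining[dependant].discard(name)
            if not remaining[dependant]:   # all prerequisites restored
                heapq.heappush(ready, (bia[dependant][0], dependant))
    if len(order) != len(bia):
        raise ValueError(f"dependency cycle among: {sorted(set(bia) - set(order))}")
    return order


def schedule(bia, order):
    """Simulate one team restoring systems sequentially in the given order.
    Returns [(name, finish_hour, meets_rto)]; raises if a system is placed
    before one of its dependencies."""
    restored, clock, rows = set(), 0, []
    for name in order:
        rto, hours, deps = bia[name]
        missing = [d for d in deps if d not in restored]
        if missing:
            raise ValueError(f"{name} scheduled before its dependencies {missing}")
        clock += hours
        rows.append((name, clock, clock <= rto))
        restored.add(name)
    return rows


def rto_misses(bia, order):
    """Names of systems that come back after their RTO under this order."""
    return [name for name, _, ok in schedule(bia, order) if not ok]


if __name__ == "__main__":
    planned = recovery_order(BIA)
    print("planned order:", planned, "misses:", rto_misses(BIA, planned))
    print("naive order:  ", NAIVE_ORDER, "misses:", rto_misses(BIA, NAIVE_ORDER))
```

With the constructed figures the planned order meets every RTO, while starting with the marketing site pushes identity, email and invoicing past theirs. The heap heuristic is greedy, not optimal: it will not always minimise misses when restore durations vary widely, so treat its output as the starting draft of the recovery runbook, not the final word.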

Could your business answer the question "what systems are affected?" within 30 minutes of discovering an incident? Book a free 20-minute strategy call — we can help you close the gaps before an incident forces you to find them under pressure.

WHY IT MATTERS: What the Regulators Will Ask

When a significant cyber incident occurs in an Irish business, two regulatory bodies become relevant almost immediately. The Data Protection Commission will want to know whether personal data was accessed, what data was involved, how many people are affected, and what the business is doing to address the breach. An Garda Síochána's National Cyber Crime Bureau may become involved if criminal activity is suspected — which ransomware always is.[^3]

In both cases, the ability to answer their questions quickly and accurately depends entirely on having done the foundational work before the incident. Without an asset inventory, you cannot confirm what data was at risk. Without logs, you cannot describe what the attacker accessed. Without an incident response plan, you cannot demonstrate that you had appropriate procedures in place. The absence of these elements does not just make the incident worse — it makes your regulatory position significantly more difficult to defend.

The post-incident room conversations are always the same. The preparation that changes them never is.

WHAT NEXT: Your Start-Monday Checklist

1. Schedule a one-hour meeting to begin building your asset inventory. Start with the systems your business cannot function without — email, file storage, accounting, client database. Document what each system holds and who is responsible for it. This does not need to be a sophisticated exercise. A shared spreadsheet is sufficient to start.

2. Ask your IT provider today whether audit logging is enabled on your main file server, your email system, and your firewall. If the answer is no, or "I'm not sure," that is the priority fix. Logging is the digital CCTV of your business — without it, you will never know what happened.

3. Designate an incident response lead before you need one. Who is in charge when something goes wrong? Who has the authority to disconnect systems, contact your IT provider, notify your insurer, and make decisions under pressure? Write it down. Share it with the relevant people. Store it somewhere that does not depend on your email being operational.

Related Reading

[^1]: Data Protection Commission Ireland — personal data breach notification: https://www.dataprotection.ie
[^2]: NCSC Ireland — advice for organisations on incident management: https://www.ncsc.gov.ie/advice-for-organisations/
[^3]: An Garda Síochána — National Cyber Crime Bureau: https://www.garda.ie/en/crime/cyber-crime/

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.