The Minimum Security Baseline Every Irish Small Business Should Have in 2026.

A cyber security baseline is not a comprehensive security programme. It is the minimum set of controls that every business should have in place before any other security conversation happens. Without these basics, every other investment is built on a foundation that will not hold.

Most Irish SMEs that experience a significant incident are missing at least one of these four controls — sometimes all of them. The NCSC Ireland's incident data consistently shows that the majority of attacks that succeed against Irish businesses exploit an absence of basics, not a failure of sophisticated defences.

What Is a Security Baseline?

A security baseline is the minimum set of controls that, if absent, leaves a business materially and unnecessarily exposed to common attacks. It does not protect against everything. It closes the gaps that attackers exploit most often and most successfully against businesses of your size.

For an Irish SME in 2026, the baseline has four components: multi-factor authentication, consistent patching, tested backups, and endpoint protection.

Control One: Multi-Factor Authentication

MFA requires a second proof of identity — beyond a password — before granting access to an account. Without it, a stolen password is all an attacker needs to access your email, your cloud storage, your accounting software, or your Microsoft 365 tenant.

Stolen passwords are not rare. Credential databases containing billions of email and password combinations are traded on criminal markets. The probability that at least one of your staff members has a password that appears in a breach database is high. MFA means that password alone is not enough.

MFA should be enabled on every account your business uses. Priority order: email (your Microsoft 365 or Google Workspace), remote access (VPN, RDP), financial accounts, cloud storage, accounting software, and any system containing customer personal data. Most platforms support MFA at no additional cost.

Verification question: Log into your Microsoft 365 admin centre. Navigate to Users > Active Users and check the MFA status column. If any accounts show MFA as disabled, those accounts are your immediate priority.

Not sure whether MFA is fully deployed across your Microsoft 365 tenant? We can check your tenant configuration in a 20-minute call. Book a free 20-minute strategy call.

Control Two: Consistent Patching

Every piece of software your business uses contains vulnerabilities — known and unknown flaws that attackers can exploit to gain access. Software vendors release patches that close these vulnerabilities. Businesses that do not apply those patches in a timely manner leave known entry points permanently open.

The NCSC Ireland consistently cites unpatched software as one of the top attack vectors in Irish incidents. Attackers actively scan the internet for businesses running software with known, unpatched vulnerabilities. The scans are automated. The exploitation is often automated. A business running software with a known, unpatched vulnerability is identifiable and targetable within hours of that vulnerability being published.

Patching covers operating systems (Windows, macOS), applications (Microsoft Office, Adobe, browsers), server software (web servers, databases, remote access tools), and network equipment firmware (routers, firewalls, switches).

Verification question: When were Windows updates last applied to every device in your business? Ask your IT provider for a patching report. If they cannot produce one, they do not have a managed patching process in place.

Control Three: Tested, Isolated Backups

A backup that has never been restored from has an unknown failure rate. A backup that is connected to the same network as your primary systems can be encrypted by ransomware. A tested, isolated backup — one that has been verified to restore successfully and that ransomware cannot reach — is the last line of defence when everything else fails.

The minimum requirement is: daily automated backup, at least one copy stored in an immutable or offline location, and a verified restore test completed within the last 90 days. If you cannot confirm all three, your backup posture has a gap.

Verification question: When did your IT provider last confirm a successful test restore? If the answer is never, or more than three months ago, schedule it this week.

Control Four: Endpoint Protection

Endpoint protection — commonly called antivirus, though modern solutions do significantly more — monitors devices for malicious software, suspicious behaviour, and known attack patterns. On its own it is not sufficient against sophisticated attacks. In combination with MFA and patching, it closes the gap on the large volume of opportunistic, commodity attacks that account for the majority of incidents affecting Irish SMEs.

Modern endpoint protection should be installed on every device that accesses business systems — not just office computers, but laptops used at home, and ideally mobile phones that access business email. It should be centrally managed, so your IT provider can see the status of every device, not rely on individual users to keep it updated.

Verification question: Is endpoint protection installed on every device with access to business systems, centrally managed, and confirmed as running current definitions? Ask your IT provider for a status report.

Why This Matters Right Now

The Cyber Essentials scheme — which Irish businesses can pursue through NSAI or equivalent bodies — maps almost exactly to this baseline. Achieving Cyber Essentials certification demonstrates to clients, insurers, and regulators that you have the fundamental controls in place [^1]. It is increasingly a prerequisite for public sector contracts and is becoming a standard question in enterprise security questionnaires from large clients.

Beyond certification, the pragmatic case is straightforward. The four controls above would have prevented or significantly limited the impact of the majority of successful cyberattacks against Irish SMEs in the past three years. They are not expensive. They are not technically complex. They require consistent implementation and regular verification — which is where most businesses fall short.

What Next

1. Audit all four controls this week. For each one, determine whether it is fully implemented, partially implemented, or absent. Create a simple four-row table with your current status.

2. Fix the most critical gap first. If MFA is absent on email, that is the first fix. If your backup has never been tested, that is the first test. Start with the highest-risk gap, not the easiest one.

3. Build a quarterly verification process. The baseline is not a one-time project. MFA settings change when accounts are added. Patches need to be applied continuously. Backups need regular testing. Build a quarterly check into your business calendar.

Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

• MFA Everywhere: Why Multi-Factor Authentication Is Non-Negotiable in 2026
• Immutable, Offline and Cloud Backups: The Last Line of Defence Against Ransomware
• Using Cyber Security Certifications to Win Business

[^1]: NCSC Ireland — Cyber Essentials [^2]: An Garda Síochána — National Cyber Crime Bureau [^3]: Data Protection Commission Ireland

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.