When a Sligo accountancy practice asked us whether their business was at serious risk of a cyberattack, the managing partner's honest assumption was that it was not — they were too small, too regional, too unremarkable to attract the attention of organised criminals. Three months later, their systems were encrypted by ransomware that had entered through a VPN product that had not been patched in eleven months. The attackers had not chosen them. They had found them — because an automated scanning tool had identified their unpatched VPN as a known vulnerability and exploited it within minutes of the scan completing.
This is exactly the scenario that Richard Horne, head of the UK's National Cyber Security Centre, described when he issued a direct warning to small and medium-sized businesses: the belief that you are too small to be a target is not just wrong — it is dangerous. The NCSC Ireland echoes this warning consistently in its published guidance and threat advisories. Most attackers are not selective. They are opportunistic.
WHAT: Why Opportunistic Attacks Target Irish SMEs
Understanding the mechanism of opportunistic attacks changes how you think about the risk. A criminal group does not sit in a room and select your business by name. They deploy automated tools that probe millions of internet-connected systems simultaneously, looking for known vulnerabilities — unpatched software, default credentials, open ports that should be closed, remote desktop services exposed to the internet. When the tool finds a match, it exploits it automatically. Your size, your location, and your industry are largely irrelevant to that process.
The attack is not chosen. It is triggered by the presence of a weakness. This is why the "we're too small to be targeted" mindset is so dangerous — it leads businesses to deprioritise the basic controls that would stop the automated scan from finding anything worth exploiting. The NCSC Ireland publishes regular threat advisories that confirm this pattern: ransomware groups and criminal networks scan for specific vulnerabilities that are known, patched, and therefore theoretically avoidable — but only by businesses that apply updates consistently.[^1]
For Irish businesses, the geographical context is equally important. An Garda Síochána's National Cyber Crime Bureau reports that ransomware incidents against Irish businesses have increased consistently across every sector and size over the past three years. A business in Donegal is not less likely to be targeted than a business in Dublin — both face the same automated scanning infrastructure operated by criminal networks that have no interest in geography.[^2]
Does your business have any known, unpatched vulnerabilities exposed to the internet? Book a free 20-minute strategy call — a structured security review will identify the specific gaps that opportunistic attackers rely on.
WHAT NOW: The Five Controls That Stop Opportunistic Attacks
The Cyber Essentials framework — which the NCSC Ireland endorses as a baseline for NIS2 compliance — identifies five core controls that address the most common attack vectors used against SMEs. None of these require a large budget or a dedicated security team. All are achievable for any Irish business.
Secure device configuration. Most devices come with default settings that prioritise ease of use over security. Default passwords, unnecessary services running, open ports serving no business purpose — attackers know these defaults and scan for them specifically. Every device in your business should have its default credentials changed, unnecessary services disabled, and its configuration documented. This is foundational, not optional.
Strong access controls and multi-factor authentication. Passwords alone are insufficient. Multi-factor authentication on all remote access points is the single most effective control available at minimal cost. Strong access controls also mean applying the principle of least privilege — every user should have access only to the systems and data they need for their job, and no more. If an attacker compromises a low-privilege account, least privilege limits the damage they can reach before being detected.
Malware protection and endpoint detection. Traditional antivirus is no longer sufficient against modern threats. Attackers use techniques specifically designed to evade signature-based detection. Endpoint Detection and Response tools provide behavioural detection — identifying suspicious activity patterns rather than relying on known malware signatures. For most Irish SMEs, this means replacing legacy antivirus with a modern EDR solution. The cost difference is modest; the protection difference is significant.
Timely patching. The majority of successful cyberattacks exploit known vulnerabilities that the software vendor has already identified and issued a patch for. A structured patching approach — tracking what software your business runs, monitoring for available patches, and applying them within 14 days of release — removes a significant proportion of the attack surface that opportunistic attackers rely on. The Sligo accountancy practice mentioned above was compromised through an eleven-month-old vulnerability that had a patch available within days of its discovery.
Firewalls and network boundary protection. A properly configured firewall controls what traffic can enter and leave your network. For businesses using cloud services and remote working, the concept of a network perimeter has evolved — but the principle of controlling what can connect to your systems, and from where, remains essential. Close any ports that are not actively required for business operations. Review firewall rules with your IT provider at least annually.
WHY IT MATTERS: The Mindset Shift That Changes Everything
The NCSC Chief's warning is not only about technical controls. It is about the fundamental way business leaders think about cyber risk. Cybersecurity is still treated by many Irish SME owners as an IT problem — something to be delegated to whoever manages the computers, reviewed when something goes wrong, and budgeted as a cost to minimise.
The businesses that survive cyberattacks — and the businesses that avoid them — treat cybersecurity as a core business risk, equivalent to fire safety, insurance, or financial controls. It is a business continuity problem. It is a reputational problem. It is a legal and regulatory problem under GDPR and, increasingly, under NIS2. Ireland's NIS2 obligations are now in force, placing legal requirements on a broad range of businesses to implement specific security controls and report incidents within defined timeframes. The five controls described above align directly with the NIS2 baseline requirements.[^3]
The Data Protection Commission has established a track record of enforcement under GDPR that signals serious intent. A business that suffers a breach attributable to an eleven-month-old unpatched vulnerability will face significant difficulty defending its compliance position before the DPC.
The opportunistic attacker scanning for vulnerabilities does not check your regulatory status before exploiting a weakness.
WHAT NEXT: A Self-Assessment in Three Questions
Before you close this article, answer three questions honestly. Do you have any internet-facing systems — VPN, remote desktop, web applications — running software that has not been updated in the last 30 days? Does every staff member who works remotely have MFA enabled on their email and VPN access? Do you know what devices are currently connected to your business network and what software each of them is running?
If the answer to any of these questions is no or "I'm not sure," you are carrying the kind of exposure that opportunistic attackers rely on. The good news is that all three gaps can be assessed and addressed without significant investment.
1. Ask your IT provider this week to confirm that every internet-facing system is running current software. If they cannot confirm it with evidence, treat it as a gap until they can.
2. Enable MFA on every remote access point — email, VPN, and any cloud applications used for business — if it is not already in place.
3. Request a firewall rule review from your IT provider. Close any ports that are not actively required. Document what is open and why.
Related Reading
- Incident Response Planning: What to Do Before a Cyber Attack Hits
- MFA Rollout Roadmap: Essential 8 to CyFUN Protect
- NIS2 Cost of Non-Compliance: Why Irish SMEs Cannot Ignore It
[^1]: NCSC Ireland — threat advisories and advice for organisations: https://www.ncsc.gov.ie/advice-for-organisations/ [^2]: An Garda Síochána — National Cyber Crime Bureau: https://www.garda.ie/en/crime/cyber-crime/ [^3]: Data Protection Commission Ireland — security obligations and enforcement: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.