Prioritising Security and Resilience Projects When Budgets Are Tight.

Most Irish SMEs cannot fund every security improvement at once. Here is how to prioritise effectively — getting the most risk reduction from the available budget.


A Donegal manufacturing company asked for a security assessment in late 2024. The assessment identified 23 specific improvements that would meaningfully reduce their risk. The managing director looked at the list and said they had a budget for three of them this year.

This is the standard situation for Irish SMEs. Security practitioners who produce comprehensive assessment reports without engaging with budget reality are not providing useful advice. The practical question is not "what should we do?" — it is "what should we do first, given what we can afford?"

The answer is not arbitrary. There is a principled approach to security investment prioritisation that consistently produces the most risk reduction per euro spent.


The Prioritisation Framework

Rank investments by the ratio of two factors: the risk reduction they provide, divided by the cost of implementing them. An investment that provides significant risk reduction at low cost ranks higher than one that provides similar risk reduction at high cost. An investment that provides moderate risk reduction at very low cost ranks higher than one providing moderate risk reduction at high cost.

This is not a complex calculation. It is a structured way of avoiding the common mistake of investing in visible, sophisticated, expensive controls while leaving simple, cheap, high-impact controls unaddressed.


The Highest-Return Investments for Irish SMEs

Research into Irish SME incident data consistently identifies the same pattern: the attacks that succeed most often exploit the absence of basic controls, not the inadequacy of sophisticated ones. The highest-return investments address those basic controls.

MFA on all accounts. Cost: zero for accounts already on Microsoft 365 Business or higher. Risk reduction: eliminates the majority of credential-based account takeovers. Return on investment: extremely high.

DMARC at p=reject. Cost: one to two hours of IT provider time. Risk reduction: prevents your domain from being used to impersonate your business. Return on investment: extremely high.

External email banner. Cost: five minutes of configuration time in Microsoft 365. Risk reduction: reduces the effectiveness of impersonation attacks by providing persistent visual context. Return on investment: extremely high.

Tested, isolated backup. Cost: €80–200 per month for a proper immutable cloud backup. Risk reduction: transforms ransomware from a potential business-ending event to a recoverable disruption. Return on investment: extremely high relative to the risk it addresses.

Payment verification procedure. Cost: zero for the procedure itself; one team briefing session. Risk reduction: prevents the majority of successful BEC payment fraud. Return on investment: extremely high.

These five investments together address the most common and most costly attack vectors facing Irish SMEs, and the total combined cost is under €300 per month plus a few hours of one-off implementation time.

If you can only do three things this year, start at the top of this list: in that order, it is the prioritised action list for most Irish SMEs, and the top items provide the most risk reduction per euro of investment. Book a free 20-minute strategy call — budget-constrained prioritisation is something we do with almost every Irish SME we work with.


What to Deprioritise

The counterpart to identifying high-return investments is identifying low-return ones — controls that are often recommended but whose risk reduction, in the Irish SME context, does not justify their cost at this stage of the security journey.

A Security Operations Centre (SOC). Appropriate for large organisations with complex environments and dedicated security teams. For an Irish SME with ten to fifty staff, the cost is disproportionate both to the risk environment and to the benefit it offers over lower-cost alternatives.

Penetration testing (before the basics are in place). Penetration tests identify vulnerabilities in a specific environment at a point in time. If the basic controls — MFA, patching, backups — are not in place, a penetration test will identify those gaps alongside more sophisticated ones. Implementing the basics first is significantly more cost-effective.

DLP platforms (before a data classification exercise). Data loss prevention tools are most valuable when you know what data you are trying to prevent from leaving. Without a data classification exercise, DLP deployment is often expensive and disruptive without proportionate benefit.


Building a Multi-Year Roadmap

A budget-constrained security programme is most effective when planned across a two- to three-year horizon, not just the current year. Year one addresses the highest-return basics. Year two builds on that foundation with controls that provide incremental improvement. Year three moves toward more comprehensive maturity.

This roadmap approach allows the board to make informed investment decisions year by year, demonstrates a consistent upward trajectory to clients and insurers, and ensures that each year's investment builds on rather than replaces the previous year's.


What Next

  1. Confirm the five highest-return controls are in place before investing in anything else: MFA, DMARC, external email banner, tested isolated backup, payment verification procedure.

  2. Rank your remaining identified gaps by impact-to-cost ratio. The item at the top of that ranked list is next year's priority, not the most interesting-sounding one.

  3. Build a three-year roadmap. Year one: basics. Year two: intermediate controls. Year three: maturity investments. Present it to the board as a coherent plan, not an annual budget request.
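As an added example (not Pragmatic Security's own method or tooling), the ranking rule from "The Prioritisation Framework" and the year-by-year allocation from "Building a Multi-Year Roadmap", run over the page's five basics and three deprioritised controls. The risk-reduction scores, the euro costs, the €100/hour rate used to cost IT time and the €8,000 yearly budget are constructed assumptions; only the control names come from the page.

```python
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class Control:
    name: str
    risk_reduction: float  # constructed relative score, 1 (low) to 10 (high)
    one_off_cost: float    # euro, IT time costed at an assumed 100 EUR/hour
    monthly_cost: float    # euro per month, recurring

def return_per_euro(c):
    cost = c.one_off_cost + 12 * c.monthly_cost  # first-year cost
    # Zero-cost items (already-licensed MFA, a procedure) sort first; no ZeroDivisionError
    return math.inf if cost == 0 else c.risk_reduction / cost

def rank(controls):
    # Highest return per euro first; ties between zero-cost items broken by impact.
    return sorted(controls, key=lambda c: (return_per_euro(c), c.risk_reduction), reverse=True)

def build_roadmap(controls, yearly_budget, years=3):
    # Greedy: place each control in the earliest year that absorbs its first-year
    # cost AND whose later years absorb its recurring cost (subscriptions carry over).
    remaining = [float(yearly_budget)] * years
    plan = {y + 1: [] for y in range(years)}
    unfunded = []
    for c in rank(controls):
        recurring = 12 * c.monthly_cost
        for y in range(years):
            if (c.one_off_cost + recurring <= remaining[y]
                    and all(recurring <= remaining[z] for z in range(y + 1, years))):
                remaining[y] -= c.one_off_cost + recurring
                for z in range(y + 1, years):
                    remaining[z] -= recurring
                plan[y + 1].append(c.name)
                break
        else:
            unfunded.append(c.name)
    return plan, unfunded, remaining

CONTROLS = [  # constructed sample input; figures are illustrative only
    Control("MFA on all accounts", 9, 0, 0),
    Control("DMARC at p=reject", 7, 200, 0),
    Control("External email banner", 5, 10, 0),
    Control("Tested isolated backup", 9, 0, 150),
    Control("Payment verification procedure", 8, 0, 0),
    Control("Penetration test", 4, 3000, 0),
    Control("DLP platform", 3, 3000, 250),
    Control("Security Operations Centre", 6, 0, 2500),
]
```

Calling `build_roadmap(CONTROLS, 8000)` puts the five basics and the penetration test in year one, the DLP platform in year two, and leaves the SOC unfunded within the three-year horizon; the leftover per-year budget shows how the backup subscription started in year one keeps consuming later years.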


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.


Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
