Building a Strong Password Policy for Irish SMEs

Learn how to build and enforce a strong password policy for your Irish SME. Covers MFA, password managers, and NCSC Ireland guidance in plain English.

When a Dublin-based accountancy firm discovered in 2025 that an attacker had been inside their email system for eleven days, the investigation traced access back to a single compromised password. The affected account belonged to a senior partner who used the same password across three different services — one of which had suffered a data breach months earlier. The attacker had simply purchased the stolen credentials from a dark web forum and logged straight in. No hacking required. For Irish SMEs, the story is not unusual. Passwords are frequently the weakest link, and fixing them costs almost nothing compared to recovering from a breach.

What the Problem Actually Is

Irish businesses often believe their password practices are adequate. They have a policy somewhere, staff know not to write passwords on sticky notes, and most accounts are protected with something. The problem is that "something" is rarely enough. Attackers today do not guess passwords by hand. Against a stolen database of password hashes they run cracking tools that test millions of candidates per second offline; against live login pages, where rate limiting makes guessing slow, they instead replay lists of previously leaked username and password pairs across common services. That second technique, known as credential stuffing, is highly effective against businesses where staff reuse passwords across personal and professional accounts, because a password leaked from a shopping site will often open the same person's work email.

The NCSC Ireland identifies compromised credentials as a leading cause of cyber incidents affecting Irish organisations, and recommends a layered approach to account security that begins with strong, unique passwords and extends to multi-factor authentication.[^1] GDPR and NIS2 reinforce this at a regulatory level: the Data Protection Commission expects businesses to implement appropriate technical measures to protect personal data, and weak password practices are increasingly cited in DPC investigations following data breaches.[^3]

Does your business have a written, enforced password policy — or is it more of an informal understanding? Book a free 20-minute strategy call — we can tell you within the hour where your credential security stands and what needs to change.

What Good Password Practice Looks Like

A modern password policy for an Irish SME does not need to be complicated. It needs to be practical and enforceable. Here is what it should cover.

Length over complexity. The NCSC Ireland and NIST SP 800-63B both recommend prioritising password length over character-class rules. A passphrase of at least 14 characters, three or four random words strung together, is far harder to crack than a short password that swaps a few letters for digits and symbols. Requiring complexity without adequate length produces passwords like "P@ssw0rd!", which cracking tools try first precisely because the substitution patterns are predictable. NIST also recommends screening every new password against a list of known-compromised passwords and rejecting any that appear; that catches the "long but already leaked" case that a length rule alone misses.

Uniqueness across accounts. Every system your business uses should have a different password. This is the control that stops a breach of one service from cascading into everything else. It sounds obvious, but without a password manager it is genuinely difficult to maintain in practice, which is why most people do not do it.

Multi-Factor Authentication everywhere. Multi-factor authentication (MFA) is the single most effective control available for protecting accounts. When MFA is active, even a stolen password is not enough to gain access: the attacker also needs the second factor, typically a code from an authenticator app or a hardware token. MFA should be mandatory for email, cloud services, remote access, and any system that holds sensitive data. Not all second factors are equal, though. SMS codes can be intercepted through SIM swapping, and push notifications can be approved by a tired user after repeated prompts (so-called MFA fatigue). Phishing-resistant methods such as FIDO2 security keys or passkeys remove both problems and are the right choice for administrator and leadership accounts. Many cyber insurance policies in Ireland now treat MFA as a prerequisite for coverage, not a nice-to-have.

Password managers for your team. You cannot expect staff to remember fourteen-character unique passwords for thirty different systems. Password managers solve this by generating and storing strong credentials securely. Business-grade password managers such as 1Password, Bitwarden, or Dashlane can be deployed across your organisation and give administrators visibility into password hygiene without ever seeing the passwords themselves.

No forced rotation without cause. Mandating that staff change passwords every 90 days has been shown to produce weaker passwords over time — people increment a number, add an exclamation mark, and move on. Current guidance from NCSC Ireland and NIST recommends against arbitrary rotation schedules. Change passwords when there is a reason: a suspected breach, a staff member leaving, or a credential appearing in a known data breach list.
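As an added example (not code from the article, NCSC Ireland or NIST), here is what the policy above looks like when enforced in software rather than on paper: a 14-character floor with no character-class rules, a check against known-compromised passwords using the Have I Been Pwned "Pwned Passwords" range API (the k-anonymity scheme, where only the first five characters of the SHA-1 hash ever leave your network), and a passphrase generator. The breached-password table, its "seen" counts and the word list are constructed stand-ins so the script runs offline; `live_range_lookup` shows the real call.

```python
import hashlib
import secrets
import urllib.request
from typing import Callable

MIN_LENGTH = 14  # length floor from the policy above; no complexity rules on purpose

# Constructed stand-in for breach data: a few passwords with made-up "seen" counts.
# Real data comes from the Pwned Passwords range API (see live_range_lookup).
CONSTRUCTED_LEAKED = {"P@ssw0rd!": 50000, "Welcome1": 83000, "Summer2024!": 1200}

# Constructed mini word list; a real deployment would use a proper diceware list.
CONSTRUCTED_WORDS = ["harbour", "kettle", "granite", "salmon", "lantern",
                     "meadow", "copper", "violet", "timber", "orchard"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords API works in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
    Mirrors the real response format: one 'HASH-SUFFIX:COUNT' line per match."""
    lines = []
    for pw, count in CONSTRUCTED_LEAKED.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def live_range_lookup(prefix: str) -> str:
    """Real k-anonymity call; only the 5-character hash prefix is sent. Needs network."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true"})  # padding hides the true match count from observers
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = fake_range_lookup) -> int:
    """How many times the password appears in breach data (0 if never seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)  # padded filler lines carry a count of 0, i.e. "not seen"
    return 0


def check_password(password: str,
                   range_lookup: Callable[[str], str] = fake_range_lookup) -> list[str]:
    """Return the policy violations for a candidate password; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    seen = pwned_count(password, range_lookup)
    if seen:
        problems.append(f"appears {seen} times in known breach data")
    return problems


def generate_passphrase(words: list[str] = CONSTRUCTED_WORDS, count: int = 4,
                        separator: str = "-") -> str:
    """Random words joined with a separator; uses secrets, not random, for credentials."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "Welcome1", "granite-harbour-kettle-salmon"]:
        print(candidate, "->", check_password(candidate) or "accepted")
    print("suggested:", generate_passphrase())
```

The hash prefix is all the API ever receives, so the check can be run at password-set time without disclosing the password or its full hash; swap `fake_range_lookup` for `live_range_lookup` to query the real service.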

Why This Matters Right Now

An Garda Síochána's National Cyber Crime Bureau (NCCB) handles hundreds of reports annually from Irish businesses whose accounts have been compromised through stolen credentials.[^2] The consequences range from financial fraud via Business Email Compromise to ransomware deployed after an attacker moves laterally through a network once they have one foothold. For Donegal businesses in particular, where many SMEs operate lean IT setups without dedicated security staff, a compromised account can go undetected for weeks.

The regulatory pressure is also increasing. Under NIS2, which the Irish government is transposing into law, organisations in scope must demonstrate that they have implemented appropriate access control measures. The Data Protection Commission actively investigates data breach notifications and will scrutinise whether basic controls such as MFA and password policies were in place at the time of the incident.

A stolen password alone is not enough to break in if MFA is active. That one control changes the economics of credential-based attacks entirely.

What to Do Next

Here are three concrete steps for any Irish SME that wants to improve password security this week:

  1. Audit your MFA coverage today. Log into your Microsoft 365 or Google Workspace admin panel and pull a report showing which accounts have MFA registered and enforced. If it is not at 100%, especially for admin and leadership accounts, that is your most urgent priority. Your IT provider can enforce MFA at a policy level (security defaults or Conditional Access in Microsoft 365, enforced 2-Step Verification in Google Workspace) so that staff cannot bypass it.

  2. Deploy a business password manager. Pick one of the established business-grade options and roll it out to your team with a short briefing session. The overhead is minimal and the protection is significant. Many providers offer Irish SME pricing under €5 per user per month.

  3. Check whether your credentials have been breached. Use the NCSC Ireland's recommended resources or services such as HaveIBeenPwned to check whether email addresses associated with your business appear in known data breach datasets; HaveIBeenPwned's domain search lets you cover every address on your domain at once after you verify that you control it. If any appear, those passwords should be changed immediately regardless of your rotation policy, and the same password should be assumed compromised everywhere else it was reused.
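As an added example for step 1 (not part of the article), the script below reads the Microsoft Entra authentication-methods registration report and lists the gaps, administrators first, plus users whose only registered factors are the weak ones discussed above. It assumes the Microsoft Graph v1.0 endpoint `GET /reports/authenticationMethods/userRegistrationDetails` with its `userPrincipalName`, `isAdmin`, `isMfaRegistered` and `methodsRegistered` fields, and the method names in `WEAK_METHODS`, as I understand that API; the report rows are constructed so the script runs offline, and `fetch_report` shows the live call given an access token that already carries the report-reading permissions.

```python
import json
import urllib.request

GRAPH_REPORT_URL = ("https://graph.microsoft.com/v1.0/reports/"
                    "authenticationMethods/userRegistrationDetails")

# Factors this audit treats as weak (assumed Graph method names): SMS and voice
# can be SIM-swapped, push prompts can be fatigued.
WEAK_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone", "email",
                "microsoftAuthenticatorPush"}

# Constructed report rows in the shape the endpoint returns (not real users).
CONSTRUCTED_REPORT = {"value": [
    {"userPrincipalName": "partner@example.ie", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "it.admin@example.ie", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["fido2SecurityKey"]},
    {"userPrincipalName": "reception@example.ie", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "accounts@example.ie", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "audit@example.ie", "isAdmin": False,
     "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode"]},
]}


def fetch_report(access_token: str) -> list[dict]:
    """Live call: page through the report by following @odata.nextLink. Needs network."""
    rows, url = [], GRAPH_REPORT_URL
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        rows.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return rows


def audit_mfa(rows: list[dict]) -> dict:
    """Summarise MFA coverage; admins without MFA are the headline finding."""
    no_mfa = [r for r in rows if not r.get("isMfaRegistered")]
    weak_only = [r["userPrincipalName"] for r in rows
                 if r.get("isMfaRegistered") and r.get("methodsRegistered")
                 and set(r["methodsRegistered"]) <= WEAK_METHODS]
    total = len(rows)
    return {
        "total_users": total,
        "coverage_percent": round(100 * (total - len(no_mfa)) / total, 1) if total else 0.0,
        "admins_without_mfa": sorted(r["userPrincipalName"] for r in no_mfa if r.get("isAdmin")),
        "users_without_mfa": sorted(r["userPrincipalName"] for r in no_mfa if not r.get("isAdmin")),
        "weak_factor_only": sorted(weak_only),
    }


if __name__ == "__main__":
    # Offline run over the constructed rows; replace with fetch_report(token) when live.
    print(json.dumps(audit_mfa(CONSTRUCTED_REPORT["value"]), indent=2))
```

The "registered" flag only says a user has enrolled a factor; whether a sign-in actually requires it is a separate question answered by your Conditional Access or security-defaults settings, so treat this report as the coverage baseline, not proof of enforcement.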

Password security is not glamorous, but it remains one of the highest-return investments in cybersecurity available to any Irish business. The cost of prevention is a password manager licence and an afternoon's training. The cost of recovery from a compromised account can run into tens of thousands of euros.

Related Reading

[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.