When a Donegal-based retail business suffered a ransomware attack in late 2024, the owner told us the same thing we hear repeatedly: "I thought we were too small to be a target." The attack encrypted two years of stock and customer data over a weekend when nobody was in the office. The business spent three weeks recovering, lost an estimated €40,000 in downtime and recovery costs, and narrowly avoided a Data Protection Commission notification requirement. The irony is that the controls which would have stopped the attack — or drastically limited its impact — cost less than €200 per month to implement. Cybercriminals target Irish SMEs precisely because many remain under-protected and believe the risk does not apply to them.
It does. And the good news is that the ten steps below are achievable for any Irish business without specialist knowledge or an enterprise-level budget.
What the Essentials Cover
The NCSC Ireland has published clear guidance on the baseline security controls it expects Irish organisations to have in place.[^1] This starter kit maps directly to those recommendations. These are not advanced concepts. They are the equivalent of locking your door and fitting a deadbolt — the fundamentals that prevent the majority of opportunistic attacks.
Where does your business stand against these ten controls today — honestly? Book a free 20-minute strategy call — we run a quick structured review and tell you exactly what to prioritise first.
Step 1: Enable Multi-Factor Authentication everywhere. MFA is the single most effective control available to most Irish SMEs. Enable it on email, cloud storage, accounting software, and any remote access. When an attacker has a stolen password, MFA stops them cold. Many cyber insurance policies now require MFA as a condition of coverage.
Step 2: Use strong, unique passwords and a password manager. Require minimum 14-character passwords across all systems. Deploy a business-grade password manager — 1Password, Bitwarden, or Dashlane — so staff can maintain unique credentials without writing them on sticky notes. The cost is under €5 per user per month and eliminates credential reuse entirely.
Step 3: Keep software updated. Software vulnerabilities are constantly discovered and actively exploited. Establish a routine for applying updates to operating systems, applications, and network devices within 14 days of a critical patch release — the timeframe recommended by NCSC Ireland. Enable automatic updates where possible.
Step 4: Implement a tested backup strategy. Follow the 3-2-1 rule: three copies of your data, on two different media types, with one copy offsite. The word "tested" is non-negotiable. Run a full restoration exercise quarterly and document the outcome. Many ransomware victims discover during an attack that their backups were corrupted or had not run for weeks.
Step 5: Deploy endpoint protection on every device. Every laptop, desktop, and server connected to your network needs modern endpoint protection — not legacy antivirus from 2019. A managed Endpoint Detection and Response (EDR) solution provides real-time monitoring and centralised management. Unmanaged personal devices used for work are a common weak point.
Step 6: Train your team regularly. Phishing is still the number one initial access method in Irish cyber incidents. A once-a-year slideshow is not enough. Run quarterly awareness sessions and occasional simulated phishing tests. An Garda Síochána's National Cyber Crime Bureau (NCCB) consistently reports that employee awareness is a critical factor in whether an attack succeeds.[^2]
Step 7: Control who has access to what. Apply the principle of least privilege: every user should have access only to the systems and data they need to do their job. Review access rights whenever someone changes role or leaves the business. Excessive permissions massively increase the blast radius of a compromised account.
Step 8: Secure your email with authentication records. Publish SPF, DKIM, and DMARC records for your email domain. These technical controls prevent attackers from spoofing your domain to send phishing emails that appear to come from you. Your email or DNS provider can implement these with minimal effort.
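Publishing the records is only half of Step 8; a record that exists but says `p=none` or `+all` still lets spoofed mail through. The following is an added example (not code from the article or from Pragmatic Security) that grades the SPF and DMARC TXT strings you get back from `dig TXT yourdomain.ie` and `dig TXT _dmarc.yourdomain.ie`; the sample records and the domain example.ie are constructed for illustration.

```python
"""Grade SPF and DMARC TXT records for enforcement strength. Added example,
not from the article; records are passed in as strings, no DNS is queried."""

QUALIFIERS = {"+": "pass", "-": "hard fail", "~": "soft fail", "?": "neutral"}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup


def parse_spf(record: str) -> dict:
    """Summarise an SPF record: the 'all' qualifier, lookup count, findings."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "findings": ["not an SPF record"]}
    findings, all_policy, lookups = [], None, 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # default is '+'
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            all_policy = QUALIFIERS[qualifier]
        elif mech.split(":")[0] in LOOKUP_MECHS or mech.startswith("redirect="):
            lookups += 1
    if all_policy in (None, "pass", "neutral"):
        findings.append("'all' does not reject unknown senders")
    if lookups > 10:  # RFC 7208 limit; receivers return permerror above it
        findings.append("over 10 DNS lookups: receivers return permerror")
    return {"valid": True, "all": all_policy, "lookups": lookups, "findings": findings}


def parse_dmarc(record: str) -> dict:
    """Summarise a DMARC record: policy, pct, reporting address, findings."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "findings": ["not a DMARC record"]}
    findings = []
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports")
    if pct < 100:
        findings.append(f"pct={pct}: policy covers only {pct}% of failing mail")
    return {"valid": True, "policy": policy, "pct": pct, "findings": findings}


# Constructed sample records for the hypothetical domain example.ie
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.ie; pct=100"
```

An empty `findings` list for both records is the target state; anything listed is a gap your DNS provider can close in minutes.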
Step 9: Secure your remote access. If staff access your systems remotely, ensure they do so through a VPN or Zero Trust solution, with MFA enforced. Exposed Remote Desktop Protocol (RDP) ports are among the most commonly exploited entry points in ransomware attacks targeting Irish businesses.
Step 10: Write a simple incident response plan. Document what you would do in the first two hours of discovering a cyber attack. Who do you call? What do you shut down? When does the Data Protection Commission need to be notified? Under GDPR, the DPC must be notified within 72 hours of discovering a personal data breach. If you have no plan, that 72 hours will be chaos.[^3]
Why These Ten Steps Specifically
These controls are not arbitrary. They reflect the attack techniques that are actually being used against Irish businesses right now. The majority of ransomware attacks begin with a stolen credential. The majority of data breaches involve phishing. The majority of successful attacks exploit known, unpatched vulnerabilities. Each step in this list directly addresses one or more of those pathways.
Ten controls, implemented consistently, would prevent the majority of cyber attacks currently targeting Irish SMEs.
What to Do Next
Start with the three highest-impact items: enable MFA on all accounts, deploy a password manager, and verify your backup recovery actually works. These three actions alone would prevent or limit most of the incidents we see affecting Irish businesses across Donegal, Sligo, and the wider North West region.
Then work through the rest of the list over the following quarter. Most can be implemented by your existing IT provider with clear direction. If you are not sure where to start or want a structured view of where your gaps are, a short advisory engagement can produce a prioritised plan within days.
Related Reading
- MFA Everywhere: Why Multi-Factor Authentication Is Non-Negotiable in 2026
- Backup Strategy for SMEs: The 3-2-1-1-0 Rule Explained
- Building a Human Firewall: Security Awareness Training That Actually Works
[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission — Breach Notification: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.