When a Donegal hospitality business was hit by ransomware on a Friday evening in 2024, the owner spent the weekend believing it was a technical problem that would be fixed by Monday. By Tuesday, with every computer still locked, €8,000 already spent on emergency IT support, and a forensic investigation revealing that customer card data may have been exfiltrated, the scale of the situation became clear. The DPC 72-hour notification deadline had already passed. The cyber insurance policy had a clause requiring notification within 24 hours of discovering the incident. The business eventually recovered, but it took four months, cost over €35,000 in total, and lost two long-standing corporate contracts. The owner said afterwards: "I thought if we didn't have a serious breach, we didn't have a serious risk. I was wrong about both."
One in five Irish SMEs that suffer a serious breach do not reopen within six months. That is not a statistic designed to frighten — it is a pattern that An Garda Síochána's National Cyber Crime Bureau and the NCSC Ireland document consistently in the aftermath of incidents affecting Irish businesses.[^1]
The First 24 Hours: Chaos Without a Plan
The first hours after discovering a cyber attack are universally described by business owners as among the most stressful of their professional lives. Systems are inaccessible. Staff cannot work. Customers are calling and receiving no answers. There is no script, no clear next step, and often no single person with authority to make the decisions that need to be made immediately.
The decisions required in the first 24 hours include whether to shut down affected systems to contain the attack (which may destroy evidence needed for investigation), whether to notify customers before the full extent of the breach is known (which risks incomplete information), whether to engage external forensic expertise (which costs money that may not be budgeted), and whether the situation constitutes a personal data breach requiring DPC notification. Getting any of these wrong has downstream consequences that compound the original damage.
The First Week: Costs, Deadlines, and Legal Obligations
The financial reality of the first week after a serious attack on an Irish SME is typically far larger than owners anticipate. Emergency IT support and system recovery costs are immediate. Forensic investigation to understand what was accessed and exfiltrated typically costs €5,000 to €15,000 for a small business. If backups are not current or are themselves encrypted (a common ransomware technique targeting backup systems), data recovery costs rise significantly. If the business is offline, the direct revenue loss accumulates daily.
The legal clock starts simultaneously. Under GDPR, a personal data breach that poses a risk to individuals' rights must be reported to the Data Protection Commission within 72 hours of discovery.[^3] Many Irish SMEs discover this obligation during an incident rather than before it. Missing the deadline is itself a breach, and the DPC's post-incident investigation will assess whether appropriate security measures were in place at the time, including whether there was a documented incident response procedure.
Cyber insurance, if held, needs to be notified immediately under virtually all Irish policy terms. The notification requirement is typically 24 to 48 hours from discovery. A business that waits three days to contact their insurer while managing the technical crisis has potentially compromised their claim.
The First Month: Reputation, Customers, and Staff
In tight-knit business communities across Donegal, Sligo, and rural Ireland generally, news of a cyber attack spreads quickly. Customers who were told their data may have been compromised do not always return when the business reopens. Enterprise clients with supplier security requirements may suspend the relationship pending their own investigation of the incident. The reputational damage from a serious breach can persist for a year or more.
An Garda Síochána's NCCB consistently finds that businesses without documented security practices suffer longer and more expensive recovery periods than those with even basic security programmes in place.[^2] The reason is simple: without a plan, every decision in recovery is made in crisis mode, often incorrectly, often at premium cost.
Staff morale is a separate dimension that is often underestimated. Employees who felt secure now feel exposed. A breach that involved HR or payroll data affects every member of staff personally. Leadership credibility is damaged when it becomes clear that a serious security risk was not being managed. Rebuilding internal trust takes months.
The businesses that recover fastest from cyber attacks are not the ones that were never attacked — they are the ones that prepared before the attack happened.
What Preparation Actually Changes
The difference between businesses that recover in weeks and those that close within months is not luck or scale — it is whether they had three things in place before the attack occurred.
The first is a tested backup that was not accessible to the ransomware. A business with clean, offline backups restored within 24 to 48 hours. A business without them spent weeks recovering data manually or accepted permanent loss.
The second is a written incident response plan. Even a basic one-page document that identifies who to call, what to shut down, when the DPC clock starts, and what to tell customers changes the quality of decisions made in the first chaotic hours.
The third is cyber insurance that accurately reflects their security posture. As we cover in our post on the cyber insurance application, policies that pay out are ones where the declared controls were actually in place.
What to Do Next
Three actions that materially change your exposure before an incident occurs:
Write a one-page incident response plan this week. Include the NCSC Ireland emergency contact (1800 CYBER1), your IT provider's emergency number, your cyber insurance broker's claims line, and a note about the DPC 72-hour notification obligation. Laminate it and keep a physical copy offsite.
Test your backup recovery this month. Run a full restore test and document the outcome. If you cannot restore a critical system from backup within four hours, you have a critical gap that needs to close before an attack exploits it.
Review your insurance policy. Check the notification timeline, confirm the declared controls are accurate, and verify that your IT provider is named as an approved response vendor. Most policies have specific requirements that need to be understood before an incident.
Related Reading
- Building an Incident Response Plan: A Template for Irish SMEs
- Tabletop Exercises: How to Test Your Incident Response Plan
- The Cyber Insurance Application Your Insurer Hopes You Don't Read Carefully
[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.