When a Letterkenny-based construction company lost €47,000 to a Business Email Compromise scam in 2024, the attack did not make the news. The firm was not named. An Garda Síochána's National Cyber Crime Bureau logged the report, the money was gone, and the business absorbed the loss quietly.[^2] A few weeks later, national media reported on a major multinational data breach affecting millions of accounts across Europe. The coverage was extensive. The Letterkenny story — more financially devastating to the business concerned than any global breach — received no coverage at all.
This gap between what Irish business media covers and what Irish businesses actually experience is not trivial. It creates a dangerous blind spot that allows a myth to persist: that serious cyber threats are a large-company problem. They are not.
What the Headlines Miss
Irish business media does a reasonable job of covering landmark cyber incidents — the HSE attack, major European ransomware campaigns, EU regulatory developments. These stories are important and genuinely relevant to policy and enterprise security. But the editorial focus on dramatic, large-scale incidents leaves the everyday reality of cyber risk to Irish SMEs largely uncovered.
The NCSC Ireland reports that the majority of cyber incidents affecting Irish organisations involve SMEs, and that many of these incidents are not publicly reported due to the reputational concerns of the businesses involved.[^1] A hotel in Sligo that goes offline for three days after ransomware does not want the story in the local paper. A professional services firm in Donegal that loses a client after a phishing attack does not issue a press release. The silence is understandable, but it feeds a narrative that cyber incidents are rare events affecting other, larger organisations.
Do you believe your business is at meaningful risk of a cyber attack this year — or do you tend to think it is more likely to happen to someone else? Book a free 20-minute strategy call — we can give you an honest, unvarnished view of the specific threat landscape for your sector and size.
The Silence Creates a Vicious Cycle
When businesses do not report cyber incidents, two things happen. Other businesses do not hear about them and continue to underestimate their own risk. And the media, without concrete local examples to report, continues to frame cybersecurity as primarily an enterprise or government concern. The cycle reinforces itself.
This has practical consequences. A business owner who has never heard of a local peer being hit by ransomware is less likely to invest in backup testing. A firm whose director has never spoken to someone who lost money to BEC fraud is less likely to implement a payment verification policy. The absence of visible local examples depresses the perceived urgency of action, even when the objective risk is high.
The Data Protection Commission handles hundreds of breach notifications from Irish businesses each year, the vast majority of which are never publicly reported.[^3] The gap between DPC statistics and public awareness of cyber incidents affecting Irish businesses is significant and consequential.
What the Real Threat Landscape Looks Like
The daily reality of cyber risk for Irish SMEs is not nation-state hacking or sophisticated zero-day attacks. It is phishing emails convincingly impersonating suppliers, Business Email Compromise scams targeting accounts teams in busy firms, ransomware deployed through unpatched remote access services, and credential stuffing attacks against businesses that reuse passwords across accounts.
These attacks are not technically sophisticated. They succeed because they are persistent, because they target human behaviour rather than technical vulnerabilities, and because the businesses they affect have often not taken even basic preventative steps — deploying MFA, training staff to verify unusual payment requests, or testing their backup recovery. An Garda Síochána's NCCB consistently finds that the vast majority of successful attacks against Irish SMEs exploit gaps that have been understood and documented for years.
The geographic dimension of this matters. Businesses in Donegal, Sligo, Mayo, and other areas outside the main urban centres often have less access to specialist security advice, smaller IT support arrangements, and fewer peer networks where security discussions happen. The information asymmetry between what threat actors know about available targets and what those targets know about their own risk is larger in rural Ireland than it is in Dublin's business districts.
The cyber threat to Irish SMEs is not a distant, enterprise-scale risk. It is a daily, local reality that rarely makes it into print.
Why Businesses Stay Silent — and Why It Matters
The reputational calculus that prevents Irish SMEs from disclosing incidents is understandable. A building contractor in Donegal that admits losing money to fraud fears losing future bids. A hospitality business that goes offline for a week fears the perception of vulnerability affecting bookings. A professional services firm that suffers a data breach fears losing client trust that took years to build.
This silence is rational at the individual business level and harmful at the sector level. Every undisclosed incident is a missed opportunity for a peer to learn, adjust their practices, and avoid the same outcome. The cybersecurity community in Ireland and internationally relies on incident disclosure — anonymised, aggregated, but real — to understand how attacks actually work and what defences actually stop them.
The NCSC Ireland actively encourages businesses to report incidents, including those that do not result in clear data breaches, to contribute to national threat intelligence. There is no legal obligation to publicly disclose most cyber incidents, but reporting to the NCSC is valuable and has no negative consequences for the reporting business.
What to Do Next
Three actions that address the practical implications of this gap:
Assume the risk applies to you. Regardless of your size, sector, or location, operate on the basis that your business is a plausible target for the most common attack types — phishing, BEC, and ransomware. The controls that protect against these do not require an enterprise budget.
Talk to your peers. The most useful security information for an Irish SME often comes from other businesses in the same sector and geography. If you have experienced an incident — even a small one — consider sharing the experience, even confidentially through your trade association or local business network.
Report to the NCSC Ireland. If your business experiences a cyber incident, reporting it to the NCSC Ireland (1800 CYBER1) contributes to national threat intelligence and does not require public disclosure. It may also give you access to technical assistance during recovery.
Related Reading
- Top 5 Cybersecurity Threats Facing Irish SMEs in 2026
- BEC Fraud in Donegal Firms Every Week
- What Happens to a Small Business After a Cyber Attack
[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/ [^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/ [^3]: Data Protection Commission: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.