Question 1

Is my small business really a target for cybercriminals?

Accepted Answer

Yes — and more so than you might think. Cybercriminals do not primarily target large organisations. They target the easiest victims, and small businesses are consistently easier to breach than enterprises. They have fewer defences, less monitoring, and staff who have received little or no security training. An Irish SME with 10 employees is just as likely to receive a phishing email as a company with 1,000. The Garda National Cyber Crime Bureau reports that fraud and cybercrime are among the fastest-growing categories of crime in Ireland. Our article on why Donegal businesses are a more attractive target than you think explains the mechanics in detail.

Question 2

What are the five most important things I can do right now to improve my cybersecurity?

Accepted Answer

The five highest-impact actions for any Irish SME are: (1) Enable multi-factor authentication (MFA) on email, remote access, and admin accounts — this single control blocks over 99% of automated credential attacks. (2) Enable automatic updates on all operating systems and applications — unpatched software is the most common entry point for attackers. (3) Restrict admin rights to only those who genuinely need them — most employees do not need administrator access on their devices. (4) Set up tested, offline or immutable backups — a backup that has never been tested is not a backup. (5) Deploy a reputable endpoint security tool on all devices. Our five-things-to-do-this-week guide walks through each step practically.

Question 3

How do I know how secure my business actually is right now?

Accepted Answer

The most practical starting point is a self-assessment against a recognised framework. CyFUN — Ireland's national cybersecurity baseline — includes a selection tool that assigns your business a maturity level based on size, sector, and risk. Our free 20-minute call with a senior security professional gives you an honest picture of where you stand against the overlapping core controls that every framework agrees on. We will identify your three biggest gaps and give you a prioritised action plan at no cost.

Question 4

What is a cybersecurity risk assessment and does my business need one?

Accepted Answer

A risk assessment is a structured process for identifying what digital assets your business holds, what threats those assets face, how likely those threats are, and what the impact would be if they materialised. Every business that holds customer data, processes payments, or relies on digital systems needs one — and NIS2 makes it a legal requirement for businesses in scope. A risk assessment does not need to be a lengthy exercise. For most Irish SMEs, a focused half-day session with a security professional produces a practical risk register that drives the next 12 months of security investment.

Question 5

What is the difference between cybersecurity and IT support?

Accepted Answer

IT support keeps your systems running. Cybersecurity keeps your systems safe. The two overlap but are not the same. Your IT provider might manage your laptops, email, and internet connection — but that does not mean they are actively monitoring for threats, managing your security posture, or ensuring your controls meet regulatory standards. Many Irish SMEs discover this distinction the hard way when an incident occurs and their IT provider has no incident response plan. The cybersecurity conversation every Donegal business owner should have with their IT provider is a good starting point for understanding what questions to ask.

Question 6

How much should a small business spend on cybersecurity?

Accepted Answer

Industry benchmarks suggest SMEs should allocate 5–15% of their IT budget to cybersecurity. For a business spending €20,000 per year on IT, that is €1,000–€3,000 on security. However, the most important controls — MFA, automatic patching, admin restriction, and tested backups — cost little or nothing to implement if you already have the right software licences. The real investment is time and expertise. A vCISO engagement from €1,500 per month gives you senior security leadership to ensure that investment is directed correctly. Irish SMEs can also access between €5,000 and €67,000+ in government cybersecurity grants — use our free Grants Eligibility Checker to find out what you qualify for. The 10-minute quarterly security review is a free starting point for any business.

Question 7

What is a cybersecurity policy and does my business need one?

Accepted Answer

A cybersecurity policy is a written document that sets out how your business handles digital security — what is acceptable use of company devices, how passwords must be managed, what staff should do if they suspect a phishing email, and who is responsible for security decisions. Every business that holds customer data needs one, and NIS2 makes governance documentation a legal requirement for businesses in scope. The good news is that a policy does not need to be a 50-page document. Our guide on how to write a cybersecurity policy your staff will actually read includes a practical template.

Question 8

What is a security audit and how often should I have one?

Accepted Answer

A security audit is a systematic review of your security controls, policies, and practices against a defined standard. It identifies gaps between where you are and where you need to be. For most Irish SMEs, an annual security audit is the minimum — with a lighter quarterly review in between. The audit should cover your technical controls (MFA, patching, backups, access controls), your governance documentation (policies, risk register, incident response plan), and your staff awareness. Our security audit service includes a written report with a prioritised remediation plan.

Question 9

What is 'shadow IT' and why is it a security risk?

Accepted Answer

Shadow IT refers to software, apps, and services that employees use for work without the knowledge or approval of the IT or security team. Common examples include personal Dropbox accounts used to share work files, WhatsApp groups used to discuss client matters, and free online tools used to convert or process documents. Shadow IT is a significant security risk because data processed through unapproved services may be stored in unknown locations, outside your GDPR controls, and without the security standards your approved tools meet. Our article on shadow IT explains how to identify and manage it.

Question 10

What is the attack surface of my business and how do I reduce it?

Accepted Answer

Your attack surface is the total set of points through which an attacker could try to gain access to your systems — every internet-facing device, every email account, every cloud service, every employee's laptop. The larger your attack surface, the more opportunities an attacker has. You reduce it by removing or securing unnecessary entry points: disabling services you do not use, enforcing MFA on all accounts, removing admin rights from accounts that do not need them, and keeping software patched. Our exposure management approach maps your attack surface and prioritises the most critical reductions.

Question 11

What is zero trust and does my business need it?

Accepted Answer

Zero trust is a security model built on the principle of 'never trust, always verify' — meaning no user, device, or network connection is trusted by default, even inside your own office network. Every access request is verified before it is granted. For most Irish SMEs, full zero trust architecture is aspirational rather than immediately achievable. However, the core principles — MFA everywhere, least privilege access, device health checks before granting access — are practical and achievable. Zero Trust Network Access (ZTNA) tools are increasingly affordable for SMEs and are a significant improvement over traditional VPNs.

Question 12

What is the difference between a vulnerability and a threat?

Accepted Answer

A vulnerability is a weakness in your systems, software, or processes that could be exploited — for example, unpatched software, a weak password, or an employee who has not received phishing awareness training. A threat is the potential for harm — the attacker, the ransomware gang, or the phishing campaign that might exploit that vulnerability. Risk is the combination of the two: a vulnerability that faces a credible threat creates risk. Understanding this distinction helps you prioritise: you cannot eliminate all threats, but you can reduce your vulnerabilities to make exploitation harder.

Question 13

What is NIS2 and does it apply to my Irish business?

Accepted Answer

NIS2 is the EU's updated Network and Information Security Directive, which significantly expands the scope of mandatory cybersecurity obligations across Europe. In Ireland, it is being transposed into national law by the NCSC. It applies to organisations in 18 critical sectors — including healthcare, transport, food production, manufacturing, digital services, financial services, and professional services — above certain size thresholds. Critically, it also applies to businesses in the supply chain of larger NIS2-regulated organisations, regardless of size. Use our free NIS2 Scope Check tool to find out in under two minutes whether your business is in scope.

Question 14

What are the penalties for NIS2 non-compliance in Ireland?

Accepted Answer

Penalties under NIS2 are significant. For essential entities, fines can reach €10 million or 2% of global annual turnover — whichever is higher. For important entities, the maximum is €7 million or 1.4% of global annual turnover. Critically, NIS2 also introduces personal liability for directors and senior management: they can be held personally responsible for cybersecurity failures, including temporary bans from management roles. The NCSC Ireland is the competent authority for enforcement. Our article on NIS2 fines and penalties explains the enforcement framework in detail.

Question 15

What security measures does NIS2 require?

Accepted Answer

NIS2 Article 21 requires organisations to implement risk-based security measures across ten areas: risk analysis and information system security policies; incident handling; business continuity and crisis management; supply chain security; security in network and information systems acquisition, development, and maintenance; policies and procedures to assess the effectiveness of cybersecurity risk management measures; basic cyber hygiene practices and cybersecurity training; cryptography and encryption policies; human resources security, access control policies, and asset management; and the use of MFA or continuous authentication solutions. The NCSC Ireland recommends CyFUN as the practical path to meeting these requirements.

Question 16

What are the NIS2 incident reporting requirements?

Accepted Answer

NIS2 introduces a three-stage incident reporting obligation. Within 24 hours of becoming aware of a significant incident, you must submit an early warning to the NCSC. Within 72 hours, you must submit an incident notification with an initial assessment of the incident's severity and impact. Within one month, you must submit a final report with a detailed description, the type of threat, root cause, mitigation measures taken, and cross-border impact. 'Significant' incidents are those that cause or could cause severe operational disruption or financial loss. Our NIS2 incident reporting article explains the thresholds and process.

Question 17

What is the difference between NIS2 essential entities and important entities?

Accepted Answer

NIS2 divides in-scope organisations into two tiers. Essential entities are in the highest-risk sectors — energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. They face stricter supervision and higher maximum fines. Important entities cover additional sectors including postal services, waste management, manufacturing, food production, digital providers, and research. The distinction affects the level of supervisory scrutiny and the maximum fine level, but the security measures required under Article 21 are the same for both.

Question 18

What is DORA and does it apply to my business?

Accepted Answer

DORA — the Digital Operational Resilience Act — is an EU regulation that applies specifically to financial services entities: banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and their critical ICT third-party service providers. It came into force in January 2025. If your business provides ICT services to financial entities, you may be in scope as a third-party provider. DORA requires ICT risk management frameworks, incident reporting, digital operational resilience testing, and third-party risk management. Our NIS2 vs DORA article explains which regulation applies to your firm.

Question 19

What is the EU AI Act and how does it affect Irish businesses?

Accepted Answer

The EU AI Act is the world's first comprehensive legal framework for artificial intelligence, which came into force in August 2024. It classifies AI systems by risk level — unacceptable, high, limited, and minimal — and imposes obligations proportionate to that risk. For most Irish SMEs, the immediate impact is limited: using standard AI tools like Microsoft Copilot or ChatGPT for productivity falls into the minimal risk category. However, businesses developing or deploying AI systems in high-risk areas — HR, credit scoring, healthcare, law enforcement — face significant compliance obligations. Our AI Act article explains the framework.

Question 20

What is supply chain security and why does NIS2 require it?

Accepted Answer

Supply chain security refers to managing the cybersecurity risks that arise from your suppliers, vendors, and technology partners. NIS2 explicitly requires in-scope organisations to assess and manage the security of their supply chains, because attackers increasingly target smaller, less-defended suppliers to gain access to their larger clients. This means you need to know what data your suppliers can access, what security standards they maintain, and what would happen if they were breached. Our supply chain security under NIS2 article explains the practical requirements.

Question 21

What is the NIS2 Scope Check tool on your website?

Accepted Answer

The NIS2 Scope Check is a free, interactive tool on our website that helps Irish business owners determine whether their organisation is likely in scope for NIS2 obligations. It asks a series of questions about your sector, size, and activities, and provides an instant assessment with an explanation of why you may or may not be in scope. It takes under two minutes to complete. It is not a substitute for legal advice, but it gives you a clear starting point for understanding your obligations.

Question 22

What is the Cyber Resilience Act and how does it affect Irish businesses?

Accepted Answer

The EU Cyber Resilience Act (CRA) is a regulation that introduces mandatory cybersecurity requirements for products with digital elements — hardware and software sold in the EU market. It came into force in December 2024 with a phased implementation period. If your business manufactures, imports, or distributes connected products — from smart devices to software applications — the CRA will require you to implement security by design, provide security updates throughout the product lifecycle, and report actively exploited vulnerabilities. For businesses that only use rather than sell digital products, the immediate impact is limited.

Question 23

What is the NCSC Ireland and what resources do they provide for SMEs?

Accepted Answer

The National Cyber Security Centre (NCSC) Ireland is the government agency responsible for cybersecurity in Ireland. It operates under the Department of the Environment, Climate and Communications. For SMEs, the NCSC provides free guidance on common cyber threats, the CyFUN framework for structured security improvement, the NIS2 guidance documents, and a reporting mechanism for cyber incidents. Their SME guidance publication is a practical, free resource. The NCSC also operates the national cyber incident response service. We reference NCSC guidance throughout our content.

Question 24

What is director liability under NIS2 and GDPR?

Accepted Answer

Both NIS2 and GDPR introduce personal liability for directors and senior management. Under NIS2, management bodies of essential and important entities are required to approve cybersecurity risk management measures, oversee their implementation, and undergo regular cybersecurity training. Directors can be held personally liable for infringements and can face temporary bans from management roles. Under GDPR, the Data Protection Commission can hold senior management accountable for systemic failures in data protection governance. Our director liability briefing explains the specific obligations and how to document compliance.

Question 25

What is CyFUN and why has Ireland adopted it?

Accepted Answer

CyFUN — the Cyber Fundamentals Framework — is a structured cybersecurity framework originally developed in Belgium. Ireland's NCSC adopted it as a co-owner in 2025 and recommends it as the primary path for Irish organisations to meet NIS2 obligations. CyFUN is built on the NIST Cybersecurity Framework 2.0 and organises security into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. It provides a tiered, risk-based approach with three maturity levels — Basic, Important, and Essential — allowing organisations to demonstrate proportionate, progressive improvement. Our CyFUN hub has everything you need to get started.

Question 26

What are the six CyFUN functions and what does each one mean for my business?

Accepted Answer

The six CyFUN functions map directly to the NIST CSF 2.0. Govern means establishing cybersecurity policies, assigning responsibility, and ensuring management understands cyber risks. Identify means maintaining an inventory of your IT assets, understanding your data flows, and conducting risk assessments. Protect means implementing controls to prevent incidents — MFA, patching, access control, staff training. Detect means monitoring for unusual activity and ensuring you have visibility into potential threats. Respond means having a tested incident response plan so you can act quickly when something goes wrong. Recover means ensuring you can restore operations quickly through tested backups and a business continuity plan.

Question 27

What is the difference between CyFUN and Cyber Essentials?

Accepted Answer

CyFUN is a comprehensive governance and risk management framework that covers all six security functions — from governance and risk assessment through to detection, response, and recovery. It is guidance-based and does not, by itself, produce a formal certification. Cyber Essentials is a UK government certification scheme focused specifically on five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. It produces a formal, independently verified certificate. For Irish SMEs, CyFUN provides the governance structure and NIS2 alignment, while Cyber Essentials provides the technical baseline certification that enterprise clients and insurers recognise.

Question 28

What is the Essential 8 and is it relevant to Irish businesses?

Accepted Answer

The Essential 8 is a set of eight mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to protect organisations against the most common cyber attack techniques. The eight strategies are: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. It uses maturity levels 0–3 for progressive improvement. While developed in Australia, its controls are universally applicable and increasingly referenced by Irish and European security professionals. It is particularly strong for ransomware resilience.

Question 29

What is ISO 27001 and does my business need it?

Accepted Answer

ISO 27001 is the international standard for information security management systems (ISMS). It provides a comprehensive framework for managing information security risks across an organisation. Achieving ISO 27001 certification requires an independent audit by an accredited certification body. For most Irish SMEs, ISO 27001 is more comprehensive — and more expensive — than necessary as a starting point. CyFUN and Cyber Essentials are more proportionate first steps. ISO 27001 becomes relevant when you are supplying large enterprises or regulated sectors that require it, or when you have grown to the point where a formal ISMS is warranted.

Question 30

What is the NIST Cybersecurity Framework and how does it relate to CyFUN?

Accepted Answer

The NIST Cybersecurity Framework (CSF) is a voluntary framework developed by the US National Institute of Standards and Technology. It is one of the most widely adopted cybersecurity frameworks globally. CyFUN is built directly on NIST CSF 2.0, adopting its six functions (Govern, Identify, Protect, Detect, Respond, Recover) and its risk-based approach. This means that implementing CyFUN simultaneously aligns your business with NIST CSF — which is increasingly referenced in Irish and European procurement and regulatory contexts.

Question 31

What is the CyFUN Govern function and how do I implement it in a week?

Accepted Answer

The Govern function is the foundation of CyFUN — it covers establishing cybersecurity policies, assigning responsibility, setting risk appetite, and ensuring management oversight of security. Without governance, all other controls are ad hoc and unaccountable. Our 7-day Govern quick start guide for Irish directors walks through exactly what to do each day: Day 1 is assigning a security owner; Day 2 is documenting your critical assets; Day 3 is setting your risk appetite; Day 4 is writing a one-page security policy; Day 5 is reviewing your supplier access; Day 6 is scheduling a quarterly review; Day 7 is briefing your management team.

Question 32

What is Cyber Essentials Plus and when do I need it?

Accepted Answer

Cyber Essentials Plus includes all five controls of Cyber Essentials but adds independent technical testing by an accredited assessor. The assessor scans your systems, tests your configuration, and validates that your controls are genuinely working — not just documented. You need Cyber Essentials Plus when contracts require it, when you handle sensitive personal data (medical, financial, legal), when you supply regulated sector clients, or when you need stronger trust signals for enterprise procurement. It does not add new controls — it validates the ones you already have.

Question 33

What is the CyFUN Essential 8 hybrid baseline and why does it matter for NIS2?

Accepted Answer

The CyFUN Essential 8 hybrid baseline is an approach that combines CyFUN's governance and risk management structure with the Essential 8's specific technical controls — particularly its explicit requirements for MFA, application control, and immutable backups. This hybrid provides both the NIS2 governance alignment that Irish regulators expect and the technical rigour that makes ransomware resilience demonstrable. Our article on the CyFUN Essential 8 hybrid baseline explains how to implement this combined approach.

Question 34

How long does it take to achieve CyFUN Basic maturity level?

Accepted Answer

For a typical Irish SME with 10–50 employees, achieving CyFUN Basic maturity — which covers the foundational controls across all six functions — takes approximately 8–12 weeks when approached systematically. The biggest time investment is in governance documentation (policies, risk register, asset inventory) rather than technical implementation. The technical controls — MFA, patching, backups, endpoint protection — can typically be implemented in 2–4 weeks. Our 12-month cyber governance roadmap provides a week-by-week plan for progressing from zero to NIS2-ready.

Question 35

What is phishing and how do modern attacks work?

Accepted Answer

Phishing is the use of fraudulent communications — typically emails, but increasingly SMS (smishing) and voice calls (vishing) — to trick recipients into revealing credentials, transferring money, or installing malware. Modern phishing attacks are AI-generated, highly personalised, and nearly indistinguishable from legitimate communications. Attackers research their targets on LinkedIn, company websites, and social media to craft convincing pretexts. AI-powered phishing tools can generate thousands of personalised emails per hour. Our article on why your employees can no longer spot the fakes explains the new threat landscape and what defences actually work.

Question 36

What is ransomware and how does it work?

Accepted Answer

Ransomware is malicious software that encrypts your files and demands payment — usually in cryptocurrency — for the decryption key. Modern ransomware attacks typically begin weeks before the encryption event: attackers gain access through a phishing email or unpatched vulnerability, spend time moving through your network, exfiltrating data, and identifying your backup systems — often deleting or encrypting them before triggering the encryption. This is why tested, immutable, offline backups are essential: attackers specifically target backup systems. The HSE ransomware attack in 2021 is Ireland's most prominent example of the damage these attacks cause.

Question 37

What is Business Email Compromise (BEC) and how do I protect against it?

Accepted Answer

Business Email Compromise (BEC) is a sophisticated fraud where attackers impersonate a trusted party — a CEO, supplier, or client — to trick employees into transferring money or sensitive data. BEC attacks cost Irish businesses millions of euros annually. A Donegal accountancy firm lost €18,000 to a BEC attack where the attacker had been inside their email system for three weeks, reading correspondence and timing the attack to coincide with a legitimate payment. The most effective defences are MFA on all email accounts (which prevents account takeover), DMARC email authentication (which prevents domain spoofing), and a strict callback verification procedure for any payment instruction received by email.

Question 38

What is social engineering and how do I protect my staff from it?

Accepted Answer

Social engineering is the use of psychological manipulation to trick people into performing actions or revealing information that compromises security. Phishing is the most common form, but social engineering also includes pretexting (creating a fabricated scenario to extract information), baiting (leaving infected USB drives in car parks), and tailgating (following someone through a secure door). The defence is a combination of staff awareness training, clear procedures (especially for financial transactions and credential requests), and a culture where staff feel comfortable questioning unusual requests without fear of embarrassment.

Question 39

What is a DDoS attack and can it affect my small business?

Accepted Answer

A Distributed Denial of Service (DDoS) attack floods your website or online services with traffic from thousands of compromised devices, making them unavailable to legitimate users. While large-scale DDoS attacks typically target enterprises and critical infrastructure, small businesses with e-commerce sites or online booking systems are also targeted — particularly by extortion groups who threaten to take your site down unless you pay. Basic DDoS protection is included in most reputable web hosting and CDN services. If your business depends heavily on online availability, a dedicated DDoS mitigation service is worth considering.

Question 40

What is a deepfake and how are cybercriminals using them against businesses?

Accepted Answer

Deepfakes are AI-generated audio or video content that convincingly impersonates real people. Cybercriminals are using deepfake audio to impersonate CEOs in phone calls instructing finance staff to make urgent transfers. In 2024, a Hong Kong finance employee transferred HK$200 million after a deepfake video call that appeared to show his company's CFO. In Ireland, deepfake audio is increasingly used in BEC attacks. The defence is strict out-of-band verification for any unusual financial instruction — call back on a known number, not the one provided in the request.

Question 41

What is AI-generated malware and how does it change the threat landscape?

Accepted Answer

AI-generated malware refers to malicious software created or enhanced using AI tools, which can now produce novel malware variants faster than traditional signature-based antivirus can detect them. AI also enables attackers to automate vulnerability discovery, personalise phishing at scale, and adapt attack techniques in real time. This means the threat landscape is evolving faster than ever. The defence is not just better antivirus — it is Endpoint Detection and Response (EDR) tools that detect behavioural anomalies rather than known signatures, combined with the core hygiene controls that reduce the attack surface.

Question 42

What is a software supply chain attack and how do I protect against it?

Accepted Answer

A software supply chain attack occurs when an attacker compromises a software vendor or open-source component and uses that access to distribute malware to all of the vendor's customers. The SolarWinds attack in 2020 is the most famous example — attackers inserted malware into a software update that was then distributed to 18,000 organisations. For Irish SMEs, the practical defence is keeping software updated (so you receive security patches quickly), using reputable vendors with documented security practices, and monitoring for unusual network behaviour that might indicate a compromised tool.

Question 43

What is quishing and how does it work?

Accepted Answer

Quishing is QR code phishing — the use of malicious QR codes to direct victims to fraudulent websites that steal credentials or install malware. QR codes are particularly dangerous because most email security tools do not scan the URLs embedded in QR codes, and users are conditioned to scan them without thinking. Attackers place malicious QR codes in emails, printed materials, and even on physical devices like parking meters and restaurant menus. The NCSC Ireland has published specific guidance on QR code phishing scams. Staff awareness training should explicitly cover quishing.

Question 44

What is an insider threat and how do I manage it?

Accepted Answer

An insider threat is a security risk that originates from within your organisation — a current or former employee, contractor, or partner who misuses their access, either maliciously or accidentally. Most insider incidents are accidental: an employee who sends a file to the wrong person, uses a personal email account for work, or loses a laptop. Malicious insiders are less common but more damaging. The defences are the same for both: least privilege access (people can only access what they need), audit logging (so you can see what was accessed and when), and offboarding procedures that immediately revoke access when someone leaves.

Question 45

What is whaling and how does it differ from regular phishing?

Accepted Answer

Whaling is a highly targeted form of phishing that specifically targets senior executives — the 'big fish'. Where standard phishing sends generic emails to thousands of recipients, whaling involves extensive research into the target's role, relationships, and communications style to craft a highly convincing, personalised attack. Common whaling pretexts include urgent requests from the CEO to finance staff, fake legal notices, and impersonation of the target's own senior colleagues. The defence is the same as for all phishing — MFA, DMARC, and clear procedures for financial transactions — but with particular emphasis on executive awareness.

Question 46

What is dark web monitoring and does my business need it?

Accepted Answer

Dark web monitoring services scan dark web forums, marketplaces, and data dumps for your business's email addresses, passwords, and other credentials that have been stolen and are being sold or shared by cybercriminals. This gives you early warning that credentials have been compromised — often before attackers have used them. For Irish SMEs, dark web monitoring is a useful early warning system, particularly for businesses where a credential breach could lead to significant financial or reputational damage. Many cyber insurance policies now include dark web monitoring as a standard benefit.

Question 47

What is an Advanced Persistent Threat (APT) and should Irish SMEs be concerned?

Accepted Answer

An Advanced Persistent Threat (APT) is a sophisticated, long-term attack campaign typically conducted by nation-state actors or highly organised criminal groups. APT actors spend months inside a target's network, moving quietly, exfiltrating data, and waiting for the right moment to act. While APTs are primarily associated with large enterprises, critical infrastructure, and government targets, Irish SMEs in supply chains of critical organisations can be targeted as a stepping stone. The core hygiene controls — MFA, patching, least privilege, monitoring — significantly reduce the risk of APT compromise.

Question 48

What is the current cyber threat landscape for Irish SMEs in 2026?

Accepted Answer

The Q1 2026 Irish SME cyber risk index identifies five primary threats: AI-powered phishing that is increasingly indistinguishable from legitimate communications; Business Email Compromise fraud targeting payment processes; NIS2 enforcement activity as the NCSC begins supervision; ransomware attacks with double extortion (encrypt and threaten to publish); and DORA assessment pressure for financial services supply chains. The AI threat landscape article provides a detailed analysis of what has changed since 2025 and what has not — including the controls that remain effective regardless of how the threat evolves.

Question 49

What is a zero-day vulnerability and how do I protect against it?

Accepted Answer

A zero-day vulnerability is a security flaw in software that is unknown to the vendor and for which no patch exists. Attackers who discover zero-days can exploit them before any defence is available. Zero-days are rare and typically used by sophisticated attackers against high-value targets. For most Irish SMEs, the practical response is not to worry specifically about zero-days — it is to ensure that known vulnerabilities are patched quickly (so attackers cannot use the much larger pool of known exploits) and that your defences are layered so that no single vulnerability can lead to a catastrophic breach.

Question 50

What is the cyber kill chain and why does it matter for defence?

Accepted Answer

The cyber kill chain is a model that describes the stages of a cyber attack: reconnaissance (researching the target), weaponisation (creating the attack tool), delivery (sending the phishing email or exploiting the vulnerability), exploitation, installation (installing malware), command and control (establishing communication with the attacker's server), and actions on objectives (exfiltrating data, deploying ransomware). Understanding the kill chain helps defenders identify where they can interrupt an attack. Most SME defences focus on delivery and exploitation — but monitoring and detection at the command and control stage can catch attacks that have already bypassed initial defences.

Straight Answers to Your Cybersecurity Questions

Getting Started

NIS2 & Regulation

CyFUN & Frameworks

Threats & Attacks

Protecting Your Business

Cyber Insurance

Incident Response

vCISO & Security Leadership

GDPR & Data Protection

Working With Pragmatic Security

Still have questions? Let's talk.

Cookie Preferences