Straight Answers — Honest Cybersecurity FAQ for Irish SMEs (No Sales Pitch)

Direct, jargon-free answers to the cybersecurity questions Irish business owners actually ask. No scare tactics, no upsells, no sales pitch.

Plain-English answers to the cybersecurity questions Irish business owners are actually asking in 2026 — covering NIS2, CyFUN, ransomware, phishing, cyber insurance, GDPR, and more.

Each answer is direct and jargon-free, with no scare tactics and no sales pitch. Where relevant, an answer links to the full article or glossary term.

Frequently Asked Questions

Is my small business really a target for cybercriminals?

Yes — and more so than you might think. Cybercriminals do not primarily target large organisations. They target the easiest victims, and small businesses are consistently easier to breach than enterprises. They have fewer defences, less monitoring, and staff who have received little or no security training. An Irish SME with 10 employees is just as likely to receive a phishing email as a company with 1,000. The Garda National Cyber Crime Bureau reports that fraud and cybercrime are among the fastest-growing categories of crime in Ireland. Our article on why Donegal businesses are a more attractive target than you think explains the mechanics in detail.

What are the five most important things I can do right now to improve my cybersecurity?

The five highest-impact actions for any Irish SME are: (1) Enable multi-factor authentication (MFA) on email, remote access, and admin accounts — this single control blocks over 99% of automated credential attacks. (2) Enable automatic updates on all operating systems and applications — unpatched software is the most common entry point for attackers. (3) Restrict admin rights to only those who genuinely need them — most employees do not need administrator access on their devices. (4) Set up tested, offline or immutable backups — a backup that has never been tested is not a backup. (5) Deploy a reputable endpoint security tool on all devices. Our five-things-to-do-this-week guide walks through each step practically.

How do I know how secure my business actually is right now?

The most practical starting point is a self-assessment against a recognised framework. CyFUN — Ireland's national cybersecurity baseline — includes a selection tool that assigns your business a maturity level based on size, sector, and risk. Our free 20-minute call with a senior security professional gives you an honest picture of where you stand against the overlapping core controls that every framework agrees on. We will identify your three biggest gaps and give you a prioritised action plan at no cost.

What is a cybersecurity risk assessment and does my business need one?

A risk assessment is a structured process for identifying what digital assets your business holds, what threats those assets face, how likely those threats are, and what the impact would be if they materialised. Every business that holds customer data, processes payments, or relies on digital systems needs one — and NIS2 makes it a legal requirement for businesses in scope. A risk assessment does not need to be a lengthy exercise. For most Irish SMEs, a focused half-day session with a security professional produces a practical risk register that drives the next 12 months of security investment.

What is the difference between cybersecurity and IT support?

IT support keeps your systems running. Cybersecurity keeps your systems safe. The two overlap but are not the same. Your IT provider might manage your laptops, email, and internet connection — but that does not mean they are actively monitoring for threats, managing your security posture, or ensuring your controls meet regulatory standards. Many Irish SMEs discover this distinction the hard way when an incident occurs and their IT provider has no incident response plan. The cybersecurity conversation every Donegal business owner should have with their IT provider is a good starting point for understanding what questions to ask.

How much should a small business spend on cybersecurity?

Industry benchmarks suggest SMEs should allocate 5–15% of their IT budget to cybersecurity. For a business spending €20,000 per year on IT, that is €1,000–€3,000 on security. However, the most important controls — MFA, automatic patching, admin restriction, and tested backups — cost little or nothing to implement if you already have the right software licences. The real investment is time and expertise. A vCISO engagement from €1,500 per month gives you senior security leadership to ensure that investment is directed correctly. Irish SMEs can also access between €5,000 and €67,000+ in government cybersecurity grants — use our free Grants Eligibility Checker to find out what you qualify for. The 10-minute quarterly security review is a free starting point for any business.

What is a cybersecurity policy and does my business need one?

A cybersecurity policy is a written document that sets out how your business handles digital security — what is acceptable use of company devices, how passwords must be managed, what staff should do if they suspect a phishing email, and who is responsible for security decisions. Every business that holds customer data needs one, and NIS2 makes governance documentation a legal requirement for businesses in scope. The good news is that a policy does not need to be a 50-page document. Our guide on how to write a cybersecurity policy your staff will actually read includes a practical template.

What is a security audit and how often should I have one?

A security audit is a systematic review of your security controls, policies, and practices against a defined standard. It identifies gaps between where you are and where you need to be. For most Irish SMEs, an annual security audit is the minimum — with a lighter quarterly review in between. The audit should cover your technical controls (MFA, patching, backups, access controls), your governance documentation (policies, risk register, incident response plan), and your staff awareness. Our security audit service includes a written report with a prioritised remediation plan.

What is 'shadow IT' and why is it a security risk?

Shadow IT refers to software, apps, and services that employees use for work without the knowledge or approval of the IT or security team. Common examples include personal Dropbox accounts used to share work files, WhatsApp groups used to discuss client matters, and free online tools used to convert or process documents. Shadow IT is a significant security risk because data processed through unapproved services may be stored in unknown locations, outside your GDPR controls, and without the security standards your approved tools meet. Our article on shadow IT explains how to identify and manage it.

What is the attack surface of my business and how do I reduce it?

Your attack surface is the total set of points through which an attacker could try to gain access to your systems — every internet-facing device, every email account, every cloud service, every employee's laptop. The larger your attack surface, the more opportunities an attacker has. You reduce it by removing or securing unnecessary entry points: disabling services you do not use, enforcing MFA on all accounts, removing admin rights from accounts that do not need them, and keeping software patched. Our exposure management approach maps your attack surface and prioritises the most critical reductions.

What is zero trust and does my business need it?

Zero trust is a security model built on the principle of 'never trust, always verify' — meaning no user, device, or network connection is trusted by default, even inside your own office network. Every access request is verified before it is granted. For most Irish SMEs, full zero trust architecture is aspirational rather than immediately achievable. However, the core principles — MFA everywhere, least privilege access, device health checks before granting access — are practical and achievable. Zero Trust Network Access (ZTNA) tools are increasingly affordable for SMEs and are a significant improvement over traditional VPNs.

What is the difference between a vulnerability and a threat?

A vulnerability is a weakness in your systems, software, or processes that could be exploited — for example, unpatched software, a weak password, or an employee who has not received phishing awareness training. A threat is the potential for harm — the attacker, the ransomware gang, or the phishing campaign that might exploit that vulnerability. Risk is the combination of the two: a vulnerability that faces a credible threat creates risk. Understanding this distinction helps you prioritise: you cannot eliminate all threats, but you can reduce your vulnerabilities to make exploitation harder.

What is NIS2 and does it apply to my Irish business?

NIS2 is the EU's updated Network and Information Security Directive, which significantly expands the scope of mandatory cybersecurity obligations across Europe. In Ireland, it is being transposed into national law by the NCSC. It applies to organisations in 18 critical sectors — including healthcare, transport, food production, manufacturing, digital services, financial services, and professional services — above certain size thresholds. Critically, it also applies to businesses in the supply chain of larger NIS2-regulated organisations, regardless of size. Use our free NIS2 Scope Check tool to find out in under two minutes whether your business is in scope.

What are the penalties for NIS2 non-compliance in Ireland?

Penalties under NIS2 are significant. For essential entities, fines can reach €10 million or 2% of global annual turnover — whichever is higher. For important entities, the maximum is €7 million or 1.4% of global annual turnover. Critically, NIS2 also introduces personal liability for directors and senior management: they can be held personally responsible for cybersecurity failures, including temporary bans from management roles. The NCSC Ireland is the competent authority for enforcement. Our article on NIS2 fines and penalties explains the enforcement framework in detail.

What security measures does NIS2 require?

NIS2 Article 21 requires organisations to implement risk-based security measures across ten areas: risk analysis and information system security policies; incident handling; business continuity and crisis management; supply chain security; security in network and information systems acquisition, development, and maintenance; policies and procedures to assess the effectiveness of cybersecurity risk management measures; basic cyber hygiene practices and cybersecurity training; cryptography and encryption policies; human resources security, access control policies, and asset management; and the use of MFA or continuous authentication solutions. The NCSC Ireland recommends CyFUN as the practical path to meeting these requirements.

What are the NIS2 incident reporting requirements?

NIS2 introduces a three-stage incident reporting obligation. Within 24 hours of becoming aware of a significant incident, you must submit an early warning to the NCSC. Within 72 hours, you must submit an incident notification with an initial assessment of the incident's severity and impact. Within one month, you must submit a final report with a detailed description, the type of threat, root cause, mitigation measures taken, and cross-border impact. 'Significant' incidents are those that cause or could cause severe operational disruption or financial loss. Our NIS2 incident reporting article explains the thresholds and process.

What is the difference between NIS2 essential entities and important entities?

NIS2 divides in-scope organisations into two tiers. Essential entities are in the highest-risk sectors — energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. They face stricter supervision and higher maximum fines. Important entities cover additional sectors including postal services, waste management, manufacturing, food production, digital providers, and research. The distinction affects the level of supervisory scrutiny and the maximum fine level, but the security measures required under Article 21 are the same for both.

What is DORA and does it apply to my business?

DORA — the Digital Operational Resilience Act — is an EU regulation that applies specifically to financial services entities: banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and their critical ICT third-party service providers. It came into force in January 2025. If your business provides ICT services to financial entities, you may be in scope as a third-party provider. DORA requires ICT risk management frameworks, incident reporting, digital operational resilience testing, and third-party risk management. Our NIS2 vs DORA article explains which regulation applies to your firm.

What is the EU AI Act and how does it affect Irish businesses?

The EU AI Act is the world's first comprehensive legal framework for artificial intelligence, which came into force in August 2024. It classifies AI systems by risk level — unacceptable, high, limited, and minimal — and imposes obligations proportionate to that risk. For most Irish SMEs, the immediate impact is limited: using standard AI tools like Microsoft Copilot or ChatGPT for productivity falls into the minimal risk category. However, businesses developing or deploying AI systems in high-risk areas — HR, credit scoring, healthcare, law enforcement — face significant compliance obligations. Our AI Act article explains the framework.

What is supply chain security and why does NIS2 require it?

Supply chain security refers to managing the cybersecurity risks that arise from your suppliers, vendors, and technology partners. NIS2 explicitly requires in-scope organisations to assess and manage the security of their supply chains, because attackers increasingly target smaller, less-defended suppliers to gain access to their larger clients. This means you need to know what data your suppliers can access, what security standards they maintain, and what would happen if they were breached. Our supply chain security under NIS2 article explains the practical requirements.

What is the NIS2 Scope Check tool on your website?

The NIS2 Scope Check is a free, interactive tool on our website that helps Irish business owners determine whether their organisation is likely in scope for NIS2 obligations. It asks a series of questions about your sector, size, and activities, and provides an instant assessment with an explanation of why you may or may not be in scope. It takes under two minutes to complete. It is not a substitute for legal advice, but it gives you a clear starting point for understanding your obligations.

What is the Cyber Resilience Act and how does it affect Irish businesses?

The EU Cyber Resilience Act (CRA) is a regulation that introduces mandatory cybersecurity requirements for products with digital elements — hardware and software sold in the EU market. It came into force in December 2024 with a phased implementation period. If your business manufactures, imports, or distributes connected products — from smart devices to software applications — the CRA will require you to implement security by design, provide security updates throughout the product lifecycle, and report actively exploited vulnerabilities. For businesses that only use rather than sell digital products, the immediate impact is limited.

What is the NCSC Ireland and what resources do they provide for SMEs?

The National Cyber Security Centre (NCSC) Ireland is the government agency responsible for cybersecurity in Ireland. It operates under the Department of the Environment, Climate and Communications. For SMEs, the NCSC provides free guidance on common cyber threats, the CyFUN framework for structured security improvement, the NIS2 guidance documents, and a reporting mechanism for cyber incidents. Their SME guidance publication is a practical, free resource. The NCSC also operates the national cyber incident response service. We reference NCSC guidance throughout our content.

What is director liability under NIS2 and GDPR?

Both NIS2 and GDPR introduce personal liability for directors and senior management. Under NIS2, management bodies of essential and important entities are required to approve cybersecurity risk management measures, oversee their implementation, and undergo regular cybersecurity training. Directors can be held personally liable for infringements and can face temporary bans from management roles. Under GDPR, the Data Protection Commission can hold senior management accountable for systemic failures in data protection governance. Our director liability briefing explains the specific obligations and how to document compliance.

What is CyFUN and why has Ireland adopted it?

CyFUN — the Cyber Fundamentals Framework — is a structured cybersecurity framework originally developed in Belgium. Ireland's NCSC adopted it as a co-owner in 2025 and recommends it as the primary path for Irish organisations to meet NIS2 obligations. CyFUN is built on the NIST Cybersecurity Framework 2.0 and organises security into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. It provides a tiered, risk-based approach with three maturity levels — Basic, Important, and Essential — allowing organisations to demonstrate proportionate, progressive improvement. Our CyFUN hub has everything you need to get started.

What are the six CyFUN functions and what does each one mean for my business?

The six CyFUN functions map directly to the NIST CSF 2.0. Govern means establishing cybersecurity policies, assigning responsibility, and ensuring management understands cyber risks. Identify means maintaining an inventory of your IT assets, understanding your data flows, and conducting risk assessments. Protect means implementing controls to prevent incidents — MFA, patching, access control, staff training. Detect means monitoring for unusual activity and ensuring you have visibility into potential threats. Respond means having a tested incident response plan so you can act quickly when something goes wrong. Recover means ensuring you can restore operations quickly through tested backups and a business continuity plan.

What is the difference between CyFUN and Cyber Essentials?

CyFUN is a comprehensive governance and risk management framework that covers all six security functions — from governance and risk assessment through to detection, response, and recovery. It is guidance-based and does not, by itself, produce a formal certification. Cyber Essentials is a UK government certification scheme focused specifically on five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. It produces a formal, independently verified certificate. For Irish SMEs, CyFUN provides the governance structure and NIS2 alignment, while Cyber Essentials provides the technical baseline certification that enterprise clients and insurers recognise.

What is the Essential 8 and is it relevant to Irish businesses?

The Essential 8 is a set of eight mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to protect organisations against the most common cyber attack techniques. The eight strategies are: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. It uses maturity levels 0–3 for progressive improvement. While developed in Australia, its controls are universally applicable and increasingly referenced by Irish and European security professionals. It is particularly strong for ransomware resilience.

What is ISO 27001 and does my business need it?

ISO 27001 is the international standard for information security management systems (ISMS). It provides a comprehensive framework for managing information security risks across an organisation. Achieving ISO 27001 certification requires an independent audit by an accredited certification body. For most Irish SMEs, ISO 27001 is more comprehensive — and more expensive — than necessary as a starting point. CyFUN and Cyber Essentials are more proportionate first steps. ISO 27001 becomes relevant when you are supplying large enterprises or regulated sectors that require it, or when you have grown to the point where a formal ISMS is warranted.

What is the NIST Cybersecurity Framework and how does it relate to CyFUN?

The NIST Cybersecurity Framework (CSF) is a voluntary framework developed by the US National Institute of Standards and Technology. It is one of the most widely adopted cybersecurity frameworks globally. CyFUN is built directly on NIST CSF 2.0, adopting its six functions (Govern, Identify, Protect, Detect, Respond, Recover) and its risk-based approach. This means that implementing CyFUN simultaneously aligns your business with NIST CSF — which is increasingly referenced in Irish and European procurement and regulatory contexts.

What is the CyFUN Govern function and how do I implement it in a week?

The Govern function is the foundation of CyFUN — it covers establishing cybersecurity policies, assigning responsibility, setting risk appetite, and ensuring management oversight of security. Without governance, all other controls are ad hoc and unaccountable. Our 7-day Govern quick start guide for Irish directors walks through exactly what to do each day: Day 1 is assigning a security owner; Day 2 is documenting your critical assets; Day 3 is setting your risk appetite; Day 4 is writing a one-page security policy; Day 5 is reviewing your supplier access; Day 6 is scheduling a quarterly review; Day 7 is briefing your management team.

What is Cyber Essentials Plus and when do I need it?

Cyber Essentials Plus includes all five controls of Cyber Essentials but adds independent technical testing by an accredited assessor. The assessor scans your systems, tests your configuration, and validates that your controls are genuinely working — not just documented. You need Cyber Essentials Plus when contracts require it, when you handle sensitive personal data (medical, financial, legal), when you supply regulated sector clients, or when you need stronger trust signals for enterprise procurement. It does not add new controls — it validates the ones you already have.

What is the CyFUN Essential 8 hybrid baseline and why does it matter for NIS2?

The CyFUN Essential 8 hybrid baseline is an approach that combines CyFUN's governance and risk management structure with the Essential 8's specific technical controls — particularly its explicit requirements for MFA, application control, and immutable backups. This hybrid provides both the NIS2 governance alignment that Irish regulators expect and the technical rigour that makes ransomware resilience demonstrable. Our article on the CyFUN Essential 8 hybrid baseline explains how to implement this combined approach.

How long does it take to achieve CyFUN Basic maturity level?

For a typical Irish SME with 10–50 employees, achieving CyFUN Basic maturity — which covers the foundational controls across all six functions — takes approximately 8–12 weeks when approached systematically. The biggest time investment is in governance documentation (policies, risk register, asset inventory) rather than technical implementation. The technical controls — MFA, patching, backups, endpoint protection — can typically be implemented in 2–4 weeks. Our 12-month cyber governance roadmap provides a week-by-week plan for progressing from zero to NIS2-ready.

What is phishing and how do modern attacks work?

Phishing is the use of fraudulent communications — typically emails, but increasingly SMS (smishing) and voice calls (vishing) — to trick recipients into revealing credentials, transferring money, or installing malware. Modern phishing attacks are AI-generated, highly personalised, and nearly indistinguishable from legitimate communications. Attackers research their targets on LinkedIn, company websites, and social media to craft convincing pretexts. AI-powered phishing tools can generate thousands of personalised emails per hour. Our article on why your employees can no longer spot the fakes explains the new threat landscape and what defences actually work.

What is ransomware and how does it work?

Ransomware is malicious software that encrypts your files and demands payment — usually in cryptocurrency — for the decryption key. Modern ransomware attacks typically begin weeks before the encryption event: attackers gain access through a phishing email or unpatched vulnerability, spend time moving through your network, exfiltrating data, and identifying your backup systems — often deleting or encrypting them before triggering the encryption. This is why tested, immutable, offline backups are essential: attackers specifically target backup systems. The HSE ransomware attack in 2021 is Ireland's most prominent example of the damage these attacks cause.

What is Business Email Compromise (BEC) and how do I protect against it?

Business Email Compromise (BEC) is a sophisticated fraud where attackers impersonate a trusted party — a CEO, supplier, or client — to trick employees into transferring money or sensitive data. BEC attacks cost Irish businesses millions of euros annually. A Donegal accountancy firm lost €18,000 to a BEC attack where the attacker had been inside their email system for three weeks, reading correspondence and timing the attack to coincide with a legitimate payment. The most effective defences are MFA on all email accounts (which prevents account takeover), DMARC email authentication (which prevents domain spoofing), and a strict callback verification procedure for any payment instruction received by email.

What is social engineering and how do I protect my staff from it?

Social engineering is the use of psychological manipulation to trick people into performing actions or revealing information that compromises security. Phishing is the most common form, but social engineering also includes pretexting (creating a fabricated scenario to extract information), baiting (leaving infected USB drives in car parks), and tailgating (following someone through a secure door). The defence is a combination of staff awareness training, clear procedures (especially for financial transactions and credential requests), and a culture where staff feel comfortable questioning unusual requests without fear of embarrassment.

What is a DDoS attack and can it affect my small business?

A Distributed Denial of Service (DDoS) attack floods your website or online services with traffic from thousands of compromised devices, making them unavailable to legitimate users. While large-scale DDoS attacks typically target enterprises and critical infrastructure, small businesses with e-commerce sites or online booking systems are also targeted — particularly by extortion groups who threaten to take your site down unless you pay. Basic DDoS protection is included in most reputable web hosting and CDN services. If your business depends heavily on online availability, a dedicated DDoS mitigation service is worth considering.

What is a deepfake and how are cybercriminals using them against businesses?

Deepfakes are AI-generated audio or video content that convincingly impersonates real people. Cybercriminals are using deepfake audio to impersonate CEOs in phone calls instructing finance staff to make urgent transfers. In 2024, a Hong Kong finance employee transferred HK$200 million after a deepfake video call that appeared to show his company's CFO. In Ireland, deepfake audio is increasingly used in BEC attacks. The defence is strict out-of-band verification for any unusual financial instruction — call back on a known number, not the one provided in the request.

What is AI-generated malware and how does it change the threat landscape?

AI-generated malware refers to malicious software created or enhanced using AI tools, which can now produce novel malware variants faster than traditional signature-based antivirus can detect them. AI also enables attackers to automate vulnerability discovery, personalise phishing at scale, and adapt attack techniques in real time. This means the threat landscape is evolving faster than ever. The defence is not just better antivirus — it is Endpoint Detection and Response (EDR) tools that detect behavioural anomalies rather than known signatures, combined with the core hygiene controls that reduce the attack surface.

What is a software supply chain attack and how do I protect against it?

A software supply chain attack occurs when an attacker compromises a software vendor or open-source component and uses that access to distribute malware to all of the vendor's customers. The SolarWinds attack in 2020 is the most famous example — attackers inserted malware into a software update that was then distributed to 18,000 organisations. For Irish SMEs, the practical defence is keeping software updated (so you receive security patches quickly), using reputable vendors with documented security practices, and monitoring for unusual network behaviour that might indicate a compromised tool.

What is quishing and how does it work?

Quishing is QR code phishing — the use of malicious QR codes to direct victims to fraudulent websites that steal credentials or install malware. QR codes are particularly dangerous because most email security tools do not scan the URLs embedded in QR codes, and users are conditioned to scan them without thinking. Attackers place malicious QR codes in emails, printed materials, and even on physical devices like parking meters and restaurant menus. The NCSC Ireland has published specific guidance on QR code phishing scams. Staff awareness training should explicitly cover quishing.

What is an insider threat and how do I manage it?

An insider threat is a security risk that originates from within your organisation — a current or former employee, contractor, or partner who misuses their access, either maliciously or accidentally. Most insider incidents are accidental: an employee who sends a file to the wrong person, uses a personal email account for work, or loses a laptop. Malicious insiders are less common but more damaging. The defences are the same for both: least privilege access (people can only access what they need), audit logging (so you can see what was accessed and when), and offboarding procedures that immediately revoke access when someone leaves.

What is whaling and how does it differ from regular phishing?

Whaling is a highly targeted form of phishing that specifically targets senior executives — the 'big fish'. Where standard phishing sends generic emails to thousands of recipients, whaling involves extensive research into the target's role, relationships, and communications style to craft a highly convincing, personalised attack. Common whaling pretexts include urgent requests from the CEO to finance staff, fake legal notices, and impersonation of the target's own senior colleagues. The defence is the same as for all phishing — MFA, DMARC, and clear procedures for financial transactions — but with particular emphasis on executive awareness.

What is dark web monitoring and does my business need it?

Dark web monitoring services scan dark web forums, marketplaces, and data dumps for your business's email addresses, passwords, and other credentials that have been stolen and are being sold or shared by cybercriminals. This gives you early warning that credentials have been compromised — often before attackers have used them. For Irish SMEs, dark web monitoring is a useful early warning system, particularly for businesses where a credential breach could lead to significant financial or reputational damage. Many cyber insurance policies now include dark web monitoring as a standard benefit.

What is an Advanced Persistent Threat (APT) and should Irish SMEs be concerned?

An Advanced Persistent Threat (APT) is a sophisticated, long-term attack campaign typically conducted by nation-state actors or highly organised criminal groups. APT actors spend months inside a target's network, moving quietly, exfiltrating data, and waiting for the right moment to act. While APTs are primarily associated with large enterprises, critical infrastructure, and government targets, Irish SMEs in supply chains of critical organisations can be targeted as a stepping stone. The core hygiene controls — MFA, patching, least privilege, monitoring — significantly reduce the risk of APT compromise.

What is the current cyber threat landscape for Irish SMEs in 2026?

The Q1 2026 Irish SME cyber risk index identifies five primary threats: AI-powered phishing that is increasingly indistinguishable from legitimate communications; Business Email Compromise fraud targeting payment processes; NIS2 enforcement activity as the NCSC begins supervision; ransomware attacks with double extortion (encrypt and threaten to publish); and DORA assessment pressure for financial services supply chains. The AI threat landscape article provides a detailed analysis of what has changed since 2025 and what has not — including the controls that remain effective regardless of how the threat evolves.

What is a zero-day vulnerability and how do I protect against it?

A zero-day vulnerability is a security flaw in software that is unknown to the vendor and for which no patch exists. Attackers who discover zero-days can exploit them before any defence is available. Zero-days are rare and typically used by sophisticated attackers against high-value targets. For most Irish SMEs, the practical response is not to worry specifically about zero-days — it is to ensure that known vulnerabilities are patched quickly (so attackers cannot use the much larger pool of known exploits) and that your defences are layered so that no single vulnerability can lead to a catastrophic breach.

What is the cyber kill chain and why does it matter for defence?

The cyber kill chain is a model that describes the stages of a cyber attack: reconnaissance (researching the target), weaponisation (creating the attack tool), delivery (sending the phishing email or exploiting the vulnerability), exploitation, installation (installing malware), command and control (establishing communication with the attacker's server), and actions on objectives (exfiltrating data, deploying ransomware). Understanding the kill chain helps defenders identify where they can interrupt an attack. Most SME defences focus on delivery and exploitation — but monitoring and detection at the command and control stage can catch attacks that have already bypassed initial defences.

How long does it typically take to discover a breach?

The average time to discover a data breach is 197 days — and that figure has not improved significantly in recent years. This means attackers are typically inside a network for over six months before detection. During that time, they are reading emails, mapping the network, exfiltrating data, and preparing for the final attack. For Irish SMEs, the practical implication is that detection capability — monitoring, logging, and alerting — is just as important as prevention. Our article on the 197-day breach discovery problem explains what you can do to reduce your detection time.

What is ChatGPT data leakage and how do I manage AI tool risk?

When employees use AI tools like ChatGPT, Microsoft Copilot, or Google Gemini for work tasks, they may inadvertently share confidential information — client data, financial figures, strategic plans, or personal data — with the AI provider's servers. This data may be used to train future models or stored in ways that are not compliant with your GDPR obligations. The practical response is a clear AI usage policy that specifies which tools are approved, what data can and cannot be entered, and what the consequences of policy violation are. Our article on ChatGPT and data leakage covers the specific risks and controls.

How do I set up multi-factor authentication (MFA) on Microsoft 365?

Setting up MFA on Microsoft 365 takes approximately 20 minutes and immediately protects all your business email accounts. The process involves: logging into the Microsoft 365 Admin Centre, navigating to Security > Authentication methods, enabling Security Defaults (which enforces MFA for all users), and communicating the change to your team so they can set up the Microsoft Authenticator app on their phones. Our step-by-step guide on setting up MFA on Microsoft 365 in 20 minutes walks through every step with screenshots.

What is patch management and how do I implement it for my business?

Patch management is the process of keeping all software — operating systems, applications, browsers, plugins — updated with the latest security patches. Unpatched software is the most common entry point for attackers. Microsoft releases security patches on the second Tuesday of every month (Patch Tuesday), and critical patches should be applied within 48 hours. The most practical approach for most Irish SMEs is to enable automatic updates on all devices and use a centralised patch management tool if you have more than 10 devices. Our Patch Tuesday article explains why ignoring software updates is the most expensive mistake you can make.

What is the 3-2-1-1-0 backup rule and how do I implement it?

The 3-2-1-1-0 rule is the gold standard for backup strategy: keep 3 copies of your data, on 2 different media types, with 1 copy offsite, 1 copy offline or immutable (so ransomware cannot encrypt it), and 0 errors verified through regular testing. The '0 errors' element is the most commonly missed: a backup that has never been tested is not a backup. Our backup strategy article explains how to implement the 3-2-1-1-0 rule practically for an Irish SME, including which tools to use and how to schedule and test backups.

What is DMARC and why does my business need it?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that prevents attackers from sending emails that appear to come from your domain. Without DMARC, anyone can send an email that looks like it came from your business — which is exactly how BEC and phishing attacks work. Implementing DMARC involves adding DNS records to your domain and configuring a policy that tells receiving mail servers what to do with emails that fail authentication. Our DMARC guide explains the implementation process. It is free to implement and one of the highest-impact security controls available.

What is endpoint detection and response (EDR) and do I need it?

EDR (Endpoint Detection and Response) is a security tool that monitors devices for suspicious behaviour and can automatically respond to threats — isolating a compromised device, killing a malicious process, or alerting your security team. Unlike traditional antivirus, which detects known malware signatures, EDR detects behavioural anomalies — which means it can catch novel threats, including AI-generated malware, that antivirus would miss. For Irish SMEs with 10 or more employees or those handling sensitive data, EDR is strongly recommended. Modern EDR tools are affordable and can be managed by an MSSP if you do not have in-house IT.

How do I secure my business Wi-Fi?

Business Wi-Fi security has three critical elements that most SMEs get wrong. First, separate your guest Wi-Fi from your business network — any device on the same network can potentially access your business systems. Second, use WPA3 encryption (or at minimum WPA2) and a strong, unique password — not the default password on the router. Third, ensure your router firmware is kept updated, as unpatched routers are a common entry point for attackers. Our guide on how to secure your business Wi-Fi covers these steps and the risks you are probably ignoring.

What is a BYOD policy and why does my business need one?

BYOD (Bring Your Own Device) refers to employees using personal smartphones, laptops, or tablets for work. Without a clear BYOD policy, you have no visibility into what security controls are on those devices, what other apps are installed, or what happens to business data when an employee leaves. A BYOD policy defines which devices are permitted, what security requirements they must meet (screen lock, encryption, remote wipe capability), what business data can be accessed from personal devices, and what the company's rights are regarding business data on personal devices. Our BYOD security article covers the policy and technical controls.

What is privileged access management and how do I implement it?

Privileged Access Management (PAM) is the practice of controlling and monitoring accounts that have elevated access rights — admin accounts, service accounts, and accounts with access to sensitive data. The principle of least privilege means giving people access to only what they need to do their job, and no more. For most Irish SMEs, practical PAM means: removing admin rights from standard user accounts, using separate admin accounts for IT tasks, ensuring admin accounts require MFA, and reviewing access rights when roles change or employees leave. Our article on privileged access management for Irish SMEs explains the implementation.

What is cloud security and what are the key risks for SMEs?

Cloud security covers the controls and practices needed to protect data and applications hosted in cloud services — Microsoft 365, Google Workspace, AWS, Azure, Dropbox, and the hundreds of SaaS tools most businesses now use. The key risks for SMEs are: misconfigured sharing settings that expose data publicly, weak or reused passwords on cloud accounts, lack of MFA on cloud services, and excessive permissions granted to third-party apps. Our cloud security for SMEs article covers the most common misconfigurations and how to fix them.

What is network segmentation and does my business need it?

Network segmentation means dividing your network into separate zones so that a compromise in one zone cannot easily spread to others. For example, separating your guest Wi-Fi from your business network, isolating point-of-sale systems from general office computers, or separating IoT devices (smart TVs, printers, CCTV) from systems that hold sensitive data. For most Irish SMEs, the most important segmentation is separating guest Wi-Fi from the business network and ensuring IoT devices are on their own VLAN. This limits the blast radius if any one device is compromised.

What is penetration testing and does my small business need it?

Penetration testing (pen testing) is a simulated cyber attack conducted by security professionals to identify vulnerabilities in your systems before real attackers do. It goes beyond automated vulnerability scanning to include manual exploitation attempts that replicate real-world attack techniques. For most Irish SMEs, penetration testing is not the first priority — the basics (MFA, patching, backups, access control) should be implemented first. Pen testing becomes valuable when you have implemented the core controls and want to validate that they are working, when a client or insurer requires it, or when you are handling particularly sensitive data.

What is security awareness training and how often should I run it?

Security awareness training teaches employees to recognise and respond to cyber threats — phishing emails, social engineering, suspicious links, and unsafe practices. It is the human layer that all technical controls depend on. Training should be practical, scenario-based, and regular — not a once-a-year slideshow. The most effective approach combines short monthly micro-training sessions with regular simulated phishing exercises that test whether training is working. Our guide on building a human firewall explains how to run training that actually changes behaviour.

How do I run a phishing simulation without destroying my team's trust?

Phishing simulations — sending fake phishing emails to your own staff to see who clicks — are one of the most effective ways to measure and improve security awareness. But poorly designed simulations can damage morale and trust. The key principles are: communicate in advance that simulations will happen (without revealing when), frame them as learning opportunities rather than gotcha exercises, provide immediate, non-judgmental training to anyone who clicks, and never use simulations to discipline staff. Our guide on how to run a phishing simulation without destroying your team's trust explains the ethical and practical approach.

What is co-working space security and what risks should I be aware of?

Working from co-working spaces, cafes, or client offices introduces specific security risks: public Wi-Fi networks that may be monitored or compromised, shoulder surfing (people looking at your screen), and the risk of leaving devices unattended. The practical defences are: always use a VPN on public Wi-Fi, use a privacy screen on your laptop, never leave devices unattended, and ensure your devices are encrypted and have screen lock enabled. Our co-working space security article covers the specific risks and practical controls.

What does cyber insurance actually cover?

A comprehensive cyber insurance policy covers: first-party costs (your own losses) including incident response and forensic investigation costs, data recovery, business interruption losses, ransom payments, and crisis communications; and third-party costs (claims from others) including legal defence costs, regulatory fines and penalties, and compensation to affected customers. However, policies vary significantly in what they cover and exclude. Our article on what cyber insurance covers — and the six things it does not — explains the key inclusions and exclusions to look for.

Why are cyber insurance claims being denied and how do I avoid it?

Cyber insurance claims are increasingly being denied on the grounds of material misrepresentation (answering the application questionnaire inaccurately), policy exclusions (particularly for acts of war, unencrypted data, or failure to maintain basic controls), and failure to meet the policy's minimum security requirements. Three Irish SME scenarios where claims were denied include: a business that claimed to have MFA but did not have it on all accounts; a firm that suffered a breach through an unpatched vulnerability after representing that patching was up to date; and a company whose claim was denied under a war exclusion following a state-sponsored attack. Our article on denied claims explains how to avoid each scenario.

What do cyber insurers look for when assessing my application?

Cyber insurers assess applications across several key dimensions: MFA deployment (especially on email and remote access), patch management processes, backup strategy and testing, endpoint security tools, employee training, incident response planning, and governance documentation. The questionnaire is increasingly detailed and technical. Insurers are also conducting technical verification — not just taking your word for it. Our article on what insurers look for explains how to prepare your application and what controls to implement before applying to get the best coverage at the best premium.

How does NIS2 compliance affect my cyber insurance?

NIS2 compliance and cyber insurance are increasingly interlinked. Insurers are using NIS2 compliance status as a proxy for security maturity — businesses that can demonstrate CyFUN alignment or Cyber Essentials certification are seen as lower risk and may qualify for better coverage and lower premiums. Conversely, businesses that are in scope for NIS2 but have not implemented the required controls may face higher premiums, reduced coverage, or policy exclusions. Our article on cyber insurance and NIS2 explains the specific relationship between compliance and insurability.

What is business interruption coverage in a cyber insurance policy?

Business interruption coverage compensates you for lost revenue and ongoing fixed costs (rent, salaries, utilities) during the period your business cannot operate normally following a cyber incident. It is often the most valuable part of a cyber policy — a ransomware attack that takes your systems offline for two weeks could cost far more in lost revenue than the ransom itself. Key things to check: the waiting period (how long you must be down before coverage kicks in), the indemnity period (how long coverage lasts), and whether the policy covers dependent business interruption (losses caused by a breach at a supplier).

What should I do when my cyber insurance policy comes up for renewal?

Cyber insurance renewal is not a passive process — it is an opportunity to ensure your coverage reflects your current risk profile and to negotiate better terms based on improved security controls. Our step-by-step renewal guide for 2026 covers: reviewing your current coverage against your actual risk exposure, documenting security improvements made during the year, preparing for the insurer's technical questionnaire, comparing quotes from multiple providers, and checking for new exclusions that have been added to the market since your last renewal.

What is an incident response retainer and do I need one?

An incident response retainer is a pre-agreed contract with a cybersecurity firm that guarantees you priority access to incident response specialists in the event of a breach. Without a retainer, you may spend hours or days trying to find help during the most critical period of an incident. Many cyber insurance policies now include or require an incident response retainer as a condition of coverage. The retainer typically includes an agreed response time, a set number of hours of response work, and a pre-agreed hourly rate for additional work.

What should I do in the first hour of a cyber incident?

The first hour of a cyber incident is critical. The immediate priorities are: contain the incident (isolate affected systems by disconnecting from the network — do not turn them off, as this destroys forensic evidence), assess the scope (what systems are affected, what data may have been accessed), notify your incident response team or IT provider, contact your cyber insurer (they may have a 24/7 hotline and can direct you to approved response providers), and preserve evidence (take screenshots, note times, do not delete anything). Do not pay a ransom without consulting your insurer and a specialist. Our incident response plan template provides a step-by-step guide.

When do I need to report a cyber incident to the NCSC or DPC?

There are two separate reporting obligations. Under NIS2 (for in-scope organisations), you must report significant incidents to the NCSC within 24 hours (early warning), 72 hours (incident notification), and 30 days (final report). Under GDPR (for any organisation that holds personal data), you must report a personal data breach to the Data Protection Commission within 72 hours of becoming aware of it, if it is likely to result in a risk to individuals' rights and freedoms. These obligations can overlap — a ransomware attack that encrypts personal data may trigger both. Our incident reporting article explains the thresholds and process.

What is a tabletop exercise and why should my business run one?

A tabletop exercise is a facilitated discussion where your team walks through a simulated cyber incident scenario — without actually triggering any systems. The goal is to test your incident response plan, identify gaps in your procedures, clarify roles and responsibilities, and build muscle memory so that when a real incident occurs, your team knows what to do. Tabletop exercises are recommended by every major cybersecurity framework, including CyFUN and NIS2. They do not require technical expertise to run and can be completed in two to three hours. Our business continuity planning article covers how to design and run an effective exercise.

What should I tell customers, staff, and regulators after a cyber incident?

Communication after a cyber incident is as important as the technical response. The key principles are: be transparent but precise (do not speculate about what happened before you know), communicate early (silence is worse than uncertainty), have a single authorised spokesperson, and tailor the message to each audience. Customers need to know if their data was affected and what you are doing about it. Staff need to know what happened, what they should and should not say, and what the business is doing. Regulators need the specific information required by law. Our cyber crisis communication article provides templates for each audience.

What is business continuity planning and how does it relate to cybersecurity?

Business continuity planning (BCP) is the process of ensuring your business can continue operating — or recover quickly — following a disruptive event, including a cyber incident. A cyber-specific BCP goes beyond backup and recovery to address: how you will operate if your systems are unavailable for days or weeks, how you will communicate with customers and suppliers, what manual processes you can fall back on, and who has authority to make decisions during a crisis. NIS2 explicitly requires business continuity planning as part of its security measures. Our business continuity planning article covers the key elements.

What is forensic investigation and when do I need it?

Forensic investigation is the process of collecting, preserving, and analysing digital evidence following a cyber incident to determine what happened, how it happened, what data was accessed, and who was responsible. It is required when you need to understand the full scope of a breach for regulatory reporting, when you are pursuing legal action against an attacker, when your insurer requires it as a condition of a claim, or when you need to demonstrate to regulators that you have taken appropriate remediation steps. Forensic evidence must be preserved carefully — turning off affected systems can destroy it.

What is an incident response plan and how do I create one?

An incident response plan (IRP) is a documented set of procedures for detecting, containing, eradicating, and recovering from a cyber incident. It should define: what constitutes an incident, who is responsible for each stage of the response, how to contain different types of incidents, what to communicate and to whom, how to preserve evidence, and how to conduct a post-incident review. You do not need a 50-page document — a clear, practical one-page flowchart and a set of contact numbers is more useful than a comprehensive document no one has read. Our template for creating an IRP in one afternoon is a practical starting point.

What is cyber resilience and how is it different from cybersecurity?

Cybersecurity focuses on preventing incidents from happening. Cyber resilience accepts that incidents will happen and focuses on your ability to absorb, adapt, and recover from them with minimal disruption. A resilient business has strong preventive controls, but also tested backups, a practised incident response plan, business continuity procedures, and the ability to communicate effectively during a crisis. NIS2 explicitly uses the language of resilience rather than just security — recognising that no organisation can prevent every attack, but every organisation can prepare to recover quickly.

What does a vCISO actually do for an Irish SME?

A vCISO (Virtual Chief Information Security Officer) provides strategic cybersecurity leadership on a part-time or fractional basis. For an Irish SME, this typically means: conducting an initial security assessment and gap analysis; developing a security roadmap aligned with NIS2, CyFUN, and the business's risk profile; implementing and overseeing the core security controls; managing relationships with IT providers and insurers; preparing governance documentation for regulatory compliance; providing board-level reporting on security posture; and leading incident response when needed. Our vCISO services page explains the specific deliverables.

What is the difference between a vCISO and an MSSP?

A vCISO provides strategic leadership — governance, risk management, compliance, and security programme management. An MSSP (Managed Security Services Provider) provides operational security services — monitoring, threat detection, patch management, and incident response. They are complementary rather than competing. A vCISO decides what security controls you need and why; an MSSP implements and operates those controls. For most Irish SMEs, the most cost-effective approach is a vCISO for strategic direction combined with an MSSP for operational delivery.

What is a security roadmap and why does my business need one?

A security roadmap is a prioritised, time-bound plan for improving your security posture over a defined period — typically 12 months. It translates the findings of a risk assessment into specific actions, with owners, timelines, and budgets. Without a roadmap, security investment tends to be reactive — responding to incidents or compliance deadlines rather than systematically reducing risk. A roadmap also provides the documentation that regulators, insurers, and enterprise clients want to see: evidence that you are taking a structured, managed approach to cybersecurity rather than hoping for the best.

What is a security culture and how do I build one in my business?

A security culture is an environment where every employee understands their role in protecting the business, feels empowered to raise concerns, and makes security-conscious decisions as a matter of habit — not just when reminded. Building a security culture requires leadership commitment (security must be visibly important to the people at the top), regular communication (not just annual training), positive reinforcement (celebrating good security behaviour rather than only punishing mistakes), and making security easy (controls that are too burdensome will be worked around). Our article on building a security culture explains the vCISO approach.

What is threat modelling and should my business do it?

Threat modelling is a structured process for identifying what threats your business faces, which assets are most at risk, and what controls are most effective at reducing that risk. It asks four questions: what are we building or protecting? What can go wrong? What are we going to do about it? Did we do a good enough job? For most Irish SMEs, a lightweight threat model — a one-page diagram of your critical assets and the most likely threats — is more useful than a formal methodology. It focuses your security investment on the risks that matter most to your specific business.

What is OSINT and how do attackers use it against my business?

OSINT (Open Source Intelligence) is the collection and analysis of publicly available information. Attackers use OSINT to research targets before launching attacks: finding employee names and email addresses on LinkedIn, identifying technology stack from job postings, discovering domain registrations and IP addresses, and finding leaked credentials in public data breach databases. Businesses can use the same OSINT techniques defensively — to understand what information about them is publicly available and to identify exposed assets before attackers do. Our vCISO service includes an initial OSINT assessment as part of the security review.

What is a Security Operations Centre (SOC) and does my business need one?

A Security Operations Centre (SOC) is a team of security analysts who monitor your systems 24/7 for threats and respond to incidents in real time. A dedicated in-house SOC is only practical for large enterprises. For Irish SMEs, the equivalent is a Managed Security Services Provider (MSSP) that provides SOC-as-a-service — 24/7 monitoring and response at a fraction of the cost of an in-house team. Whether your business needs SOC-level monitoring depends on your risk profile: businesses handling sensitive data, operating in regulated sectors, or with high availability requirements should consider it.

What is a SIEM and does my business need one?

A SIEM (Security Information and Event Management) system collects log data from across your IT environment — firewalls, servers, endpoints, cloud services — and analyses it in real time to detect suspicious patterns. It is the foundation of a mature security monitoring capability. For most Irish SMEs with fewer than 50 employees, a full SIEM is more than is needed — the cost and complexity outweigh the benefit. However, ensuring that your key systems generate logs and that those logs are reviewed regularly (even manually) is an important step. Cloud-native SIEM tools are becoming more affordable and accessible for SMEs.

What is GDPR and what does it require from my business?

GDPR (General Data Protection Regulation) is the EU's data protection law that applies to any organisation that processes personal data about EU residents. For Irish businesses, it requires: a lawful basis for processing personal data, transparent privacy notices, data subject rights (access, erasure, portability), data protection by design and default, appropriate technical and organisational security measures, data breach notification to the DPC within 72 hours, and data processing agreements with third-party processors. The Data Protection Commission (DPC) is Ireland's supervisory authority and has the power to impose fines of up to €20 million or 4% of global annual turnover.

What is a data breach and when must I report it?

A data breach is any security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes ransomware attacks that encrypt personal data, phishing attacks that result in email account access, lost or stolen devices, and accidental emails sent to the wrong recipient. You must report a breach to the DPC within 72 hours of becoming aware of it if it is likely to result in a risk to individuals' rights and freedoms. If the breach is likely to result in a high risk, you must also notify the affected individuals directly.

What is the Data Protection Commission (DPC) and what powers does it have?

The Data Protection Commission (DPC) is Ireland's independent supervisory authority for GDPR and data protection law. It has the power to investigate complaints, conduct audits, issue warnings and reprimands, impose temporary or permanent bans on processing, and impose administrative fines of up to €20 million or 4% of global annual turnover. The DPC also has jurisdiction over many of the world's largest technology companies, as they have their European headquarters in Ireland. For Irish SMEs, the DPC's enforcement focus is on organisations that hold significant volumes of personal data or that have experienced breaches.

What are my GDPR obligations when using AI tools like ChatGPT?

When employees use AI tools for work, GDPR obligations apply to any personal data entered into those tools. If you are using a consumer AI tool (like the free version of ChatGPT), you may not have a data processing agreement in place, and data entered may be used to train the model. This means you should never enter personal data — names, email addresses, health information, financial details — into consumer AI tools without a clear legal basis and a data processing agreement. Business versions of AI tools (Microsoft Copilot for M365, ChatGPT Enterprise) typically include data processing agreements and do not use your data for training.

What is hybrid work GDPR compliance and what are the key risks?

Hybrid working introduces specific GDPR risks: employees processing personal data on home networks that may not be secure, using personal devices that may not meet your security standards, printing documents at home, and using personal cloud storage to share work files. The key controls are: a clear remote working policy, MFA on all work accounts, VPN for accessing company systems, encryption on all devices used for work, and a prohibition on using personal cloud storage for work data. Our remote and hybrid work security articles cover the specific risks and controls.

What is encryption and when is it required under GDPR?

Encryption converts data into an unreadable format that can only be decrypted with the correct key. GDPR does not explicitly mandate encryption, but it is listed as an example of an 'appropriate technical measure' for protecting personal data. Critically, encryption affects your breach notification obligations: if a laptop containing personal data is stolen but the data is encrypted, the breach may not need to be reported to the DPC because the data is effectively inaccessible to the thief. For Irish SMEs, the minimum encryption requirements are: full-disk encryption on all laptops and mobile devices, and encryption of sensitive data in transit (HTTPS) and at rest in cloud storage.

What happens in the free 20-minute call and what should I prepare?

The 20-minute call is a straight conversation with the team at Pragmatic Security — no sales pitch, no obligation, no junior account manager. You do not need to prepare anything technical. We will ask about your business size, sector, what you currently have in place for security, and what is keeping you up at night. We will tell you whether you are likely in scope for NIS2, which framework is the right starting point for your situation, and what the three highest-priority actions are for your business right now. Most business owners leave the call with a clear picture of where they stand — often for the first time.

What services does Pragmatic Security provide?

Pragmatic Security provides vCISO services, NIS2 compliance support, CyFUN implementation, Cyber Essentials preparation, cyber insurance readiness assessments, security awareness training, incident response planning, and ongoing security programme management. We work primarily with Irish SMEs in Donegal, Sligo, and across Ireland — businesses that need senior security expertise but cannot justify a full-time CISO. Our Work With Us page explains the specific service packages and engagement models.

What is the Pragmatic Security approach to cybersecurity?

Our approach is built on three principles. Plain English: we explain cybersecurity in terms that make sense to business owners, not IT specialists — because decisions made without understanding are not really decisions. Proportionality: we recommend controls that are appropriate to your actual risk, not the maximum possible security. A 10-person accountancy firm does not need the same controls as a hospital. Pragmatism: we focus on the controls that will make the biggest difference to your real-world risk, not the ones that look best on a compliance checklist. Our manifesto article explains the philosophy in detail.

Where is Pragmatic Security based and do you work with businesses outside Donegal?

Pragmatic Security is based in Donegal and works with businesses across Ireland — from Donegal and Sligo to Dublin, Cork, and everywhere in between. We work remotely with most clients, with on-site visits for initial assessments and specific engagements. Our deep knowledge of the Donegal and northwest Ireland business community means we understand the specific challenges facing businesses in the region — including the particular cybersecurity risks facing rural SMEs, the local threat landscape, and the practical constraints of businesses operating outside major urban centres.