Most Irish business owners assume cyber attacks are someone else’s problem. You’re not a bank, not a hospital, not sitting on millions of card numbers. Why would anyone come after you?

The 2025 SME Cyber Resilience report from Munster Technological University and the National Cyber Security Centre answers that question directly: 95% of Irish SMEs experienced a cyberattack in the past year.[1] And almost 90% of Irish companies have suffered financial loss or commercial disruption from a cyberattack in the past five years.[2]

The reason small businesses get targeted is exactly what you’d expect. They’re easier. A company with a dedicated IT team, proper policies, and regular audits is a harder target. A small firm running on shared passwords, outdated software, and no staff training is not.

What the attacks actually look like

According to the Hiscox Cyber Readiness Report 2025 (Ireland), cyber extortion was the most common attack type on Irish businesses at 37%, followed by phishing at 31%.[3] Neither requires sophisticated skills. Cyber extortion, most often ransomware, typically arrives through a phishing email or a stolen password. Phishing is a convincing fake email designed to get someone to hand over their login credentials or click a malicious link.

The average cost of a data breach for an Irish business now exceeds €200,000, covering legal fees, GDPR notification obligations, lost revenue, and IT recovery.[3] For a business turning over under €1 million, that is not a manageable hit without serious reserves.

What’s actually missing

The MTU/NCSC report identified 10 key areas where Irish SMEs are most exposed.[1] The list is not exotic. It covers data backups, multi-factor authentication, incident response plans, and password policies, things that cost more in attention than in money.

Only 39% of Irish businesses provide cybersecurity training to staff.[3] Just 19% of employees in smaller businesses receive regular security training, compared to 48% in larger companies.[1] Since phishing relies entirely on a human clicking something they shouldn’t, that gap is a real problem.

What to do about it

Turn on multi-factor authentication on your email first, then everything else that allows it. If someone gets hold of your password, MFA means they still can’t get in without a second code sent to your phone. It takes about ten minutes to set up on most platforms and costs nothing.

Sort your passwords. If your business shares passwords or reuses them across services, you’re exposed. A password manager gives your team unique credentials for every service: Bitwarden is free for most small teams, and 1Password is worth the cost if you need more control. When someone leaves, you revoke their access once rather than chasing down every account they used.

Back up your data properly. A backup to the same machine or a shared network drive doesn’t protect you from ransomware. The reliable approach is three copies of your data, on two different storage types, with one stored offsite or in a separate cloud environment you control. If ransomware locks your files, you restore from a clean copy rather than paying.
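
As an added example (not part of the original article), this Python script checks a backup inventory against the three-copies, two-storage-types, one-offsite rule described above, and also flags the case the paragraph warns about, where every copy sits on the same machine or a shared drive. The `BackupCopy` fields and both sample inventories are constructed for illustration, and the live data is assumed to count as one of the three copies.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    storage_type: str  # e.g. "internal-disk", "network-share", "usb-disk", "cloud"
    offsite: bool      # kept away from the office, or in a separate cloud environment
    reachable: bool    # writable from the production machine at any time


def check_backup_rule(copies):
    """Return a list of findings; an empty list means the rule is met."""
    findings = []
    if len(copies) < 3:
        findings.append(f"copies: have {len(copies)}, need 3")
    storage_types = {c.storage_type for c in copies}
    if len(storage_types) < 2:
        findings.append(f"storage types: have {len(storage_types)}, need 2")
    if not any(c.offsite for c in copies):
        findings.append("offsite: no copy is stored offsite")
    # Ransomware encrypts whatever the infected machine can write to, so at
    # least one copy must be out of its reach (unplugged, or a separate account).
    if all(c.reachable for c in copies):
        findings.append("isolation: every copy is reachable from production")
    return findings


# Constructed sample inventories (not taken from the article).
WEAK = [
    BackupCopy("live files", "internal-disk", offsite=False, reachable=True),
    BackupCopy("second folder on same PC", "internal-disk", offsite=False, reachable=True),
    BackupCopy("mapped shared drive", "network-share", offsite=False, reachable=True),
]
GOOD = [
    BackupCopy("live files", "internal-disk", offsite=False, reachable=True),
    BackupCopy("USB disk, unplugged after backup", "usb-disk", offsite=False, reachable=False),
    BackupCopy("cloud backup, separate account", "cloud", offsite=True, reachable=False),
]

if __name__ == "__main__":
    for label, inventory in (("WEAK", WEAK), ("GOOD", GOOD)):
        problems = check_backup_rule(inventory)
        print(label, "OK" if not problems else problems)
```

The WEAK inventory has three copies on two storage types yet still fails, because nothing is offsite and everything is writable from the machine that would be infected.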

Run a basic training session at least once a year. A one-hour session showing staff what a phishing email looks like, when not to click links, and who to contact if something seems wrong closes more risk than most technical measures. The attacks hitting Irish businesses are not sophisticated. They succeed because no one recognised them in time.

Write a one-page incident response plan. Answer these questions before you need them: who do we call if our email is compromised? What do we shut down first? Who do we notify under GDPR? Under GDPR, a data breach that poses a risk to individuals must be reported to the Data Protection Commission within 72 hours.

How WeEvolvIT can help

We work with Irish businesses across IT, web, and digital services. One pattern we see regularly is businesses that have grown without their IT setup keeping pace: security that was fine at ten staff and one location doesn’t hold up when you’re at fifty staff with a mix of cloud tools and remote workers. We do practical security reviews for Irish SMBs that want a clear picture of where they’re exposed, without the jargon.

If you want to know where you stand, talk to us.

FAQ

Do hackers really target small Irish businesses?
They do. The 2025 MTU/NCSC report found 95% of Irish SMEs experienced a cyberattack in the past year. Smaller businesses are often preferred targets because their defences tend to be weaker.

What’s the most common way Irish businesses get hacked?
Phishing and cyber extortion account for the majority of attacks on Irish businesses, according to the Hiscox Cyber Readiness Report 2025. Both typically rely on someone clicking a link or opening an attachment in a fake email.

What’s the minimum a small business should have in place?
Multi-factor authentication on email, unique passwords in a password manager, regular offsite backups, and basic annual staff training. These four steps address the most common attack vectors directly.

What happens under GDPR if my business has a data breach?
You’re legally required to notify the Data Protection Commission within 72 hours if the breach poses a risk to individuals. If it poses a high risk, you must also notify the affected individuals directly. Take legal advice quickly after a breach; fines apply even to small businesses.


References

  1. Murray, H., O’Carroll, G. et al. SME Cyber Resilience: State of the Sector 2025. Munster Technological University / National Cyber Security Centre, December 2025. Available at: cybersafety.ie
  2. “Almost 90% of Irish companies hit by disruption or financial loss due to cyberattacks.” The Irish Times, 4 April 2025. Available at: irishtimes.com
  3. Hiscox Ireland. Cyber Readiness Report 2025. Available at: hiscox.ie/crr2025
