Skip to main content

Cybersecurity for Irish SMEs: Understanding the cyber resilience gap

Patricia

 

The role of SMEs in national cyber resilience

 In today's digital economy, cybersecurity is no longer optional for small and medium-sized enterprises (SMEs). Irish SMEs face an unprecedented cyber threat landscape, with attackers increasingly targeting smaller businesses that often lack the dedicated security resources of larger organisations. This article focuses on why cybersecurity must be a priority for every Irish SME, examining the scale of the threat and the critical vulnerabilities that leave most small businesses exposed.  
Untitled (14)
icons8-coins-50

icons8-collaborating-in-circle-50

icons8-creativity-and-resourcefulness-50 (1)

The Backbone of Ireland's economy

Small and medium-sized enterprises form the foundation of Ireland's economic prosperity. Recent 2022 CSO figures show that Ireland's SME sector dominates the business landscape, comprising nearly all enterprises (99.8%) and generating annual gross value of more than €53 billion. These businesses are major employers, providing jobs for approximately 2.29 million workers, representing over two-thirds of the nation's total workforce [1].

As highlighted by the “SME Cyber Resilience State of the Sector 2025”, published by MTU in collaboration with the National Cybersecurity Centre (NCSC), while it is clear the relevance of Irish SMEs in the Irish economy, most of them lack sufficient cyber resilience. This vulnerability leaves them “exposed to cyber threats that could compromise individual businesses and disrupt entire supply chains and sectors” [1]. The operational disruption and economic risks posed by cyber-attacks represent a clear and present danger to this critical sector.

The cyber resilience crisis

Critical vulnerability levels

The above-mentioned publication on Irish SMEs, based on data collected from 894 enterprises across 11 sectors, reveals an alarming picture. Assessment results revealed a concerning pattern: more than three-quarters of Irish SMEs (78%) demonstrate inadequate cyber resilience, falling into the lowest two preparedness categories [1]. This indicates widespread vulnerability, with most small businesses ill-equipped to withstand or bounce back from cyber incidents.

The situation is particularly severe for micro enterprises (1-9 employees), which comprise 88% of the businesses surveyed. The research shows a clear size-vulnerability correlation: while 45% of medium-sized businesses demonstrate weak cyber resilience, this figure rises to 81% among micro enterprises [1]. This suggests that the most prevalent business types are also the least equipped to handle cyber threats, a concerning correlation given their economic importance.

This scenario is confirmed even by the UK Government, that in a November 2025 letter on cybersecurity to small businesses states that “half of small businesses in the UK report having suffered a cyber-attack in the previous 12 months and 35% of micro businesses reported phishing attacks” [3].

Widespread systemic weaknesses

Furthermore, the MTU assessment identified consistent critical weaknesses across Irish SMEs in fundamental security areas. The data reveals critical gaps in basic security practices across the sector: fewer than three in ten businesses (26%) maintain automated backup systems, less than two in five (39%) deploy multi-factor authentication across essential applications, and a substantial portion (40%) have provided no cybersecurity training whatsoever to their employees [1].

Additional vulnerabilities compound these risks. Preparation for cyber incidents remains inadequate: two-thirds of surveyed businesses (67%) operate without formal response protocols, and even among the minority with documented plans, barely one-third (36%) have validated them through testing [1]. These shortcomings dramatically escalate both the risk and consequences of cyberattacks, digital frauds, and system breakdowns, severely weakening operational digital resilience.

The impact of cyber incidents

When an SME experiences a cyber incident, the consequences often extend well beyond the business itself. Supply chain partners may lose access to vital services, and customer data could be compromised. In the worst-case scenarios, the business might be forced to shut down entirely [1].

Business Email Compromise (BEC) provides a stark example of the financial impact cyber-attacks can have on SMEs. Invoice redirect fraud extracted nearly €10 million from the SME sector in 2023 alone. One particularly costly incident saw a local authority transfer over €500,000 to criminals using a fraudulent supplier email, a payment processed without additional verification steps and ultimately unrecoverable [2].

The interconnected nature of modern business means that a cyber incident at one SME can cascade through supply chains, affecting partners, customers, and the broader economic ecosystem. SMEs with lower cyber resilience levels face greater business risks, including a higher likelihood of damaging cyber-attacks, longer recovery periods, and increased financial risks [1].

Untitled (13)

Why SMEs are prime targets

Cyber criminals often view SMEs an easy target valuable enough to attack yet often lacking the dedicated security teams and resources found in larger companies. The assessment data supports this perception: Cybersecurity governance shows significant weaknesses: nearly two-thirds of surveyed businesses (63%) place all security responsibilities on owners who typically lack specialist knowledge, while one in nine organizations (11%) have no clear assignment of cybersecurity accountability [1].

The combination of valuable business data, digital payment systems, and supply chain connections makes SMEs attractive targets. At the same time, resource constraints mean that basic protective measures remain absent in many organizations: more than a quarter (27%) operate without any antivirus protection, exposing all systems to malicious software, while nearly two-thirds (63%) fail to enable automated patching, leaving known security flaws unaddressed [1].

A call to action

The scale and severity of the cyber resilience gap facing Irish SMEs demands urgent attention. With 78% of SMEs in the 'Low' or 'Very Low' resilience categories, the sector faces a critical vulnerability that threatens not just individual businesses but the broader Irish economy [1].

However, the research also reveals cause for optimism. The findings highlight practical, achievable opportunities to strengthen cybersecurity. Every organisation that completed the cyber resilience assessment received tailored support through a customised action plan [1]. By confronting these challenges directly and implementing proven security measures, Ireland's SME sector is well-positioned to enhance its overall cyber resilience.

The subsequent articles in this series will explore specific threats, practical mitigation strategies, and resources available to help Irish SMEs build robust cyber defences. The journey to improved cybersecurity begins with understanding the threat and for Irish SMEs, that understanding must translate into immediate action.

Further information and resources

See more information in our Trade Hub Cyber Security Article - An SMEs guide to the main cyber regulations 

A blog by Patricia Shields. 

Patricia is CEO and Co‑Founder of Cyber Cert Labs and creator of Attestra, an AI‑powered product security platform supporting compliance with the EU Cyber Resilience Act. With over 25 years in cybersecurity, she works at the heart of CRA implementation, helping manufacturers move beyond checkbox compliance to real product security capability.

References

[1] Munster Technological University and National Cyber Security Centre. (2025). SME Cyber Resilience: State of the Sector 2025. Drawing on data from 894 enterprises across 11 sectors. https://cyberresilience.ie/state-of-the-sector-report-2025/

[2] National Cyber Security Centre Ireland. Business Email Compromise (BEC) Guidance. NCSC guidance document on BEC threats and mitigation. https://www.ncsc.gov.ie/pdfs/NCSC_BEC_Guidance.pdf

[3] Ministerial letter on cyber security to small businesses (November 2025). UK Government letter to UK’s small business owners and entrepreneurs. https://www.gov.uk/government/publications/ministerial-letter-on-cyber-security-to-small-businesses/ministerial-letter-on-cyber-security-to-small-businesses