Ask the expert

Have a question about cyber security? Check out the Frequently Asked Questions below, and if you still have a question, submit it to our expert and we’ll get back to you with an answer.


FAQs

Please find below answers to some frequently asked questions. If the answer to your question is not in the list, use the Ask The Expert form to submit your question. We will provide an answer as soon as possible.

Start by identifying your most critical assets—such as customer data, financial records, and operational systems. Then assess the risks to these assets, including potential threats like phishing, malware, and data breaches.

Small businesses in Ireland often face cyberattacks due to poor password usage, such as reusing the same password across multiple accounts or using weak passwords. Phishing is also a big threat where attackers try to trick you into revealing information such as your login details for sensitive accounts, or having you open a document that contains a computer virus.

You can assess your risk by looking at a few key areas. For instance, if you're not using strong passwords or multi-factor authentication, you're at higher risk. Also, if your employees aren't trained to spot phishing emails or if you don't regularly back up your data, you're more vulnerable. Understanding the threats, your vulnerabilities, and the potential impact to your business helps determine your risk.

Cybersecurity is all about protecting your devices, services, networks, and the information on them from unauthorised access, theft, or damage.

Data protection, while closely related, focuses specifically on how personal data is collected, processed, stored, and shared, ensuring privacy and compliance with regulations like GDPR.

Cybersecurity is a key tool for achieving data protection.

Absolutely, yes! Small businesses are targeted by cyber criminals. Attackers often see SMEs as easier targets compared to larger organisations with more robust security.

Closely following the advice in the NCSC guidance document, Cyber Security for Small Business, will significantly improve your business's resilience to cyber-attacks.

All passwords should be a minimum of 12 characters long but 14 or more is recommended. It's a better idea to use passphrases, which are easier to remember but still long and complex. These should use random and unrelated words, ideally not from a dictionary or common phrases. You should also avoid using personal words (like family names or pets) or words related to your organisation or industry in a password or passphrase.

Yes, you should definitely consider using a password manager. They help you create and store strong, unique passwords for all your accounts, so you don't have to remember them all. It's crucial not to reuse passwords across multiple accounts and password managers make this easier to do.

Also, remember to change any manufacturer's default passwords on new devices before staff use them.

If possible, you should enforce password rules like length and character types across all devices.

See the NCSC Online Account Security Guidance for more on this.

  • Install antivirus and anti-malware software
  • Keep software and devices updated
  • Use strong, unique passwords and enable multi-factor authentication
  • Secure your Wi-Fi network
  • Limit user access to sensitive data

Yes, absolutely! Installing antivirus software on all your devices, including mobile devices, is an essential best practice to protect against malware and viruses. Antivirus software is designed to detect, stop, and remove malicious software. It is important to ensure it is configured to check for updates automatically to ensure you have the best protection.

Multi-factor authentication (MFA), also known as two-factor authentication (2FA), is an essential security measure that significantly enhances the protection of your accounts and computer systems. It works by requiring you to use a second method after your password to confirm that it is you logging in. This second method, or factor, is typically something like a code sent by SMS or generated by an app, or a fingerprint or face ID on your mobile device.

NCSC guidance highlights MFA as essential because passwords alone are too vulnerable. MFA should be enforced on all internet-facing systems like email, remote desktop, and VPNs.

MFA defends against the majority of password-related cyberattacks, including "credential stuffing" where stolen passwords from one site are reused elsewhere.

Provide regular, simple training on identifying phishing emails, using secure passwords, and reporting suspicious activity. Create clear policies for acceptable use of devices and data. Encourage a culture of security awareness.

Employee awareness matters, and regular training can help reduce cyber risks to your organisation. Employees should be trained immediately when hired and receive regular refreshers about the company's information security policies and what is expected of them.

Effective phishing training would typically involve:

  • Explain what phishing is: Emails that appear to be from a trusted source that are designed to trick users into entering credentials or opening attachments.
  • Show examples: Provide real-world examples of phishing emails, highlighting common red flags e.g., generic greeting, urgent language, suspicious links, grammatical errors.
  • Simulated phishing: Use a service to send fake phishing emails to employees and provide immediate feedback if they click on them.
  • Highlight consequences: Explain the potential impact to the organisation if staff fall for a phishing scam e.g., data breaches, financial loss, reputational damage, and include some well publicised examples.

Cybersecurity policies are essential for businesses as they provide clear guidelines for employees and a framework for responding to incidents. Policies are living documents that should be reviewed, updated and approved when changes occur.

The following is a list of key policy areas:

  • Cybersecurity Policy: This clearly explains the protection of the organisation’s information and systems, and how it is expected that resources are to be used and protected.
  • Acceptable Use Policy: Guidance to employees on appropriate use of company devices, networks, and data.
  • Password and Multi-Factor Authentication (MFA) Policy: Specifies minimum length, complexity, passphrase usage and, if appropriate, promotes the use of password managers. Details the systems that require MFA to be used.
  • Data Backup and Retention Policy: Specifies the approach to take with backups, including frequency, storage, and access controls. In addition, the types of data the business retains, and the periods for which it retains them, should be outlined. The approach to take with the storage and destruction of data should also be specified in this policy.
  • Third Party/Vendor Management Policy: This should cover the process for selecting a vendor, validating their information security posture, the process for conducting a risk management assessment, and maintaining a list of vendors.
  • Remote Access Policy: Outlines security requirements when working remotely, including device encryption, secure network use, access to company devices by non-employees.
  • Asset Management Policy: Specifies how the identification and recording of business assets, including hardware, software, data, should be handled.
  • Incident Response Policy: Describes the steps to take if a cyberattack occurs, including the roles and responsibilities of staff.
  • Updating/Patching Policy: Specifies the schedule for regular updates of all applications and systems, and appropriate measures to ensure minimal downtime.
  • Access Control Policy: Outline processes and requirements around access to systems and sensitive data, including privileged access to systems by external providers.

Employee awareness training matters and regular training can help prevent cyber-attacks. Training should be provided immediately to new hires, and regularly after that. Best practices would suggest:

  • Initial onboarding: All new hires should undergo training
  • Annual refresher: All employees should be given annual refresher training
  • Ad-hoc: If you become aware of a specific threat, e.g. targeted phishing campaign, additional training would be beneficial.
  • Ongoing awareness: Include cybersecurity advice in internal newsletters, on intranet pages, posters around the office, background/screensavers on devices.

An incident response plan clearly outlines the roles and responsibilities of staff members. This plan would typically instruct employees to:

  • Immediately report: Contact a designated internal person or team e.g., IT department, a specific manager.
  • Disconnect (if safe): If they suspect their device is compromised e.g. ransomware or other malware, they might be instructed to disconnect it from the network to prevent spread.
  • Do not delete evidence: Avoid trying to "fix" it themselves, as this could destroy crucial forensic evidence.
  • Change passwords: Especially for the suspected compromised account, but only after reporting and by using a different, clean device.

Backing up your data is a critical part of your recovery plan. To do it securely:

  • Regular Backups: Ensure you make regular backups of all critical data, including the systems needed to operate your business.
  • Off-site Storage: Store backups in a separate, secure location, not directly connected to your main business network. This could be an external hard drive stored off-site or a cloud-based backup service.
  • Air-Gapped: Ideally, keep your backups "air-gapped," meaning they are physically isolated from the original data and network, so they cannot be reached by an attacker who has access to your network. This will prevent them being tampered with if your network and systems are compromised.
  • Access Controls & MFA: Implement strict access controls and multi-factor authentication to protect your backups.
  • Regular Testing: Make sure to test your backups regularly to ensure they work when you need them.

Sensitive customer information should be stored in secure locations with robust controls. This includes:

  • Encrypted storage: Both data at rest (stored) and in transit (moved across networks) should be encrypted. Consider encrypting end-user devices and removable media e.g. USB drives.
  • Access controls: Implement strict access controls so only authorised staff can access the data. Staff access to data and information should be limited to only what they need to do their jobs - this is called the Principle of Least Privilege.
  • Multi-factor authentication: Ensure MFA is enabled for access to systems containing sensitive data.
  • Cloud solutions with enterprise-level security: If using cloud services, ensure the provider implements appropriate security measures and that you understand your shared security responsibilities.
  • EU Data Storage: If applicable, consider if the data needs to be stored within the EU to comply with regulations.

If your files are encrypted by ransomware and you have secure, uncorrupted backups, you can often restore your data and resume operations quickly. A well-practiced recovery process will greatly shorten this recovery time.

However, if you don't have good backups, the impact can be severe:

  • Data loss: You could lose customer data, financial data, and your entire business infrastructure.
  • Financial losses: This can lead to significant financial losses from recovery costs, potential fines and loss of earnings.
  • Reputation damage: You could lose clients due to concerns over lack of cyber security.

Yes, you should consider encrypting your sensitive data. Encryption protects this data by making it unreadable to anyone without the appropriate decryption key. This is a critical step in protecting sensitive data on devices, in cloud storage, and when it is being sent over networks. In the event of a cyber-attack this data would be of little use to the attacker.

Many effective measures are low-cost or free. Use built-in security features on devices, apply software updates promptly, and educate staff. Consider the Cyber Fundamentals certification for affordable, structured protection.

There are practical steps that SMEs can implement themselves, like turning on MFA, backing up data, creating strong passwords etc. Basic measures can be self-managed, but for more complex aspects, or if your internal resources and experience are limited, bringing in a managed service partner might be more appropriate. An appropriate risk assessment will help prioritise resources and highlight areas where additional assistance may be required.

Some of the most impactful and cost-effective measures to improve your cybersecurity include:

  • Turning on Multi-Factor Authentication (MFA): This provides strong protection against password attacks and is often free or low-cost to implement.
  • Creating Strong, Unique Passwords/Passphrases: This costs nothing but significantly improves security if done correctly and not reused.
  • Regularly Backing Up Data (with Off-site & Air-gapped copies): While backup services may have a fee, the cost of data loss from an attack far outweighs this.
  • Employee Cybersecurity Awareness Training: Investing in training can prevent many incidents because of human error, like falling for phishing emails.
  • Keeping Software Updated: Enabling automatic updates is often free and closes known vulnerabilities that attackers can exploit.

While it is not possible to provide guidance on all regulatory requirements across industry, there are two key regulations that relate to cyber and data security:

  • GDPR (General Data Protection Regulation): This EU regulation is highly relevant if you process the personal data of EU citizens.
  • NIS2 Directive: This EU directive, which is currently being implemented in Ireland, aims to strengthen cybersecurity across critical sectors in the EU. Depending on your industry and organisation size, you might fall in scope, requiring specific security measures and incident reporting.

Understanding your obligations in the event of a cyber incident and establishing processes to ensure these notifications happen is essential to avoid additional complications with regulatory authorities. Considerations should be given to the following:

  • GDPR: In the event of a cyber incident impacting “Personal Data”, a notification must be made to the DPC within 72 hours, where feasible. See the “Know Your Obligations” section on the DPC website for more information.
  • NIS2 Directive: There are strict reporting timelines for entities in scope of NIS2, beginning with an “Early Warning” report to the NCSC within 24 hours of becoming aware of a cyber incident. See the NIS2 page on the NCSC website for more information.
  • Industry Specific: There may be additional industry/sectoral specific reporting obligations that you should consider.
  • Report a Crime: It is always advisable to report cybercrime incidents to An Garda Síochána. This can aid in criminal investigations and tracking cybercrime trends.

Even if there are no obligations, the voluntary reporting of incidents to the NCSC is strongly encouraged. This helps enhance the overall understanding of the cyber threats faced by organisations in Ireland, to develop better defences and issue advisories and guidance that benefit everyone.

Cyber insurance can help mitigate the financial risks of an incident by covering the costs associated with data breaches, cyber-attacks, and related legal expenses. Consideration should be given to the potential impact of a cyber security incident, and the financial ability of your business to weather the recovery.

Remote access and working from home have become commonplace across businesses. This provides many opportunities for business and staff, but it requires some important considerations:

  • Secure Connection: Using a Virtual Private Network (VPN) connection is critical for a secure remote connection to your organisation's network from devices outside of the network.
  • Securing Home WiFi: Encourage staff members to ensure that their home router is updated and the WiFi requires a strong password to connect to.
  • Device Security: Ensure that devices are encrypted, password protected, running up-to-date software and have anti-virus installed.
  • Strong Passwords & MFA: Mandate the use of strong passwords/passphrases and multi-factor authentication for all remote access.
  • Updates: Ensure all devices are kept updated and that automatic updates are enabled.
  • Geo-blocking: Consider the option of limiting the geographic location of devices when they are connecting to your network. This can prevent unauthorised access to your networks if staff members' credentials have been compromised.
  • Staff Awareness: Provide guidance to staff on best practices for keeping their devices safe and the dangers of connecting to free/public WiFi.
  • Reporting: Have a no blame policy to encourage the prompt reporting of misplaced or stolen devices.

Wi-Fi plays an important role in device networking and access but is open to attack in a number of ways. There are a few key measures you can take to limit this attack surface and better secure your network:

  • Remove Default Credentials: Almost all routers will come with generic administrator credentials to ease the initial setup. This username and password should be changed at the first opportunity!
  • Password Protected: Staff joining the business WiFi network must be required to enter a strong password and requested not to share this.
  • Restrict Devices: Another approach is to only allow specific devices to connect to the business WiFi network.
  • RADIUS Server: This is a more complex approach but significantly increases the security of your WiFi by authenticating users and devices against a central directory using individual logins and/or device certificates.
  • WPA2/WPA3 Encryption: Ensure your WiFi network is configured to use WPA2 or, where your devices support it, WPA3 encryption; older WiFi security protocols should not be used.
  • Guest Network: If you are providing non-staff members WiFi access, ensure this is separate from your business network. The guest network feature on some routers is designed for this purpose.
  • Firmware Updates: Ensure that the firmware on your WiFi devices is updated regularly.

There are some additional risks with using personal devices for business purposes. These include:

  • Lack of Control: Businesses have less control over the security of personal devices e.g., outdated software, lack of antivirus, other risky personal apps.
  • Data Leakage: Business data could be accidentally or intentionally stored on insecure personal clouds or shared through personal apps.
  • Malware Infection: Personal browsing habits or risky app downloads could introduce malware that then compromises business data or networks.
  • Lost/Stolen Devices: If a personal device with business data is lost or stolen and isn't encrypted and properly secured, it poses a significant risk.

If you suspect a hack, you should have an incident response process in place. This typically includes:

  • Isolate: Disconnect the compromised device or system from your network to prevent the attack from spreading.
  • Report: Immediately inform relevant internal personnel (e.g., IT, management) and potentially external experts.
  • Activate Incident Response Plan: Follow your pre-defined plan, which should include steps for communication, containment, eradication, and recovery.
  • Preserve Evidence: Do not try to clean or fix the system yourself, as this can destroy crucial evidence for forensics. Examination of compromised systems will assist in determining how attackers got in, and where in your network they have been.

Without good backups, recovery can be impossible, leading to a significant impact on the business. The time to recover from a ransomware attack is hugely dependent on several factors:

  • Incident response plan: Having a well-rehearsed plan can streamline the process.
  • Quality of backups: If you have recent, air-gapped, and tested backups, recovery can be significantly faster (potentially from days to hours).
  • Complexity of the attack: How deeply the attackers penetrated and what systems were affected.
  • Resources: Availability of IT staff or external experts.

This is a complex issue and while paying the ransom might seem like a faster way to recover, or potentially the only way to recover, it offers no guarantees of a full recovery! The decryption keys provided by the cyber criminals may not work or may only partially work across your systems, leaving you unable to restore business operations, despite paying a large ransom.

Many ransomware groups operate a “double extortion” model, where after providing a decryption key they then extort you further by threatening to sell or publicly release the data they have obtained from your systems.

Critically, attackers often leave backdoors into systems they have compromised despite a ransom being paid, and in fact are more likely to target your organisation again if they know a ransom payment is likely.

Lastly, it should be considered that paying a ransom is funding and incentivising criminal activity.

Software and system updates, or "patching", are a crucial cyber security measure because they fix security vulnerabilities that cyber attackers can exploit. These vulnerabilities are like open doors that hackers can use to get into your systems, steal data, or install malware, and once a vulnerability has been discovered, attackers are very quick to use it. You should aim to install updates as soon as they become available, ideally with automatic updates enabled. It's also a good idea to only install applications that you need to run your business and patch/update them regularly.

Physical security is very important because if someone can physically access your devices, they can potentially bypass some of the software-based security measures. Managing physical access to devices, facilities, servers, and network components is a key component of your security posture. This can include strictly managing keys and alarm codes, always retrieving keys or badges when an employee leaves, changing alarm codes frequently, and not leaving internal network access outlets accessible in public areas.

Yes, especially for SMEs. It can help cover financial losses and recovery costs following a cyber incident. Ensure the policy covers your specific risks.