In recent years, cybersecurity has risen up the political agenda, leading to a raft of new EU legislation in particular, including the updated Network and Information Security Directive (NIS2). This in itself is no surprise given our ever greater reliance on technology and the increased sophistication of cyberattacks.
According to a European Commission survey, in 2023, more than one in five EU enterprises (21.5 per cent) experienced ICT-related security incidents “leading to consequences such as the unavailability of ICT services, destruction or corruption of data, or disclosure of confidential data”.
But is either the growing threat or the new EU-levied fines for mishandling data also resulting in serious investment in security? The picture is mixed.
For example, the same EU survey found that in 2024, 92.8 per cent of EU enterprises used “at least one ICT security measure”. In Ireland, the figure was 86.2 per cent, while only 46.2 per cent had formally documented security procedures in place.
Broadly, this is an issue of capacity. According to the World Economic Forum’s Global Cybersecurity Outlook 2025, written in collaboration with Accenture, smaller organisations in particular face a problem, with 35 per cent saying that they had “insufficient cyber resilience”, up from five per cent in 2022 and contrasting with seven per cent and falling among large organisations.
Underscoring this, just this month, global insurance broker Marsh reported that cybersecurity at Europe’s SMEs lags larger firms by 15 per cent.
This disconnect between needs and capabilities often stems from leadership’s understanding of cybersecurity as a technical rather than strategic business issue, and the gap in cyber resilience is frequently exacerbated by difficulties in communicating security needs to decision-makers, said Jason Popplewell, group commercial director at private cloud provider and security specialist Stryve.
“The biggest challenge around security at the minute is convincing people, including the senior management team, to understand how important it is,” he said.
Smaller businesses do face particular challenges, he said, including the mistaken belief that subscribing to the big cloud services always includes security, and even recovery, as part of the package.
However, they should be aware that, regardless of infrastructure, being targeted in a ransomware attack can be debilitating, he said.
“What I have found at times is that, for smaller business – when I say small, [turnover] of €20 million to €30 million can be ‘small’ – and certainly businesses [that are] not in the IT sector, say a manufacturing business, they can take things for granted, and don’t understand what an effect a major breach can have,” he said.
Popplewell said that, following a cyber attack, operations can be effectively brought to a halt as the intrusion may have a wider impact than “just the IT”, which can be particularly damaging in highly regulated sectors.
“You might think it’s ‘files and folders’, but there can be a ripple effect: for instance, your barrier may not open. Why not just build a path around the barrier? Well, it’s not ISO-compliant if you do that,” he said.
Problems can cascade, too: a loss of data can mean orders are not processed correctly, resulting in further delays, or the arrival of previously cancelled goods.
In truth, businesses of all sizes need to face the threat, so the lack of investment in cybersecurity is curious when you consider that businesses often spend heavily on, for instance, capital equipment.
It is up to companies like Stryve, Popplewell said, to make the positive case for investment as a necessary investment in the business.
“A good thing to ask senior leadership is what’s the makeup of your board. The culture comes from the top down. It’s our job to try and educate people, including telling them that prevention is an awful lot better than cure,” he said.
Government support does exist, Popplewell said, including the EI cyber review grant, an Enterprise Ireland scheme providing €3,000 to allow companies to get an overview of their security posture.
“There was also a potential follow-up grant of up to €60,000, the cybersecurity improvement grant, from the National Cyber Security Centre, which closed in December 2024. I’m hoping they’re going to reopen that [grant],” he said.
The embrace of cloud has helped, but it is not a silver bullet, and a strong cybersecurity posture – from education and policies, to actual security measures and a recovery strategy – remains essential, he said.
“The enterprise and large companies are very up to date with cloud. A lot of the smaller companies have a mixture [of cloud] with on-prem; they’re moving toward the cloud, mostly due to end-of-life for servers and so on. I would say 80 per cent of our customers are using the cloud and 20 per cent are totally in the cloud. The bigger companies are using it: banks, financial institutions, any enterprise company has embraced it,” he said.
But whether in the cloud or on-premise, no organisation should assume that a cyber attack either won’t happen or will have a minimal impact.
“Many haven’t budgeted for that surprise, and they definitely haven’t budgeted for that follow-on. Obviously, it’s very expensive to unwind after an attack. People don’t realise you need to invest to get it back to normal, you need to invest to stay normal,” he said.
A purely reactive approach to cybersecurity spending often proves far more costly than preventative measures would have been, he said.
“People just assume everything is fine, until it’s not. It never happens until it happens,” he said.