The small-business website security gap
The average Irish business reported 58 cyber attacks in a year. For smaller firms, basic controls and staff habits remain the most practical line of defence.
Website security can sound like a specialist problem until a compromised account redirects customers, exposes contact details or takes a business offline. Irish data shows that incidents are common, while compulsory security training remains far less prevalent in small enterprises than in large ones.
More than one attack a week
Hiscox’s 2024 Irish survey reported an average of 58 cyber attacks per business per year—more than one each week. Almost three quarters of respondents said attacks had increased over the previous year. The survey covered 250 Irish business leaders and IT decision-makers, so it should be read as reported business experience rather than a census of every firm.
Official CSO figures add another view. In 2024, 11.5% of enterprises experienced temporary unavailability of ICT services because of hardware or software failure or intentional attack. Some 2.1% experienced destruction or corruption of data and 1.5% disclosure of confidential data.
The training divide is substantial
Only 17.9% of small enterprises employing 10 to 49 people had compulsory ICT-security training in 2024, according to the CSO. The equivalent figure for large enterprises was 82.3%. That divide matters because phishing and fraudulent messages target people rather than software alone.
The National Cyber Security Centre describes phishing as disguised communication intended to persuade recipients to reveal information, click a malicious link or open an unsafe attachment. Training should be practical: verify unusual payment requests through a separate channel, inspect links before opening them and report suspicious messages rather than quietly deleting them.
The website controls that matter first
Keep the website platform, plugins and dependencies supported and updated. Remove unused accounts and extensions. Require multi-factor authentication for administration, domain and email accounts. Give each person only the access needed for their role, and avoid sharing a single administrator login.
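The account controls listed above can be checked against an export of the site's user list. The script below is an added example, not from the original article: it reads a constructed CSV export (the column names, the 90-day inactivity threshold and the set of roles treated as privileged are all assumptions) and reports accounts that breach least privilege, lack multi-factor authentication, look like shared generic logins, or have gone stale.

```python
"""Audit a website user export against basic account hygiene controls.

Added example; the CSV layout and thresholds are assumptions, not a real
CMS export format.
"""
import csv
import io
from datetime import date, datetime

STALE_DAYS = 90                                   # assumption: review/remove after this
PRIVILEGED = {"administrator", "editor"}          # assumption: roles that must have MFA
GENERIC_NAMES = {"admin", "administrator", "root", "webmaster", "info"}
MAX_ADMINS = 2                                    # assumption: more than this needs justification

# Constructed sample export; a real one would come from the CMS user list.
SAMPLE_CSV = """username,role,mfa_enabled,last_login
admin,administrator,false,2024-01-15
maire.b,administrator,true,2025-03-01
sean.o,editor,false,2025-02-20
old-agency,administrator,true,2023-06-30
reception,subscriber,false,2025-02-28
"""


def audit_accounts(csv_text, today=None):
    """Return (username, finding) tuples for every control breach found.

    `today` is an ISO date string; it defaults to the real current date.
    """
    today = datetime.strptime(today, "%Y-%m-%d").date() if today else date.today()
    findings = []
    admins = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["username"].strip()
        role = row["role"].strip().lower()
        mfa = row["mfa_enabled"].strip().lower() == "true"
        last = datetime.strptime(row["last_login"].strip(), "%Y-%m-%d").date()

        if role == "administrator":
            admins += 1
        # Privileged roles without MFA are the accounts an attacker wants most.
        if role in PRIVILEGED and not mfa:
            findings.append((name, "privileged account without MFA"))
        # Generic names are usually shared logins with no individual accountability.
        if name.lower() in GENERIC_NAMES:
            findings.append((name, "generic login name, likely shared; replace with named accounts"))
        # Stale accounts (ex-staff, old agencies) are unused attack surface.
        if (today - last).days > STALE_DAYS:
            findings.append((name, f"no login for more than {STALE_DAYS} days; disable or remove"))
    if admins > MAX_ADMINS:
        findings.append(("*", f"{admins} administrator accounts; confirm each needs full access"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_CSV, today="2025-03-10"):
        print(f"{user:12} {finding}")
```

Run against the constructed sample with a fixed date, it flags the shared `admin` login three times (no MFA, generic name, stale), the editor without MFA, the old agency account, and the number of administrators. The same logic applies to hosting, registrar and email consoles once their user lists are exported.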
Backups should be automatic, recent and kept separately from the live website. A backup that has never been restored is only an assumption, so test recovery. HTTPS is a baseline for protecting data in transit, but it does not make vulnerable software or stolen credentials safe.
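A restore test can be scripted so it runs with every backup rather than being forgotten. The following is an added example, not code from the article: it archives a site directory, stores a SHA-256 checksum beside the archive, then proves the backup is usable by extracting it to a separate location and comparing every file with the live tree. A second function shows the failure mode, a silently corrupted archive, being caught before anyone relies on it. The directory layout and the tar.gz format are assumptions.

```python
"""Back up a site directory, then prove the backup restores correctly.

Added example; paths are constructed inside a temporary directory so the
script runs offline.
"""
import filecmp
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir, backup_dir):
    """Archive site_dir into backup_dir and record its checksum beside it."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "site-backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    Path(str(archive) + ".sha256").write_text(sha256_file(archive))
    return archive


def verify_restore(archive, site_dir, restore_dir):
    """Check the checksum, extract to restore_dir, compare with the live tree.

    Returns (ok, problems); an empty problems list means the restore is sound.
    """
    expected = Path(str(archive) + ".sha256").read_text().strip()
    if sha256_file(archive) != expected:
        return False, ["archive checksum mismatch; backup file is corrupt"]
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter refuses absolute paths and path traversal.
            tar.extractall(restore_dir, filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(restore_dir)
    restored = Path(restore_dir) / "site"
    problems = []
    for path in Path(site_dir).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(site_dir)
        twin = restored / rel
        if not twin.is_file():
            problems.append(f"missing after restore: {rel}")
        elif not filecmp.cmp(path, twin, shallow=False):
            problems.append(f"content differs after restore: {rel}")
    return not problems, problems


def _constructed_site(root):
    """Create a tiny constructed site tree to stand in for a live install."""
    site = Path(root) / "live"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (site / "wp-content" / "uploads" / "logo.txt").write_text("constructed upload\n")
    return site


def demo():
    """Back up the constructed site and run the restore test; expect (True, [])."""
    with tempfile.TemporaryDirectory() as tmp:
        site = _constructed_site(tmp)
        archive = make_backup(site, Path(tmp) / "backups")
        return verify_restore(archive, site, Path(tmp) / "restore-test")


def demo_corrupt_archive():
    """Flip one byte of the archive (simulated storage corruption); expect failure."""
    with tempfile.TemporaryDirectory() as tmp:
        site = _constructed_site(tmp)
        archive = make_backup(site, Path(tmp) / "backups")
        with open(archive, "r+b") as f:
            f.seek(-1, os.SEEK_END)
            last = f.read(1)
            f.seek(-1, os.SEEK_END)
            f.write(bytes([last[0] ^ 0xFF]))
        return verify_restore(archive, site, Path(tmp) / "restore-test")


if __name__ == "__main__":
    print("clean backup:", demo())
    print("corrupted backup:", demo_corrupt_archive())
```

The checksum file should travel with the archive to the off-site copy, and the restore target must never be the live directory; a restore test that overwrites production is a second incident.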
Protect the domain and business email
A domain is part of a company’s identity. If its registrar account is taken over, an attacker may redirect the website or intercept email. Protect the registrar with a unique password and multi-factor authentication, keep recovery details current and enable transfer locks where available.
Business-email compromise can be more damaging than a visible website hack. Attackers imitate executives or suppliers to change bank details and divert payments. Payment or credential requests should never be approved solely from an email thread, especially when urgency is used as pressure.
Prepare for the incident before it happens
Write down who controls the website, domain, hosting and email, and how each provider can be contacted. Decide who will inform customers, advisers, insurers and authorities. Keep this plan somewhere accessible if normal systems are unavailable.
If personal data is involved, organisations may have duties under data-protection law, including assessing whether the breach must be notified. The right response depends on the incident, so businesses should seek appropriate legal or security advice rather than improvise under pressure.