Cyber Ireland 4 Pillars: A Cyber Security Baseline Framework for SMEs

How Ireland’s SMEs can be the Front Line of our National Cyber Resilience

The Covid-19 pandemic spurred the rapid acceleration of digital transformation to maintain business continuity and service delivery. While this provided numerous advantages and efficiencies, it has also presented new security challenges, risks and vulnerabilities. 

The demand for cyber security and cyber resilience has never been greater. However, considering the current economic downturn, companies are searching for ways to do more with less, which will inevitably impact IT and cyber security budgets, particularly for SMEs. 

Cyber attacks take many forms, but most are straightforward and executed by individuals with limited skills. These attacks are the digital equivalent of a thief trying your front door to see if it’s unlocked. Unfortunately, Irish SMEs have low levels of cyber preparedness, making them susceptible to rising cyber threats. This increases the risk of supply chain attacks for large enterprises and governments that rely on SME suppliers.

Some companies view cyber insurance as the answer, but it doesn’t prevent the immediate damage caused by a data breach or cyber attack. Organisations must still handle the incident response and fulfil their breach notification requirements, and they can be found liable for the incident under GDPR. Cyber insurance should serve as a safety net if all other measures fail rather than being the primary line of defence.

The challenge for SMEs can be knowing where to start with establishing the basic steps for their cyber security posture. Getting ISO 27001 certified is neither an option nor necessary for all SMEs. In Ireland, we have yet to introduce a cyber security framework or standard for SMEs, like the UK programme Cyber Essentials.

A cyber security baseline framework for Irish SMEs is required to protect organisations from the most common cyber-attacks and increase cyber security preparedness, ensuring SMEs can be the front line of defence against cyber criminals. 

To initiate this framework, a Cyber Ireland sub-group partnered with the Small Firms Association (SFA) to enlist SMEs for piloting the framework and self-assessment. The pilot programme, which began in January 2023, involved ten SMEs from diverse sectors such as recruitment, e-mobility solutions, retail, and IT services, who were guided through Cyber Ireland’s 4 Pillars (CI4) over the course of a month.

  1. Secure Configuration – Configuring the environment to a secure standard, including software, hardware, network devices and standard builds
  2. Managed Access Control – Ensuring that access to the secured environment is authorised, verified, accounted for, and in line with the principle of least privilege
  3. Security Maintenance – Ensuring that systems are patched, anti-malware is functioning, logging is enabled, backups are in place, hardware is maintained and data is securely disposed of when no longer required
  4. Continuous Improvement – Ensuring that user awareness training is ongoing, an audit schedule is in place and functioning, vulnerability scanning is carried out, and an information security risk register is maintained

Companies Who Participated in the Pilot

By canvassing the insurance market, Cyber Ireland identified a robust insurance provider that offers a comprehensive policy wording at a reduced rate for those who completed the CI4 framework. The insurance policy provides limits of indemnity starting at €250,000 with low policy excesses and no restrictive policy clauses, which served as a significant incentive for SMEs to complete the framework. 

The feedback provided by the pilot on delivery methods and SME feasibility is invaluable. For the programme to make a significant impact, it must now be implemented nationwide across all sectors of the economy with government support. This will provide SMEs with a framework to establish their cyber security posture, thereby enhancing Ireland’s national cyber resilience. 

A task group, which has been working on the initiative for the past 12 months, developed and delivered the CI4 SME Cyber Security Baseline Framework. Special thanks to David McNamara & Colm Gallagher, CommSec, and Brian O’Mara, O’Leary Insurances, for their time and commitment to this project.