Repeated low-level incidents are draining productivity and resilience across Irish SME sector, new research finds.
Irish small and medium-sized enterprises are losing billions each year to cyber incidents, with the greatest damage coming not from headline-grabbing attacks but from the steady accumulation of everyday disruption.
New research from eir business estimates the annual cost of cyber risk to SMEs at up to €3.4bn, with more than 7.2 million working days lost across the sector.
“These risks affect not just individual businesses, but supply chains, customers and the wider business ecosystem”
The findings point to a persistent operational drag, as businesses contend with multiple incidents each year ranging from phishing attempts to ransomware intrusions and service outages.
The report, The Hidden Cost of Cyber Risk, supported by Microsoft and led by Dr Mauricio Perez-Alaniz of the Kemmy Business School at the University of Limerick, suggests that the cumulative nature of cyber disruption is a defining feature of the challenge facing smaller firms.
For individual SMEs, the impact is material. Businesses lose an average of 18.6 working days annually, equivalent to nearly three working weeks, while the broader economic effect amounts to roughly €50,000 per firm in lost value.
The weight of everyday disruption
The research highlights how repeated incidents, rather than isolated breaches, are shaping the financial and operational burden on SMEs. Firms that experience cyber attacks typically report four to five incidents each year, with a median cost of €8,700 per incident.
Susan Brady, managing director of eir business, said the findings reflect the lived reality for many SME operators.
“This report shows that cyber risk is not just about rare, large-scale attacks. For most SMEs, it is the cumulative impact of everyday incidents, from phishing emails and ransomware attempts to service disruptions, that drives significant loss of time and productivity,” she said.
“These risks affect not just individual businesses, but supply chains, customers and the wider business ecosystem.”
Across the SME base, even conservative estimates place the cost of cyber risk at €750m annually, rising sharply when repeat incidents and associated downtime are factored in.
Preparedness shapes outcomes
The report draws a clear link between cyber preparedness and business resilience. Organisations with stronger security measures and structured data management experience fewer incidents, shorter periods of disruption and lower financial losses.
Highly prepared firms limit annual downtime to around five days, compared with more than 30 days for those with weaker defenses. Structured data management alone reduces the likelihood of an attack from 40 per cent to 24 per cent and generates measurable savings for businesses of all sizes.
Micro and small firms face average annual losses of around €8,600 to €8,700, rising to €16,000 in the absence of basic controls. Medium-sized businesses incur costs of approximately €19,000, increasing to €25,000 where preparedness is low.
Access to external expertise also plays a role, with businesses using third-party support reporting savings of more than €5,500 and up to nine fewer days of disruption each year.
Dr Perez-Alaniz said the research aims to bring greater clarity to an area that is often underappreciated.
“While SMEs are increasingly being reminded about the potential productivity and sustainability gains that can arise from the adoption of digital technologies, the issue of cyber-risk and the associated costs of cyber attacks require more attention,” he said.
“This report provides an intuitive approach to quantify the costs of cyber attacks in terms of direct economic costs and, more importantly, the potential costs associated with downtime.”
He noted that estimating the full economic impact of cyber incidents remains complex, with the report’s figures based on a series of assumptions and benchmarks. Even so, the findings offer a useful indication of scale.
Policy focus and industry response
The report lands amid growing concern about the resilience of SMEs in an increasingly digital economy. Minister of State Alan Dillon said strengthening cyber preparedness is central to sustaining competitiveness.
“Small and medium-sized enterprises are central to the Irish economy, and ensuring they are resilient in an increasingly digital environment is critical,” he said.
“This research highlights the real and growing impact that cyber risk is having on businesses across the country, not just in financial terms, but in disrupted operations and lost productivity.”
He pointed to existing supports from the National Cyber Security Centre, including a dedicated website offering practical guidance for SMEs on improving awareness, preparedness and response capabilities.
In response to the findings, eir business has launched a new Cybersecurity Assurance service aimed at helping SMEs build resilience through continuous support rather than reactive interventions.
The subscription-based offering includes access to a virtual chief information security officer, ongoing advisory services, regularly updated incident response and business continuity plans, and rapid access to specialist response teams.
Brady said the focus is on helping firms manage cyber risk in a structured and sustained way.
“That’s why we are launching Cybersecurity Assurance, to help SMEs manage the full spectrum of cyber threats in a practical and sustainable way,” she said.
Image at top: Oliver Loomes, CEO of eir; Minister of State Alan Dillon, TD; and Susan Brady, Managing Director eir business
-
Bank of Ireland is welcoming new customers every day – funding investments, working capital and expansions across multiple sectors. To learn more, click here
-
For support in challenging times, click here
-
Listen to the ThinkBusiness Podcast for business insights and inspiration. All episodes are here. You can also listen to the Podcast on:
-
Spotify
-
SoundCloud
-
Apple
