Cyber disruption can cost Irish SMEs up to €3.4bn annually

‍Read the report here

‍

Dublin, 17^thJune

Cyber-attacks are costing Irish small and medium-sized enterprises (SMEs) up to €3.4 billion annually, but the greatest impact is not from major one-off breaches. Instead, repeated day-to-day cyber disruption is driving many losses, according to new research from eir business.

The report, The Hidden Cost of Cyber Risk, which was supported by Microsoft and Dr. Mauricio Perez-Alaniz from the Kemmy Business School (KBS), University of Limerick, finds that SMEs lose more than 7.2 million working days every year due to cyber incidents, with affected businesses experiencing multiple incidents annually. For individual firms, this equates to nearly three working weeks lost each year.

While the financial impact of any single incident can be significant, the analysis highlights that it is the cumulative effect of repeated disruption, downtime, lost productivity and operational interruption, that creates the greatest economic cost, amounting to approximately €50,000 per SME annually. Crucially, the findings show that much of this impact is avoidable.

SMEs with stronger cyber preparedness experience fewer incidents, lower overall losses and significantly less disruption. Organisations with higher levels of preparedness reduce annual downtime from more than 30 days to around 5 days, while structured data management significantly lowers the likelihood of experiencing an attack.

In response to these findings, eir business is announcing the launch of Cybersecurity Assurance, a first-of-its-kind subscription service designed to help SMEs strengthen their cyber resilience through ongoing support, planning and rapid response capability. The service includes named vCISO (virtual Chief Information Security Officer) governance, regularly updated business continuity and incident response plans, ongoing advisory, and access to critical incident response teams when needed.

Businesses with structured data management processes are far less likely to experience a cyber-attack, with incident likelihood falling from 40% to 24%. The gap between low and high preparedness is also stark, with annual disruption falling from more than 30 days for poorly prepared organisations to around 5 days for the most prepared.

Susan Brady, Managing Director eir business, said:

“This report shows that cyber risk is not just about rare, large-scale attacks. For most SMEs, it is the cumulative impact of everyday incidents, from phishing emails and ransomware attempts to service disruptions, that drives significant loss of time and productivity. These risks affect not just individual businesses, but supply chains, customers and the wider business ecosystem. That’s why we are launching Cybersecurity Assurance, to help SMEs manage the full spectrum of cyber threats in a practical and sustainable way.”

Mauricio Perez Alaniz, Assistant Professor in the Department of Economics, Kemmy Business School (KBS), University of Limerick noted the importance of cyber-risk and welcomed the attention to this critical issue.

He said:

“While SMEs are increasingly being reminded about the potential productivity and sustainability gains that can arise from the adoption of digital technologies, the issue of cyber-risk, and the associated costs of cyber-attacks, require more attention.

“This report seeks to do just that. It provides an intuitive approach to quantify the costs of cyber-attacks in terms of direct economic costs, and more importantly, potential costs associated with downtime. It is important to keep in mind that fully quantifying such costs is difficult. While the estimates presented by the report are necessarily high-level and resting on a set of assumptions, they offer important insights into the scale and nature of the issue.”

‍Read the report here

‍