An Irish State Agency Was Hacked. Here Is What Every SME Owner Needs to Learn From It.
On Tuesday, staff at the Health Research Board arrived at work and were told to unplug their computers and go home.
Not a fire drill. Not a planned maintenance window. A cyberattack had brought the entire organisation to a standstill.
The Health Research Board manages over €50 million in health research funding annually. It is a serious, well-resourced Irish state body with dedicated IT staff and, almost certainly, formal security policies. And it was shut down.
If this can happen to them, the idea that your business is "too small to be a target" is not a strategy. It is a gamble.
This is not a headline from the United States. This happened in Ireland. This week.
What Actually Happened — and Why It Matters to You
The HRB has not yet confirmed the nature of the attack. But the response — telling all staff to disconnect their devices immediately — is the textbook first step when a major incident is detected. It is almost always the sign of ransomware: malicious software that spreads rapidly across a network, encrypting files as it goes.
The goal of that first instruction ("unplug everything") is to stop the spread. Every device that remains connected is a device that can be encrypted, a device that can be used as a launchpad to attack the next system.
The immediate cost of a cyberattack is not data loss. It is operational paralysis.
Think about your own business for a moment. What would happen if you could not access your email, your files, your accounting system, or your project management tools for a day? For a week? Could you issue invoices? Run payroll? Contact clients? Fulfil orders?
For most Irish SMEs, the honest answer is: not easily. And for some, the honest answer is: not at all.
Lesson 1: Your Incident Response Plan Is a Verb, Not a Noun
Many businesses have a document somewhere called an "Incident Response Plan." It was written two years ago, it lives in a folder no one can find, and it has never been tested.
The HRB's response on Tuesday was not a document. It was a decision — made quickly, under pressure, by people who knew what to do. They used text messages for out-of-band communications when email was compromised. They had a chain of command. They acted.
The question is not whether you have a plan. The question is whether your plan works when the pressure is on.
Ask yourself three questions right now:
Who in your business has the authority to make the call to shut everything down? Not "who would probably do it" — who has been explicitly told that this is their responsibility?
How do you contact all your staff if email and Microsoft Teams are unavailable? Do you have a WhatsApp group? A phone tree? A list of personal mobile numbers somewhere offline?
What is the first external call you make? Your IT provider, your cyber insurance company, and the NCSC Ireland all need to be on a printed card, not stored in an email account you can no longer access.
If you cannot answer all three questions in under thirty seconds, your incident response plan needs work.
Lesson 2: Backups Protect Your Data. They Do Not Protect Your Reputation.
Here is the part of the HRB story that most coverage will miss.
Even if the HRB has perfect, tested, offline backups — and even if they can restore every single file without paying a ransom — the attack may not be over.
Modern ransomware attacks are no longer just about encryption. They are about exfiltration. Before the attackers encrypt your files, they steal them. The threat is no longer "pay us or you cannot access your data." It is "pay us, or we publish your data to the world."
Your backups get you operational again. They do not prevent the breach from happening.
This changes the calculus entirely. For a health research organisation, the stolen data could include sensitive research data, personal data of research participants, financial records, and staff information. The reputational and legal consequences of that data appearing on a dark web forum do not disappear because the systems were restored from backup.
For your business, the equivalent might be client contracts, financial records, employee data, or commercially sensitive communications.
The lesson here is not "don't bother with backups" — backups remain essential. The lesson is that backups are the last line of defence, not the first. The first line of defence is preventing the attacker from getting in at all. That means multi-factor authentication (MFA) on every account, regular software patching, and strong access controls that limit what an attacker can reach if they do get in.
Not sure if your business is prepared for an incident like this? Download the Irish SME Cyber Survival Guide — a free, plain-English guide to the 10 controls every Irish business needs. No jargon, no sales pitch.
Lesson 3: The NCSC Is for You, Too
The National Cyber Security Centre (NCSC) is involved in the HRB incident. Many Irish SME owners read that sentence and assume the NCSC is something that exists for government bodies and large corporations — not for a 15-person professional services firm in Letterkenny or a 30-person manufacturer in Sligo.
That assumption is wrong.
The NCSC provides free guidance for all Irish businesses, regardless of size or sector. Their website at ncsc.gov.ie includes SME-specific resources, incident reporting tools, and practical guidance on the controls that matter most. If your business suffers a serious cyber incident, the NCSC is one of the first calls you should make.
Knowing who to call before an incident is the difference between a controlled response and a chaotic one.
Add the NCSC to your incident response contact list today. Their incident reporting line is available 24/7. If you are subject to NIS2, reporting to the NCSC within 24 hours of detecting an incident is a legal obligation, not a choice — and the fine for missing that window can match the fine for the breach itself.
What the HRB Attack Tells Us About the Threat Landscape in 2026
The timing of this attack is not coincidental. Irish organisations are being targeted at a higher rate than at any point in the last five years.
The NCSC Ireland's Annual Review consistently shows that ransomware remains the dominant threat to Irish organisations, with public sector and healthcare bodies disproportionately targeted. The reason is straightforward: these organisations hold sensitive data, they have operational dependencies that make downtime extremely costly, and they are often perceived as more likely to pay a ransom to restore services quickly.
But the targeting logic that applies to the HRB also applies to your business. If you hold data that someone would pay to recover or pay to keep private — client records, financial data, employee information, commercially sensitive contracts — you are a target.
| What Attackers Want | Why Your Business Is at Risk |
|---|---|
| Data to encrypt and ransom | Every business has operational data it cannot afford to lose |
| Data to steal and extort | Client records, financial data, and employee information all have value |
| Access to your clients | Your email account is a trusted route into your clients' inboxes |
| Payment redirection | Your supplier relationships are a source of fraudulent invoice opportunities |
The HRB attack is a reminder that cyber threats are not abstract. They are operational. They shut businesses down. They cost money, reputation, and in some cases, jobs.
Three Actions to Take Before the End of This Week
The HRB attack provides three clear lessons for every Irish business leader. Here is what to do with them.
Test your incident response plan. Not read it — test it. Run a ten-minute tabletop exercise with your management team: "Our email is down and our files are encrypted. What do we do in the next 60 minutes?" If the answer is "we don't know," that is the gap you need to close first.
Audit your access controls. Who has access to what in your business? Does every member of staff have MFA enabled on their email account? Are former employees' accounts disabled? Does your IT provider have admin access to your systems — and do you know exactly what that access covers? These are the questions that determine whether an attacker who gets one set of credentials can reach everything, or just one thing.
Bookmark the NCSC. Visit ncsc.gov.ie today. Read their SME guidance. Add their incident reporting contact to your phone. If you are in scope for NIS2, confirm you are registered and that you understand your 24-hour reporting obligation.
The Bottom Line
The Health Research Board attack is not a story about a government agency. It is a story about operational resilience — and the cost of not having it.
Every Irish business that relies on digital systems to operate is exposed to the same category of risk. The difference between the businesses that survive a serious cyber incident and the businesses that do not is not luck. It is preparation.
Reading this article is a good first step. The next step is acting on it.
If you are unsure where your business stands — whether your incident response plan is fit for purpose, whether your access controls are adequate, or whether you are meeting your NIS2 obligations — book a free 20-minute strategy call with our vCISO team at pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just an honest assessment of where you stand and a clear plan to address it.
The HRB did not expect to be attacked this week. Neither will you.
Sources: NCSC Ireland | An Garda Síochána Cybercrime Bureau | Health Research Board
Related Reading
Share this article
Related Articles
How to Create a Cyber Incident Response Plan in One Afternoon: A Template for Irish SMEs
What Happens to a Small Business After a Serious Cyber Attack? The Honest Answer.
A Sligo Hotel Was Offline for Three Days After a Cyber Attack. Here Is What the Owner Wishes They Had Done.
Ready to strengthen your security?
Get expert vCISO guidance tailored to your business needs.