
An Introduction to Cyber Security Fundamentals

This article introduces the core cyber security fundamentals SMEs should adopt, structured under six key pillars: Governance, Identification, Protection, Detection, Response Planning, and Recovery.

Small and Medium Enterprises (SMEs) form the backbone of modern economies, yet they are increasingly exposed to cyber threats that were once associated only with large enterprises.

What cyber security gaps do SMEs face?

According to Munster Technological University (MTU) and the National Cyber Security Centre's (NCSC) 2025 report on SME cyber resilience, small and medium enterprises constitute 99.8% of Irish businesses, and the findings indicate widespread gaps in preparedness for contemporary cyber threats in areas such as (MTU and NCSC, 2025):

  • Data Backups
  • Multi-Factor Authentication
  • Incident Response Planning
  • Cybersecurity Training
  • VPN Usage
  • Business Continuity Planning

Ransomware, data breaches, supply-chain attacks, and business email compromise now regularly impact organisations with limited budgets, minimal in-house IT expertise, and heavy reliance on third-party service providers.

What are the six core cyber security fundamentals SMEs should adopt?

Cyber security fundamentals are not about using complex tools or owning expensive technology.

For SMEs, they are about good governance, clear accountability, basic cyber hygiene, and informed decision-making. When approached correctly, cyber resilience becomes a business enabler rather than a burden - supporting growth, protecting reputation, and strengthening relationships with customers, regulators, and suppliers.

This article introduces the core cyber security fundamentals SMEs should adopt, structured under six key pillars: Governance, Identification, Protection, Detection, Response Planning, and Recovery. These reflect the six functions of the CyberFundamentals (CyFun) framework used in Belgium and Ireland, which adapts the NIST Cybersecurity Framework (CSF) 2.0 to incorporate requirements from EU regulations such as NIS2 and DORA.

The following sections outline why each of these six domains matters.

1. Governance - Who is accountable for cyber security?

Cyber security governance is the foundation of all effective cyber resilience. For SMEs, this does not mean creating complex policies or appointing a Chief Information Security Officer (CISO). It means clearly assigning responsibility and embedding cyber risk into business decision-making.        

Making Cyber a Shared Responsibility

Many small and medium-sized enterprises (SMEs) demonstrate a structural weakness in how cybersecurity is understood and managed, often treating it as a purely technical issue delegated to IT functions. This narrow perspective fails to recognise that cyber threats can disrupt multiple areas of the business. Financial processes, human resources, operational activities, and customer-facing services are all potential targets. For example, deceptive emails aimed at payroll staff, manipulation of supplier payment details, or unauthorised access to customer information can each trigger grave consequences. Such incidents extend beyond technical disruption, exposing the organisation to regulatory breaches, economic loss, and long-term reputational harm. Addressing cyber risk therefore requires coordinated oversight and accountability across the entire organisation, rather than isolated technical controls.

Effective governance in relation to cybersecurity begins with the establishment of clear accountability at senior management or board level. Assigning ownership at this level ensures that cyber risk receives appropriate oversight and strategic attention.

Cybersecurity considerations should be integrated into wider risk discussions, alongside financial, operational, and compliance risks, rather than being treated as a separate technical issue. In addition, fostering a culture in which cybersecurity awareness is recognised as a shared organisational responsibility is essential.   

Leadership plays a critical role in shaping this culture; when senior management consistently positions cybersecurity as fundamental to business continuity and organisational trust, employees are more likely to adopt and maintain responsible security practices.

Governance When IT Is Outsourced     

Small and medium-sized enterprises (SMEs) frequently rely on third-party providers, such as managed service providers (MSPs) or cloud service vendors, to deliver IT capabilities. While this approach can enhance technical capacity and efficiency, it does not eliminate the organisation’s responsibility for cybersecurity. Accountability for safeguarding customer information, complying with regulatory requirements, and ensuring continuity of business operations remains with the SME.

Effective governance therefore requires a clear understanding of the security measures implemented by external providers, as well as defined roles and responsibilities for responding to cyber incidents. Cyber risk should also be formally incorporated into supplier management processes, including ongoing oversight and contractual review.

Outsourcing IT services does not remove exposure to cyber threats; rather, it alters the way cyber risk must be governed and controlled.

2. Identification - How do you know what you need to protect?

You cannot protect what you do not understand. The “identify” function focuses on having visibility and knowledge of the organisation’s assets, data, and risks.           

Understanding Critical Assets and Data

SMEs should begin by identifying:

  • Key business systems (e.g. accounting, CRM, payroll, email)
  • Sensitive data (customer data, financial records, intellectual property)
  • Critical suppliers and outsourced services

This process does not need to be technical. A simple inventory of systems and data, mapped to business processes, provides clarity on what matters most and where disruption would have the greatest impact.

Risk Awareness and Prioritisation

Not all risks are equal, and not all assets warrant the same level of protection. SMEs should focus their limited resources on:

  • Risks that could stop operations
  • Risks that could lead to regulatory penalties
  • Risks that could damage customer trust or brand reputation

Proportionate Protection

Security measures must be proportionate to the value of what they protect. For example, installing an expensive intrusion detection system to protect a cheap company car would make no economic sense if the cost of protection exceeded the value of the asset. The same principle applies to cyber security: organisations should invest in controls that match the criticality and value of their digital assets.

Asset Identification as a Foundation

A thorough identification of critical assets is fundamental for prioritising recovery activities after a cyber incident. A current, clear list of critical assets lets a company decide, in the post-incident recovery phase, which systems to restore first, minimising disruption to customers and limiting financial losses.

3. Protection - What is cyber hygiene?

Protection focuses on putting basic safeguards in place to reduce the likelihood and impact of cyber incidents. For SMEs, this is where cyber hygiene plays a critical role.

Core Cyber Hygiene Measures

Basic protective measures include:            

  • Strong password policies and multi-factor authentication (MFA)
  • Regular patching of systems and software
  • Access controls based on job roles
  • Secure configuration of devices and networks
  • Regular data backups

These controls are simple, affordable, and proven to prevent a large share of common cyber incidents.

Business Benefits of Good Cyber Hygiene

Cyber hygiene is increasingly viewed as a commercial requirement, not just a security measure. SMEs with strong cyber practices benefit from:     

  • Improved trust with customers and partners
  • Easier onboarding as suppliers to larger organisations or critical industries
  • Competitive advantage in procurement processes
  • Stronger brand reputation and resilience

Tolerance for poor cyber hygiene is falling. Many organisations now require suppliers to demonstrate compliance with basic standards such as UK Cyber Essentials or equivalent controls before contracts are awarded. Viewing cyber hygiene as a business investment aligns security with growth, credibility, and long-term sustainability. Ireland is moving in the same direction with the adoption of the CyFun framework, with a national certification expected to be available in 2027.

4. Detection - How do you know when cyber security goes wrong?

Since no organisation can prevent every incident, SMEs must shift from asking whether they will be attacked to preparing for when they will be attacked. Detection ensures that when something goes wrong, it is identified quickly, before damage escalates.

Detection in an Outsourced IT Model

A common scenario for SMEs is the outsourcing of IT services, meaning that threat detection capabilities often reside with the external service provider rather than within the organisation itself. However, SMEs must still:

  • Understand what monitoring is in place
  • Know how alerts are raised and escalated
  • Ensure there is visibility into security incidents affecting their business

Questions SMEs should ask their IT providers include:

  • What security events are monitored?
  • How quickly are incidents identified?
  • How and when is the business notified?

Clear answers to these questions help avoid confusion and delays during real incidents.

Human Detection Matters Too

While technical controls are essential, employees often serve as the first line of detection. Many attacks, particularly phishing, social engineering, and insider threats, are first spotted by vigilant staff rather than by automated systems. Training employees to recognise warning signs such as suspicious emails, unexpected system behaviour, or unusual access requests significantly improves early detection and reduces impact.

For this to work effectively, staff need clear guidance on what to look for, easy reporting mechanisms (such as a dedicated email address or a report button), and positive reinforcement when they raise concerns.

This human element becomes especially critical when IT is outsourced, as external providers monitor technical systems but cannot observe day-to-day communications and behaviours within the organisation. An employee who spots a phishing email impersonating the CEO or notices unusual account activity provides intelligence that external monitoring tools may miss entirely.

5. Response Planning - How do you prepare for the inevitable cyber security incident?

Incident response planning is one of the most overlooked aspects of cyber security in SMEs. Many organisations only discover gaps in responsibility, communication, and decision-making during a live incident, when it is too late.

Why Response Planning Is Essential    

A cyber incident is a business crisis, not just a technical event. It can involve:

  • Operational disruption
  • Legal and regulatory obligations
  • Customer communications
  • Media and reputational risk.

Having a basic response plan ensures:

  • Faster, more coordinated decision-making
  • Clear roles during stressful situations
  • Reduced financial and reputational damage.

Working with IT Providers Before Incidents happen

SMEs should ensure their contracts with IT providers clearly define:

  • Incident response responsibilities
  • Communication timelines
  • Support provided during ransomware or data breach events
  • Escalation paths and decision authority

Understanding backup and restore timeframes is particularly critical. SMEs should know:

  • How often backups are taken
  • Where backups are stored
  • How long full restoration would take
  • Whether backups are protected from ransomware.

These details can determine whether a business survives a cyber incident or suffers prolonged downtime.

6. Recovery - How do you come back better after an incident?

Recovery focuses on restoring operations and learning from incidents to improve resilience.

Business Continuity and Recovery Planning

Recovery planning should align cyber resilience with broader business continuity objectives. SMEs should:           

  • Identify acceptable downtime for critical systems
  • Test backup restoration processes
  • Plan for alternative ways of working if systems are unavailable
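The restore test above, and the backup questions raised in the Response Planning section, are the one place in these fundamentals where a small script shows the point better than prose. The following Python script is an added example and is not code from the article, from CyFun or from Cyber Essentials: it records a SHA-256 manifest of the live data at backup time, keeps that manifest apart from the backup set, and after a restore reports which files are missing, altered or unexpected. The directory layout, file names and the manifest file name are constructed for the demonstration.

```python
"""Backup restore test: record a SHA-256 manifest at backup time, then verify a
restored copy against it. Added example, not code from the article or from any
certification scheme; paths, file names and MANIFEST_NAME are assumptions made
for the demonstration."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"  # assumed file name


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large database dumps are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its digest and size."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": p.stat().st_size,
            }
    return manifest


def write_manifest(source: Path, offline_dir: Path) -> Path:
    """Write the manifest somewhere the backup job cannot overwrite it.

    A manifest stored inside the backup set is encrypted or replaced together
    with the data in a ransomware event, so it is kept apart here.
    """
    offline_dir.mkdir(parents=True, exist_ok=True)
    out = offline_dir / MANIFEST_NAME
    out.write_text(json.dumps(build_manifest(source), indent=2, sort_keys=True))
    return out


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest taken at backup time."""
    actual = build_manifest(restored)
    expected_files, actual_files = set(manifest), set(actual)
    missing = sorted(expected_files - actual_files)
    unexpected = sorted(actual_files - expected_files)
    modified = sorted(
        f for f in expected_files & actual_files
        if manifest[f]["sha256"] != actual[f]["sha256"]
    )
    return {
        "ok": not (missing or unexpected or modified),
        "missing": missing,
        "unexpected": unexpected,
        "modified": modified,
    }


def run_demo() -> dict:
    """Constructed end-to-end run: back up, restore cleanly, then damage the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live = base / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("2026-01-05,invoice,1200.00\n")
        (live / "crm.db").write_bytes(os.urandom(4096))  # stand-in for a CRM database

        manifest = json.loads(write_manifest(live, base / "offline").read_text())
        shutil.copytree(live, base / "backup")               # the backup job
        shutil.copytree(base / "backup", base / "restored")  # the restore drill
        clean = verify_restore(base / "restored", manifest)

        # Simulate a ransomware-affected copy: one file overwritten, one note dropped in.
        (base / "restored" / "finance" / "ledger.csv").write_bytes(b"\x00" * 32)
        (base / "restored" / "README.locked").write_text("pay us\n")
        damaged = verify_restore(base / "restored", manifest)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it with `python3 restore_test.py` and it prints a clean result for the first restore and a report naming `finance/ledger.csv` as modified and `README.locked` as unexpected for the damaged copy. The script checks integrity only: time the real restore separately and record the result against the acceptable downtime agreed for each critical system, and keep the manifest, like at least one backup copy, somewhere the production credentials cannot reach.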

Recovery is not just about technology, it encompasses people, processes, and communications. Successful recovery requires coordinated human effort: designated teams with clear roles, established procedures for decision-making and system restoration, and effective internal and external communication to manage stakeholders, customers, and regulators.

Without addressing these organisational elements, even the most robust technical backups and tools may fail to restore normal business operations effectively.

Learning and Continuous Improvement

Every incident, even a minor one, is an opportunity to learn valuable lessons. SMEs should:

  • Review what worked and what did not
  • Update policies and procedures
  • Strengthen controls based on real-world experience

This cycle of improvement supports long-term resilience and maturity.

What are the potential cyber security solutions - CyFun and Cyber Essentials

SMEs can use several tools to support their effort to improve their cyber security maturity. The following two widely adopted schemes, promoted by the Irish and UK National Cyber Security Centres respectively, provide accessible, step-by-step approaches that organisations can use to build their security capabilities systematically.

CyberFundamentals Framework (CyFun)

The CyberFundamentals Framework provides Irish SMEs with a practical, accessible approach to building cyber resilience without requiring extensive technical expertise. It is built around three progressive maturity levels:

  • Basic: covers core security measures applicable to all organisations
  • Important: addresses targeted threats from moderately skilled adversaries
  • Essential: designed for protection against sophisticated threat actors.

For Irish SMEs navigating the complexities of cyber security compliance, the CyFun framework offers a nationally endorsed pathway forward. The Irish NCSC endorses CyFun as a voluntary framework that organisations can use when developing approaches to meet NIS2 directive requirements [1]. CyFun bridges the gap between regulatory requirements and practical implementation.

The framework's tiered approach, progressing through the Basic, Important, and Essential maturity levels, allows organisations to build cyber resilience incrementally, addressing the six core security functions (Govern, Identify, Protect, Detect, Respond, and Recover) in manageable stages.

With an optional national certification programme launching in 2027, Irish SMEs can leverage CyFun as a strategic asset that demonstrates cybersecurity commitment to customers and partners. This certification will serve dual purposes: validating technical capabilities while acting as a business enabler that strengthens trust throughout supply chains, transforming what might seem like a regulatory burden into a competitive advantage in an increasingly security-conscious marketplace.   

For resource-constrained SMEs, CyFun's structured guidance helps prioritise cyber security investments effectively: the framework's authors report that implementing the Basic level controls counters 82% of common attack patterns, rising to 94% at the Important level and 100% at the Essential level [2]. These figures come from the framework's own analysis of attack patterns, not from independent measurement, and should be read as a guide to relative coverage rather than a guarantee. The framework's policy templates and step-by-step approach enable Irish SMEs to address the six key functions (Govern, Identify, Protect, Detect, Respond, and Recover) systematically, while demonstrating their commitment to cyber security to customers, partners, and stakeholders through optional third-party verification or certification.

The UK Cyber Essentials

UK Cyber Essentials is a government-backed certification scheme designed to establish a baseline of cyber security controls across UK organisations. Operating under the technical oversight of the UK National Cyber Security Centre (NCSC), this annually renewable certification gives stakeholders, customers, and partners verifiable assurance that an organisation has deployed fundamental protective measures against prevalent cyber threats.

The scheme consolidates its requirements into five technical control areas:

  • Firewalls and Routers
  • Security Updates
  • Access Control
  • Malware Protection
  • Secure Configuration

Cyber Essentials is offered at two distinct levels:

  • Cyber Essentials: a self-assessment questionnaire verified by an assessor
  • Cyber Essentials Plus: the same verified self-assessment plus an independent technical audit of your systems to check that the controls are implemented correctly.

Further Information

SMEs do not need to navigate cyber security alone. Several programmes provide practical, accessible guidance:

Article reviewed by the InterTradeIreland Trade Hub Team: March 2026


References

  1. Cyber Fundamentals, NCSC Ireland webpage: https://www.ncsc.gov.ie/CyFun/
  2. Presentation on the CyberFundamentals Framework (Cybersecurity Certification Authority, 2025): https://cyfun.eu/sites/default/files/2025-09/introduction_PPT.pdf