Irish Businesses Face Massive Fines for Non-Compliance with EU's New Cyber Security Law

6 August, 2024 - 12:52AM
Credit: quointelligence.eu

The majority of Irish businesses are unprepared for the next big cyber attack and risk massive fines for non-compliance with the EU’s latest IT security law, according to three Irish universities.

The warning, from the Cyber Skills collaboration between Munster Technological University, University of Limerick and Technological University Dublin, comes as a number of organisations have yet to recover from the global “blue screen of death” outage triggered by a faulty update from the IT security firm CrowdStrike.

According to CrowdStrike CEO, George Kurtz, hundreds of thousands of computers are still affected by the outage, which grounded airlines and brought most of the UK’s GP surgeries to a standstill.

The New Cyber Security Law in the EU

Jacqueline Kehoe, a project manager for Cyber Skills, said most companies are unprepared for the upcoming NIS2 EU directive on proactive cyber security.

Citing a recent Microsoft cybersecurity report, Ms Kehoe said only 25pc of executives are aware of the EU’s NIS2 directive, due to be transposed into Irish law in mid-October.

The Microsoft report claims that just 20pc of Irish firms are currently compliant with NIS2, which carries a variety of potential fines, ranging up to €10m or 2pc of total worldwide annual turnover.

The Impact of Cyber Attacks

The lack of preparation comes amid claims in a separate “cyber readiness” report from the insurance firm Hiscox that 71pc of Irish businesses suffered at least one cyber attack last year, up 22pc on the previous year. The Hiscox report said Ireland recorded the highest median number of attacks among all countries studied.

“The far-reaching consequences of a cyber attack could result in massive operational disruption and severe financial losses,” said Ms Kehoe.

The Urgent Need for Preparation

The warning comes amid questions over whether Ireland will transpose the NIS2 directive on time. The issue is being dealt with by the Department of Environment with the National Cyber Security Centre.

The law is one of the biggest pieces of cyber security legislation to affect Irish organisations in years. It places particular emphasis on critical utilities like telecoms, energy providers, health services and transport agencies to beef up their security and requires better back-ups and resilience against threats.

It also affects private businesses and companies, with severe sanctions for those found not to be in compliance.

Recommendations for Irish Businesses

Given the potential for significant fines and the increasing frequency of cyber attacks, Irish businesses need to take immediate action to prepare for NIS2 compliance. Here are some key recommendations:

  • Assess current cyber security posture: Conduct a thorough review of existing security measures and identify any gaps or vulnerabilities.

  • Develop a comprehensive cyber security strategy: This should include policies, procedures, and controls to address risks and protect sensitive data.

  • Implement technical controls: Deploy appropriate security tools and technologies to enhance protection against cyber threats. These may include firewalls, intrusion detection systems, and endpoint security software.

  • Train employees: Provide regular training to employees on cyber security best practices, including password management, phishing awareness, and data protection.

  • Engage with a cyber security expert: Consider working with a qualified cyber security consultant to provide guidance on compliance with NIS2 requirements and develop a robust cyber security program.

The Importance of Third-Party Security Assessment

As highlighted by Darren Humphries, a CISO and CITO partner with the Acora Group, self-attestation is often inadequate. The recent UK Ministry of Defence breach, where hackers gained access to sensitive data, underscores the importance of independent security assessments.

Third-party security experts can provide an unbiased evaluation of an organisation's security posture and identify vulnerabilities that may have been missed internally. They can also help ensure compliance with NIS2 requirements and provide guidance on implementing effective controls.

The Future of Cyber Security

The NIS2 directive is a significant step in the EU's efforts to strengthen cyber security across member states. As businesses become increasingly reliant on technology, the need for robust security measures has never been more critical. By taking proactive steps to prepare for NIS2 compliance, businesses can mitigate their risk of cyber attacks, protect their sensitive data, and ensure ongoing business continuity.

Stay Informed and Take Action

The cyber security landscape is constantly evolving, and it's essential for Irish businesses to stay informed about emerging threats and best practices. By staying vigilant and taking proactive measures, businesses can protect themselves against cyber attacks and navigate the evolving regulatory environment. The future of cyber security is one of continuous vigilance and adaptation.

Kwame Osei

Reporter
