Ireland should be a cybersecurity powerhouse. However, the nation takes a cautious approach. The country is a preferred destination for California’s Silicon Valley technology giants and other foreign technology investments. The island is home to around 30% of Europe’s data centres. It has artfully managed its strategic relationships with the European Union and the United States of America. Technology and cybersecurity clusters in Dublin, Cork, Galway and Shannon continue to grow and attract investment. Cyber Ireland, the national cybersecurity cluster, is seeking to join up and mature the local ecosystems. Headline-grabbing cyberattacks such as WannaCry (2017), NotPetya (2017) and the Health Service Executive (HSE) ransomware attack in May 2021 were significant warnings to Ireland to substantially upgrade its national information security resilience. In 2021, it was estimated that cybercrime cost Ireland €9.6 billion a year. Ireland’s public sector remains stoic, pragmatic and relatively low spending. In contrast, the private sector is developing a growing appetite for cybersecurity services and solutions.
Ireland’s National Cyber Security Strategy 2019-2024
Ireland’s current National Cyber Security Strategy was published in 2019 and covers the five years from 2019 – 2024. Ireland’s National Cyber Security Centre (NCSC) is the main body responsible for the Strategy and many of the measures set out in the document. The NCSC is also accountable for the information security of Ireland’s Critical National Infrastructure and for enforcing the EU’s Networks and Information Systems Directive (NIS Directive). The NCSC has been designated as Ireland’s Cyber Security Incident Response Team (CSIRT-IE). See the PrivacySolved Insights Briefing Cybersecurity: Focus on Ireland’s National Cyber Strategy for more details on the Strategy.
Cautious New Funding for the National Cyber Security Centre (NCSC)
Ireland’s digital economy has been valued at USD $14 billion and is increasingly facing cybersecurity threats that have led to increases in cybersecurity spending in the private and public sectors. In July 2021, two months after the HSE ransomware attack, the Irish Government announced a doubling of staff numbers at the NCSC over the following 18 months. This was estimated to cost €2.5m in the first year. Twenty (20) new roles would be added to the existing 25 already working at the NCSC. The longer-term plan is to reach 70 employees within five years (by 2026). A new headquarters building, new graduate training programme and a new head of the NCSC have also been added.
There are growing calls for the NCSC to receive more funding as a good investment and to reflect the spending priorities of Ireland’s European neighbours like the UK, France, Netherlands, Belgium and Germany. Evidence given to the Irish Parliament’s Joint Oireachtas Committee on Transport and Communications in May 2021 suggested that the NCSC should receive a ten times budget uplift from £5 million a year to £50 million a year. Ireland is informally called “data island” because of its considerable market share of European data centres, yet the NCSC’s £5 million budget is relatively low. For context, the NCSC’s budget is said to be a third of the spending by the public relations (PR) team in the Department of the Taoiseach (the Irish Prime Minister’s Department) which was about €16.9 million in 2020. A former Chief Executive of the HSE suggested in 2021 that the HSE’s expenditure on IT security was about a quarter of what would be expected when compared with other health systems. On closer analysis, there is evidence of underinvestment in government and public sector information security. By contrast, the $300 million Irish market for cybersecurity solutions and services (mainly private sector) is growing.
Cyber Security Baseline Standards (Public Sector)
In January 2022, the NCSC and the Office of the Government Chief Information Officer (OGCIO) published their jointly developed Cyber Security Baseline Standards for Irish Public Sector bodies. The Standards are intended to create an acceptable security standard, build a more resilient security environment and form a broad framework for measures which can be revised over time. The standards will help organisations improve the management of cybersecurity risks, allowing Public Service bodies to better identify, protect, detect, respond to, and recover from cybersecurity attacks. This will minimise damage and adverse impacts.
The Standard includes a Cyber Incident Response Plan (CIRP) checklist and checklists for a range of other activities such as Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-Incident Activity. It is a minimum set of standards and requires organisations to expand upon these depending on their activities and risk profiles.
Data Protection Commission Ireland’s data breach enforcement efforts
Data Protection Commission Ireland (DPC Ireland) is Ireland’s data protection and GDPR regulator. Since May 2018 it has not developed a significant, high-profile body of casework on major cyberattack response and data breaches. So far, DPC Ireland’s position on major data breaches remains underdeveloped. However, in October 2021, DPC Ireland fined Twitter €450,000 for reporting a data breach late, which breached GDPR. DPC Ireland’s Annual Report 2021 suggests a high level of engagement and high rates for resolving personal data breach notifications and referrals. In 2021, the Commission received 6,549 personal data breach notifications and concluded its work on 95% (6,274) in the same year. In October 2021, DPC Ireland received a budget increase of 22% (€4.1 million), from the year before, to €23.2 million for the next year. At present, DPC Ireland receives nearly five times the annual budget of the NCSC. DPC Ireland has 190 staff, four times more than the recently enlarged NCSC.
The key future developments to look for are more public sector cybersecurity funding and specific new investment and resources for the NCSC. The growth and maturity of the NCSC will be demonstrated by a larger staff pool, more IT and technical specialists and more involvement in critical national infrastructure initiatives. The NCSC is beginning to work more fully with the EU’s Agency for Cybersecurity (ENISA), the UK’s National Cybersecurity Centre (UK NCSC), the US Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA). Together they respond to coordinated threat alerts and cyberattack responses. Future high impact cross-border activities will also imply maturity, growth and development. DPC Ireland’s increased enforcement activities, especially in the area of large data breaches, sophisticated cyberattacks and GDPR non-compliance in large systems will signal a more confident future for Ireland’s cybersecurity, data protection, trust and national security resilience efforts.