Cyberattacks are costing Irish small and medium-sized enterprises (SMEs) as much as €3.4 billion annually, according to new research that highlights the growing economic impact of frequent digital disruptions rather than isolated major breaches.
The findings are set out in The Hidden Cost of Cyber Risk report by eir Business, supported by Microsoft and the Kemmy Business School at the University of Limerick. The study shows that the greatest damage to businesses is caused not by headline-grabbing cyber incidents, but by repeated day-to-day disruptions that accumulate over time.
Researchers estimate that SMEs across Ireland lose more than 7.2 million working days each year as a result of cyber-related incidents. Many businesses experience multiple attacks annually, ranging from phishing attempts to ransomware activity and service outages. While individual incidents can be costly, the report concludes that the combined effect of downtime, reduced productivity and operational interruption produces the most significant financial burden.
On average, the annual cost is estimated at about €50,000 per SME, reflecting both direct and indirect losses linked to disrupted business operations.
Minister of State Alan Dillon said SMEs remain a core pillar of the Irish economy and stressed the importance of strengthening their digital resilience. He pointed to ongoing government efforts through the National Cyber Security Centre, including the launch of a dedicated online resource aimed at providing small businesses with practical and accessible guidance on improving cybersecurity awareness, preparedness and response.
Academic contributors to the report noted that while the figures provide an important indication of scale, they are based on modelling and assumptions due to the difficulty of fully quantifying cyber-related losses.
Dr Mauricio Perez-Alaniz of the Kemmy Business School said the research focuses on capturing both direct economic impacts and the wider costs linked to downtime. He acknowledged that precise measurement remains challenging but said the estimates highlight the seriousness of the issue facing SMEs.
Industry representatives also emphasised that cyber risk is increasingly a matter of routine disruption rather than rare catastrophic events. Susan Brady, Managing Director of eir Business, said that for most SMEs, it is the constant stream of smaller incidents that leads to the greatest productivity losses.
She said the company is launching a new Cybersecurity Assurance initiative aimed at helping businesses manage a broad range of threats more effectively and sustainably, reflecting the need for continuous protection in an evolving digital environment.
The report underscores a growing reality for Irish SMEs: cyber risk is no longer occasional, but a persistent operational cost that is reshaping how businesses manage time, resources and resilience.
