False economies on cybersecurity

Cost of ransomware attack a multiple of investment in keeping data safe

As cybersecurity experts continue to try to unravel the mess that is the the Health Service Executive's computer systems, the cost of the ransomware that crippled our health services should be attracting far more attention than it is.

HSE chief executive Paul Reid suggested last week that the attack could cost the service €100 million or more. If previous experience of pubic-service cost forecasts is anything to go by, that estimate could turn out to be significantly higher.

This is in the context of bitter annual budgetary battles for fractions of that amount to help fund various frontline services in health and elsewhere.

It is the price of apathy.


The budget for Ireland's National Cyber Security Centre is a derisory €5.1 million. And this, we are told, is a threefold increase on what it was this time last year.

In a world where we are moving vast reams of sensitive personal data online – from medical details to banking, and personnel files to social welfare applications – it is a tiny sum.

Security expert Paul Ward told an Oireachtas committee that even if this budget was 10 times that figure, it would leave us just on a par with what the UK is spending on a per capita basis.

The trouble is that, in our political culture, there is no incentive to plan for the future and every incentive to announce myriad small and immediate “wins” for local constituencies. Investment in security to ensure no adverse headlines earns Ministers no kudos.

The same is true, for different reasons, for much of corporate Ireland, especially the small and medium-size enterprise sector.

Figures show that there have been 400 data breaches across Government so far this year and more than 2,000 going back to 2019. And ransomware hackers tend to be even more active in the corporate sphere where insurance often covers the cost. Ardagh and PCH are just two recent examples of Irish corporates on the receiving end of hackers.

Maybe €100 million spent proactively on cybersecurity would not cover fully the cost of keeping our data safe, but it would go a long way. Certainly better than paying a multiple of that after the event.