Irish small and medium enterprises selling internationally can avail of a grant scheme to review and update their cybersecurity. The Cyber Security Review Grant scheme subsidises both the cost of an initial assessment and subsequent remediation plan.

Here’s how the process works: companies taking part must be clients of Enterprise Ireland, the Government’s agency that supports Irish businesses to development and grow. First, companies need to get the initial review completed. Then, they choose actions they believe will be most effective at remediating any security gaps the assessment has identified.

Companies can claim up to 80 per cent of the fixed cost of €3,000 to cover the cost of the initial review. This part of the scheme is funded by Enterprise Ireland and it covers consultant time, travel, and other project expenses. It’s an affordable way for businesses to gain expert insights and improve their cybersecurity posture in a way that’s appropriate to their business. It might cover protecting their IT systems, their business operations, or educating their staff.

Who can apply for the Cyber Security Review Grant?

The grant is open to small and medium companies registered in Ireland and owned and controlled in Europe. The funds are handed out on a first-come first-served basis. Companies need to submit their Cyber Security Review Report and supporting documents by 8 December 2024 and remediation works must be completed by the end of June 2025.

Enterprise Ireland has more details about the scheme, and along with an application form, on its website. Cyber Ireland, the national cybersecurity cluster, contributed to developing the scheme. Its web page has a good breakdown of the grant process for the review and remediation stages, along with a webinar you can watch back.

The value of an independent cybersecurity review

The cybersecurity review acts as a useful benchmark of the company’s security maturity and its use of controls, showing how it matches up against good practice security standards. It can also be useful to share with external stakeholders, especially for SMEs that are scaling fast or are planning to go into new overseas markets. Typically, it will identify gaps in a company’s security that it needs to address, and recommend actions to take.

Depending on what the company wants to focus on, it can either invest in technical solutions to address a specific need, or choose to become compliant with a standard that would put a solid security management framework in place. I’ll come back to that point later.

The remediation package

The second part of the scheme is a remediation grant, which is co-funded by the National Cyber Security Centre and the Digital Europe Programme. The total aid fund is €2 million, so it’s intended to reach a wide group of SMEs. Companies that take part can receive funding between a minimum of €20,000, up to a maximum of €60,000. As with the review, the funding covers 80 per cent of the total project cost.

The remediation is intended to cover a wide range of potential areas, ranging from software updates, data backups, access management and antivirus, to network security, device management, cloud risk, data security, remote working, third-party risk, cybersecurity awareness training, business continuity planning and more.

To qualify for the second part of the grant scheme, companies must have a completed review and a statement of proposed works from their chosen cybersecurity service provider.

Why choose BH Consulting?

BH Consulting is one of the listed providers that are taking part in the scheme. We believe our independence is a critical factor in choosing to work with us as part of the grant scheme. We don’t represent or resell technical solutions, nor are we tied to any particular product supplier.

Our consultancy advice is fully agnostic, and we know the marketplace well. This allows us to provide unbiased guidance in choosing the most appropriate security solution based on what the review suggests – not just a narrow portfolio of products that we happen to sell.

What cybersecurity controls give good value for money?

Without anticipating the results of reviews into any particular company, I think there is a strong argument, which has been repeated by members of the NCSC, for becoming certified to the ISO27001 information security standard, or being aligned with the requirements of the NIS2 Directive. Having an independent certification can help companies to do business with much larger corporates or public sector agencies. We’re increasingly noticing that large regulated entities prefer to deal only with suppliers that have proven cybersecurity processes in place.

Another reason why having a framework to guide security is valuable is because it helps to put repeatable processes in place for managing cybersecurity on an ongoing basis. This can then make it easier to decide what other areas to invest in that will improve security.

As the launch information notes, companies are using digital tools more than ever – but this exposes them to more risk. For companies that haven’t undergone independent reviews of their cybersecurity controls before, this is a great opportunity to understand their exposure to risk while getting financial support towards 80 per cent of the cost of addressing that risk. In Ireland, SMEs represent 68.4% of all employment in the economy. We welcome this need being addressed as a priority, with support and funding made available for it.