Cybersecurity is an ever-evolving field, with evolutions in threat detection matched by increased innovation in attack and vice versa.

Growing threats and risks in cybersecurity, coupled with the explosion of AI in recent years, have created a more complex and sophisticated landscape for businesses to navigate.

In any given week, it’s common to see major European and international organisations, retailers and healthcare providers, or Government Departments and Agencies suffering attacks, while the hacking and harvesting of passwords and other sensitive data from social media, marketplaces and other websites is commonplace.

Irish companies face a balancing act of bolstering the safety of their systems while continuing to run their day-to-day businesses and managing budgets.

While Cybersecurity is an investment priority for almost half (48 per cent) of the tech leaders surveyed for the recent EY Tech Leaders Outlook survey, staying ahead of threats, securing your supply chain and attracting and retaining the right talent can be challenging.

This is front of mind for EY’s Puneet Kukreja as he helps clients build resilience for future threats – and it’s also where Managed Cyber Services, in particular, can support organisations.

As Ireland Cyber Security Leader at EY, Kukreja heads up the cybersecurity managed services hub for EY in Dublin, which is built to serve both Irish and European clients.

“My role as head of cyber for the Irish market is to ensure that cybersecurity in all its forms, across strategy, risk, governance, identity, engineering and managed services is taken to our clients,” he said.

“It’s heavily geared towards building capability and servicing our clients on the island of Ireland. The investments that we’ve made in the firm, for example, in our managed security services almost three years ago, were to ensure that our managed security services centre is not in an offshore location, but anchored here in Dublin, creating high-value Irish jobs and developing local expertise.”

Businesses may see cybersecurity as a top investment priority, but crafting a cybersecurity strategy – both to stave off threats and to make the most of the opportunity presented by AI – can be overwhelming.

In Ireland, 41 per cent of organisations run their core systems in the cloud, according to EY’s survey of tech leaders. This is a significant bump from 15 per cent just two years ago and shows an accelerating rate of adoption, albeit at a much slower pace than would have been expected given the capability has been in place for some time now.

Kukreja said he has witnessed a “moment of reset” in how Irish businesses think about cybersecurity and a growing willingness to seek outside help as companies realise they can’t do it alone.

“Over the last 20 years, everyone says, well, if you need it done, do it yourself,” Kukreja said, but in an increasingly complex world for cybersecurity, doing it alone isn’t feasible.

“If my core business means I’m a hospital, I’m a retail store, or I provide solar panels and energy services, should I be doing IT? With AI, with cloud, with the speed at which it’s developing, Ireland really needs to think, when I go home, do I pump my own water? Do I service my own car? Do I generate my own electricity?”

With the need for 24/7 monitoring to stay ahead of new threats and managing the roll-out of secure AI, organisations and especially SMEs can’t pull it off on their own, Kukreja said.

Add in the trend of minimal resources in cybersecurity talent across companies, big and small, and the idea of doing it yourself becomes even more untenable.

Navigating risk and seizing opportunity

The dangers of a cyber-attack are never far from Irish businesses’ minds, particularly the 2021 cyber-attack on the HSE that significantly impacted the health service. Kukreja played a key role in the post-recovery phase, helping the HSE strengthen resilience and design one of the most comprehensive recovery frameworks in Europe.

“The HSE cyber-attack was Ireland’s burning platform”, says Kukreja. “It proved that cybersecurity is not an abstract risk, it is here to stay. The recent M&S breach shows us this is not confined to any one sector, it is a constant, evolving threat that demands readiness, investment and the capability to respond at speed”.

The recovery effort demonstrated what can be achieved when expertise, leadership and resources align. This has become the blueprint for how Kukreja now advises clients across Europe. “It is about embedding resilience as part of day-to-day operations, not treating it as a project that ends once the crisis fades”, he adds.

EY’s managed services centre aids clients in that, from strategy guidance and implementation to understanding the swathe of regulations on privacy and security that companies of all sizes must contend with.

Crucially, there was a “gap in the market” from guidance to implementation, Kukreja said. This is what the Dublin centre aims to bridge and help businesses understand the threat landscape.

“The velocity and voracity of the attacks have gone up. The threat landscape is now localised. Yes, there is a global threat, but organisations are getting compromised a lot more,” Kukreja said.

The traditional attack vectors remain open but are becoming more advanced, thanks in large part to AI.

“People are still getting hacked through exposed passwords. People are still getting hacked through unpatched servers. People are still getting hacked through third parties,” Kukreja said. “Third-party risk, hacks and attacks through third parties were quite prevalent three or four years ago. It’s just now taken a very big uptick.”

Social engineering attacks remain prevalent too and are now more sophisticated with AI, through the use of deepfakes, like mimicked voices that can be used to bypass authentication controls.

Discussions around the evolving threats and the state of cybersecurity must consider artificial intelligence. Adoption is moving at a rapid pace, whether it’s large enterprises or SMEs wielding the latest tools to stay innovative.

Any new technology brings inherent risk, as organisations attempt to understand its use and adopt innovative tech while acknowledging that mistakes and missteps can and will happen.

AI and cyber go hand in hand, Kukreja said. He draws similarities between the adoption of AI and the adoption of the cloud, where cybersecurity must be the bedrock of that adoption.

“AI today is at the start of its journey, it is where the cloud was almost a decade ago,” Kukreja said. “Cybersecurity, just before cloud came, was really at the top because it was all about new systems, new regulations, how do I secure my assets?”

Moving data off premises and into the cloud, with a third party, was a leap of faith for many industries.

“Cyber was at the forefront of it then. All the regulators wanted to make sure that the infrastructure was secure, the data was secure. GDPR was in there, and regulation played a big part. As cloud morphed, cyber became intertwined because people wanted to make sure that, yes, we’re moving into the cloud, but it’s secure. I’m now using SaaS-based applications, but it’s secure.”

Cloud is now the norm, from services like AWS to SaaS tools that are day-to-day features of doing business. AI is following a similar trajectory, and while still at the early stages of adoption, it is moving fast and organisations need to be conscious of security as they integrate these tools into their businesses.

“We’re still in the early days of AI adoption, but the way AI has taken off, it probably took cloud about four or five years [to reach that stage]. AI is not just a technology shift; it is a trust shift. Europe will lead the way in ensuring AI is deployed securely, ethically and resiliently, and Ireland can be at the forefront of that movement. ” Kukreja said.

“Cyber and resilience are now cornerstones of AI. You cannot have a mature AI system that’s being rolled out alongside your existing services without making sure that the data is secure, the infrastructure on which it is running is secure, and also ensuring how the resilience element comes in, given the trust factors that are involved,” he said.

Advancements in AI are continuing at a rapid pace, and the technology is becoming more and more ubiquitous as it embeds in several different industries.

Ten per cent of Irish businesses now say AI is fundamental to their business. This up from two per cent just last year, according to research by EY.

Businesses can’t afford to move slowly on technology and risk being left out of the opportunity ahead. At the same time, AI has to be adopted safely and securely.

Looming regulation

The rate of technological innovation may be driving a lot of companies to pick up the latest and greatest tech to stay ahead in the game, but at the same time, regulation is driving these companies to do so with safety and security top of mind.

Irish businesses face a myriad of existing and forthcoming rules at an EU level that will shape how data is secured and drive stronger security postures.

The piece of legislation taking up much space on Kukreja’s desk is the Network and Information Systems Directive 2, or NIS2. It is the updated directive on the security of critical infrastructure. Its predecessor was relatively narrow in its scope, targeting particularly important industries like electricity grids and water infrastructure, but the refreshed version of the directive is much broader.

“With NIS2 coming in, the operators of essential entities have now expanded. There are in excess of 3,000+ Irish organisations that are now within the scope of NIS2, given the multiple services and sectors that NIS2 now covers. Ireland’s readiness for NIS2 is not just a compliance milestone; it is a chance to set a European benchmark for operational resilience.” Kukreja said.

The “step change” in rules adds a new layer of considerations for businesses to navigate. The expanded remit of the rules means that organisations must assess their own systems but also the risk presented by third-party vendors.

“You have your infrastructure and applications and your technology ecosystem that you need to secure, which includes software that you’ve developed, third parties that you use and then SaaS services,” Kukreja said.

It all creates a much more complex security chain to manage, and this comes on top of existing rules like GDPR that companies must manage too.

Breakdowns in just one third-party can have significant effects. One need only look at the CrowdStrike outage last summer to see how widespread the impact can be.

That is why companies, and especially SMEs, will need outside help like managed services to stay on top of everything.

“With our Managed Cyber Service, we are focusing on small to medium businesses in Ireland, because there’s a trust factor. We are HQ’d in Ireland, our people are based on the island of Ireland, our services are here,” Kukreja said of the Dublin centre.

The focus is on the health security of native Irish companies and to provide the round-the-clock services that these companies need. Through this model, Ireland is not simply adopting European cyber resilience standards – it is shaping them. EY’s investment in local capability, world-class talent and Ireland-first delivery means we can protect our clients’ most critical assets 24/7, with the scale and expertise to meet both Irish and European demand.

In Kukreja’s view, Ireland’s small size is an advantage: “We can move faster, align public and private sectors more effectively and demonstrate what national scale resilience looks like in practice. That is how Ireland can lead in Europe, not by following, but by proving what works”.

For now, Kukreja’s focus is on scaling EY’s Irish operations to meet European demand while continuing to invest in local talent, but his vision is bigger – positioning Ireland as a hub where European cyber resilience, AI governance and trusted technology converge.

“In the AI era, trust is currency”, notes Kukreja. “If we can make Ireland the most trusted place in Europe to innovate securely, we win more than contracts, we set the pace for an entire continent.”

This is partner content and has been produced in association with EY.