Guest post by Stephen Phillips, Head of Public Sector for Ireland, Integrity360
Cyber security in the public sector is undergoing a revolution. What was once a compliance-led, box-ticking exercise is now becoming a board-level concern that is driven by the real fear of service disruption. Public sector leaders understand that a cyber attack on a public system – such as healthcare, transport, policing, or social services – isn’t just an IT issue, but a crisis of trust, continuity, and critical services.
The necessary shift is clear: from focusing on prevention alone to building resilience. That means embedding cyber thinking into everyday operations, testing response plans so that everyone knows their role when the pressure is on, and seeing security as a critical enabler of digital transformation – not a blocker.
Multi-layered cyber challenges
Current cyber security challenges across the public sector in Ireland are multi-layered. First and foremost, there’s the sheer pace at which the threat landscape is evolving. Ransomware remains a top concern, but we’re also seeing a rise in more sophisticated, targeted attacks that often leverage artificial intelligence (AI) to bypass traditional defences. Supply chain risk is another big challenge as many public sector bodies rely on third-party vendors for critical services, which introduces a level of exposure that’s hard to fully control. We’ve seen a growing awareness of this among organisations, but the tools and processes to manage that risk aren’t always where they need to be.
Then there’s the issue of resources – budgets are tight and, while there’s a strong appetite to improve cyber resilience, it’s not always matched by the funding or staffing levels required. Moreover, training and awareness are often underfunded, and that’s a problem when human error is still one of the biggest cyber security vulnerabilities.Resilience depends on people, and public sector organisations must ensure that staff across departments understand their own roles in keeping services safe.
When it comes to Ireland’s national cyber security strategy, there’s no doubt that it has come a long way. The transposition of the NIS2 Directive and the upcoming National Cyber Security Bill are important steps – they’ll give the National Cyber Security Centre (NCSC) more teeth and help to drive consistency across sectors. But we’re still in a bit of a transitional phase. There’s a solid foundation, but execution is key. The strategy needs to be backed by sustained investment; not just in technology, but in people, processes, and cross-sector collaboration. We also need to make sure that smaller public bodies without dedicated cyber teams aren’t left behind. The intent is there, but we need to accelerate the pace of implementation.
Demand for cyber talent outpacing supply
One of the biggest challenges is attracting and retaining cyber talent in Ireland’s public sector. The demand for cyber talent is outpacing supply, and the public sector is competing with private industry, which can often offer higher salaries and more flexible working conditions.
That said, there are some positives. Ireland has a strong pipeline of STEM graduates, and groups such as Cyber Ireland are helping to build a more connected ecosystem. But we need to do more to make public sector cyber roles attractive – whether that’s through better career pathways, training opportunities, or simply making it easier for people to move between departments and roles.
A ransomware payment ban – helpful or harmful?
Meanwhile, as cyber risks continue to evolve and grow more sophisticated, the UK government is mulling a proposed ransomware payment ban for public sector organisations. Whether this is something that could (or should) be introduced in Ireland remains to be seen. On paper, banning ransom payments makes sense as it removes the financial incentive for attackers. But in practice, it’s not that simple.
Public sector organisations are responsible for delivering critical services and the pressure to restore operations quickly can be immense. A blanket ban could put them in an impossible position. Rather than an outright ban, a more nuanced approach could be effective. Mandatory reporting, clear guidance on when and how to engage with attackers, and support from the NCSC and law enforcement would go a long way. With that, organisations aren’t left to make these decisions alone under pressure. The focus should be on resilience – underpinned by the right backups, response plans, and support structures so that paying a ransom doesn’t have to be on the table.
AI driving a volatile landscape
AI is a double-edged sword. On one hand, it’s a powerful tool for defence, helping to detect anomalies, automate responses, and reduce the burden on overstretched teams. On the other, it’s also being used by attackers to craft more convincing phishing emails, automate attacks, and find vulnerabilities faster than ever.
The growing use of AI adds urgency: while automation is improving efficiency, many teams are deploying systems without clear governance or oversight. In the public sector, there’s a real opportunity to use AI to improve service delivery and security, but it has to be done responsibly. That means proper risk assessments, clear governance, and making sure staff understand how to use these tools safely. The NCSC has issued guidance on generative AI, which is a good start, but we need to keep building awareness and capability across the board.
Ultimately, we need to treat cyber security as a core public service capability, not just an IT function. A ransomware attack or a breach that takes public services offline isn’t just a technical issue, it’s a national one. That shift in mindset is starting to happen, but there’s still plenty of work to do.
See more stories here.
