Ossian Smyth (Dún Laoghaire, Green Party) | Oireachtas source

We do. It is a normal part of security practice to, for example, send an email to everybody in an organisation and see what proportion of them click on the link in an email that is trying to phish or store information. Typically the results of that, even in software companies that are very advanced, is between 5% and 10% of staff members still click on the link. One’s security team has to accept that this will happen and that once somebody is in the network that they cannot progress all the way through. That is the idea of defence in depth. That advice comes from the NCSC and is available to any organisation that wants it.