The Need for Information Security Management for Small to Medium Size Enterprises (SMEs)
Small and medium enterprises (SMEs) are organizations whose number of employees falls below a particular limit; that limit varies from industry to industry. SMEs are recognized as the main contributors to the economy of every nation and as the main innovators in both the technical and the management space. The micro, small and medium enterprise (MSME) sector represents almost 90% of all organizations worldwide; more than 50% of employees are employed within the MSME sector, and more than 40% of GDP in emerging nations is contributed by this sector. This shows that SMEs play an important role in industrial growth and development. Still, a concerning statistic is that only a few of these organizations pay appropriate attention to information security. One of the main reasons is that these organizations work with a small or tight budget and often do not have sufficient funds to employ information security experts (Horváth, 2013); a separate business continuity plan is far-fetched for them. This essay explains the requirement for information security management for small to medium-sized enterprises. It covers the major challenges of information security management under three specific topics: incident response management and disaster recovery, security training and education, and physical security challenges within information security.
Overall, the GDP of Singapore in the year 2020 was S$469096 million, a reduction of 802% compared to the previous year. Research shows that 70% of nominal GDP value-added came from service industries and 25% from goods-producing industries. The top three goods-producing industries were construction (7%), ownership of dwellings (3%), and manufacturing (5%). The top three service industries were other service industries (8%), wholesale trade (8%), and finance and insurance (7%). SMEs in Singapore exported services worldwide worth more than S$550 billion. Singapore attracted 2.7 million international visitors in 2020, generating almost S$27.7 billion in tourism. Singaporeans made an average of 3.4 million MRT trips every day. There were 9.1 million phone subscriptions, while the population of Singapore is almost 5.69 million people. There are more than five thousand restaurants and more than 500 fast food stores in Singapore (Naline, 2021).
Before identifying why SMEs require strong information security management, it is important to understand what information security is. One of the most effective international standards specifying the requirements for an information security management system is ISO 27001. Information security management protects the confidentiality, integrity, and availability of the organization's data assets. A key element of security management is risk management, which identifies possible risks at an early stage and decides on appropriate action. Another is the information security incident, and a third is the handling of such incidents: having detailed knowledge of the vulnerabilities and threats facing the organization, and the depth of knowledge needed to identify and rectify any security breach or incident (Willey and White, 2013).
Physical security issues in information security
Insider security threats have grown in recent years, both in frequency and in cost. The rate of security threats rose from 1 to 3.2 between 2016 and 2019, and the cost of these security incidents rose from USD 493093 to USD 871686 over the same period. A study was completed covering North America, Europe, the Middle East and Asia-Pacific regions; more than 200 organizations were surveyed, and almost 4716 insider incidents had occurred in 12 months. In this report, almost 24% of the organizations were SMBs. The main reasons cited for insider threats are negligence by employees or contractors, credential theft, and malicious insiders (Whitman and Mattord, 2014). More than 60% of security incidents occur because of employee or contractor negligence, almost 23.4% because of malicious insiders, and the rest because of credential theft.
SMEs are not immune to physical security challenges within information security. They are also prone to being targeted for a particular attack, partly because of an inability to prioritize the evaluations needed to avoid information security incidents (Peltier, 2016). A report found that almost 60% of SMBs believe their organization will not be affected by physical security challenges within information security. It found that 25% of SMBs had to spend $10000 or more to recover from a cyber attack, and that recovery took over 24 hours. More than 25% of SMBs are not capable of recovering from a particular attack, and 60% of them have lost all crucial data. Of all surveyed SMBs, almost 10% have in-house IT employees to deal with security incidents, and 50% of SMB owners reported that no training program is present within the organization to improve awareness of information security.
Applying an information security management approach to resolve physical security challenges within information security is a significant way for SMEs to eliminate or minimize threats and breaches. An information security framework is an elaborated plan for the appropriate and continued application of the practices and techniques needed to protect organizational information, data, and systems. Organizations are capable of managing their overall physical security risks and threats if they correctly implement an information security management framework, together with the documents that set out the procedures, policies, and processes to be implemented in the organization's physical security practices (Safa et al., 2018).
Moreover, information security frameworks show external and internal users of organizational data and information how all systems, services, and information are managed within the SME to keep hackers out. The rationale for applying an information security framework within SMEs is to reduce the risks to which they are exposed and vulnerable (Radanliev et al., 2020). Applying well-functioning information security approaches instills confidence in the organization's clients, improves sales, and attracts more partners, because of the assurance that the SME's data is more secure and less vulnerable to physical security threats.
Two security approaches or standards are applied within information security management: the System Security Engineering Capability Maturity Model (SSE-CMM) and Common Criteria. Common Criteria facilitates the analysis of system security and product security by SMEs. The Common Criteria approach was formed when global IT security stakeholders developed security evaluation criteria to raise the level of confidence in IT systems and IT products, and it is used internationally. SSE-CMM is referred to as ISO/IEC 21827 and emphasizes security implementation in the IT security domain (Disterer, 2013). This approach was developed by the International Systems Security Engineering Association (ISSA).
Challenges linked with information security standards make them difficult to apply within SMEs. Many important information security approaches, like Common Criteria, are too expensive for most SMEs. A study by Alqatawna (2014) found that evaluating IT systems and products through the Common Criteria approach is costly, since each increase in the level of assurance brings additional cost. The Common Criteria approach is found to be burdensome, needing large amounts of time and resources that most SMEs cannot access. Moreover, while Common Criteria provides a deep analysis of the IT products used by SMEs, it fails to provide a framework for how SMEs should securely deploy and manage them (Pierer, 2016).
SMEs are rapidly acquiring technology and transforming it into e-Business. Information security approaches like ISO/IEC 27001 are not well suited to e-Business, because their security evaluation relies on the value of assets, threats, and the possibility of threats exploiting vulnerabilities. Big organizations, unlike SMEs, have the level of assets and the income streams that make information security frameworks suitable for them. Big organizations can easily afford the high costs of applying information security approaches and can withstand the burden that comes with applying them (Andrade, Torres, & Flores, 2018). Success in applying information security standards such as ISO 27002 is linked to the fact that big organizations have put appropriate and stable systems in place, including appropriate resources and budgeting. Big organizations can easily afford the costs and the many resources needed to apply information security frameworks (Harsch, Idler, & Thurner, 2014).
An information security contingency is an event that can disrupt the operational capability of the organization, paralyzing crucial operations and the organization's mission. Such an event can result from hardware failure, power outage, fire, or any other type of disaster. To reduce the impact of a disaster, SMEs plan appropriately; this planning is referred to as contingency planning. It involves a disaster recovery plan, contingency training, system backups, and detailed post-disaster recovery. Contingency planning includes several basic steps: developing a planning policy statement; identifying and prioritizing key IT systems; identifying measures to minimize damage; developing recovery strategies; providing detailed guidance for restoring an impacted system; testing the plan with mock drills and meetings; and keeping all plan documents living and breathing, meaning they are updated at regular intervals (Bada, & Nurse, 2019).
Mische and Wilkerson (2016) report in their conference paper that in 2012 Hurricane Sandy hit areas of New York and New Jersey, and many big hospitals such as NYULMC and Bellevue were rendered inoperable for many hours on the same day: because a nearby power station was destroyed, all nearby blocks faced power outages and hospitals were running on backup generators. The hurricane caused losses of almost $42 billion, and the New York Stock Exchange closed for almost 2 days. In the US after 9/11, most big institutions that adopted disaster planning relied on the FEMA National Incident Management System.
The conference paper also states that Business Continuity Management Practices (BCMP) or a Business Continuity Management System (BCMS) create resilience within the business and a high capability to protect stakeholders' interests (Alqatawna, 2014). To apply a BCMS, the industry-standard PDCA model is used; its components are explained below.
Plan: form a business continuity plan, policy, goals, and process in line with the organizational policies.
Do: apply the business continuity plan policy.
Check: regularly monitor the application of the business continuity plan policy and report the challenges and effectiveness to upper-level management.
Act: fix any reported challenges.
Kobis (2022) reported the following results from a 2019 survey.
A business continuity plan is effective for incident response management and disaster recovery. Among the surveyed SMEs, hardware and software were identified as the most important risk area in the organization, although according to much other research human resources are the most common area of risk (Bertino, 2016).
Most evaluation done by organizations is qualitative. Factors such as trust in the brand, confidence in the company, and loss of reputation after a new breach cannot be identified or quantified.
A low level of knowledge and experience is the main reason behind the security incidents in the survey, and social engineering is cited as the main cause of security incidents.
48% of SMEs have performed the risk management process only once, after its introduction, and 26% do it less than once a year.
Incident response management and disaster recovery involve management at a high level of the organization handling the consequences of an incident and responding to it in order to recover (Sen, Ozturk, & Vayvay, 2016). The following discussion presents the six steps of incident response.
The preparation step deals with the organization creating a team that will come up with the plan for dealing with incidents. Incidents in SMEs can range from something very small, such as a power outage, to a big challenge like a cyber-attack or hardware failure. The team should be capable of working quickly once an incident has taken place so as to reach a resolution.
The identification step includes collecting information about an incident and determining the challenge. In SMEs, the information collected includes log files, error messages, firewalls, intrusion detection systems, and many other sources (The World Bank, 2020).
The containment step deals with the incident after it has been observed. For SMEs this step is significant, as it minimizes the damage that can occur.
The eradication step removes the effects of the incident and restores the systems to the state they were in before the incident took place (Capgemini Research Institute, 2019). It is important that every part of the system is fully cleared of any malicious content. If an incident was contained quickly, eradication will be easier.
The recovery step restores the affected system into the organization's system environment. Deep testing and verification of the restored systems is significant to check that the affected system is functioning normally and has not been reinfected.
The lessons learned step completes the documentation that was not completed during the incident response process. For SMEs this step is significant to ensure learning from the mistakes that may have led to the incident, so that they are not repeated and further incidents are prevented (Verizon, 2019). This supports being better prepared the next time an incident occurs and improves the chance of recovering from it.
Incident response, management, and disaster recovery are critical parts of any organization, regardless of size. All organizations face similar threats; the challenge for SMEs is that bigger organizations have a bigger budget while SMEs have a small one. Many disaster recovery strategies can be used, involving backup methods, alternative sites, and equipment replacement (Mahmudova & Kovács, 2018).
Whether an SME or a big organization, it is significant to have information systems backed up periodically to preserve all information. If an incident takes place and there is no backup of the information system, the organization has no way to revert the information to how it was before the incident. SMEs need to understand that significant information needs backups either once a week or once a day (Custers et al., 2018).
Having an alternative site enables SMEs to recover more effectively, particularly during disasters like a fire or flood, where physical damage destroys hardware. The downside of alternative sites is that they cost more, since the critical system has to be set up there as well (Yang, & Lai, 2013).
One of the main backup approaches is to have redundant hardware, which can replace broken or damaged hardware. Redundant hardware holds the same information as the damaged hardware and can replace broken hardware immediately to minimize downtime (Nagamalla & Varanasi, 2017).
One of the most suitable recovery approaches for SMEs would be either the standard backup approach or equipment replacement, because it is unlikely that SMEs will be able to afford alternative sites given how much they cost. This also holds when the previous topic, mobile device management (MDM), is considered. It is more conceivable that an SME will choose to use SaaS to house the MDM system and store all the information. If SMEs use SaaS to store their data, they have less need for alternative sites or replacement equipment, since they do not need to worry about having the hardware for storing data. The SaaS vendor takes care of the backups for the SME, without the SME needing to maintain multiple backup approaches (Deriabina, Ernest, & McAbee, 2018).
Today, SMEs are the main group of organizations threatened by cyber security attacks; one of the main reasons is the weakness of corporate cyber security within SMEs. Compared to bigger organizations, SMEs have a low level of awareness, specialization, and resources when it comes to protecting the information system through security training and education. Five important points have been identified for SMEs regarding training and education within the information security management system (Verizon, 2020).
Because SMEs have limited capacity to focus on key operational security actions and resources, it can be challenging for them to compete with big organizations. Before beginning to work with an SME, it is important to first work out the appropriate way to engage and converse with it (Erokhin, 2020).
Government involvement in schemes to assist SMEs is important. Voucher schemes, free courses, free education, software tools, and hardware offered by governments and local bodies can be obtained easily by SMEs that set security objectives. This provides an effective starting point for SMEs to improve their base of security knowledge (Žigienė, Rybakovas, & Alzbutas, 2019).
Security training can support SMEs in identifying their core assets and understanding all possible threats to them. This enables the organization to develop appropriate resolutions for all threats to its key assets (Horváth, 2013).
Security training programs today need to match the mission, users, and resources of SMEs. The information that a security training program provides should be practical for the organization's resources, meaning cost-effective training solutions such as free topic-specific courses should be used.
It is important to ensure a good security culture. Any training program applied within an SME must suit the culture and organizational requirements of that SME (Hu et al., 2012). This supports identifying existing challenges with the SME's present culture and improving on its weaknesses to develop a strong security culture.
Research has identified that three hundred thousand organizations are incorporated in Singapore. The report presents the significance of SMEs to Singapore's economic growth: SMEs make up almost 99% of all enterprises and support 72% of total employment. More than 80% of SMEs are locally owned, whilst 18% are foreign-owned. The Singapore Department of Statistics presented 2020 statistics on Singapore SMEs. SMEs in Singapore are defined as organizations with a turnover of less than S$ 100 million or 200 or fewer employees.
Conclusion
In light of the discussion, it can be concluded that SMEs do not have the same opportunities as bigger organizations because of their size and level of income. This essay has shown that different methods can be used to protect information and provide appropriate, cost-effective security solutions. SMEs must be aware of the available resources, training, and education in order to be capable of applying the different security solutions. To be capable of applying measures such as MDM or incident response and disaster recovery, an SME needs the appropriate level of knowledge, understanding, and training to accomplish those goals. SMEs need to identify ways to protect themselves, as they are more vulnerable to cyber-attacks than bigger organizations, which have more resources and more skilled employees at their disposal to manage cyber threats.
SMEs play an important role in the growth and development of most nations, particularly developing nations. They account for a huge percentage of organizations worldwide and contribute highly to job creation. This essay has identified that SMEs face different types of threats. With the rapid development of technology, many SMEs are adopting techniques for interacting with and using the information generated by their organizations. Most of the techniques used by SMEs are prone to internet security attacks such as cybercrime. Much detailed SME information is put at higher risk, affecting functions and security and increasing the cost associated with data loss, denial of access, and information falling into the wrong hands. This calls for information security management for SMEs. The essay has included a detailed discussion of the application of information security management in small and medium-sized enterprises (SMEs) compared to big organizations, and has identified the importance of incident response management and disaster recovery, security training and education, and physical security challenges within information security.
References
Alqatawna, J. F. (2014). The challenge of implementing information security standards in small and medium e-business enterprises. Journal of Software Engineering and Applications, 7(10), 883.
Andrade, R., Torres, J., & Flores, P. (2018). Management of information security indicators under a cognitive security model. In 2018 IEEE 8th Annual Computing and Communication Workshop and Conference (CCWC) (pp. 478-483). IEEE.
Bada, M., & Nurse, J. R. (2019). Developing cybersecurity education and awareness programmes for small-and-medium-sized enterprises (SMEs). Information & Computer Security.
Bertino, E. (2016). Data security and privacy: Concepts, approaches, and research directions. In 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC) (Vol. 1, pp. 400-407). IEEE.
Capgemini Research Institute (2019). Reinventing Cyber-security with Artificial Intelligence: The new frontier in digital security. Retrieved from: https://www.capgemini.com/wp-content/uploads/2019/07/AI-inCybersecurity_Report_20190711_V06.pdf [Accessed 19 01 2021]
Custers, B., Dechesne, F., Sears, A. M., Tani, T., & van der Hof, S. (2018). A comparison of data protection legislation and policies across the EU. Computer Law & Security Review, 34(2), 234-243.
Deriabina, K., Ernest, A., & McAbee, B. (2018). Information Technology Regulatory Compliance and Information Security Management. Journal of Comprehensive Research, 5, 1.
Disterer, G. (2013). ISO/IEC 27000, 27001 and 27002 for Information Security Management. Journal of Information Security, 4(2), 92-100. https://doi.org/10.4236/jis.2013.42011
Erokhin, S. D. (2020). Artificial Intelligence for Information Security. In 2020 Systems of Signals Generating and Processing in the Field of on Board Communications (pp. 1-4). IEEE.
Harsch, A., Idler, S., & Thurner, S. (2014). Assuming a state of compromise: A best practise approach for SMEs on incident response management. In 2014 Eighth International Conference on IT Security Incident Management & IT Forensics (pp. 76-84). IEEE.
Horváth, G. (2013). Information Security Management for SMEs: Implementing and Operating a Business Continuity Management System (BCMS) Using PDCA Cycle. Proceedings of FIKUSZ, 133-141. Óbuda University. https://kgk.uniobuda.hu/fikusz
Hu, Q., Dinev, T., Hart, P., & Cooke, D. (2012). Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decision Sciences, 43(4), 615-660.
Mahmudova, L., & Kovács, J. K. (2018). Definition of the performance of small and medium enterprises. Network Intelligence Studies, 6(12), 111-120.
Nagamalla, V., & Varanasi, A. (2017). A review of security frameworks for the Internet of Things. In 2017 International Conference on Information Communication and Embedded Systems (ICES) (pp. 1-7). IEEE.
Online. (2021). 2020 Singapore SMEs Statistics. Retrieved from: https://www.invoiceinterchange.com/2020-singapore-smes-statistics/#:~:text=Singapore%20SMEs%20Overview,support%2072%25%20of%20total%20employment. [Accessed 19 01 2021]
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.
Pierer, M. (2016). Mobile device management: Mobility evaluation in small and medium-sized enterprises. Springer.
Radanliev, P., De Roure, D., Page, K., Nurse, J., Mantilla Montalvo, R., & Santos, O. et al. (2020). Cyber risk at the edge: current and future trends on cyber risk analytics and artificial intelligence in the industrial internet of things and industry 4.0 supply chains. Cybersecurity, 3(1). https://doi.org/10.1186/s42400-020-00052-8
Safa, N. S., Maple, C., Watson, T., & Von Solms, R. (2018). Motivation and opportunity-based model to reduce information security insider threats in organizations. Journal of information security and applications, 40, 247-257.
Sen, D., Ozturk, M., & Vayvay, O. (2016). An overview of big data for growth in SMEs. Procedia-Social and Behavioral Sciences, 235(1), 159-167.
The World Bank. (2020). World Bank SME Finance. World Bank. Retrieved from: https://www.worldbank.org/en/topic/smefinance. [Accessed 19 01 2021]
Verizon. (2019). 2019 DBIR Introduction. Verizon Enterprise. Retrieved from: https://enterprise.verizon.com/resources/reports/dbir/2019/introduction/. [Accessed 19 01 2021]
Verizon. (2020). 2020 Data Breach Investigations Report. Verizon Enterprise. Retrieved from: https://enterprise.verizon.com/resources/reports/dbir/ [Accessed 19 01 2021]
Willey, L., & White, B. J. (2013). Do you take Credit Cards? Security and Compliance for the Credit Card Payment Industry. Journal of Information Systems Education, 24(3), 181-188. Available at: https://aisel.aisnet.org/jise/vol24/iss3/3
Whitman, M., & Mattord, H. (2014). Information Security Governance for the Non-Security Business Executive. Journal of Executive Education, 11(1).
Yang, C. N., & Lai, J. B. (2013). Protecting data privacy and security for cloud computing based on secret sharing. In 2013 International Symposium on Biometrics and Security Technologies (pp. 259-266). IEEE.
Žigienė, G., Rybakovas, E., & Alzbutas, R. (2019). Artificial Intelligence Based Commercial Risk Management Framework for SMEs. Sustainability, 11(16), 4501.