Information security management is a crucial element for organizations of every size, largely because of the increasing globalisation of business. Enterprises try to make the best possible use of technology, including by trading electronically. They have placed great volumes of data in their databases, and with that data have invited a range of security problems. Organizations must therefore protect their information continuously against such vulnerabilities, which is why information security management is so important. Large enterprises as well as small and medium enterprises (SMEs) have invested sizeably in the internet so as to reach customers across the globe with ease, but they have also had to invest heavily in ensuring that the information so exposed is well protected against attack. Having chosen the internet as the platform for reaching the wider world, businesses are obliged to build a digital information environment so that this reach is simple; that information, however, is exposed to numerous attacks such as phishing, malware and Trojans. Business needs also change continuously, so the security management of an SME should be able to adapt to change and to support altering business aims and goals. SMEs with their own IT infrastructure aim to challenge bigger organizations through their flexibility, competence and custom-made solutions (Helokunnas & Iivonen, 2003). It is therefore rightly said that a well planned information security policy will help an SME outshine its competitors and become the first preference of customers.
SMEs usually spend less money, and have less expertise, on establishing and maintaining IT security policies and strategies, and for that reason attackers target them most. The Symantec Global SMB Survey of 2013 found that, because SMEs secure their information less well, 31 percent of targeted attacks were aimed at them. A survey by PwC LLP, UK, published in April 2012, showed that 76 percent of small organizations had suffered security breaches, at an average cost of 15,000 to 30,000 pounds. Although information security management is a must for SMEs if they are to compete with larger organizations, they are still unable to invest that much in it and hence become the main victims of attackers (Abbas et al., 2015). SMEs are thus one of the larger segments that need information security management the most.
Topic 1: Security Standards Compliance Issues In Information Security Management
Managing information security, as opposed to IT security alone, is now gaining wide attention. For years organizations concentrated only on IT security management, but times have changed. One of the biggest threats today is the insider threat: a threat from employees, staff and management who exploit the vulnerabilities the system offers them. A company's data is one of its most prized assets (Magklaras & Furnell, 2004). To protect it, an organization needs an adequate governance policy embedded in the business and a strong system of internal control. Due diligence should be exercised so that risks are known to everyone concerned and are tackled whenever a deficiency arises. The ISO/IEC 27001 standard specifies the requirements for an information security management system (ISMS) and is used by all kinds of entities across the globe as the basis for managing an organization's information security policy and its implementation (Churchman, 2017). SMEs have also used the standard to implement information security management successfully, because it is flexible, and it has become the de facto standard for information security management overall.
The standard adopts the Plan-Do-Check-Act (PDCA) approach, also known as continuous improvement, under which the ISMS is monitored regularly to confirm that its controls are adequate for the information security risks. When it comes to compliance with security standards, SMEs find it an expensive burden; they view PCI DSS (the Payment Card Industry Data Security Standard), for instance, as a long and costly project. SMEs are also unsure what they should comply with and what they need not. They may be able to comply with a particular standard, but the question is for how long, since standards change frequently. From the SME's point of view, compliance is therefore a costly affair (Kelly, 2015).
Besides the cost of compliance, there are few international standards designed to help SMEs adopt adequate measures for safeguarding data. Regrettably, many statements in the standards are demanding for SMEs to comply with when it comes to identifying the tasks and activities that must be carried out, and the implementation guidance is not detailed enough to help them apply it to their information security and privacy needs. Standards compliance is also process driven; the necessary processes may not yet exist in an SME, and adopting a standard would call for designing and re-engineering internal processes (Humphreys, 2008). SMEs generally have limited time and money. They prefer a reactive outlook to a proactive one, whereas adopting information security compliance standards demands a commitment of time and finance that an SME would rather invest in business activities with a more transparent return on investment (Gupta & Hammond, 2005).
Bigger organizations do not face such compliance issues to the same extent, since for them the security of information is a priority and a valuable asset. SMEs, by contrast, tend to believe that cyber attacks are more of a threat to larger companies than to themselves, and that they are generally unaffected because they do not store particularly critical data. A 2013 survey of small businesses by the US National Small Business Association found that only thirty percent of small entities worried about the vulnerability of their information to attack, and for this reason SMEs are under the false impression that information security compliance is basically meant for larger concerns and not for them (ENISA, 2015). It is true that larger concerns have more information to protect, but the smaller ones cannot avoid protecting theirs either.
Topic 2: Bring Your Own Device Security Management
Another important reason why the need for information security management in SMEs has increased is the availability of 3G/4G networks, which has made internet access easy on many kinds of devices such as laptops, mobile phones and tablets. This has led to the emergence of device mobility trends, one part of which is bring your own device (BYOD): staff are allowed to use their personal devices for work during working hours as well. The trend was originally called "bring your own technology", a phrase covering software as well as hardware, but the last word was soon replaced with "device". As mobile communication has advanced in functional design, user experience and other areas, staff demand for working over the mobile internet has increased. Because certain apps are easier to use on a mobile phone and give a better experience than on a computer, employees want to free themselves from cabled networks and laptops and bring their personal devices into official use, which lets them make the most of their official as well as unofficial working hours.
BYOD, however, carries a large risk of data leakage because it increases the number of points from which enterprise data is accessed. The biggest threat BYOD poses comes from employees, or, as is rightly said, insiders. Even an SME, which faces wide competition, needs to be especially careful about the threats BYOD poses. Employees who use their own devices for official purposes may unknowingly leak confidential data to an employee of another company, or may open emails that carry malware. A single compromised personal device can have a malicious and far-reaching impact on a company's entire IT infrastructure. Last but not least, information security management is an even larger concern for SMEs because, if a personal device holding critical data is stolen, the company may even be at risk of liquidation owing to its small size. One of the best protections is therefore to define the limits within which an employee may use a personal device for official work and to specify which devices may be used. The technical risk can be reduced considerably by using Mobile Device Management (MDM) software (Li & Yang, 2016).
Topic 3: Implementing Cyber Security Policy
All organizations have their own information security and privacy policies, which are needed to ensure that information is kept safe and secure. Simply formulating policies without implementing them, however, is a worthless exercise. Information security management therefore helps an organization, whatever its size, to adhere to the cyber security policy it has in place. Before any policy is implemented it should be communicated to the staff, and their opinions sought on any changes or suggestions; doing so makes implementation of the organization's cyber security policies much easier. Implementation is nevertheless a cumbersome and costly affair.
The issues that SMEs face in implementing cyber security policies are manifold. The contents of the standards are challenging for SMEs when it comes to identifying the tasks and actions that must be performed, and unfortunately SMEs often fail to grasp the reasoning behind the various security and privacy requirements. Information security management would make SMEs aware of the flexibility the standards offer in implementing and monitoring controls, which they otherwise fail to recognize when executing a cyber security policy. One of the most prominent issues is that the standards are written in a way that a non-technical SME finds hard to understand: standard cyber security policies are framed mainly to support large organizations, and their terms are complex and ambiguous, making them difficult for SMEs to adopt with ease. Sadly, SMEs are unable to tailor the standards to their own needs and to the legal, regulatory and contractual requirements that apply to them. These issues may be addressed to some extent if proper information security management is in place within the SME (O'Regan & Ghobadian, 2004).
Research suggests that the policy-related issues of cyber security are perceived as more frightening than they are in reality. In cyberspace, organizations operate without being fully aware of the risks involved. Larger organizations can easily work without sharing their resources; SMEs unfortunately cannot, and so they lack access to resources that could improve security within their generally small budgets. It can therefore rightly be said that information security management is the need of the hour for SMEs, to ensure that policies are implemented successfully where this would otherwise be cumbersome and costly. Larger organizations can manage without a specific management system for information security, but SMEs that work in an unorganized manner fail to benefit from the flexibility these policies offer and from the high-end protection of data they provide (Chak, 2015). If SMEs implement their cyber security policies properly, they gain a competitive advantage over other SMEs and are preferred above them.
Topic 4: Security Training And Education
The information security breaches survey published by PwC LLP, UK, showed that three quarters of the small businesses whose security policy was found to be poor had suffered employee-related information security breaches. It further showed that around fifty percent of SMEs had not given their employees proper education in information security management. If an SME has a well documented information security policy that is not communicated to, and understood by, its employees, it remains exposed to information security threats and is as badly off as an SME with no security policy at all. Merely formulating an information security policy is not enough if employees are not made aware of it and trained accordingly; the effort is wasted and the whole management programme must be judged unsuccessful (Furnell et al., 2000). Adequate training programmes should therefore be conducted regularly, and all employees should be required to sign an agreement to comply with confidentiality obligations. Although this involves cost, it is a necessity.
It follows that a continuous information security education and training programme is a must in every kind of organization. Human error can be reduced but never eliminated entirely, and that is where the importance of training and education lies. Larger organizations can afford to spend considerable time and money on educating their staff, whereas SMEs at times cannot set aside that much because of limited funds. SMEs differ from larger organizations not in the kind of security issues they face but in the way their operations are conducted (Ng et al., 2013). SMEs are required to tighten their security because compliance with laws and rules is a priority for governments as well as large entities. The biggest problem in implementing education and training among the employees of an SME is the tendency to follow in the footsteps of bigger organizations, whose programmes will naturally be more elaborate and larger in scale because of their size and number of staff. SMEs should understand that educating their staff need not cost them anything like what it costs larger concerns (Herold, 2010). Bigger organizations focus on increasing their security budgets, whereas SMEs cannot afford to do the same and should instead concentrate on their customers; their measures must accordingly be quick and within budget. An SME should also be more conscious of its reputation in the market, as competition is intense, and any security breach, especially one caused by staff, presents a poor image to customers. The resulting loss of trust is harder for an SME to regain than for a larger organization, whose reach is wider (Sadok & Bednar, 2016).
Training and educating employees should therefore be a priority for every type of organization when it comes to information security management.
In conclusion, SMEs also need information security management, because they have many more competitors and it is easy for one competitor to wipe out another if its confidential data leaks. Even though an SME may not generally seem worried about applying an information security management system, such a system is of the utmost importance because its benefit far exceeds its cost. Security compliance is an issue; BYOD is another, as it leads easily to data leakage; and implementing a cyber security policy is a tedious task that demands time as well as money. Last but not least, educating and training staff is not a one-time exercise but an ongoing process. One can therefore say that the need for information security management in SMEs is situation driven and organization specific, unlike in larger organizations where such a system is a compulsion by default.
Abbas, J., Mahmood, H. K. & Hussain, F. (2015). Information Security Management for Small and Medium Size Enterprises. Retrieved from https://www.researchgate.net/publication/308992350_INFORMATION_SECURITY_MANAGEMENT_FOR_SMALL_AND_MEDIUM_SIZE_ENTERPRISES
Alqatawna, J. (2014). The Challenge of Implementing Information Security Standards in Small and Medium e-Business Enterprises. Journal of Software Engineering and Applications, 7, 883-890.
Chak, S. K. (2015). Managing Cybersecurity As A Business Risk For Small and Medium Enterprises. Retrieved from https://jscholarship.library.jhu.edu/bitstream/handle/1774.2/38027/CHAK-THESIS-2015.pdf
Churchman, H. (2017). The 3 key challenges of ISO 27001 implementation for SMEs. Retrieved from https://advisera.com/27001academy/blog/2017/04/17/the-3-key-challenges-of-iso-27001-implementation-for-smes/
ENISA. (2015). Information security and privacy standards for SMEs.
Furnell, S. M., Gennatou, M. & Dowland, P. S. (2000). Promoting Security Awareness and Training within Small Organisations. In Proceedings of the 1st Australian Information Security Management Workshop, Deakin University, Geelong, Australia.
Gupta, A. & Hammond, R. (2005). Information systems security issues and decisions for small businesses. Information Management & Computer Security, 13(4), 297-310.
Helokunnas, T. & Iivonen, I. (2003). Information Security Culture in Small and Medium Size Enterprises. Seminar presentation, Institute of Business Information Management, Tampere University of Technology, Finland.
Herold, R. (2010). Managing an Information Security and Privacy Awareness and Training Program (2nd ed.). New York: Auerbach Publications.
Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 13, 247-255.
Kelly, L. (2015). Tackling the IT security and compliance challenges for SMEs. Retrieved from https://www.computerweekly.com/feature/Tackling-the-IT-security-and-compliance-challenges-for-SMEs
Li, P. & Yang, L. (2016). Management Strategies of Bring Your Own Device. MATEC Web of Conferences.
Magklaras, G. B. & Furnell, S. M. (2004). The Insider Misuse Threat Survey: Investigating IT Misuse from Legitimate Users. Retrieved from https://folk.uio.no/georgios/papers/IWAR04MagklarasFurnell.pdf
Ng, Z. X., Ahmad, A. & Maynard, S. B. (2013). Information Security Management: Factors that Influence Security Investments in SMEs. Australian Information Security Management Conference. Retrieved from https://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1156&context=ism
O'Regan, N. & Ghobadian, A. (2004). Testing the homogeneity of SMEs: The impact of size on managerial and organizational processes. European Business Review, 16, 64-77.
Romer, H. (2014). Best Practices for BYOD security. Computer Fraud & Security.
Sadok, M. & Bednar, P. (2016). Information Security Management in SMEs: Beyond the IT Challenges.