Effective Information Security and Risk Management Strategy for SMEs


Added on  2020/05/03

AI Summary
This report delves into the crucial aspects of information security and risk management strategies tailored for Small and Medium Enterprises (SMEs). It highlights the increasing dependence of businesses on IT and networks, emphasizing the need for robust security measures to protect against breaches. The report examines the current state of security practices within SMEs, particularly in the USA and Europe, focusing on the significance of risk assessment. It reveals common shortcomings, such as a lack of dedicated IT security resources and documented policies. The discussion covers security threats, risk assessment procedures, and the importance of structured risk management, especially given the resource constraints faced by SMEs. The report also presents findings from studies, highlighting the absence of formal security policies and the impact of globally accepted standards like ISO 17799. It concludes by emphasizing the need for improved risk analysis and management methods to address the specific vulnerabilities of SMEs and mitigate the financial impact of cybercrimes. The report also includes a detailed list of references from various publications and studies.
RUNNING HEAD: EFFECTIVE INFORMATION SECURITY & RISK MANAGEMENT
STRATEGY FOR SMALL & MEDIUM ENTERPRISES 1
EFFECTIVE INFORMATION SECURITY & RISK MANAGEMENT STRATEGY FOR
SMALL & MEDIUM ENTERPRISES
Student Name
Institute Name
Contents
Introduction
Security Threats
Conclusion
Reference
Introduction
Companies of all sizes are now heavily dependent on IT and networks for their business
operations. All of them therefore have a constant need to make sure that their systems and
information are properly protected against security breaches. However, there is considerable
evidence suggesting that security practices are not strongly upheld within small and
medium-sized organization environments. The discussion also presents a survey of security
practices within such companies in the USA and Europe, with specific attention to whether
appropriate attention is placed on issues associated with risk assessment (A. Harris and
P. Patten, 2014). The study also reveals that small and medium enterprises are characterized
by a lack of proper attention to IT security measures and the associated accountability,
which is constantly left unassigned or allocated to someone without the right
qualifications.
Security Threats
At a time when companies face new threats and vulnerabilities on a routine basis, the
crucial step in setting the right security for a system is to properly assess the risks to
which it can be exposed. Without this, a company cannot be sure of having the right
appreciation of the threats and vulnerabilities faced by its current assets, and hence of
the countermeasures that arise from them. One way to achieve this is to conduct a proper
risk assessment, which can be defined as a systematic and analytical procedure that
considers the likelihood that a present threat will endanger an asset, people or
operations, and identifies the work needed to decrease the overall risk and mitigate the
results of an attack (Johnson, 2014). Risk assessment can be divided into two separate
procedures. The first, risk analysis, can be described as the assessment of threats to,
impacts on and vulnerabilities associated with data and information processing facilities,
and the chances of their occurrence. It also involves steps such as identifying the assets
that need to be protected and identifying the threats and vulnerabilities associated with
those assets.
Alongside this, there is a need to focus on the risk management process, which is important
for SMEs because they lack the necessary resources in terms of human capital, databases and
specific knowledge. Here, structured risk management is employed across different
positions, with a focus on the administrative function as well.
The study of small and medium enterprises was conducted in Europe and the US by different
universities respectively, in order to compare the attitudes of small and medium companies
towards security (Kimwele, 2014). The reason for considering geography is that distinct
security and data protection legislation applies in each place, and the motive is to
evaluate the extent to which, and how, it affects the companies' approaches to security.
The study is presently ongoing, and the solutions in the paper are based entirely on the
study of different companies. The study has revealed many facts that were previously
unknown, and the absence of risk assessment is not the only way in which a lack of
awareness is manifested (Peltier, 2016). The findings also show that small and medium
enterprises usually lack formal, documented security policies. Globally accepted standards
such as ISO 17799 are important here, as they lead to the handling of risk management
issues such as inadequate infrastructure, management and technical expertise, and a lack of
the finance and intellectual resources needed for technological development and change.
Thus, what is acceptable in this case and what is not is also determined by the study. It
is important to understand that without specific, defined objectives, a company cannot
proceed to a comprehensive level of risk assessment (Soomro et al., 2016). It is also
important to note that a company's security policy can be updated in line with its
findings. The study also investigated the overall share of small and medium-sized
organizations that have documented a security policy. The discussion also indicates that,
in the survey, responses such as "don't know" are effectively "no" responses. But even
where the company concerned does have the right policy, it evidently does not promote it to
staff in an appropriate manner (Wang and He, 2014).
Conclusion
The discussion has shown much evidence of important security issues in SME culture, which
may lead to many unavoidable security incidents, mainly because a risk-based analysis is
not performed and the right corrective measures are not executed. A recent study has also
shown that the cost of cybercrime recovery for a small firm is huge, since it covers
clean-up as well as recovery from virus outbreaks that can put the company network out of
action for many days, while also producing a large average cost to clean up the mess (Wu et
al., 2014).
But with the identified constraints on expertise, awareness and budget, it is hard to see
how the current situation for SMEs will improve without more fundamental changes to the
approaches available to them. One of the issues arising from the findings is the need for a
new kind of risk analysis and management method that focuses on removing these
disadvantages and helps SMEs to evaluate the risks to which their assets are exposed
(Wynarczyk et al., 2016).
Reference
A. Harris, M. and P. Patten, K., 2014. Mobile device security considerations for small-and
medium-sized enterprise business mobility. Information Management & Computer
Security, 22(1), pp.97-114.
Johnson, P.F., 2014. Purchasing and supply management. McGraw-Hill Higher Education.
Kimwele, M.W., 2014. Information technology (IT) security in small and medium enterprises
(SMEs). In Information Systems for Small and Medium-sized Enterprises (pp. 47-64).
Springer Berlin Heidelberg.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for
effective information security management. CRC Press.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs
more holistic approach: A literature review. International Journal of Information
Management, 36(2), pp.215-225.
Wang, F.K. and He, W., 2014. Service strategies of small cloud service providers: A case
study of a small cloud service provider and its clients in Taiwan. International Journal of
Information Management, 34(3), pp.406-415.
Wu, D.D., Chen, S.H. and Olson, D.L., 2014. Business intelligence in risk management:
Some recent progresses. Information Sciences, 256, pp.1-7.
Wynarczyk, P., Watson, R., Storey, D.J., Short, H. and Keasey, K., 2016. Managerial labour
markets in small and medium-sized enterprises. Routledge.