An Analysis of IS/IT Risk Management for Small and Medium Enterprises

Added on 2021/04/16

AI Summary
This report provides an in-depth analysis of IS/IT risk management specifically tailored for Small and Medium Enterprises (SMEs). It emphasizes the growing reliance of SMEs on information systems and the associated security risks. The report highlights the importance of implementing international security standards like ISO/IEC 27001 and 27002 to mitigate these risks. It details various threats faced by SMEs, including internal attacks, phishing, DDoS attacks, malware, BYOD vulnerabilities, website security issues, and lack of cyber security knowledge. The report also explores the significant impact of data breaches, including financial losses, reputational damage, and regulatory penalties. The conclusion stresses the urgent need for robust information security measures and risk mitigation strategies to safeguard SMEs from the adverse effects of cyber threats and data breaches.
Running head: IS/IT RISK MANAGEMENT
IS/IT RISK MANAGEMENT
Name of Student:
Name of University:
Author note
In recent times, small and medium enterprises (SMEs) have become important sources of innovative business models, which in turn drive economic growth and the uplift of a country. If SMEs can be helped to overcome the obstacles that hamper their business growth, many more innovations can be expected in the near future. In the present era, SMEs are becoming increasingly dependent on information systems, both to provide services to their customers and to meet their business goals. A large number of SMEs have already established a presence on the internet, and electronic communication and digital services are an important aspect of that growing number. Greater use of information technology, however, brings greater security risk to SMEs. An extensive security process is therefore necessary to address security issues that can cause tremendous loss, not only to small and medium sized enterprises but to large organizations as well. There is thus an urgent need for international security standards so that potentially important data can be properly maintained.
In order to provide SMEs with stringent security approaches, a number of privacy and information security standards have been brought to light; ISO/IEC 27001 and ISO/IEC 27002 are two such standards (Romanosky 2016). ISO/IEC 27001 assists SMEs in implementing an information security management system (ISMS). ISO/IEC 27001 is considered to be one of the most widely implemented standards since its year of establishment, and it has greatly enabled small scale industries to cope with present global market trends. Risk assessment is one of the key factors of an ISO 27001 implementation, and this step is also crucial for beginning an information system security project. ISO 27001 first aims to assess the probable risk factors and then provides ways of mitigating those risks. The security management system established with the help of ISO 27001 is improved, monitored and checked on a regular basis (Martínez-Pérez et al., 2015). The ISO 27002 framework is useful for maintaining controls, but for assessing risk ISO 27001 can be regarded as the best option. Many SMEs still struggle to adopt such frameworks because of a lack of basic guidance. ISO 27002 specifies certain practices for ensuring basic protection, such as user awareness, antivirus software, access control, backup and protection of essential paper-based files. It is therefore essential that an SME implements this basic level of security while setting up its business: antivirus software can fight virus attacks, and backups reduce the chance of data loss (Simpson 2016). The ISO standards provide SMEs with easy handling of risk factors.
Small and medium sized enterprises encounter numerous threats and vulnerabilities. SMEs are vulnerable to internal attack, which makes up a large part of the security threats that small industries face in the modern world. Employees of the company who have access to sensitive data, network servers and admin accounts possess the capability of leaking vital information, so the company is exposed to internal attack threats that adversely affect the security of the organization (Janakiraman, Lim and Rishika 2018). In addition to internal threats, SMEs may also fall victim to phishing attacks, in which attackers introduce malicious code and thereby introduce malware into the business. This attack is also difficult to recognize, as the mails appear to be sent by someone whom the recipient knows and trusts. Moreover, SMEs also fall victim to Distributed Denial of Service (DDoS) attacks, in which websites slow to a crawl and crucial services are forced offline. Such an attack hampers the functioning of the business through a massive increase in the amount of web traffic. Malware is yet another form of threat by which almost all small and medium sized enterprises are affected (Ab Rahman and Choo 2015). It is a kind of software that gets installed on a machine and has the capability to perform tasks that benefit solely a third party and lead to harmful consequences for the host organization (Peltier 2016). Typically, it locks important files and demands some amount of compensation for unlocking them. The use of Bring Your Own Device (BYOD) by small and medium sized industries brings threats to the data secured within the organization, as employees may be using devices that include malicious applications (Rajeyyagari and Alotaibi 2018). This poses a risk to the corporate network, because a malicious application on an employee's private device has the potential to bypass security and thereby gain access to the network from within the company.
Moreover, poor security maintenance of websites by small and medium sized enterprises opens them up to data theft by attackers and cyber criminals. SQL injection is one of the major threats to an organization among the existing security threats that adversely affect websites. It has an impact not only on small and medium sized enterprises but on large businesses as well (Kerzhner, Tan and Fosse 2015). This threat allows attackers to tamper with and steal valuable data and information from the database by exploiting the back end of web applications. The attackers insert malicious code into the queries sent to the server database, which is capable of extracting valuable and secured information, thereby posing security threats to the organization.
The lack of cyber security knowledge also poses a threat to small and medium sized businesses and increases the chances of cyber security risks (Topping 2017). This can lead to data breaches, as employees may reveal secured data through a lack of cyber security awareness. A data breach can lead to tremendous loss to the company, including loss of reputation and business profits.
Computer security is of utmost importance for small, medium and large business enterprises alike. Computer security incorporates the proper security maintenance of data so as to prevent data breaches (Schatz and Bashroush 2016). The impact of a data breach includes a decrease in the organization's revenue as well as regulatory penalties. It may also lead to a loss of customer confidence, to reputational damage, and to a serious impact on innovation through the loss of prototypes and product designs. According to the cyber security report, 59% of organizations become vulnerable to cyber security threats (Champbell 2018). Moreover, because of the lack of awareness of cyber security and information security, there has been a tremendous increase in data breach activity. Small and medium sized organizations that are under security threat are also vulnerable to reputational damage: according to researchers, about 49% of organizations suffer a loss of reputation due to leakage of data (Skroupa 2018). This leads to a loss of customers and a decline in business, as the organizations lose the confidence of their customers. The impact of a loss of security extends to financial losses as well. The financial losses incurred by small and medium sized organizations may reach an average amount of $38000 to recover from a single data breach (Skroupa 2018). Data breaches therefore have a huge impact on small and medium sized organizations. Moreover, monetary penalties are associated with cases of data breach; these penalties are imposed on organizations that fail to prevent data breaches, and a penalty imposed on an organization also adds to its financial losses.
From the above discussion it can be inferred that there is a great need for an International Information Security Standard for small and medium enterprises, as the after effects of information security breaches are severe and have a negative impact on small as well as medium sized organizations. The devastating effects of data breaches on organizations have also been discussed: they may cause huge financial loss and loss of reputation. Moreover, the issue of penalties also demands great concern and calls for an International Information Security Standard. Small and medium sized organizations face various threats and vulnerabilities associated with data breaches, such as denial of service attacks and phishing attacks, including spear phishing. These attacks lead to data breaches and loss of customers. Risk mitigation techniques provide protection against data breaches, but there remains a great need for the introduction of an International Information Security Standard.
References
Ab Rahman, N.H. and Choo, K.K.R., 2015. A survey of information security incident handling in the cloud. Computers & Security, 49, pp.45-69.
Champbell, N., 2018. Forbes Welcome. [online] Forbes.com. Available at: https://www.forbes.com/sites/edelmantechnology/2017/10/11/cyber-security-is-a-business-risk-not-just-an-it-problem/#3108aaf57832 [Accessed 27 Mar. 2018].
Janakiraman, R., Lim, J.H. and Rishika, R., 2018. The Effect of Data Breach Announcement on Customer Behavior: Evidence from a Multichannel Retailer. Journal of Marketing.
Kerzhner, A.A., Tan, K. and Fosse, E., 2015. Analyzing cyber security threats on cyber-physical systems using Model-Based Systems Engineering. In AIAA SPACE 2015 Conference and Exposition (p. 4575).
Martínez-Pérez, B., De La Torre-Díez, I. and López-Coronado, M., 2015. Privacy and security in mobile health apps: a review and recommendations. Journal of Medical Systems, 39(1), p.181.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. CRC Press.
Rajeyyagari, S. and Alotaibi, A.S., 2018. A study on cyber-crimes, threats, security and its emerging trends on latest technologies: influence on the Kingdom of Saudi Arabia. International Journal of Engineering & Technology, 7(2.3), pp.54-58.
Romanosky, S., 2016. Examining the costs and causes of cyber incidents. Journal of Cybersecurity, 2(2), pp.121-135.
Schatz, D. and Bashroush, R., 2016. The impact of repeated data breach events on organisations' market value. Information & Computer Security, 24(1), pp.73-92.
Simpson, M.D., 2016. All Your Data Are Belong to Us: Consumer Data Breach Rights and Remedies in an Electronic Exchange Economy. U. Colo. L. Rev., 87, p.669.
Skroupa, C., 2018. Forbes Welcome. [online] Forbes.com. Available at: https://www.forbes.com/sites/christopherskroupa/2017/07/11/cyber-security-effects-company-financial-performance/#18e8b5185c09 [Accessed 27 Mar. 2018].
Topping, C., 2017. The role of awareness in adoption of government cyber security initiatives: A study of SMEs in the UK.