WHAT THE PAPERS SAY

CLOUD COMPUTING & SMEs IN UK- A REPORT FROM THE CLOUD STEWARDSHIP ECONOMIC GROUP PROJECT

Iffatt Gheyas and Bruce Hallas, the authors of this report, state the findings of a survey of SMEs in the UK that explored fresh insights into the adoption and use of cloud computing. The SMEs, of which only 93 responded to the survey, were categorized by annual turnover, years of operation, staff strength, and number of operating locations within and outside the UK.

Key findings from this research include the following:

  • SMEs with a relatively low annual turnover of under £100k are relying more heavily on IT & cloud computing to sustain and grow than any other organizations.
  • Priority areas for IT investment (a key strategic resource) are Operations, Marketing and Sales.
  • All respondents hold, access or process personal and commercially sensitive information about their clients or clients' customers.
  • In most SMEs, the Director/Chief Executive/Business Owner is responsible for information security and for identifying threats. It means that SMEs are fully aware of the importance of cyber security and understand the concerns of various governments and customers about security.
  • Our brief survey suggests that, in spite of their awareness of the prevalence of information security risks and their impact on the business, most of them are not following IT security best practices.
  • Almost half of the small local businesses with annual turnover less than £100k do not have an information security policy.
  • A significant majority of the SMEs surveyed do not have a business continuity plan and have never assessed the impact that a breach of confidentiality and/or availability would have on their business's cash flow, profitability and reputation.
  • Most SMEs choose price over security.
  • The majority of SMEs see 'Data Retention Policy' and 'Terms & Conditions of Supply' as the most important criteria for the BPO vendor selection process.
  • An overwhelming majority of respondents, regardless of class characteristics, view the "Legal system which governs SME's relationship with their supplier" as the most critical success factor for IT outsourcing.
  • Companies with higher earnings prefer single vendor solutions, while companies with lower earnings prefer multi-vendor outsourcing.

MY REFLECTION

From this report it is obvious that SMEs with a relatively low annual turnover are using cloud computing more intensively than SMEs with a higher level of turnover, which negates the postulation of Kelly (2014) that “SMEs face the same information security threat as larger enterprises but without their budgets”. Many authors are of the opinion that financial incapacity is the main reason why SMEs do not invest in information security, which may be right. Nevertheless, this report, based on a valid survey, shows that SMEs are aware of information security and that, beyond a lack of finances, they simply decide not to invest in it because they feel it is not cost-effective.

 

REFERENCES:

Gheyas, I. and Hallas, B. (2011). Cloud computing and SMEs in UK. Retrieved on 05 March 2014 from <https://www.iisp.org/imis15/CMDownload.aspx?ContentKey=c0d6c3b7-81db-4c64-b9ec-a5e028aea4fd&ContentItemKey=f5a4ded3-937e-4f60-8933-cf1ed948640b>.

Kelly, L. (2014). ComputerWeekly.com. The Top 5 SME Security Challenges. Retrieved on 05 March 2014 from <http://www.computerweekly.com/feature/The-top-five-SME-security-challenges>

 

 

EU SMES IN 2012: AT THE CROSSROADS. ANNUAL REPORT ON SMALL AND MEDIUM-SIZED ENTERPRISES IN THE EU, 2011/12

The European Union faced challenging economic conditions in 2011/12, with an intensifying sovereign debt crisis in the euro zone, the spectre of double-dip recession for several countries and weakening growth in even the better performing nations. Throughout the downturn, however, SMEs have retained their position as the backbone of the European economy, with some 20.7 million firms accounting for more than 98 per cent of all enterprises, of which the lion’s share (92.2 per cent) are firms with fewer than ten employees. For 2012 it is estimated that SMEs accounted for 67 per cent of total employment and 58 per cent of gross value added (GVA). These figures point to a virtual standstill compared with the preceding year, 2011. With more than 87 million persons employed, the EU's SMEs continue to be the backbone of the EU economy. However, the difficult economic environment continues to pose severe challenges to them. This is also reflected in the key findings of the report:

1. With the EU economy threatening to dip into recession again, SMEs in the EU as a whole continue to struggle to recover to pre-crisis levels of value added and employment. Yet, SME performance varies considerably among Member States.

2. SMEs in Austria and Germany have exceeded their 2008 levels of gross value added (GVA) and employment in 2011. SMEs in Belgium, Finland, France and Luxembourg have, on average, experienced an anaemic performance since 2008. In the other 20 Member States, SMEs have been so far unable to bounce back to their pre-crisis levels of either GVA or employment.

 

3. A number of factors explain why SMEs have recovered well in very few countries. First, it appears to help if an economy, such as Germany’s, is strong in high-tech and medium high-tech manufacturing and knowledge-intensive services. Second, sectoral labour productivity levels are higher when the sector shows higher investment rates, higher export rates, and when the sector belongs to high-tech and medium high-tech manufacturing and knowledge-intensive services. Again, Austria and Germany have generally met these conditions. Third, the real value added growth in these best performing Member States is a result of both employment growth (boosting aggregate demand) and real productivity growth, with the contribution of the former being clearly the dominant one.

4. As regards the industrial picture, most sectors experienced a recovery in GVA growth for SMEs in the EU combined with declining or flat SME employment (overall remaining at much lower than the pre-crisis levels of 2008). The sole exceptions were trade, transportation and services. SMEs operating in the mining & quarrying sector performed least well.

5. Notwithstanding some positive effects on labour productivity, the main result of these trends is a ‘jobless growth’ for the EU’s SMEs.

 

REFERENCE:

Wymenga P., Spanikova V., Barker A., Konings J., and Canton Erik (2012). EU SMEs in 2012: at the crossroads. Annual Report on Small and Medium-sized Enterprises in the EU, 2011/12. Retrieved on 5 March, 2014 from <http://ec.europa.eu/enterprise/policies/sme/facts-figures-analysis/performance-review/files/supporting-documents/2012/annual-report_en.pdf>

 

THE CLOUD DIVIDEND: ECONOMIC BENEFITS OF CC TO BUSINESS AND THE WIDER EMEA ECONOMY

This is a summary of the report on, and results of, an independent study to quantify the economic benefits of cloud computing to business and to Europe’s five largest economies (in alphabetical order: France, Germany, Italy, Spain and the UK). The study was undertaken by the Centre for Economics and Business Research Ltd (Cebr) on behalf of EMC, a global commercial technology company providing systems, software and services to its business clients. Its findings were as follows:

  • Widespread adoption of cloud computing has the potential to generate over €763 billion worth of collective financial benefits in the years 2010 – 2015, across the five economies.
  • A forecast yearly economic benefit in excess of €177 billion by 2015, which is a 23.2% share of the collective benefits over the six-year period; this would place a high workload on cloud service providers and customers.
  • In excess of 2.3 million net jobs (direct and indirect) created between 2010 and 2015 on a collective basis; CC adoption could yield 446 thousand new jobs annually by 2015 across the five economies.

What this study shows is that cloud computing is not only an important issue from the micro perspective of boosting the efficiency of individual companies’ IT investment and, hence, general corporate productivity; especially in the present uncertain economic climate, it will also be a critical macroeconomic factor for boosting Europe's economic growth. As such, the study is an important contribution outlining one of the most important ways that European economies can revive and emerge from the economic crisis.

From the above it is evident that the benefits of cloud computing are changing the turnover of organizations, with more to come in the next few years. CC has come to stay, and it improves the operations and activities of the organizations that adopt it, whether SMEs or large enterprises.

REFERENCE:

UK. Centre for Economic and Business Research (2010). The Cloud Dividend: Part One. The economic benefits of cloud computing to business and the wider EMEA economy. France, Germany, Italy, Spain and the UK. Retrieved on 04 March, 2014 from < http://uk.emc.com/collateral/microsites/2010/cloud-dividend/cloud-dividend-report.pdf>

IT SECURITY STRATEGIES FOR SMEs

Small and medium enterprises are depending more on their information technology infrastructure but do not have the means to secure it properly, owing to financial restrictions such as limited resources and to a lack of adequate know-how. Many SME managers believe that IT security in their company amounts to having a firewall and updating the antivirus software regularly. Strategic policies, information theft, business continuity, access controls, and many other aspects are only dealt with when a security incident occurs. To improve security in a company holistically, four levels (organizational level, workflow level, information level, and technical level) need to be addressed. Parts of existing standards are useful to address issues on the organizational level; Pipkin’s approach is especially useful for SMEs.

 SME’S AND LARGE COMPANIES

In highly competitive global markets, SMEs usually are only successful if they provide highly customized solutions for their customers. The knowledge of their customers is also emphasized by the management style of many SMEs. Many SMEs are operated as family businesses managed by their founders or their descendants. Even though the management usually knows a lot about their customers and their core business, they often lack a systematic approach to organizing their business processes. In many cases, the management of SMEs does not see their company as a likely target for hacker attacks or intruders. Therefore, they deem IT security a low priority. This is a very dangerous misconception of the evolving threats to modern IT infrastructure. Another aspect, which is often underestimated, is industrial espionage. Since know-how is the most important asset of SMEs, proper safeguards have to be taken to protect this asset from intruders as well as from malicious or disgruntled employees or former employees. This fact becomes even more evident as the IT infrastructure used by many SMEs offers services similar to those of large companies, such as Internet access on every work desk, remote access for home workers or traveling salesmen, distributed databases, or simple ERP and CRM systems. However, as SMEs usually spend less money (both in absolute and relative figures) on IT management and information security, they are much less prepared for potential attacks from outside or inside.

IT SECURITY STANDARDS FOR SMES

Established Standards: Most Information Security Frameworks were originally developed either for large corporations or governmental institutions to establish or keep a certain level of service quality and security. Therefore, a more pragmatic approach is needed that covers all areas that need to be addressed, but which is still feasible for companies with low IT budgets.

A Pragmatic Approach for SMEs: Donald Pipkin (2000) developed an interesting approach that is very suitable for smaller companies with a few modifications even though it was originally developed for large corporations. Pipkin suggests an Information Security process model consisting of five aspects: (1) inspection, (2) protection, (3) detection.

CONCLUSION

Security needs to be addressed at four levels (organizational level, workflow level, information level, and technical level). SMEs differ from large companies in many aspects. These differences explain why IT security is usually not that well addressed in SMEs, even though SMEs increasingly depend on their IT systems as much as large companies do. Additionally, SMEs may be more often attacked in the future, as large companies become increasingly difficult to hack.

REFERENCES:

Ji-Yeu P., Rosslin R., Chang-Hwa H., Sang-Soo Y., and Tai-hoon K., (2008). IT Security Strategies for SMEs. International Journal of Software Engineering and Its Application. Retrieved on 05 March, 2013 from < http://www.sersc.org/journals/IJSEIA/vol2_no3_2008/7.pdf>

Pipkin, D. L. (2000). Information security. Upper Saddle River, NJ: Prentice Hall

WHITEPAPER: TOP 10 THREATS TO SME DATA SECURITY

Although it is difficult to find reality-based, accurate reporting on what the network security threat really is today, Scott Pinzon has identified the 10 most common vectors of data compromise that could affect SMEs and has proposed practical techniques and defences to counter them. The vectors are:

INSIDER ATTACKS– Verizon’s Intrusion Response Team investigated 500 intrusions in 4 years and could attribute 18% of the breaches to corrupt insiders. Of that 18%, about half arose from the IT staff itself.

MITIGATION

Implement the principle of dual control. Implementing dual control means that for every key resource, you have a fall-back.

 

LACK OF CONTINGENCY: Many SMEs have found that a merely bad data failure or compromise turns disastrous when there is no Business Continuity Plan, Disaster Recovery Plan, Intrusion Response Policy, up-to-date backup system from which you can actually restore, or off-site storage.

MITIGATION

Certainly if you have budget for it, hire an expert to help you develop sound information assurance methodologies. If you don’t have much money to work with, leverage the good work others have done and modify it to fit your organization.

POOR CONFIGURATION LEADING TO COMPROMISE: Inexperienced or underfunded SMEs often install routers, switches, and other networking gear without involving anyone who understands the security ramifications of each device.

MITIGATION

Perform an automated vulnerability audit scan. If you can’t afford to hire consultants, you probably can afford a one-time, automated scan of your network.

RECKLESS USE OF HOTEL NETWORKS AND KIOSKS: Hotel networks are notoriously lousy with viruses, worms, spyware, and malware, and are often run with poor security practices overall.

MITIGATION

Set and enforce a policy forbidding employees from turning off defences.

RECKLESS USE OF WI-FI HOT SPOTS: Public wireless hot spots carry all the same risks as hotel networks, and then some. Attackers commonly put up an unsecured wireless access point which broadcasts itself as “Free Public WiFi.” Then they wait for a connection-starved road warrior to connect.

MITIGATION

Teach users to always choose encrypted connections. Have them connect via a Virtual Private Network (VPN).

DATA LOST ON A PORTABLE DEVICE: Much sensitive data is compromised every year when workers accidentally leave their smart phone in a taxi, their USB stick in a hotel room, or their laptop on a commuter train. When data is stored on small devices, it’s wiser for administrators to stop thinking about what they’ll do “if that device ever gets lost…” and instead, think, “when it gets lost…”

MITIGATION

Manage mobile devices centrally. Consider investing in servers and software that centrally manage mobile devices.

WEB SERVER COMPROMISE: The most common botnet attack today is against web sites; and the fatal flaw in most web sites is poorly-written custom application code.

MITIGATION

Audit your web app code. If (for instance) a Web form has a field for a visitor to supply a phone number, the web application should discard excess characters.
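
A server-side version of the phone-number check described above, as an added example that is not from the whitepaper or from WatchGuard. The field policy (optional "+", 7 to 15 digits, a 32-character cap) and the names `clean_phone` and `audit_line` are assumptions made for illustration; the sample inputs in the comments are constructed.

```python
"""Server-side handling of a phone-number form field (added example)."""
import re
import unicodedata
from typing import NamedTuple, Optional

# Assumed field policy, not taken from the whitepaper: an optional leading "+",
# then 7 to 15 ASCII digits, with common separators tolerated as typed.
MAX_RAW_LEN = 32
MIN_DIGITS, MAX_DIGITS = 7, 15
_ALLOWED_PREFIX = re.compile(r"\s*(\+?)([0-9 .()\-]*)")


class PhoneField(NamedTuple):
    value: Optional[str]  # canonical digits (with "+" if given); None = reject
    excess: str           # input that was discarded, kept only for logging


def clean_phone(raw: object) -> PhoneField:
    """Keep the leading run of phone characters and discard everything else."""
    if not isinstance(raw, str):
        return PhoneField(None, "")
    # Fold compatibility forms (e.g. full-width digits) to ASCII first; digits
    # from other scripts stay non-ASCII and fail the ASCII-only allow-list.
    text = unicodedata.normalize("NFKC", raw)
    capped, overflow = text[:MAX_RAW_LEN], text[MAX_RAW_LEN:]
    match = _ALLOWED_PREFIX.match(capped)  # every part is optional: always matches
    plus, body = match.group(1), match.group(2)
    digits = re.sub(r"[^0-9]", "", body)
    # Everything after the first disallowed character, plus anything beyond
    # the length cap, is excess and never reaches the application.
    excess = capped[match.end():] + overflow
    if not MIN_DIGITS <= len(digits) <= MAX_DIGITS:
        return PhoneField(None, excess)
    return PhoneField(plus + digits, excess)


def audit_line(field_name: str, result: PhoneField) -> Optional[str]:
    """Build a log line for discarded input; %r escapes CR/LF in the sample."""
    if not result.excess:
        return None
    return "form field %s: discarded %d chars: %r" % (
        field_name, len(result.excess), result.excess[:40])


if __name__ == "__main__":
    # Constructed inputs: a normally typed number, then one with markup appended.
    for sample in ("+44 (0)20 7946 0958",
                   "020 7946 0958<script>alert(1)</script>"):
        result = clean_phone(sample)
        print(result.value, audit_line("phone", result))
```

The stored value is built only from the allowed prefix, so a digit that appears inside the discarded text can never end up in the number; the audit line gives the administrator a record of forms that are receiving unexpected input.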

RECKLESS WEB SURFING BY EMPLOYEES: A 2006 study by the University of Washington found that the sites that spread the most spyware were (in order):

1. Celebrity fan sites (such as the type that give updates on the follies of Paris Hilton and Britney Spears);

2. Casual gaming sites (where you can play checkers against a stranger)

3. Porn sites (coming in at a surprising third place)  

Social networking sites such as MySpace and Facebook have taken the lead as virtual cesspools of spam, trojans, and spyware.

MITIGATION

Implement web content filtering. Use web filtering software such as WatchGuard’s WebBlocker. Web filtering solutions maintain databases (updated daily) of blocked URLs in scores of categories.

 MALICIOUS HTML EMAIL : The most common email attack now arrives as an HTML email that links to a malicious, booby-trapped site. One wrong click can trigger a drive-by download.

MITIGATION

Implement an outbound web proxy. You can set up your LAN so that all HTTP requests and responses redirect to a web proxy server, which provides a single choke-point where all Web traffic can be monitored for appropriateness.

 AUTOMATED EXPLOIT OF A KNOWN VULNERABILITY

Negligent SMEs get victimized if they don’t install Windows patches during the same month the patch is published.

MITIGATION

Invest in patch management or build an inexpensive test network.

 CONCLUSION

The suggested measures can go a long way in mitigating risks in SMEs and protecting their network but these are only examples of the procedures that a diligent IT administrator could implement to increase network security.

 

REFERENCE

Pinzon, S. (2008). WatchGuard Technologies - Top 10 Threats to SME Data Security. Retrieved on 05 March, 2014 from <https://www.watchguard.com/docs/whitepaper/wg_top10-summary_wp.pdf>


MANAGING INFORMATION SECURITY IN SMALL AND MEDIUM SIZED ENTERPRISES: A HOLISTIC APPROACH

This paper discusses the identified challenges affecting the execution of information security management in SMEs and presents an approach, based on the Soft Systems Methodology, to aid the growth and adoption of ISM systems. A case study is given to demonstrate the effectiveness of the proposed approach, and the stages of the approach are explained diagrammatically.

SMEs constitute a larger part of global economic activity, and because of the varying characteristics of these enterprises, the approach to information security management used for larger organisations cannot suffice for SMEs, which is why Tawileh et al. (n.d.) proposed an approach.

Raising awareness of the consequences of information security problems in SMEs cannot solve the problem alone, as physical resources, time and a reasonable level of technical expertise must also be brought together. I concur with Tawileh et al.’s argument that the available approaches were designed specifically without having SMEs in mind, since they may not be able to afford the cost implication of solving information security problems.

Below listed are some of the many challenges hindering the development of information security within SMEs

LIMITED FUNDS- They are not financially strong enough to bear the cost of solving Info. Sec. problems,

TIGHT BUDGETS- They have budgets already for running their organisation which cannot allow additional cost

LIMITED HUMAN RESOURCES- Their staff strength is low compared to larger Organisations

UNSTABLE BUSINESS ENVIRONMENT- Due to the pressure from competition, the business environment is ever-changing.

The holistic approach to information security management avoids the limitations of previous methods and is based on four stages:

Define goals- This has to do with defining the objectives they seek to achieve by the proper management of Information Security.

Identify Actions- This is the process of listing out the strategies intended to help solve the challenges facing SMEs and aid proper management of Information Security.

Implement and Monitor- This is the stage where the identified strategies are put into action and are constantly monitored to determine their effectiveness.

Review – This is the final stage where evaluation is performed upon determined effectiveness to ensure its integration

A case study was used to  illustrate the effectiveness of this approach in identifying required actions to be taken and allocating responsibilities. It was carried out in a short time and with little financial investments proving the capability of the method for SMEs.

REFERENCE

Tawileh, A., Hilton, J., McIntosh, S., (n.d). Managing Information security In Small and Medium Sized Enterprises: A Holistic Approach.  Retrieved 04 March , 2013 from <http://www.tawileh.net/anas/files/downloads/papers/InfoSec-SME-ISSE.pdf?download>

KNOWLEDGE MANAGEMENT- GROUP PRESENTATION

The above video is group Alpha’s presentation on KNOWLEDGE MANAGEMENT, in which I was a member of the group, and we were awarded the best. What we discussed basically are: key concepts/theories of KM, examples of organizations that have used KM effectively, and findings through an information artefact.

Knowledge Management is a concept that arose about two decades ago, roughly in 1990 and it simply means organizing an organization’s information and knowledge holistically. Very early on in the KM movement, Davenport (1994) offered the still widely quoted definition:
“Knowledge management is the process of capturing, distributing, and effectively using knowledge.”
A few years later, the Gartner Group created a second definition of KM, which is perhaps the most frequently cited one (Duhon, 1998):
“Knowledge management is a discipline that promotes an integrated approach to identifying, capturing, evaluating, retrieving, and sharing all of an enterprise’s information assets. These assets may include databases, documents, policies, procedures, and previously un-captured expertise and experience in individual workers.”
Both definitions share a very organizational, a very corporate orientation which is primarily about managing the knowledge of and in organizations.

I will not forget to add that the basis of any derivable knowledge started from DATA which underwent some PROCESSES to become understandable INFORMATION.

There are three categories of Knowledge which are Explicit, Implicit and Tacit Knowledge.
Explicit Knowledge has to do with information that is set out in tangible form.
Implicit Knowledge has to do with information that is not set out in tangible form but could be made explicit.
Tacit simply means Knowledge in one’s head that one would have extreme difficulty operationally setting out in tangible form (Koenig E. D., 2012).
Other KM issues are discussed in the presentation above.

REFERENCES:
Davenport, Thomas H. (1994). Saving IT’s Soul: Human Centered Information Management. Harvard Business Review, March-April, 72 (2) pp. 119-131.

Duhon, Bryant (1998). It’s All in our Heads. Inform, September, 12 (8).

Koenig E. D., (2012). What is KM? Knowledge Management Explained. Retrieved on 04 February, 2014 from < http://www.kmworld.com/Articles/Editorial/What-Is-…/What-is-KM-Knowledge-Management-Explained-82405.aspx>.

An Integrative Study of Information Systems Security Effectiveness in SME’s

Organizations are increasingly relying on information systems (IS) to enhance business operations, facilitate management decision-making, and deploy business strategies. The dependence has increased in current business environments, where a variety of transactions involving trading of goods and services are accomplished electronically. As organizations become increasingly dependent on IS for strategic advantage and operations, the issue of IS security also becomes increasingly important. Increased organizational dependence on IS has led to a corresponding increase in the impact of IS security abuses. While such a trend would suggest IS security as a key management issue, this has not been the case in practice.

 

In the interconnected electronic business environment of today, security concerns are paramount. Management must invest in IS security to prevent abuses that can lead to competitive disadvantage. Using the literature on security practices and organizational factors, this study develops an integrative model of IS security effectiveness and empirically tests the model. The data was collected through a survey of IS managers from various sectors of the economy. SMEs were found to engage in fewer deterrent efforts compared to larger organizations. Organizations with stronger top management support were found to engage in more preventive efforts than organizations with weaker support from higher management. Financial organizations were found to undertake more deterrent efforts and have stiffer deterrent severity than organizations in other sectors. Moreover, greater deterrent efforts and preventive measures were found to lead to enhanced IS security effectiveness (Kankanhalli A., et al., 2009).

 

Risk analysis is the predominant technique used by information security professionals to establish the feasibility of information systems controls. Yet it fails an essential test of scientific method: it lacks statistical rigour and is subject to social misuse. Adoption of alternatives from other disciplines, however, proves even more implausible. Indeed, even improved rigour in risk analysis may limit its usefulness. Perhaps risk analysis is misconceived: its ostensible value as a predictive technique is less relevant than its value as an effective communications link between the security and management professionals who must make decisions concerning capital investments in information systems security (Baskerville R., 1991).

 

REFERENCES:

Baskerville R., (1991). Risk analysis: an interpretive feasibility tool in justifying information systems security. European Journal of Information Systems (1991) 1, 121–130. doi:10.1057/ejis.1991.20. Retrieved on 28 February 2014 from <http://www.palgravejournals.com/ejis/journal/v1/n2/abs/ejis199120a.html >

Kankanhalli A., Hock-Hai T., Bernard C.Y., Kwok-Kee W., (2009). An Integrative Study of Information Systems Security Effectiveness. International Journal of Information Management. Retrieved on 28 February 2014 from http://www.researchgate.net/profile/Hock_Teo publication/222417677_An_integrative_study_of_information_systems_security_effectiveness/file e0b495265c7016604b.pdf

SECURE YOUR INFORMATION, STRENGTHEN YOUR BUSINESS

Information is more readily available today than it was before, with massive internet resources, increased cheap storage capacity, and the phenomenal take-up of cloud computing and social media, which generates new threats and vulnerabilities. Technical equipment and systems are designed to be function- and feature-rich, not necessarily secure; for instance, Windows PCs only had a built-in firewall recently! This means an increase in information risks and a rise in security breaches for business systems.

However, all is not lost. Adhering to the basics will help to protect from many of the cyber-threats our information systems face today.

“80% of cyber attacks could have been prevented by having basic security in place” ( Paddy 2012).

A clarion call for SMEs to up their game

In all areas the number of attacks and, more importantly, the cost of these attacks has risen but the major impact is the cost on SMEs who are now seeing incident levels only previously seen by large organisations.

This is a worrying trend but perhaps not surprising. In general SMEs spend the least on protecting from an information security incident and are therefore an easier target. 

7 BASIC SECURITY CONTROLS TO PROTECT YOUR BUSINESS

These basics will go a long way in making information systems more resilient.

1. Passwords – The use of strong passwords, regular changing of passwords and not reusing already used passwords will help. It is easy to forget passwords if they are changed too often, but writing them on a sticky note under the keyboard or on the monitor is not a good idea.

2. Patching – Patching is paramount in protecting your IT hardware and the information it stores from today’s cyber criminals.

3. Anti-Malware – Install Anti Malware (Anti-Virus) and keep it up to date. In concert with patching, anti-malware provides the best means of protecting against new types of attack.

4. Access – Restrict access to your valuable information to only those that need it.

5. Admin Rights – Remove ‘admin access’ from those that don’t need it. Microsoft has made good inroads with regards ‘built in security’ with their latest operating systems, so consider upgrading.

6. Firewall – Work behind a firewall that is switched on! Even the inbuilt windows firewall is better than doing nothing.

7. Encryption – In the ever more mobile workplace encrypting the devices that hold your valuable data becomes essential. Regardless of what the data is stored on (laptop, smartphone, tablet, usb drive or even a humble CD)  it’s the data that needs to be protected so if you can’t encrypt the device you really need to consider whether the risk of having the latest (cool) device is worth the risk of losing that valuable data.

Don’t forget, once you have your systems protected test them to make sure the controls have been implemented properly and make sure nothing has been forgotten (Dave, J., 2013)

REFERENCES:

Dave J., 2013.  Information Security for SME’s- Cyber threats, Information Security Incidents and Security Controls  Retrieved from < http://www.ascentor.co.uk/tag/information-security-for-smes/> [Accessed] February 24, 2014.

Paddy k., 2012. Protect Your Systems from Cyber Threat with 7 Basic Security Controls. Retrieved from< http://www.ascentor.co.uk/2012/02/protect-your-systems-from-cyber-threat-with-basic-security-controls/ >.[Accessed] February 24, 2014.


APPROPRIATE INFORMATION SECURITY FOR SMEs

SMEs have so far lacked interest in information security management and have been unable to do anything about it, owing to a lack of motivation and to Information Communications Technology (ICT) not being operation-critical for their existence and competitiveness. This is rapidly changing. Given the importance of SMEs to the UK economy and their increasing reliance on information technology, it is vital for the UK business world to enable SMEs to do the information security they need as efficiently and effectively as possible.

 

There is increasing pressure building from legislation (for example Data Protection in the UK/EU) and industry Regulations (for example Payment Card Industry – Data Security Standard abbreviated as PCI-DSS) to affect Small and Medium Enterprises (SME’s) that previously only really concerned larger enterprises.
Recently, organizations like the Information Commissioners Office (ICO), the Information Security Awareness Forum (ISAF) and the Information System Security Association (ISSA) have started to turn more of their attention to the ISM deficit in SME’s.
The information security profession has “cut its teeth” on military and large enterprise infosec challenges. SME’s are the next “frontier”, and we need to identify what we can use and reuse profitably from the large enterprise infosec experience without reproducing too many of the mistakes made and identify what needs to be built from scratch due to the different SME perspective and changing environment.

 

To tackle this, research should be carried out on how we can leverage the lessons of ISO9001 and ISO27000 series of standards, CobIT and ITIL, and more recently the Information Security Management Maturity Model (ISM3) to develop something appropriate for the SME community in general.

 

 

REFERENCE:

Allan Wall (2014). Information Security for SMEs- Your Attention Required. Retrieved on February 24, 2014 from <http://www.itilnews.com/ITIL_Information_Security_for_SMEs_-_Your_Assistance_Required.html>