ICT380 Assignment 1

This document summarises the need for information security management in small and medium enterprises (SMEs). It finds that SMEs face cybersecurity risks but often do not implement proper information security frameworks because of limited resources, and specifically that negligent employees are the leading cause of security breaches in SMEs. It also notes that SMEs often outsource security and, unlike larger organisations, do not prioritise disaster recovery planning. The document argues that SMEs should implement information security standards to better protect their data and reduce risk.


2020
Murdoch University
Sandeep

[ICT380 ASSIGNMENT 1]
This document is a research essay on the requirement for Information Security Management in SMEs.
Contents
Introduction ... 2
What is Information Security Management? ... 2
What is a Small and Medium Size Enterprise? ... 2
Need for ISM in SMEs ... 3
Challenges faced by SMEs vs. large organisations ... 4
Implementation of Information Security Frameworks ... 5
Disaster Recovery Planning in Information Security Management ... 6
Regulatory Compliance in Information Security Management ... 8
Smartphone Security Management ... 9
Conclusion ... 11
References ... 11

Page 1 of 13
Introduction
In this document we discuss the importance of Information Security Management (ISM) in an
organisation and look at its impact on Small and Medium Size Enterprises (SMEs). Today
information is seen as one of the most valuable assets of an organisation, and as the value of
something increases, so does the risk of it being stolen. In almost every industry, major business
decisions are based on the information a company has accumulated, and information technology
plays a vital role in that process. Theft of information from a corporation or an individual is
treated as a serious crime in most countries. In this research essay we analyse, using data
gathered from various sources, the need for a proper ISM programme in any SME to protect the
organisation's interests and keep potential offenders from exploiting its data.

What is Information Security Management?


In layman's terms, Information Security is the set of processes an organisation applies to
protect and preserve the confidentiality, integrity and availability of its data assets.
ISO/IEC 17799:2005 (ISO, 2005) defines guidelines and principles for implementing information
security and discusses best practices for the different domains of ISM, such as access control,
security policy, employee compliance and asset management. ISM may include the following
processes:

- Performing risk analysis and determining the vulnerabilities of the system; this process is
commonly termed Risk Management.
- Maintaining total quality management, meaning that restrictions, standards and compliance
guidelines apply not only to production servers but throughout the organisation.
- A defined structure for monitoring and reporting any unusual activity related to data assets.
- Separate standards for the people, processes and technology in use.
- Compliance evaluation of the whole organisation, which is a major part of the process, since
the data suggest that the majority of information security incidents originate from
non-compliance with the set standards.

(Al-Dhahri & Al-Sarti & Abdaziz, 2017)

What is a Small and Medium Size Enterprise?


An SME is an organisation that employs no more than 250 people. So what is special about SMEs,
and why do we need to discuss ISM in SMEs? The reason is that SMEs, unlike large organisations,
thrive on innovation and use every piece of technology at their disposal to make the most of
their resources. In an SME the CEO is usually the founder, owner and manager of the organisation
and carefully divides his time and effort across its different activities. Technology has
revolutionised the way these SMEs work and create productivity, so it is very important to
protect their information assets.

(Al-Herwi, 2019)

Need for ISM in SMEs


The Cybersecurity Ventures prediction sponsored by Herjavec Group (Herjavec, 2019) puts the loss
due to cybercrime at $6 trillion in 2021, and Symantec reports a 600% increase in cyber-attack
cases (Symantec, 2019). The biggest losers from past attacks have been large companies such as
Yahoo, AOL, Uber and Facebook (Powell, 2019), but the report presented by Verizon in 2018 found
that 58% of all attacks (Verizon, 2018) targeted small businesses, an increase of 425% in 2018
as reported by the 4iQ Identity Breach Report (4iQ, 2018). The reason, according to a 2018 report
from Ponemon Institute LLC, is that only 28% of surveyed SMEs can be considered truly prepared
for a cyber-attack; the rest either have no funds allocated to cyber security or consider
themselves too small to be of interest to a cyber-criminal (Ponemon, 2018). Here they may be
wrong, because data published by the Denver Post suggests that 60% of SMEs shut down within six
months of a major information security incident (Miller, 2016). Below is the data presented by
Ponemon Institute on the reasons for security breaches in SMEs in 2018, compared with the data
from 2017.

[Chart: reasons for security breaches in SMEs, 2017 vs 2018 (Ponemon Institute). Categories:
negligent employees, third party mistakes, hacker, system error, malicious insider, unknown
reason, other. The tallest bars are negligent employees, at 54% and 60%.]

As the chart shows, the highest volume of breaches is caused by employees or contractors
neglecting the organisation's security guidelines. Non-compliance with the set industry-standard
information security guidelines causes most of the losses from information security incidents.
Some causes, such as system error, unknown reasons and other reasons, have declined thanks to
improvements in technology and software, but the main concern remains the risk created by
insiders such as employees and contractors. These causes can be eliminated by implementing
proper Information Security Management. Without proper ISM it takes an average of 146 days to
detect the presence of an intruder in a system, as reported by Microsoft in its Advanced Threat
Analytics report (Microsoft, 2016).

Challenges faced by SMEs vs. large organisations


The growth of technology has enabled SMEs to embrace new options to boost their productivity,
such as the current move to the cloud, where an SME depends entirely on third-party suppliers to
provide the platform that collects, stores and protects its information, whereas large
organisations choose to store information on their own sites for better security and control.
A report from Continuum (Moraes, 2019) states that about 80% of SMEs expect to outsource their
Information Security Management to other companies.

Only about 13% of cyber security market revenue comes from SMEs, which means that the majority
of large organisations have the mindset to invest in cyber security, whereas SMEs focus more on
providing services to customers than on information security. A report from Juniper Research
(Smith, 2018) suggests that SMEs invest as little as $500 per year on cyber security.

SMEs often never consider disaster recovery an important attribute of an organisation, whereas
every large organisation spends a lot of money on building alternative locations and
implementing business continuity plans. Large organisations showcase these as additional
strengths while pitching business ideas to their clients. A report from Nationwide (Nationwide,
2017) found that 68% of SMEs do not care about having a disaster recovery plan.

A report from Duo (The 2018 Duo, 2018) states that about 62% of phishing in SMEs revolves around
a single user credential commonly shared within the organisation. Large organisations, by
contrast, put a lot of emphasis on password management and security: they run periodic training
on protecting user credentials and campaign against sharing credentials.

Implementation of Information Security Frameworks


The most common standard in use today is ISO/IEC 27001, published by an international standards
organisation that provides guidelines and certification related to ISM. The second one I would
like to mention is HIPAA, very popular in the USA, which provides data privacy and security
provisions for protecting medical data, although its standards can be followed in any
organisation. Adopting any of the available frameworks comes with challenges for an SME, as
discussed below:

- As technology grows, SMEs are the first to adopt it and use it to generate profit, but new
technologies also bring new vulnerabilities, and most of the time SMEs do not have the money or
the experienced staff to implement security systems.
- The absence of a risk management system in SMEs sets them apart from large businesses. An
adequate Information Security Framework requires an efficient risk detection and mitigation
plan.
- Applying for and earning an Information Security certification is a time-consuming process
for any organisation, and since SMEs operate in a very dynamic fashion they are sometimes unable
to invest in, or wait months for, a certification before starting to operate.
- The lack of an IS framework specific to SMEs is a challenge, as all the available
international frameworks are generalised for all companies, while the operational procedures of
companies of different sizes differ.
- The lack of an IS policy is a typical challenge faced by SMEs, as many companies do not even
consider setting up an IS policy, which blurs the corporation's ability to detect potential
hazards.
- As Business.com pointed out in one of its articles, many SMEs turn to cloud-based solutions so
that they can outsource data security to bigger companies providing cloud services, but cloud
services are not completely free of vulnerabilities.
- The lack of proper monitoring and reporting leads to delayed or no detection of unauthorised
access attempts. Verizon reports that about 68% of breaches are discovered months after the
security incident.
- The lack of a compliance training programme for employees and contractors leads to about 60%
of breaches, as presented by Ponemon Institute.

(Marvi, 2018) (Alqatawna, 2014)

Disaster Recovery Planning in Information Security Management


The objective of a DRP is to minimise the effect of any security incident on the IT systems and
to resume and continue business operations as before. It provides a plan for recovering any
affected IT system and defines the structure of resources that can be employed for the business
continuity plan. There are three main strategies in disaster recovery planning:

- Keeping a backup of the data somewhere so that, in case of a disaster, the data can be
restored to its last known correct state.
- If a location and its whole network have been compromised, the whole network should be shut
down until the threat has been eliminated, and business continues from another location, known
as the backup location.
- If systems have been infected by malicious software, wiping the data completely may not be
enough; the whole system may have to be replaced to resume business. In the infamous breach at
Saudi Aramco by the virus named Shamoon, for example, the company had to shut down the whole
facility and every hard drive was replaced with a new one (Symantec, 2012).

Implementing this type of planning comes with its own set of problems and challenges, and SMEs
have difficulty maintaining a Business Continuity Plan. Below are some of the challenges SMEs
face in planning for disaster recovery in information security:

- Top Management Support: SMEs are managed by a small group of people compared with large
organisations, so it is essential to convince top management that a disaster recovery plan for
information security is required. Management often assumes that the organisation will not be
attacked by any cybercriminal and that there is no risk to the company from such elements.
Profitability is the top priority for such organisations, and customer deliverables matter much
more to them. In such conditions it is very difficult for anyone to take the DRP seriously, and
an article published by Nationwide notes that 68% of SMEs have not thought about planning for
information security. In SMEs all decisions are taken by top management, who first have to
realise that a DRP is also a very important factor in business management and that pre-planning
is necessary.
- Staff Issues: SMEs lack proper staff who can take responsibility for applying and testing the
disaster recovery plan alongside their regular duties. In every SME regular business duties are
given higher priority, and there is no expertise or responsible person assigned to disaster
recovery planning. Specially trained expert staff are required for risk estimation and risk
mitigation planning, but this is very rare in SMEs. According to a report from the Better
Business Bureau, 55% of SMEs consider resource allocation to information security a challenge
in their organisation. Disaster recovery planning is considered time-consuming, and no effort is
spent on it.
- DRP Maintenance: A DRP not only has to be applied but also has to be maintained. The IT
infrastructure and business functions change constantly, which requires regular monitoring and
review of the systems and therefore extra effort. Continuous inspection of the systems and
detection of possible breaches is a very important part of disaster recovery planning.
- Alternative Site: An alternative site should be available in the case of an information
security disaster; having two sites enhances the availability of the IT infrastructure when
disaster strikes. If a site or network is left unusable by a cyber-attack, an alternative site
should be available to continue business activities so that no deliverable is affected. A
research paper from UMEA University, based on a study and survey among employees of several
SMEs, found that the absence of any backup or alternative site for recovering from a disaster is
very common. Backups of the data must also be taken from time to time so that, if a breach
happens and the original data is wiped out, it can be recovered from the backups.
- Cost Issue: All this planning, effort, resources, backups and alternate sites cost money, and
SMEs operate at lower cost valuations. In the study published by Juniper Research, SMEs
represent only 13% of the total money invested in the cyber security industry. This cost issue
is a really big challenge for an SME wanting to put proper disaster recovery planning in place
for information security management.

(Buecker & Amado & Druker & Lorenz & Muehlenbrock & Tan, 2010, Pages 3-14)

(Ghannam, 2017)

Regulatory Compliance in Information Security Management


Compliance in Information Security Management means that the organisation follows all the set
regulations, policies, procedures and rules for operating its IT systems. A set of audits by a
designated body provides proof that the set standards for the IT infrastructure are being
maintained in the company. Three kinds of party can perform audits and produce a report on the
organisation's compliance:

- Internal Audit: A group of employees has the responsibility to check the compliance status of
the company and produce reports for higher management. This gives the organisation confidence
that its data assets are safe and secure.
- Supplier Audit: This is done by the customer's side and gives the customer assurance that
their information assets are safe with the company and that its business procedures can be
trusted to be safe from potential attackers.
- Third Party Audit: This can be done by a third party such as the International Organization
for Standardization, which provides a certification signifying that the organisation complies
with the international standards of information security.

A compliance system trains associates to identify potential breaches or attacks on the system,
and they gain knowledge of information security. This reduces the percentage of breaches that
happen through employee negligence. Several factors affect Information Security Compliance
Management:

- Checking the IT infrastructure and the organisation's current compliance status at a
particular point in time. Monitoring of the system is required over a longer period so that no
new breaches happen.
- The frequency of the checks also matters. It sets the audit frequency for the system
configuration and the frequency with which any threat is neutralised.
- The scope of the compliance system sets the perimeter of the configuration and resources to
be audited.
- In-depth reports are generated for different levels of management and for external parties
such as clients and potential customers.
- Automation can speed up compliance testing, but not every control can be checked by automated
software; some level of human effort will always be there.
- The mindset to implement IS compliance management seriously in an organisation; this is a
very important factor.

(Mattord & Whitman, 2007)

The definition of IT security compliance is set out very well and the rules and standards are
well defined, but SMEs still face challenges in implementing a compliance system in their
organisations:

- Maintaining a compliance system is difficult because the systems are constantly updated, new
patches are applied and required configuration changes are implemented. To keep up with these
changes the compliance system must also be consistently updated.
- Very few SMEs can claim to have a homogeneous environment in their facility; in most cases a
very diverse and heterogeneous environment has been implemented without any plan to run the
same versions of software and operating system on all systems. This variety of systems is a
nightmare for compliance management.
- Changes made to the system after the IT compliance management system has been installed.
These may be last-minute changes to keep the system running or configuration changes made by a
hacker to cover his tracks.
- Cost is always the biggest factor for SMEs; they are trained to do more with less, but in
compliance management quality is much more important and the method cannot be compromised, so
money and effort must go into the IT compliance management system.
- The use of cheap cloud-based architecture is becoming common for SMEs, but compliance
management is difficult to implement there. For starters, the cloud-based system is provided by
another company, and the SME has to trust the compliance report provided by the cloud company.

(Mmasi & Christine, 2012)

Smartphone Security Management


Business mobility capabilities are becoming more and more common in SMEs. They want their
employees to take advantage of the rapid improvement in mobile technology and be connected and
available to their clients or customers at all times. A prompt response from an SME employee to
a client builds trust and better customer service, which can result in more revenue for the
company. Bigger organisations were able to buy a large batch of smartphones, implement security
provisions on those devices and only then distribute them to employees. For SMEs another
approach, known as BYOD (Bring Your Own Device), was much more profitable: employees bring their
own devices to work and do official work on them. This cuts the cost of implementing a security
policy and compliance system while still achieving the benefits of the mobility solution. The
approach chosen by SMEs is therefore cheaper but a high-risk system for business mobility, and
it is very difficult to manage with compliance systems. There are many benefits of implementing
business mobility solutions in SMEs:

- SMEs are not tied to inflexible legacy systems, which makes them very flexible in
implementing new technologies. SMEs were the first to adopt new mobility solutions in their
business to compete with other companies and provide the best support to their customers.
- An SME organisation is always small, which makes it very easy to implement any new
technology.
- Implementing a solution in an SME is very simple due to the small size of the organisation;
employees have a better bond with each other and there is less bureaucracy in adopting a new
technology.
- SMEs have dynamic workplaces that require dynamic communication devices to respond to any
customer query at any time; this is how they keep up with the competition.

Although the new technologies are useful to organisations, adopting a business mobility
solution also has downsides:

- The smartphone market is growing, and so is the number of third-party apps available in the
app stores of the popular smartphones: as reported by Businessofapps, Google Play has 3.3
million apps in its store and Apple's App Store has 2.2 million apps (Dogtiev, 2019). With the
increase in third-party apps there is a huge increase in malware within the apps. Kaspersky
reported in 2013 that almost 99% of mobile malware is written for Android devices. This malware
can steal data, intercept transactions or leak confidential information.
- There are alternative platforms that promise to provide cheaper and better applications to
users but are almost always infused with some kind of malware or backdoor, giving intruders
unauthorised access to the smartphone and potentially causing havoc for the organisation.
Apple's platform is stricter than Android's.
- Platform restrictions are removed by jailbreaking or rooting. Although the fascination with
jailbreaking a device is fading day by day, the problem still exists. It allows users to use the
device in any way they want with no platform restriction applying, but it also means the
security features provided by the platform provider are lost.
- Connecting to a Wi-Fi network or VPN is a concern for any smartphone: if a mobile device is
connected to an unsecured or public Wi-Fi network, a cybercriminal may connect to the same
network and take control of the smartphone, which may lead to a serious security breach. In 2010
Elcomsoft's Wireless Security Auditor was able to try 10,300 WPA2 passwords per second. Public
VPNs are also not safe, as they are managed by third-party organisations.

(Harris & Patten, 2014)

Conclusion
SMEs are the backbone of any country, whether in Europe, Asia, Africa or America. SMEs play a
vital role in a country's economy and produce more jobs than large organisations. In order to
thrive, survive and compete with the competition, these SMEs use every possible trick at their
disposal to produce better products and provide better service to their customers. But in this
race to serve clients better they sometimes overlook the serious concern of Information Security
Management, which is essential for protecting the interests of the company and its clients. As
research from Ponemon Institute points out, 60% of SMEs shut down within 6 months of a serious
security breach. So it is very necessary for an SME to devote some finance and resources to
Information Security Management to safeguard the interests of the company and the customers it
serves.

This clearly suggests that large organisations are putting effort into their information
security and taking it very seriously. Information security is a plus point and a unique selling
point for large organisations, but SMEs need to change their point of view on cyber security and
focus on protecting the data belonging to their clients and to their organisation. Clients are
also becoming more and more educated about security, and to win good business SMEs will have to
change their strategy and invest more in building expertise in this area.

References
[1] ISO/IEC 17799:2005, 2005, Information technology — Security techniques — Code of practice for information security management, ISO.
[2] Al-Herwi, S, 2019, What are SMEs?
[3] Al-Dhahri, S & Al-Sarti, M & Abdaziz, A, 2017, Information Security Management System, International Journal of Computer Applications.
[4] Herjavec Group, 2020, The 2020 Official Annual Cybercrime Report, Herjavec Group.
[5] Symantec, 2019, 2019 Internet Security Threat Report, Symantec-Broadcom Inc.
[6] Powell, M, 2019, 11 Eye Opening Cyber Security Statistics for 2019, CPO Magazine.
[7] Verizon, 2018, 2019 Data Breach Investigations Report, Verizon USA.
[8] 4iQ, 2018, Identity Breach Report, 4iQ, Los Altos, CA 94022 USA.
[9] Ponemon Institute LLC, 2018, 2018 State of Cybersecurity in Small & Medium Size Businesses, Keeper Security Inc.
[10] Miller, G, 2016, 60% of small companies that suffer a cyber attack are out of business within six months, Denver Post.
[11] Microsoft, 2016, Microsoft Advanced Threat Analytics, Microsoft, USA.
[12] Moraes, M, 2019, It's National Small Business Week: Here are 19 SMB Security Statistics You Need to Know, Continuum.
[13] Smith, S, 2018, Cybersecurity Breaches To Result In Over 146 Billion Records Being Stolen By 2023, Juniper Research, Hampshire, UK.
[14] Nationwide, 2017, 2 in 3 Small Businesses Lack a Written Disaster Recovery Plan, Nationwide, Columbus, OH.
[15] Duo, 2018, Trusted Access Report, The 2018 Duo.
[16] Marvi, M, 2018, SMEs and Cybersecurity Challenges: A Wakeup Call, Business.com, Waltham, MA 02451.
[17] Alqatawna, J, 2014, The Challenge of Implementing Information Security Standards in Small and Medium e-Business Enterprises, Journal of Software Engineering and Applications.
[18] Buecker, A & Amado, J & Druker, D & Lorenz, C & Muehlenbrock, F & Tan, R, 2010, IT Security Compliance Management Design Guide with IBM Tivoli Security Information and Event Manager, 2nd edition, International Business Machines Corporation.
[19] Ghannam, M, Z, 2017, Challenges and Opportunities of Having an IT Disaster Recovery Plan, UMEA University.
[20] Symantec, 2012, The Shamoon Attacks, Symantec-Broadcom Inc.
[21] Mattord, H & Whitman, M, 2007, Regulatory Compliance in Information Technology and Information Security.
[22] Mmasi, S, M, & Christine, M, 2012, Compliance of Small and Medium Enterprises with Government Regulations: A Case Study of Metal Works SMEs in Arusha, Tanzania, International Journal of Scientific & Engineering Research.
[23] Harris, M & Patten, K, 2014, Mobile device security considerations for small- and medium-sized enterprise business mobility, Information Management & Computer Security.
[24] Dogtiev, A, 2019, App Stores List, Businessofapps.com.
[25] Kaspersky, 2013, Find and Call: Leak and Spam, Kaspersky, USA.
