Introduction
With Small to Medium Enterprises (SMEs) under increasing pressure to adopt and integrate technology-based solutions, maintaining secure operations is becoming ever more complex. SMEs now depend on digital platforms to streamline operations, serve customers, collect feedback and, ultimately, grow the business. This digital transformation brings a wide range of benefits, but it also increases exposure to cyber threats and vulnerabilities, and many SMEs have not turned to information security (IS) management to match that growing dependency [1]. Because these businesses hold confidential customer, client and operational data, it is essential that SMEs prioritise IS management to reduce the risks associated with cybercrime.
An SME is defined by the number of people it employs. This case study adopts the Australian Cyber Security Centre (ACSC) definition of an SME as a business with 1 to 199 employees [2]. Despite their size, SMEs play a key role in economic development, making up 98% of businesses in Australia [3] and 90% globally [4]. Small businesses have been reluctant to implement cyber security measures, and security is often an afterthought. Most business owners do not fully understand the risks associated with an attack [5], and many do not believe they would be targeted at all, assuming that cybercrime is a problem only for larger organisations.
Many SMEs lack the financial reserves to recover from a disaster: [6] reports that over half of those that experience an attack go out of business within six months. With many businesses still recovering financially from the COVID-19 pandemic [7], cybercrime poses a serious threat to the longevity of SMEs and to the economy worldwide. The pandemic has also shifted the workplace paradigm towards remote and home-based work [8], which expands the attack surface an SME must defend.
This case study provides an overview of IS management, argues for its implementation in SMEs, outlines strategies for implementing Security Education, Training and Awareness (SETA) programs, and discusses the issues associated with governance of IS management in SMEs.
Overview of Information Security Management
Information security is defined as “a set of security procedures and tools that broadly protect sensitive enterprise information from misuse, unauthorized access, disruption, or destruction” [9]. It provides a framework for effective IS management by upholding the three pillars of the CIA triad, confidentiality, integrity and availability, for a business’s information and digital assets.
Until recently, information security was narrowly focused on upholding the CIA triad within the technological aspects of a business. IS management has since broadened into an all-encompassing discipline covering physical, digital, application and environmental security, access control procedures, incident response, disaster recovery, cybersecurity and vulnerability management [9].
Risks Associated with Poor Information Security Management
Almost half of SMEs (48%) allocate less than $500 annually to cybersecurity [2], both because owners do not prioritise IS and because resource constraints limit their ability to implement IS management successfully. SMEs have reported that they consider the risk of cybercrime low compared with larger organisations [10], on the assumption that size and turnover are the driving factors behind attacks [11]. This assumption produces a distorted view of how secure their businesses actually are.
Research has shown that SMEs face the same risks as larger organisations but lack the resources and departmental support to address them effectively [5]. Criminals increasingly target SMEs rather than larger organisations because the lack of security initiatives makes them easier targets; Accenture’s Cost of Cybercrime Study reports that 43% of all cyberattacks are aimed at small businesses [12]. SMEs are also often digitally interconnected with larger organisations and are used as a backdoor through which attackers pivot to a more lucrative target [10]. Unlike larger organisations with sufficient budgets, dedicated departments and skilled staff to monitor a network, SMEs cannot afford the constant monitoring needed to detect subtler attacks, such as malware quietly exfiltrating data [6]. Whether an SME outsources information security depends on its annual turnover [2], and a lack of resources remains the biggest roadblock to implementation [13].
In Australia, 42% of small businesses believed that limiting their online presence protected them from the risks of cybercrime [6]. This practice is not only unsustainable, since it limits the growth potential of a business, but also untrue: any business that uses email in its operations is exposed to phishing, social engineering and malware attacks [14].
Between the 2021-22 and 2022-23 financial years, the average cost of cybercrime rose by 14% and the number of cybercrime reports rose by 23% [19]. SMEs face growing threats from external actors, and owners who do not prioritise IS management leave their businesses exposed to them.
Justification for Implementation of IS in SMEs
Research has shown that small businesses struggle to recover financially from a disaster because the impact of cybercrime is disproportionate to their size [6]. The ACSC reported that the average cost per cybercrime report in FY21-22 was $49,000 for small businesses and $88,000 for medium businesses [12], an increase of 14% from FY20-21. With 62% of Australian SMEs having experienced some form of cyber incident [2], sound implementation of IS management is critical to the longevity and success of a business.
Wilson et al. argue that cyber criminals are largely indiscriminate in whom they target [11]. Contrary to business owners’ beliefs [5], the likelihood of experiencing cybercrime is therefore substantial, with the ACSC Small Business Survey reporting that 62% of small businesses had been affected by a breach at some point [6]. Implementing IS management in SMEs protects confidential data from unauthorised access and theft [16], mitigating the consequences of a data breach: financial loss, reputational damage, and the unauthorised disclosure of market secrets and intellectual property.
From an ethical standpoint, SMEs are responsible for maintaining the privacy of their clients’ data [1], especially where they store contact, identity or financial information [19]. Implementing IS management has been shown to improve customer retention, as customers read it as a commitment to corporate social responsibility [17]. Perera et al. explain that customers hold the security of their data in high regard, and that security breaches are the single most significant factor affecting an organisation’s reputation in its market [18].
Because cyber criminals target SMEs that are connected to larger organisations, those larger organisations now assess the IS initiatives of the SMEs they work with before engaging them [17]. Consequently, sound IS management gives an SME a competitive advantage over businesses that neglect their security [18].
Information Security Challenges faced by SMEs
The human element is the most concerning for IS management. Researchers at Stanford, in partnership with a leading cybersecurity firm, found that approximately 88% of IS breaches are caused by human error [20]. Attackers capitalise on careless digital behaviour, targeting people rather than computer systems as their way into a business [27].
The Australian government identifies scam messages, email attacks and malware as the biggest threats to SMEs [25]. Together with social engineering, these threats operate at the human layer of an organisation [27]. Training has been shown to mitigate the risks linked to human behaviour; however, with one in five SMEs not knowing the term ‘phishing’ [2] and Wilson et al. reporting that 45% of SMEs had never implemented any form of cyber security training [11], many SMEs have no Security Education, Training and Awareness (SETA) policy to bolster their cyber resilience.
Security Education Training and Awareness (SETA)
The National Institute of Standards and Technology (NIST) describes the awareness component of SETA as “awareness programs which set the stage for training by changing organisational attitudes to realise the importance of security and the adverse consequences of its failure” [20]. The primary functions of a successful SETA program are increasing employees’ knowledge of IS threats, clarifying the countermeasures already in place, identifying policy violations within the business, and improving awareness of the roles and responsibilities involved in protecting information assets [21].
The major constraints SMEs face when considering a SETA program are a limited understanding of cybersecurity and its practices, and a limited appreciation of human factors such as training and compliance [11]. A survey by Alyami et al. found that the most important critical success factors for SETA programs are raising employee awareness and knowledge so as to build maturity and resilience; evaluating employees’ digital awareness at a frequency that the business’s budget and structure can sustain; and securing top-management support so that leaders actively encourage employees to comply with IS policy [21].
Research shows that SMEs struggle to find a SETA program aligned with their goals and objectives [13]. One reason is that most available programs are designed for larger organisations and take a one-size-fits-all approach, yet avoiding exactly such an approach is itself a recognised success factor for SETA [21]. Programs built for large enterprises assume a broader scope and attack surface and are correspondingly more complex to implement. There appears to be little research into frameworks built specifically for SMEs [22], so business owners are left to draw on several frameworks and select what best suits their organisation’s goals and objectives.
SETA programs in SMEs have been known to fail in the long term because the content is unengaging, does not account for individual learning styles, or is not tailored to the audience’s job roles [22], and because user feedback is rarely taken into account by those delivering it. Simple educational activities that promote cyber awareness within an SME have been identified as the first step towards mitigating threats to a business’s data and operations [8]. Such activities have been shown to be retained by participants and to produce lasting changes in behaviour [22]. This suggests that a simple activity can be highly effective at managing IS within a business, at a much lower cost than the more advanced solutions larger organisations implement with their extensive resources.
Governance issues of IS Management in SMEs
The most established information security governance (ISG) frameworks currently available, much like the corresponding SETA initiatives, are universal one-size-fits-all approaches designed predominantly for larger, resource-rich organisations [23] and require dedicated teams to implement successfully. Given the inherent complexity of these frameworks and the resource constraints that inhibit successful ISG implementation in SMEs [24], business owners are often unsure where to begin governing IS.
Governance gaps are visible in Australian SMEs: one in four still runs an unsupported operating system, Windows 7 or earlier [2], and research shows that SMEs adopt technologies to improve customer satisfaction without considering the risks those technologies introduce [5]. Larger organisations scrutinise any new technology through ISG policies and procedures before bringing it into the business. Many SMEs lack the top-management support and technical knowledge of larger organisations, which have dedicated teams responsible for implementing governance controls such as cloud-based backups [26], a control that limits the extent of a cybersecurity incident provided the backups are kept separate from the production network and restores are tested regularly.
Although there is no single best framework for an SME, given the unique structure of SME environments [23], an SME can develop, implement and embed a strategy by following a guideline more generically suited to its business structure. Benz and Chatterjee developed a scalable cyber evaluation tool (CET) based on NIST’s Cybersecurity Framework (CSF), narrowing the framework to the 35 of its 96 controls most relevant to SMEs and so reducing the complexity of implementing ISG [5]. The CET produces recommendations for improving a business’s cyber resilience, organised around the CSF functions Identify, Protect, Detect, Respond and Recover, with a value rating for the importance of each recommendation. (CSF 2.0, released in 2024, adds a sixth function, Govern, which sits naturally alongside the governance issues discussed here.)
To govern IS management successfully in an SME, the Australian Institute of Company Directors (AICD) suggests setting clear roles and responsibilities within the organisation. This can be achieved by documenting who is responsible for cybersecurity and appointing cyber champions within departments to promote cyber resilience [15]. Most importantly, an SME needs to plan for a significant IS incident and have safeguards in place, such as regular data backups, to limit the downtime that cyber incidents cause.
Recommendations for further research
Since a lack of resources is the biggest roadblock to implementing and governing IS management frameworks, research should examine whether government grants could close the gap that SMEs face. Research should also be directed at cost-efficient implementations of SETA and ISG programs specifically tailored to SMEs [13] that are scalable and adaptable to a business’s values, goals and objectives.
Conclusion
As SMEs become increasingly dependent on digital solutions, sound IS management is critical to the longevity of a business. Cybercrime is on the rise, and SMEs need to exercise due diligence to protect themselves, their reputation, their clients and their business partnerships from the associated risks, particularly those arising from the human element within an organisation.
The main hurdle SMEs face is a lack of resources to implement IS management procedures adequately. Frameworks for SETA and IS governance are also generally one-size-fits-all solutions targeted at larger organisations, which leaves ambiguity when policies are applied to an SME. Although not a perfect fit, NIST’s CSF gives SMEs an avenue for assessing their cyber posture, and researchers emphasise narrowing the framework to tailor it towards SMEs. This case study has surveyed the current landscape of IS management and governance in SMEs, highlighting the risks of poor IS management, the justification for implementing adequate IS management, and the challenges SMEs face in implementation and governance.
Further research should be directed at creating scalable and adaptable policies and procedures that better suit the needs of SMEs. As SMEs make up 90% of the global business landscape, governments should consider grant programs to offset the financial limitations faced by business owners.
Reference List
[1] M. S. Khan, S. Tanwar and A. Rana, “The Need for Information Security Management for SMEs,” in Proc. Int. Conf. on System Modeling & Advancement in Research Trends (SMART), Moradabad, India, Dec. 3-4, 2020. [Online]. Available: IEEE Xplore, https://ieeexplore.ieee.org/abstract/document/9337108 [Accessed: Apr. 18, 2024]
[2] Australian Cyber Security Centre, “Cyber Security and Australian Small Businesses,” Mar. 2023. [Online]. Available: https://www.cyber.gov.au/sites/default/files/2023-03/2023_ACSC_Cyber%20Security%20and%20Australian%20Small%20Businesses%20Survey%20Results_D1.pdf [Accessed: Apr. 18, 2024]
[3] Australian Banking Association, “Small Business,” Nov. 2022. [Online]. Available: https://www.ausbanking.org.au/small-business/ [Accessed: Apr. 18, 2024]
[4] S. Pawar and H. Palivela, “LCCI: A framework for least cybersecurity controls to be implemented for small and medium enterprises (SMEs),” International Journal of Information Management Data Insights, vol. 2, no. 1, Apr. 2022. [Online]. Available: ScienceDirect, https://www.sciencedirect.com/science/article/pii/S2667096822000234 [Accessed: Apr. 18, 2024]
[5] M. Benz and D. Chatterjee, “Calculated risk? A cybersecurity evaluation tool for SMEs,” Business Horizons, vol. 63, no. 4, pp. 531-540, Jul.-Aug. 2020. [Online]. Available: ScienceDirect, https://www.sciencedirect.com/science/article/pii/S0007681320300392 [Accessed: Apr. 18, 2024]
[6] T. Tam, A. Rao and J. Hall, “The good, the bad and the missing: A narrative review of cyber-security implications for Australian small businesses,” Computers & Security, vol. 109, Oct. 2021. [Online]. Available: ScienceDirect, https://www.sciencedirect.com/science/article/pii/S0167404821002091 [Accessed: Apr. 18, 2024]
[7] D. García-Pérez-de-Lema, A. Madrid-Guijarro and A. Duréndez, “Operating, financial and investment impacts of Covid-19 in SMEs: Public policy demands to sustainable recovery considering the economic sector moderating effect,” International Journal of Disaster Risk Reduction, vol. 75, Jun. 1, 2022. [Online]. Available: ScienceDirect, https://www.sciencedirect.com/science/article/pii/S2212420922001704 [Accessed: Apr. 18, 2024]
[8] M. Antunes, M. Maximiano, R. Gomes and D. Pinto, “Information Security and Cybersecurity Management: A Case Study with SMEs in Portugal,” Journal of Cybersecurity and Privacy, vol. 1, no. 2, pp. 219-238, Apr. 2021. [Online]. Available: MDPI, https://www.mdpi.com/2624-800X/1/2/12 [Accessed: Apr. 18, 2024]
[9] Microsoft, “What is information security (InfoSec)?,” Microsoft Security. [Online]. Available: https://www.microsoft.com/en-au/security/business/security-101/what-is-information-security-infosec [Accessed: Apr. 18, 2024]
[10] I. F. de Arroyabe and J. C. F. de Arroyabe, “The severity and effects of Cyber-breaches in SMEs: a machine learning approach,” Enterprise Information Systems, vol. 17, no. 3, Jun. 2021. [Online]. Available: Taylor & Francis Online, https://www.tandfonline.com/doi/full/10.1080/17517575.2021.1942997 [Accessed: Apr. 18, 2024]
[11] M. Wilson, S. McDonald, D. Button and K. McGarry, “It Won’t Happen to Me: Surveying SME Attitudes to Cyber-security,” Journal of Computer Information Systems, vol. 63, pp. 397-403, May 2022. [Online]. Available: Taylor & Francis Online, https://www.tandfonline.com/doi/full/10.1080/08874417.2022.2067791 [Accessed: Apr. 18, 2024]
[12] Export Finance Australia, “Australia—Small businesses vulnerable to rising cybercrime,” Mar. 2023. [Online]. Available: https://www.exportfinance.gov.au/resources/world-risk-developments/2023/march/australia-small-businesses-vulnerable-to-rising-cybercrime/ [Accessed: Apr. 18, 2024]
[13] O. Olabode, “The Relevance Of Cybersecurity Awareness Training For Employees In Small and Medium Enterprises (SMEs),” Faculty of Science and Technology, Bournemouth University, Dec. 2023. [Online]. Available: https://www.researchgate.net/publication/376538971_The_Relevance_Of_Cybersecurity_Awareness_Training_For_Employees_In_Small_and_Medium_Enterprises_SMEs [Accessed: Apr. 18, 2024]
[14] A. Chidukwani, S. Zander and P. Koutsakis, “A Survey on the Cyber Security of Small-to-Medium Businesses: Challenges, Research Focus and Recommendations,” IEEE Access, vol. 10, pp. 85701-85719, 2022. [Online]. Available: IEEE Xplore, https://ieeexplore.ieee.org/abstract/document/9853515 [Accessed: Apr. 18, 2024]
[15] Australian Institute of Company Directors, “Cyber Security Governance Principles,” Cyber Security Cooperative Research Centre, Oct. 2023. [Online]. Available: https://www.aicd.com.au/content/dam/aicd/pdf/tools-resources/director-tools/board/cyber-security-governance-principles-web3.pdf [Accessed: Apr. 18, 2024]
[16] Bamits, “The Importance of Cybersecurity of Small Businesses,” Jul. 21, 2023. [Online]. Available: https://bamits.com.au/the-importance-of-cybersecurity-of-small-businesses/ [Accessed: Apr. 18, 2024]
[17] G. Lloyd, “The business benefits of cyber security for SMEs,” Computer Fraud & Security, vol. 2020, no. 2, pp. 14-17, Feb. 2020. [Online]. Available: ScienceDirect, https://www.sciencedirect.com/science/article/pii/S1361372320300191 [Accessed: Apr. 18, 2024]
[18] S. Perera, X. Jin, A. Maurushat and D.-G. J. Opoku, “Factors Affecting Reputational Damage to Organisations Due to Cyberattacks,” Informatics, vol. 9, no. 1, Mar. 2022. [Online]. Available: MDPI, https://www.mdpi.com/2227-9709/9/1/28 [Accessed: Apr. 18, 2024]
[19] Australian Signals Directorate, “ASD Cyber Threat Report 2022-2023,” Australian Cyber Security Centre, Nov. 14, 2023. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/asd-cyber-threat-report-july-2022-june-2023 [Accessed: Apr. 18, 2024]
[20] Computer Security Resource Center, “Awareness, Training, and Education Controls,” National Institute of Standards and Technology. [Online]. Available: https://csrc.nist.gov/glossary/term/awareness_training_and_education_controls [Accessed: Apr. 18, 2024]
[21] A. Alyami, D. Sammon, K. Neville and C. Mahony, “Critical success factors for Security Education, Training and Awareness (SETA) programme effectiveness: an empirical comparison of practitioner perspectives,” Information and Computer Security, vol. 31, pp. 94-125, 2023. [Online]. Available: Emerald Insight, https://www.emerald.com/insight/content/doi/10.1108/ICS-08-2022-0133/full/html [Accessed: Apr. 18, 2024]
[22] M. Brehmer, A. E. Abbas and N. Vaidyanathan, “Towards Designing a Method to Create Sticky Information Security Training for SMEs: Identifying Design Factors,” in Proc. ECIS 2021: European Conference on Information Systems, 2021. [Online]. Available: https://www.semanticscholar.org/paper/The-critical-success-factors-for-Security-Training-Alyami-Sammon/8e1e1c6ba1f78facf52c1c293f9be69d4c1698b3 [Accessed: Apr. 18, 2024]
[23] A. Levstek, A. Pucihar and T. Hovelja, “Towards an Adaptive Strategic IT Governance Model for SMEs,” Journal of Theoretical and Applied Electronic Commerce Research, vol. 17, no. 1, 2022. [Online]. Available: MDPI, https://www.mdpi.com/0718-1876/17/1/12 [Accessed: Apr. 18, 2024]
[24] H. K. Skrodelis, J. Strebko and A. Romanovs, “The Information System Security Governance Tasks in Small and Medium Enterprises,” in Proc. 2020 61st Int. Scientific Conf. on Information Technology and Management Science of Riga Technical University (ITMS), Riga, Latvia, 2020. [Online]. Available: IEEE Xplore, https://ieeexplore.ieee.org/abstract/document/9259305 [Accessed: Apr. 18, 2024]
[25] Australian Signals Directorate, “Small Business Cyber Security Guide,” Australian Cyber Security Centre, Jun. 16, 2023. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/small-business-cyber-security/small-business-cyber-security-guide [Accessed: Apr. 18, 2024]
[26] A. Balobaid and D. Debnath, “An Effective Approach to Cloud Migration for Small and Medium Enterprises,” in Proc. 2020 IEEE Int. Conf. on Smart Cloud (SmartCloud), pp. 7-12, Nov. 2020. [Online]. Available: IEEE Xplore, https://ieeexplore.ieee.org/abstract/document/9265935 [Accessed: Apr. 18, 2024]
[27] N. Klimburg-Witjes and A. Wentland, “Hacking Humans? Social Engineering and the Construction of the ‘Deficient User’ in Cybersecurity Discourses,” Science, Technology, & Human Values, vol. 46, no. 6, pp. 1316-1339, Feb. 2021. [Online]. Available: SAGE Journals, https://journals.sagepub.com/doi/full/10.1177/0162243921992844 [Accessed: Apr. 18, 2024]