Security Risk Management in IT Small and Medium Enterprises

Data breaches, security incidents and the threat landscape have been widely researched and documented. Different defence measures and policies, their effects and their implications have also been researched extensively. However, most security research focuses on other sectors or on large companies. This research aims to map the prevalence of defence measures and policies, and their use, in small and medium enterprises (SMEs) in a single industry (the IT service industry). Data is elicited using a questionnaire. Results imply that SMEs indicating that their infrastructure is vital to the business did not log access to their website, while SMEs indicating that their websites are unimportant often did log access. Therefore, SMEs are often not able to tell whether they have been victimized. Furthermore, the use of the cloud for file exchange is increasing, as opposed to the use of thumb drives. This trend introduces new security risks and allows attackers to access this storage via stolen mobile devices. Furthermore, the rampant use of pirated software and the lack of enforcement of installation policies allow authentication details to be stolen rather easily. Those stolen details are a precursor for more targeted privilege escalation. SMEs reported theft of mobile devices, yet they did not have any policy or recovery plan concerning this matter. Most operating systems do offer remote wipe functionality to prevent escalation of this kind of attack. This can be a cost-effective solution and is presumably easy to implement.
