BN710712 CHRONIC CONDITIONS AND PERSON CENTRED CARE

Executive Summary

SMEs are the backbone of most economies, especially in developing countries. For instance, they create jobs, reduce regional economic development imbalances and inspire the next generation of entrepreneurs. Many SMEs integrate technology into their operations to lower the cost of production. However, SMEs face incessant IT security challenges that result from the integration and usage of IT infrastructure. Therefore, this paper discusses SME security issues and outlines the various security threats that SMEs face, such as insider attacks and poor configuration of devices. Additionally, this review focuses on how SMEs can tackle IT threats within the organization. It also focuses on the human aspects of security, since the success of an IT security policy depends on the competence and experience of the staff manning the system. The issues discussed in that section are system misconfiguration and social engineering, which are the main human errors that increase the security vulnerability of IT systems. The paper also examines how SMEs can tackle human factors in IT security management through efforts such as two-step authentication and adopting technology that notifies management in case of unauthorized data access. It then examines the possibility of outsourcing security expertise to external organizations to lower an SME's cost of operations. In that section, the paper focuses on the qualifications of a security provider, the factors to consider while selecting a security provider, and the advantages and drawbacks of outsourcing IT security services. Finally, this review provides a brief conclusion covering all the components discussed herein.

Importance of SMEs, unique issues that they face and strategies for improving SME security

Small and Medium Enterprises (SMEs) play a great role in the economic growth of emerging economies. In most OECD countries, SMEs contribute 70% of total employment, which is why most developing countries have shifted their focus towards empowering SMEs to reduce the unemployment rate. Besides, it is important to note that SMEs have a trickle-down effect, since they inspire the next generation of entrepreneurs to commit time and resources to producing a product or providing a service that solves problems facing the community (Wiesner et al. 2007, p.230). Ultimately, the efforts of these relentless entrepreneurial people pay off, and they can employ themselves and other members of the community.

Additionally, SMEs lay the foundation for big corporations, as evidenced by the fact that most big corporations started as SMEs. For instance, KFC started as a small business before it was extended to other parts of the world. Due to their small size, SMEs can integrate innovative business practices into their operations to gain a competitive advantage over big competitors. Besides, SMEs can come up with new ways of doing things, and since their organizational structure is not static, they can adapt to changes faster and hence grow at a faster rate than established corporations.

Besides, SMEs are a source of reliable income for many families, since the profits generated from the business are used to improve the standard of living of the families of the SME owner and the employees. As well, the disposable incomes of the owner and the employees increase, and therefore they can save and invest and hence generate wealth for themselves. This contributes to equitable economic growth in all regions of a country, hence reducing the economic growth imbalance between different regions (Wiesner et al. 2007, p.235). Also, SMEs contribute to the development and improvement of social amenities such as hospitals and schools, since the government and the business community cooperate to construct schools, hospitals, and other social amenities.

Challenges facing SMEs

Despite the potential of the SMEs to revolutionize the economy of a country, they face myriad structural and policy challenges that weigh down the efforts of the business people.

To start with, most SMEs cannot access formal credit unlike their counterparts the big corporations. This leaves them financially vulnerable since the owners have to depend on family members and friends. However, the finances from these sources are not sufficient to meet business needs, and therefore this adversely affects the owner’s ability to increase the stock and expand the venture (Beck and Demirguc 2006, p.2932).

Secondly, SMEs face critical challenges in managing information security. More specifically, SMEs often lack effective strategies to protect their information technology (IT) infrastructure due to a lack of experienced personnel, financial constraints, and limited resources. As well, most of them ignore IT security measures while adopting the latest technology, hence increasing their vulnerability to ill-meaning people (Dojkovski et al. 2006, p.34). Some of the security issues that SMEs face include:

Insider Attack

The people who work within the SMEs can illegally access computer systems and networks hence putting the security of the business’s information in jeopardy.

Poor configuration of devices, which leads to compromise

Due to a lack of experienced personnel and insufficient funds, some SMEs often install switches, routers and other networking devices without consulting a security expert with a comprehensive understanding of the inherent risks in this practice. This could eventually lead to data leakages if the devices are used to send data back and forth.

Malicious Email attack

Attackers might opt to send emails with links which lead to malicious websites. A click on these links can lead to the download of malicious content or even disclose confidential information such as passwords.

Cloud security risk

Most SMEs are adopting cloud computing because of its wide range of advantages, such as pay-as-you-use pricing, savings on hardware cost and flexibility. However, most of them are not aware that it increases the threat of data tampering and reduces confidentiality, since the cloud service provider can access the information at will.

Improving SME security

As a security consultant, I would advise Chester Corporation to implement various strategies to mitigate the security issues that it might face.

  1. Improving security education

Employee education is important to help reduce the risks which might occur due to human error. This education should go beyond policy statements to practical testing.

  2. Employing security experts

This would help since the experts have the requisite knowledge and experience of IT security issues. The experts would help in hardware installation, vulnerability testing, and information security assessment, among other services.

  3. Outsourcing security services to a cyber security company

Outsourcing is a great way to manage IT security, since the contracting company does not have to establish complex IT security infrastructure. Currently, there are many companies which specialize only in security matters, and they would be a great option for Chester Corporation since this would help to keep business expenses in check.

  4. Improving mobile device management

Bring Your Own Device (BYOD) has been a threat to many businesses where the devices are not scrutinized. Chester Corporation should invest in servers and software that manage workers' mobile devices in its franchise businesses.

Human aspects of information security

Information is important to the continued success of any business, and human beings play a vital role in ensuring its security. Therefore, any information security system that ignores the human aspect is doomed to fail, since its operationalization is practically impossible. Any security technology works according to how it was designed and made to operate. Therefore, it is the responsibility of the personnel manning the system to ensure that the technology works well and is equipped with all the resources and governance it requires to operate (Eloff et al. 2003, p.132).

It is also important to note that most information security incidents occur as a result of human interaction with the information security management system. According to Deloitte Touche Tohmatsu's global security survey of 2009, the human factor is the greatest cause of all security breaches (Ifinedo 2009). Thus, human actions largely determine information security and the risks to which the information is exposed. As an organization grows and the number of its employees increases, it is likely to face more security breaches. Hence an organization that is committed to maintaining IT security must develop its IT personnel so that they have the requisite skills and experience to handle IT security threats and issues.

Social engineering remains a major challenge to information security. Attackers psychologically manipulate users of a given system into performing certain actions that help them access the company's confidential data. In most cases, the attackers behind the social engineering act do not mean well and may use the information to the detriment of the organization (Luo et al. 2011, p.5). Phishing, which mainly involves sending emails in the name of a big company to induce the receiver to reveal confidential information or download malware, is also still rampant. Recently, Google confirmed that more than a million Gmail users were affected by a phishing campaign in which attackers were seeking to gain access to users' entire email history. However, people are becoming wise to these kinds of attacks and are less likely to fall into the attackers' trap through this devious trick.

Human error in the form of insider mistakes can lead to potential risks as well. Sometimes people opt to accept some security risks despite their full knowledge of the risks involved. For instance, when one fails to install antivirus software on his or her computer, or uses weak or default passwords, this puts the SME's information at risk in case of an attack. Some minor human mistakes, such as sharing usernames and passwords among employees, writing them on desks, or leaving computers unattended while logged in, can be costly since they increase the risk of insider attacks (Whitman 2003, pp. 91-95). Employees can transfer confidential business information to the SME's competitors for personal gain, such as financial rewards or an employment offer.

System misconfiguration by system administrators is another human error that can impact information security. All systems work according to their configuration, and if someone makes an error while configuring the system, it will work below or against expectations. Besides, sending confidential information to the wrong email addresses also puts the information at risk, and if it lands in the wrong hands, it could leave the organization vulnerable to threats.

How the above human security issues can be improved

The best way to avoid being a victim of phishing and social engineering attacks is to advise all employees to be cautious of emails and websites asking for confidential information and always to avoid visiting unsecured websites or using unsecured networks (Chantler and Broadhurst 2006, p.5). All Chester Corporation system users should also be encouraged to use two-factor authentication. This will ensure that even if attackers obtain their login details, they still cannot use them to log in to the system.

Eliminating all the current strategies that cause system users to make errors.

Adopting technology that will detect and prevent users from leaking information outside the corporation. Currently, there are many software products which can track user activities on a computer and even control access to information on the computer's storage devices.

Hacking the system ethically. This should go to the extent of simulating a social engineering attack to test how the users will react to it.

Security knowledge sharing. This will make every employee within Chester Corporation aware of the various security risks and how to avoid them.

Security issues of outsourcing security

Although Chester Corporation is looking to lower the cost of operation by outsourcing security services, it is important to note that outsourcing can be costly and risky if not properly done. As the organization seeks to outsource security services, there are many options from which it can choose. However, the choice of managed security service provider (MSSP) will depend on its security needs, which in turn depend on the kind of specialized tools and expertise necessary to protect confidential information. The MSSP chosen should be compatible with the organization's policies, processes, structure and culture (Samarasinghe et al. 2007, p.189).

To determine the right provider for its security needs, Chester Corporation should conduct a feasibility study to establish the potential companies available. The evaluation should be aimed at:

  1. Obtaining reviews from previous clients of the company.
  2. Determining the compatibility of the systems.
  3. Determining whether the company has previously dealt with a similar corporation.
  4. Getting information about the company’s terms and conditions of service.

After the study, Chester Corporation should arrive at one MSSP to work with. The organization might need to outsource its entire IT services to the MSSP, since it may be difficult to separate security services from the IT department (Lichtenstein et al. 2007, p.1565).

Managed security services that Chester will enjoy from the MSSP

  1. Vulnerability scanning and penetration testing

This will involve frequent testing of the system and ethical hacking from a third-party perspective to test the system's reaction to attacks and to identify major security loopholes in the system.

  2. DDoS protection

This is one of the main services provided by security companies. DDoS attacks are a major threat to business since multiple systems consume the bandwidth of another system. DDoS protection services offered by the MSSP will filter the traffic going to Chester's systems and block traffic identified as unauthorized.

  3. Firewalls and VPNs

The security company will manage these services on behalf of Chester, hence relieving its workers of the burden of managing them.

  4. Content filtering

The MSSP will provide this entirely from the cloud and redirect all users accessing blocked content from within Chester Corporation.

However, there are both positive and negative security issues which are likely to emerge as a result of outsourcing the security services.

Impacts of outsourcing ICT Security Services

Superior Technology and true professionals

When outsourcing, the organization is hiring a company whose main service is to secure data for other businesses and which has the best hardware and software for security. This, therefore, means that the organization will have superior technology and expertise handling and securing its data, which would otherwise be expensive to hire.

Improved expertise

Since the IT employees of Chester Corporation will work with the personnel of the security provider, they will gain new skills and experience in data security. This can later be developed into an organizational competence to help the firm gain a competitive edge in the industry.

Loss of confidentiality

Hiring the MSSP means that the organization will no longer maintain the confidentiality of its data, since a third party will have access to it.

Loss of data control

Chester will no longer have control of its data, since the MSSP will decide where the data will be saved and which security software will be used. It will, therefore, need to comply with the guidelines set by the security provider.

New Security Threats

The more data the MSSP has access to, the higher the chances of data leakage due to increased vulnerability. The personnel of the security company might leak Chester's operational secrets to competitors, to the detriment of the company.

Conclusion

This paper has discussed SME security issues that may derail a business from achieving its organizational goals. Key security threats discussed include insider attacks, malicious email attacks and cloud security risk. These are serious issues, and failure to manage them can lead to the loss of an SME's competitive edge. In light of this, this paper has focused on ways in which SMEs can manage IT security issues within the organization. Some of the strategies include outsourcing IT security services, improving employees' IT knowledge and employing IT security experts who have hands-on experience with security issues. Secondly, this paper has examined the human aspects of IT security, since a system will only be as effective as the people manning it. Key human aspects of managing IT security include system misconfiguration and social engineering. The ways of combating human errors in managing IT security have also been discussed herein. Some of the ways include promoting ethical hacking to establish security vulnerabilities and promoting sharing of information. Thirdly, this paper has focused on various aspects of IT security outsourcing. It has established the rationale behind IT security outsourcing and explained the factors an SME should consider while looking for an IT security provider. The paper has also examined the services that an SME can expect from an IT security company, such as vulnerability scanning and content filtering. Besides, the section on IT outsourcing has explored the benefits and disadvantages of outsourcing IT security services in an SME. In all, this paper has provided a detailed description of how SMEs can integrate IT security into their information systems to realize the optimal benefits of recent technologies.

References

Ifinedo, P., 2009. Information technology security management concerns in global financial services institutions: is national culture a differentiator? Information Management & Computer Security, 17(5), pp.372-387.

Wiesner, R., McDonald, J. and Banham, H.C., 2007. Australian small and medium sized enterprises (SMEs): A study of high performance management practices. Journal of Management & Organization, 13(3), pp.227-248.

Eloff, J.H. and Eloff, M., 2003, September. Information security management: a new paradigm. In Proceedings of the 2003 annual research conference of the South African institute of computer scientists and information technologists on Enablement through technology (pp. 130-136). South African Institute for Computer Scientists and Information Technologists.

Chantler, A.N. and Broadhurst, R., 2006. Social engineering and crime prevention in cyberspace.

Luo, X., Brody, R., Seazzu, A. and Burd, S., 2011. Social engineering: The neglected human factor for information security management. Information Resources Management Journal (IRMJ), 24(3), pp.1-8.

Whitman, M.E., 2003. Enemy at the gate: threats to information security. Communications of the ACM, 46(8), pp.91-95.

Beck, T. and Demirguc-Kunt, A., 2006. Small and medium-size enterprises: Access to finance as a growth constraint. Journal of Banking & Finance, 30(11), pp.2931-2943.

Samarasinghe, K., Warren, M. and Pye, G., 2007, January. A conceptual model for security outsourcing. In Proceedings of the 5th Australian Information Security Management Conference (pp. 187-194). Edith Cowan University.

Dojkovski, S., Lichtenstein, S. and Warren, M.J., 2007, January. Fostering Information Security Culture in Small and Medium Size Enterprises: An Interpretive Study in Australia. In ECIS (pp. 1560-1571).