Contrary to popular belief, information security in small and medium-sized enterprises (SMEs) is often harder to get right than in large organizations. For one, information security management practices have historically been formulated for bigger enterprises and have not traditionally taken SMEs into account. Further, the distinctive ways in which these businesses operate warrant approaches tailored to them.
Ironically, those same distinctive characteristics are what have kept SMEs out of the formulation of information security management approaches. It hardly needs repeating that practices designed for large corporations cannot simply be transplanted into an SME. Yet while regulatory obligations apply to SMEs as strictly as they do to corporate houses, a belief persists that the failure of any single SME's information security is too insignificant to matter, and that the disparate nature of SMEs will somehow prevent a collective failure.
On the other hand, SMEs themselves are no less at fault. Mid-tier companies sometimes set out to adopt an information security management strategy, only to leave it unfinished because of competing business pressures. Small businesses commonly offer reasons for inaction, such as being too small to need information security management at all. These attitudes persist despite the fact that SMEs account for a significant share of present-day global economic activity and drive growth in both developed and emerging economies.
Beyond the difficulties discussed so far, there are some fundamental challenges to information security management in SMEs. They are presented below:
The challenge of technology: The explosive growth of the Internet and its related technologies has enabled SMEs to collect valuable information. But that information asset brings challenges of its own: processing and storing it securely, the lack of resources to develop, deploy and maintain security tooling, and the cost of cloud services together with the risks that come with them. All of these are accentuated by financial constraints and accompanied throughout by the risk of losing customer trust if the data is compromised.
Absence of a framework for information security management: While the challenge of technology limits the preliminary efforts to manage information security risks, the lack of an effective framework leaves whatever strategies exist for tackling threats ineffective. This creates a gap between where a mid-level business wants to be and where it actually is in its ability to manage information security risk. Without a risk management framework, an SME also cannot compensate for its resource constraints through adequate planning and prioritization, because it has no systematic way to decide which risks deserve the limited budget.
Non-implementation of the ISO 27001:2013 standard: Unlike multinational firms that adopt a formal information security management system (ISMS), SMEs often find it difficult to comprehensively implement the requirements of the ISO/IEC 27001:2013 standard, even though the standard itself is meant to scale with the organization and leaves the choice of controls to a risk assessment. The effort of running a formal ISMS, with its risk assessment, Statement of Applicability, documented policies, internal audits and management reviews, is beyond the capacity of many SMEs. As a result, SMEs, which are exposed to a variety of risks with regulatory, operational and financial consequences, are frequently unable to put into practice the necessary safeguards, such as policies and procedures for mitigating information security risk.
Lack of an information security policy: While some small and medium-sized enterprises aspire to the larger goal of comprehensive information security, many never create a well-defined information security policy. Without one, the larger vision is blurred and the immediate task of identifying potential harm is impaired, since there is no agreed statement of which assets matter, who is responsible for them, and what behaviour is and is not acceptable.
Untrained staff and unmaintained software tools: Small entities are unable to train their critical personnel, primarily because of financial limitations, while medium-sized enterprises expect their workforce to arrive already trained enough to identify and defend against emerging risks. In practice, the personnel responsible for critical software and infrastructure need periodic training to face new threats. Without it, the result is poorly managed information systems and, in the worst case, security systems that are not maintained at all, leaving software unpatched and security controls unmonitored.
These information security challenges in SMEs weaken whatever risk culture already exists. Conversely, an effective risk-aware culture, in which the safety of information assets is given priority through adequate investment and a capable workforce, could substantially improve information security in SMEs. The onus is therefore on SMEs themselves to address their information security priorities and thereby protect their own economic progress.