Information security challenges, combined with rapidly rising related regulatory concerns, have made large corporations constantly realign their business strategies, backed by substantive resources and management guidelines often tweaked to suit their needs. The result? Well, not too convincing. Small and medium enterprises (SMEs), on the other hand, despite being at a distinct disadvantage of scant resources and a lack of well-defined guidelines, are expected to overcome information security challenges with the same efficiency, and face penalties – financial or reputational – on no lesser scale.
A June 2014 IMF paper states, “SMEs on aggregate account for about 99 percent of the total number of enterprises in the EU with an estimated share of 58 percent and 66 percent in the EU nonfinancial business sector’s value added and employment, respectively.” On the other hand, the International Finance Corporation (IFC) estimates that SMEs contribute about 29 percent of formal GDP in low-income countries, and SMEs’ share of GDP ranges from 20 percent to 50 percent in the majority of APEC economies.
These figures are indicative of the role of SMEs in rebuilding international business while spurring domestic economic growth by contributing to almost all economic sectors. However, growth constraints relating to infrastructure, technology, skilled labor, red tape and targeted recommendations constantly threaten to render them incapable of handling the opportunities and threats of information security. These and some more fundamental challenges in information security management in SMEs contribute to weakening any existing risk culture.
Despite the challenges and to sustain business continuity, SMEs must meet the stringent levels of information security and stay ahead of the challenges by implementing best practices. SMEs would do well not to wait for too many favorable developments and start seeking success by practicing the following.
A risk-based approach and information security policy: Overcoming information security challenges in SMEs is contingent upon adopting a risk-based approach and an open information security policy under a holistic framework. The risk strategy must involve setting security goals, defining and executing actions, and regular monitoring with effectiveness and efficiency assessments. While information security objectives provide direction for the enterprise, defining actions and then implementing them ensures that immediate threats are mitigated. Ongoing monitoring guards against complacency and enables the organization to counter a risk event before it takes effect.
The overall risk-based approach should include information security as a key component and should entail a vision and belief that the goals of information security are enablers of growth that ensure business continuity. While the lack of systematic research – due primarily to cross-country constraints – deprives SMEs of widely accepted guidelines, an open information security policy opens up participation so that all members intuitively become custodians of information safety. Such a risk policy is conducive to the creation of awareness, leading to willful, coordinated vigilance through voluntary risk identification and effective mitigation.
Counter resource insufficiency: SMEs the world over are facing a major bottleneck in access to capital, especially following the global financial crisis. Surprisingly, despite the significant contribution of SMEs to economic development, market growth and social progress, the issue of financing these businesses has remained a subject of idle interest to governments in general. Ironically, SMEs are sometimes also victims of their own successes, as a lack of funds renders them unable to accept additional workflow, even as a lack of security assets limits their capacity to obtain bank debt.
While SMEs themselves can do little to reverse government and bank policies, they must continue to find sources of fresh capital infusion and create scenarios for banks to participate in their success. This is easier said than done; the difficult route to it lies in diligent cash flow management. Entrepreneurs must continue to attract investors by carefully chalking out plans that portray the actual needs and the potential profits.
Implementation of the ISO 27001:2013 standard: Implementing an information security standard was difficult even for larger corporations, let alone SMEs. However, with ISO 27001:2013, information security management system (ISMS) implementation has adopted a flexible approach, suitable for small and medium businesses in particular. To effectively manage regulatory, operational and financial threats, organizations need to choose a proven solution that is easy to use and cost-effective. As one of the most important countermeasures to information security challenges, a mature tool assists in gaining competitive advantage and frees up time and resources to concentrate on other activities, with the assurance that your risk management and compliance requirements are being taken care of.
Despite operating in environments of high complexity and rapid change, SMEs have started collaborating with public sector organizations and with domestic and foreign partners. Further, due to the features that differentiate SMEs from larger businesses, they are better equipped to handle evolving market conditions by providing differentiated products. Deployment of information security measures will allow SMEs to leverage their unique strengths, which will contribute to sustainable socio-economic development.