Information security management policies, and the level at which an organization adopts them, are the basic pillars on which any organization stands. If the basic security parameters are not clearly defined, the system is built on chaos. Medium-sized organizations account for a major part of global economic activity, but the common information security standards are not feasible for them, since those standards are mainly developed for large organizations. The result is a growing risk of breaches of sensitive data, and therefore a significant need to combat these security threats. Some of the problems related to security, and their solutions, are given as follows.
1. No dedicated resource/s for information security, only for physical security
Personal firewalls must be installed on company laptops to prevent attacks via dial-up or wireless networks. Company servers must be hardened: unnecessary software, services and processes removed, the remaining configuration tightened, and the vulnerabilities that arise from running several different operating systems addressed. It is also important to use operating systems that provide appropriate security baselines.
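Hardening in the sense used above (remove what is not needed, keep a known baseline) only holds if it is checked repeatedly. The following is an added example, not code from the original page: it parses the output of `ss -tlnp` (a constructed sample is embedded) and reports every listening service that is not in an explicit allowlist, plus any allowed service that is bound to all interfaces when the baseline says it should be reachable only locally. The baseline, process names and sample output are assumptions chosen for illustration.

```python
"""Baseline check for listening services on a hardened server.

Added example, not from the original page. Parses `ss -tlnp` output (the
sample below is constructed) and flags deviations from a hypothetical baseline.
"""
import re
from dataclasses import dataclass

# Addresses that mean "every interface"; a service bound here is reachable from the network.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# Constructed sample of `ss -tlnp` output, header line included as ss prints it.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      4096         0.0.0.0:5432      0.0.0.0:*     users:(("postgres",pid=1020,fd=7))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1311,fd=6),("nginx",pid=1310,fd=6))
LISTEN 0      50           0.0.0.0:21        0.0.0.0:*     users:(("vsftpd",pid=1402,fd=4))
LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=812,fd=4))
LISTEN 0      4096         0.0.0.0:111       0.0.0.0:*     users:(("rpcbind",pid=640,fd=4))
"""

# Hypothetical baseline for a small web/database server: (process, port) -> allowed scope.
# "public" may bind to any interface; "local" must bind to loopback only.
BASELINE = {
    ("sshd", 22): "public",
    ("nginx", 80): "public",
    ("nginx", 443): "public",
    ("postgres", 5432): "local",
}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Extract (address, port, process) from each LISTEN line of `ss -tlnp` output."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        addr, _, port = fields[3].rpartition(":")  # rpartition keeps IPv6 "[::]" intact
        match = re.search(r'users:\(\("([^"]+)"', line)
        process = match.group(1) if match else "unknown"
        listeners.append(Listener(addr.strip("[]"), int(port), process))
    return listeners


def audit(listeners: list[Listener], baseline: dict) -> list[tuple[str, int, str]]:
    """Return (process, port, reason) for every listener that deviates from the baseline."""
    findings = []
    for lst in listeners:
        scope = baseline.get((lst.process, lst.port))
        if scope is None:
            findings.append((lst.process, lst.port,
                             "not in baseline: remove the service or document why it is needed"))
        elif scope == "local" and lst.addr in WILDCARD_ADDRS:
            findings.append((lst.process, lst.port,
                             f"should listen on loopback only but is bound to {lst.addr}"))
    return findings


if __name__ == "__main__":
    # On a real host, replace SAMPLE_SS_OUTPUT with the stdout of `ss -tlnp`.
    for process, port, reason in audit(parse_ss(SAMPLE_SS_OUTPUT), BASELINE):
        print(f"{process}:{port}  {reason}")
```

Run against the sample, the check flags the FTP daemon and rpcbind as services the baseline never asked for, and PostgreSQL as an allowed service exposed on every interface instead of loopback. Keeping the baseline as data next to the script means a new server role is a one-line change rather than a judgement call made at 2 a.m.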
2. No approved information security policies
Another security measure is to use effective anti-virus software both at the gateway and on each desktop. Servers that are reachable from the Internet should be placed in a DMZ network. Thus, there are many considerations to be taken into account while designing security policies for a company, each of which must be implemented with careful planning and sufficient
3. No security awareness program
Security awareness programs must be specially designed for small and medium-sized enterprises. There is no point in having the most sophisticated security systems if employees are not aware of them or do not know how to use them. Insufficient knowledge among employees and users poses a major threat to the security of the company. A variety of products and awareness training programs are available that can be especially helpful.
4. No deployment of security software and hardware to facilitate security violation logging, monitoring and reporting.
One of the major approaches to effective security is the CIA triad. CIA stands for Confidentiality, Integrity and Availability. Confidentiality refers to the necessity of keeping information private, including sensitive business and customer data. Such data is typically transferred over a network for various business processes, which is where integrity comes into the picture. Integrity is the concept of complete and unaltered data and the prevention of unauthorized changes to it. The integrity of data in the company databases must also be maintained, and mechanisms to prevent illegitimate access and modification must be in place. The third notion of the CIA triad is Availability: systems and data must remain accessible to legitimate users when they are needed, which is why backups, redundancy and protection against denial of service belong to the same framework. Strong authentication is the mechanism that enforces confidentiality and integrity at system login. Because passwords can be guessed, phished or reused, a two-factor authentication system should be adopted: users are permitted access only after presenting a valid username/password and also proving possession of a security token (a One-Time Password).
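The two-factor login described above, as an added example that is not part of the original page: a password check combined with a time-based one-time password (TOTP) of the kind generated by phone authenticator apps. HOTP and TOTP are implemented as specified in RFC 4226 and RFC 6238 (HMAC-SHA1, 6 digits, 30-second steps); the verifier tolerates one step of clock skew and refuses to accept a code at or below a counter it has already accepted, so a captured OTP cannot be replayed. The user record, timestamps and shared secret are constructed; the secret is the RFC 6238 test key, so the codes can be checked against the RFC's own tables.

```python
"""Two-factor login: salted password hash plus TOTP (RFC 4226 / RFC 6238).

Added example, not from the original page. The user record, secret and
timestamps below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """Accepts a code within +/-window time steps (clock skew) and never accepts a
    counter at or below one already used for that user, so a code cannot be replayed
    (RFC 6238, section 5.2). State is kept in memory here; a real service persists it."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_counter: dict[str, int] = {}

    def verify(self, username: str, secret: bytes, code: str, now: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        current = now // self.step
        last_used = self._last_counter.get(username, -1)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= last_used:
                continue  # already consumed, or older than a code already accepted
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self._last_counter[username] = counter
                return True
        return False


PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2 hash for storage; returns (salt, hash)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def login(users: dict, verifier: TotpVerifier, username: str,
          password: str, code: str, now: int) -> bool:
    """Both factors must pass; the caller learns only success or failure."""
    user = users.get(username)
    if user is None:
        return False
    salt, expected = user["password"]
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    if not hmac.compare_digest(actual, expected):
        return False  # do not consume an OTP counter on a failed password
    return verifier.verify(username, user["totp_secret"], code, now)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test key, constructed enrolment
    # The base32 form is what would be placed in the enrolment QR code for the user's app.
    print("provision:", base64.b32encode(secret).decode())
    users = {"alice": {"password": hash_password("correct horse battery staple"),
                       "totp_secret": secret}}
    verifier = TotpVerifier()
    now = int(time.time())
    code = totp(secret, now)  # what the user reads off the authenticator app
    print("login:", login(users, verifier, "alice", "correct horse battery staple", code, now))
    print("replay:", login(users, verifier, "alice", "correct horse battery staple", code, now))
```

The replay check is the part most home-grown implementations leave out: without it, an OTP shoulder-surfed or phished within its 30-second validity (plus the skew window) is as good as the password. Note also that a wrong password returns before the OTP is examined, so an attacker cannot burn the legitimate user's current code by submitting it with guessed passwords.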
Many different security management techniques have been proposed in the literature. Some of them are outlined as follows.
The paper “Network Security: A Guide for Small and Mid-sized Businesses”, published by the SANS Institute, aims to educate the IT staff and administrators of SMBs about the various network security threats they face. It describes techniques and mechanisms that reflect security best practice and helps in setting priorities when building a security perimeter for a typical business network. It is meant to guide a company in deciding where to start and what to focus on among the myriad of existing security threats.
The paper “Managing Information Security in Small and Medium Sized Enterprises: A Holistic Approach”, published by Springer, presents some of the challenges of security management in small and medium-sized enterprises. The authors propose an approach that facilitates the development of information security management systems using Soft Systems Methodology. It deals with the problematic nature of security systems within SMEs and handles these problems effectively.
A white paper by GFI, “Security considerations for small and medium-sized enterprises (SMEs)”, discusses the level of security required for an SME based on the number of computers and servers it hosts. It gives several suggestions for technical tools and procedures/policies to follow for good maintenance and manageability.
A certification paper from GIAC (Global Information Assurance Certification), “Information Security Management Systems in Small & Medium Sized Enterprises”, addresses the importance of protecting the SME sector, which is becoming as dependent on technology as large enterprises. It provides a simple process for implementing the foundations of a security management system relevant to SMEs.
Security management has become a prime issue to be handled carefully in organizations of all sizes. Sensitive information collected, stored and transferred during business processes must be protected in different ways to avoid the negative consequences of data leakage or any other type of security compromise. Medium-sized organizations face many challenges, especially financial and knowledge-related, when implementing enhanced levels of security. Security breaches can cause considerable damage to an organization, in terms of both reputation and revenue. Security needs to be viewed as a continuous process, with constant monitoring and adaptation of protections to accommodate growth and changes in the system environment.
Thus, there is a need for simple security standards and certification processes for protecting technical devices at the various levels, from hardware, OS and server up to the network. SMEs must be guided accordingly, so that they understand the significant benefits of security and the bad outcomes it can avoid. Some of the actions recommended for SMEs are as follows:
- Perform a security risk assessment
- Develop an information security policy
- Use strong (two-factor) authentication and design controls around the CIA triad
- Design a stable security network (firewalls)
- Use anti-virus software
- Use operating systems with an adequate security baseline
- Develop an effective incident response plan
SMEs play a major role in the economies of many countries, and globally. It is therefore in the best interest of the economy to invest more effort in the SME sector to ensure future development and prosperity. Attackers will always look for vulnerable areas, and we need to see to it that the security holes within an enterprise are closed.
Dinerman, B. (2011). Security considerations for small and medium-sized enterprises (SMEs). GFI white paper.
Hietala, J. (2005). Network Security: A Guide for Small and Mid-sized Businesses. SANS Institute.
Smears, A. (2004). Information Security Management Systems in Small & Medium Sized Enterprises. SANS Institute.
Tawileh, A., Hilton, J., & McIntosh, S. (2007). Managing Information Security in Small and Medium Sized Enterprises: A Holistic Approach. Springer, pp. 331-339.