19,721 research outputs found

    Preparing for GDPR: helping EU SMEs to manage data breaches

    Over the last decade, the number of small and medium (SME) businesses suffering data breaches has risen at an alarming rate. Knowing how to respond to inevitable data breaches is critically important. A number of guidelines exist to advise organisations on the steps necessary to ensure an effective incident response. These guidelines tend to be unsuitable for SMEs, who generally have limited resources to expend on security and incident responses. Qualitative interviews were conducted with SMEs to probe current data breach response practice and to gather best-practice advice from SMEs themselves. The interviews revealed no widespread de facto approach, with a variety of practices being reported. A number of prevalent unhelpful-practice themes emerged from the responses, which we propose specific mitigation techniques to address. We therefore propose an SME-specific incident response framework that is simple yet powerful enough to inform and guide SME responses to data breach incidents.

    IASME: Information Security Management Evolution for SMEs

    Most of the research in information risk and risk management has focused on the needs of larger organisations. In the area of standards accreditation, the ISO/IEC 27001 Information Risk Management standard has continued to grow in acceptance and popularity with such organisations, although not to a significant extent with SMEs. An interesting product recently developed for ENISA (European Nations Information Security Association) based on the Carnegie-Mellon maturity model and aimed at SMEs has not so far filled the gap. In this paper, a researcher and two practitioners from the UK discuss an innovative development in the UK for addressing the information assurance needs of smaller organisations. They also share their perceptions about the security of national information infrastructures, and concerns that SMEs do not get the priority that their position in the supply chain would suggest they should have. The authors also explore the development and roll out of IASME (Information Assurance for SMEs), which they have developed in the context of a tight market, where spare cash is in short supply, and many SMEs are still in survival mode. The question for the business is therefore not seen as “can we afford to spend on information security” but “can we afford not to spend…” As well as the effect on being able to do business at all of having an SME's systems compromised, there are also matters of reputation, and the growing threat of fines as a result of not complying with laws and regulations. The paper concludes with achievements of real businesses using the IASME process to cost-effectively achieve information assurance levels appropriate for themselves.

    Cyber supply chain security: a cost benefit analysis using net present value

    Cyber supply chain (CSC) security cost effectiveness should be the first and foremost decision to consider when integrating various networks in supplier inbound and outbound chains. CSC systems integrate different organizational network systems nodes such as SMEs and third-party vendors for business processes, information flows, and delivery channels. Adversaries are deploying various attacks such as RAT and Island-hopping attacks to penetrate, infiltrate, manipulate and change delivery channels. However, most businesses fail to invest adequately in security and do not consider analyzing the long-term benefits of that investment for monitoring and auditing third-party networks, thus making cost-benefit analysis the most overriding factor. The paper explores the cost-benefit analysis of investing in cyber supply chain security to improve security. The contribution of the paper is threefold. First, we consider the various existing cybersecurity investments and the supply chain environment to determine their impact. Secondly, we use the NPV method to appraise the return on investment over a period of time. The approach considers other methods such as the Payback Period and Internal Rate of Return to analyze the investment appraisal decisions. Finally, we propose investment options that ensure CSC security performance investment appraisal, ROI, and business continuity. Our results show that NPV can be used for cost-benefit analysis and to appraise CSC system security to ensure business continuity planning and impact assessment.

    Towards a better understanding of the political economy of regional integration in the GMS: Stakeholder coordination and consultation for subregional trade facilitation in Thailand

    This paper examines the importance, involvement, influence, impact and interest of various groups of Thai stakeholders in GMS regional integration, focusing in particular on trade facilitation initiatives, i.e., the GMS Economic Corridors and the Cross-Border Transport Agreement (CBTA). Keywords: Political economy, GMS, Trade Facilitation, Thailand

    Understanding the adaptive capacity of Australian small-to-medium enterprises to climate change and variability

    Small-to-medium enterprises (SMEs) comprise 96 per cent of all private businesses in Australia. The SME sector is the economy’s largest employer and the largest contributor to GDP. Moreover, SMEs play a significant role within socio-economic systems: they provide employment, goods and services and tax revenue for communities. Climate change may result in adverse business outcomes including business interruptions, increased investment and insurance costs, and declines in financial indicators such as measures of value, return and growth. After natural disasters, SMEs face greater short-term losses than larger enterprises, and may have lower adaptive capacity for various reasons. This study examines the underlying factors and processes shaping the adaptive capacity of Australian SMEs to climate change and associated sea level rise. Specifically, the research asks the following questions: 1) How have SMEs considered and integrated adaptation into business planning? 2) What are the key underlying processes that constrain and influence the adaptive capacities of SMEs? and 3) What types of support are required to promote SME business continuity under a changing climate? The study adopts theories from Political Ecology and draws on literature on vulnerability and hazards to understand the processes that mediate the adaptive capacity of SMEs. The empirical research involved an online survey targeting SMEs, attending business engagement events hosted by chambers of commerce, 30 semi-structured interviews with secondary stakeholders, five case studies involving SMEs and secondary stakeholders, and finally a stakeholder workshop which brought together participants from both groups. The central conclusion of this study is that underlying contextual processes are critical to enhancing the adaptive capacity of SMEs. 
These processes include: the social relationships between SMEs and support organisations; the relationships within support organisations themselves; the agency of SMEs to direct resources toward building resilience into business continuity; SMEs’ perceptions of climate risks; and power struggles between support organisations. Unfavourable combinations of these processes have the potential to limit the adaptive choices that SMEs can adopt in order to overcome climate change and other related stresses on business continuity. These processes generate vulnerability and often occur at scales external to the SMEs, including relationships between different tiers of government as well as between various support organisations working with SMEs. These contextual processes have been largely overlooked in formal programmes that aim to build business resilience. The programmes have tended to be reactive and have tended to focus on business recovery during and after disasters rather than on altering the vulnerability context of SMEs through anticipatory prevention and preparedness or adaptation planning. This study suggests that the success of efforts to build the adaptive capacity of SMEs to future climate and related stresses will depend on how they address these underlying processes to facilitate the ability of SMEs to exercise their agency in pursuing adaptive choices that they value.

    SMEs, electronically-mediated working and data security: cause for concern?

    Security of data is critical to the operations of firms. Without the ability to store, process and transmit data securely, operations may be compromised, with the potential for serious consequences to trading integrity. Thus the role that electronically-mediated working plays in business today and its dependency on data security is of critical interest, especially in light of the fact that much of this communication is based on the use of open networks (i.e. the Internet). This paper discusses findings from a 'WestFocus' survey on electronically-mediated working and telework amongst a sample of SMEs located in West London and adjacent counties in South-Eastern England in order to highlight the problems that such practice raises in terms of data security. Data collection involved a telephone survey undertaken in early 2006 of 378 firms classified into four industrial sectors ('Media', 'Logistics', 'Internet Services' and 'Food Processing'). After establishing how ICTs and the Internet are being exploited as business applications for small firms, data security practice is explored on the basis of sector and size with a focus on telework. The paper goes on to highlight areas of concern in terms of data security policy and training practice. Findings show some sector and size influences. WestFocus* under the Higher Education Innovation Fund (HEIF 2