
ICT502 S1 2024 Research Essay


ICT502 Applied Information Security Management (s1, 2024)

Assignment 1
Table of Contents
Introduction
Methodology
Main Body
1. Justifying the need for sound information security management in SMEs
2. Biometric security devices and their usefulness
3. Security training and education and implementing SETA programs
4. Linking business objectives with security
Conclusion
References

The Need for Information Security Management for Small to Medium Size Enterprises (SMEs)

Introduction

In today’s digital environment, small and medium-sized enterprises (SMEs) face
numerous cybersecurity challenges. With increasing reliance on digital infrastructure,
robust information security management is critical.

This study emphasizes the need for information security management
within SMEs. By exploring topics such as the need for sound information security
management in SMEs, biometric devices and their usefulness, the implementation of
security training programs, and the alignment of security with business objectives, we
highlight the importance of protecting digital assets within SMEs. Moreover, we
compare these with the demands and strategies of larger organizations.
Ultimately, this article seeks to contribute to the continuing debate on information
security management by making practical recommendations and emphasizing the
importance of prioritizing cybersecurity in the SME sector.

Methodology

In this study, we utilized online search tools like Google Scholar and IEEE Xplore to
gather literature on the information security needs of SMEs. We employed keywords
such as ‘SMEs’, ‘information security’, ‘cyber threats’, ‘biometric security’, etc., to find
the most relevant and recent studies.
After collecting the literature, we conducted a detailed review to understand each
paper’s main points, arguments, and conclusions. This approach helped us gain an
in-depth understanding of SMEs’ needs in information security management and how to
meet these needs through effective strategies and practices.

Main Body

1. Justifying the need for sound information security management in SMEs

I. The Impact of Information Security on SMEs

SMEs often face budget constraints and limited security resources,
necessitating more effective methods to protect sensitive information (Khan,
Tanwar, & Rana, 2020).
Each year, cyberattacks and data breaches impact more than 50% of SMEs
worldwide (Khan, Tanwar, & Rana, 2020). These attacks may cause financial
losses, data loss, company interruptions, or even firm closures. Businesses
may suffer greatly from data breaches, including declining customer
confidence and legal ramifications. Malware infections and DDoS attacks are
examples of cyberattacks that can damage company networks and cause
revenue losses. SMEs may not be able to survive if they suffer reputational
damage in addition to financial losses. Economic losses could result in hefty
fines and damages. Reputational hazards impact customer loyalty and market
share.

II. Specific Information Security Threats Faced by SMEs

SMEs, accounting for nearly 95% of global enterprises and contributing over
70% to GDP, face unique information security risks due to their size and
resources (Khan, Tanwar, & Rana, 2020).

A. Phishing Attacks: SMEs worldwide are vulnerable to phishing attacks,
which use deceptive emails or messages to trick employees into revealing
sensitive information.
B. Ransomware: SMEs, heavily reliant on digital systems and often having
limited cybersecurity measures, are increasingly targeted by ransomware
attacks that lock up files or systems and demand payment for release.
C. Social Engineering Scams: SMEs are often targeted by social
engineering scams, which manipulate people into sharing sensitive
information or taking actions that compromise security, leading to data
breaches and financial fraud.
D. Supply Chain Attacks: SMEs are targeted by supply chain attacks that
exploit weaknesses in business partnerships and vulnerabilities in third-
party vendors or service providers, gaining unauthorized access to systems
or data and posing serious security risks.

III. The Importance of Sound Information Security Management for SMEs

SMEs need sound information security management to protect customer and
business information, maintain trust, ensure business continuity, and
implement critical security measures like encryption, access restrictions, and
data backups. Compliance with GDPR and PCI DSS regulations is required to
avoid penalties and maintain trust (Wallang, Shariffuddin, & Mokhtar, 2022).
Information security compliance reduces legal risks and improves market
competitiveness. Effective information security management assists SMEs in
establishing customer trust and reliability, which promotes business success.
Also, protecting consumer data and guaranteeing business continuity can
improve reputation and competition.

Furthermore, investing in information security measures displays a
commitment to safeguarding the interests of stakeholders, such as consumers,
employees, and shareholders. This proactive approach not only reduces the
danger of data breaches and cyberattacks but also promotes long-term
corporate sustainability and growth.

IV. Strategies for Addressing Information Security Challenges

SMEs can implement the following strategies to address information security
challenges:
A. Implementing Comprehensive Information Security Management
Frameworks.
SMEs can use frameworks such as ISO 27001 to efficiently identify and
manage security issues. These frameworks assist in the implementation of
controls and constant monitoring of security systems.

B. Employing Advanced Security Technologies and Encryption Authentication
Measures
SMEs should use advanced security solutions, including
intrusion detection systems (IDS), firewalls, SIEM, encryption, and multi-factor
authentication, to detect and respond to security issues and to protect
sensitive data from unauthorized access and breaches. These tools and
measures improve network, system, and information security.

C. Continuous Assessment and Improvement of Information Security Measures
Regular security assessments and risk assessments assist SMEs in
identifying and responding to possible threats. Continual improvement
based on current threat intelligence enhances information security
resilience.

2. Biometric security devices and their usefulness

I. The Importance of Biometric Security Devices

A. For Small and Medium-sized Enterprises (SMEs):


Biometric security systems, with techniques like fingerprint or facial
recognition, provide efficient security measures for SMEs, as traditional
methods like passwords may not adequately protect their information. By
using biometrics, SMEs strengthen their defenses against cyber-attacks,
reinforcing their operations and maintaining their integrity and cost-
effectiveness (Phadke, 2013).

B. For Large Enterprises:


Large organizations have significantly greater security issues due to their
large staff and complicated systems. Conventional security techniques
frequently fall short of securing their massive assets. Biometric security plays
an important role in this situation (Iyer, Karthikeyan, Khan, & Mathew,
2020). Technologies such as iris scanning and voice recognition provide
strong authentication mechanisms for major companies, guaranteeing that
only authorized users gain access to their networks. By adopting biometrics,
these organizations strengthen their defenses against complex cyber threats,
ensuring operational continuity and protecting their interests.

II. The Methods of Biometric Security Devices

Biometric security devices utilize various methods to authenticate individuals,
ensuring robust protection against unauthorized access. These methods, as
highlighted by Phadke (2013), include:

A. Fingerprint Recognition: This method captures and analyzes unique patterns
on an individual's fingertips, offering reliability and ease of implementation.

B. Facial Recognition: By analyzing distinct facial features, this method
verifies an individual's identity with convenience and accuracy.

C. Iris Scanning: Iris scanning provides highly accurate identification by
analyzing intricate patterns in the iris of the eye.

D. Voice Recognition: This method leverages unique vocal characteristics for
authentication, particularly valuable in hands-free scenarios.

E. Palm Vein Recognition: By examining vein patterns in the palm, this
technique offers a highly secure form of identification.

F. Retina Scanning: Retina scanning provides unparalleled accuracy by
analyzing unique blood vessel patterns in the retina.

SMEs often adopt cost-effective solutions like fingerprint and facial
recognition, while large enterprises may deploy a broader range of methods,
including iris scanning and voice recognition, to enhance security across
diverse operational areas. Both recognize the importance of biometric security
devices in safeguarding sensitive information.

III. The Advantages of Biometric Security Devices

Biometric security devices offer distinct advantages for both SMEs and large
organizations, with variations in application due to scale and requirements.

A. Advantages for SMEs:


Cost-effectiveness: SMEs often operate within budget constraints and limited
resources, making traditional security measures prohibitively expensive.
Biometric technology provides a relatively affordable and efficient security
solution, requiring minimal infrastructure investment (Phadke, 2013).

Simplicity and User-friendliness: SMEs may lack dedicated IT personnel to
manage complex security systems. Biometric technology offers simplicity in
operation, requiring no specialized knowledge, and is user-friendly for
employees, reducing management and training costs (Phadke, 2013).

B. Advantages for Large Enterprises:


Enhanced Security: Large enterprises face more sophisticated security
challenges, where traditional measures may fall short in safeguarding
extensive assets. Biometric technology offers heightened security measures,
preventing unauthorized access and data breaches, thus protecting corporate
interests (Iyer, Karthikeyan, Khan, & Mathew, 2020).

Scalability and Customization: Large enterprises need scalable and customizable
security solutions due to their vast workforce and complex system architectures.
Biometric technology meets these needs by allowing for customized deployment
(Iyer, Karthikeyan, Khan, & Mathew, 2020).

In conclusion, biometric security devices offer significant advantages to both
SMEs and large organizations, while practical implementation may vary
depending on aspects such as company size, budget, and security
requirements (Iyer, Karthikeyan, Khan, & Mathew, 2020).

IV. The Influences on Both SMEs and Large Organizations

A. Impacts on SMEs:
Enhanced Efficiency: Biometric security systems streamline operations for
SMEs, allowing employees to access premises swiftly with minimal hassle
(Phadke, 2013).

Resource Optimization: These systems are cost-effective and require
minimal maintenance, enabling SMEs to allocate resources more efficiently
(Phadke, 2013).
B. Impacts on Large Enterprises:
Risk Mitigation: Biometric devices significantly reduce security risks by
offering robust authentication measures, deterring unauthorized access, and
preventing potential breaches (Iyer, Karthikeyan, Khan, & Mathew, 2020).

Regulatory Compliance: Large organizations benefit from biometric
security's ability to ensure compliance with industry regulations and data
protection laws, safeguarding data privacy and meeting regulatory
requirements (Iyer, Karthikeyan, Khan, & Mathew, 2020).

Biometric security systems offer significant advantages for both SMEs and
large organizations. For SMEs, these systems provide efficient security
measures within budget constraints, while for large enterprises, they offer
robust protection against cyber threats and regulatory compliance.

3. Security training and education and implementing SETA programs

I. Importance of InfoSec Training for Both SMEs and Large Organizations

Security Education, Training, and Awareness (SETA) programs are crucial for
both SMEs and large organizations. While both SMEs and large organizations
face cybersecurity challenges, their approaches to implementing SETA programs
may diverge due to differences in resources, workforce size, and threat
landscapes.
A. Resource Allocation and Capability: Large organizations typically have
more resources and dedicated security teams, enabling them to undertake
comprehensive SETA initiatives, while SMEs may face resource
constraints that hinder the implementation of comprehensive SETA
initiatives (Chen, Ramamurthy, & Wen, 2015). Limited budgets and staff
at SMEs may limit their capacity to develop and provide effective security
training to employees.

B. Workforce Size and Training Challenges: The size of the workforce
presents unique challenges for both SMEs and large organizations
regarding security training. Large organizations with extensive employee
bases encounter logistical hurdles in delivering training to a larger
audience. Additionally, the diverse nature of roles within large
organizations necessitates tailored training programs to address specific
job functions and associated security risks (Chen, Ramamurthy, & Wen,
2015). Conversely, SMEs with smaller teams may find it easier to
disseminate training materials and ensure uniform understanding among
employees due to their close-knit structure.
C. Cybersecurity Threat Landscape: Growing cybersecurity concerns,
such as malware, network intrusions, and social engineering, affect both
large and small businesses. However, studies show that because SMEs
lack specialized cybersecurity teams and resources, they are more
vulnerable to being targeted by cybercriminals (Chen, Ramamurthy, &
Wen, 2015). Larger companies, on the other hand, might be able to invest
more money and technological resources in cybersecurity, making them
somewhat more resistant to threats. However, SMEs are more easily
targeted by attackers due to their often less strict security procedures,
which can lead to significant data breaches, system outages, or financial
losses.

D. Effectiveness of SETA Programs: Despite the relevance of SETA
programs, issues remain about their effectiveness in molding employee
behavior and cultivating a security-conscious culture (Chen, Ramamurthy,
& Wen, 2015). Raising awareness of security rules may not be sufficient
to establish a strong security culture within organizations. As a result, both
small and large businesses must focus on developing and implementing
SETA programs that actively engage employees and cultivate a culture of
cybersecurity awareness.

While the challenges and strategies for implementing SETA programs differ
across SMEs and large organizations, the overall goal remains consistent: to
cultivate a security-aware workforce capable of effectively reducing cyber threats.
Organizations can adjust their security training activities to meet individual needs
while also strengthening their overall cybersecurity posture by drawing on
existing literature.

4. Linking business objectives with security

A. Focus and Priorities: SMEs often prioritize cost-saving and resource
management, while large companies may focus more on their reputation and
customer satisfaction (Alqatawna, 2014).

B. How They Do Security: SMEs usually have fewer resources and know-how,
so they might prefer using outside help for security, like cloud security
services or outsourcing security tasks. But big companies often build their
own security teams and use custom-made solutions they develop themselves.
This shows how the two types of organizations balance flexibility and
practicality in their security strategies.

C. Dealing with Risks: Both SMEs and big companies need to handle different
security risks, but they might do it in different ways because of their size and
resources. SMEs might focus more on staying flexible and being able to react
quickly to problems. They use simpler ways to manage risks that work for
their smaller operations. But big companies might use more structured and
systematic risk management methods to cover all their different business parts
and information.

From these points and what we know, it's clear that connecting business goals
with security is a big deal and needs to be customized based on the organization's
size, industry, and resources. Understanding the differences between SMEs and
large companies is crucial for making effective security plans that fit each
organization's needs.

Conclusion

In summary, this paper emphasizes the information security challenges faced by
SMEs in the current digital environment. It also compares these challenges with
those encountered by large enterprises and proposes solutions. Looking ahead,
further research and practical implementation of information security
management strategies tailored to SMEs are essential for their sustainable
development in the digital era. Additionally, research on biometric technologies
and security training programs should be strengthened to address evolving
security threats and technological advancements.
References

Iyer, A. P., Karthikeyan, J., Khan, R. H., & Mathew, B. P. (2020, 4). An Analysis
of Artificial Intelligence in Biometrics-The Next Level of Security. Journal of
Critical Reviews, 7(1), 571-576. doi:10.31838/jcr.07.01.110

Khan, M. I., Tanwar, S., & Rana, A. (2020). The Need for Information Security
Management for SMEs. 2020 9th International Conference System Modeling
and Advancement in Research Trends (SMART), 328-332.
doi:10.1109/SMART50582.2020.9337108

Alqatawna, J. (2014). The Challenge of Implementing Information Security Standards
in Small and Medium e-Business Enterprises. Journal of Software
Engineering and Applications, 7(10), 7. doi:10.4236/jsea.2014.710079

Chen, Y., Ramamurthy, K., & Wen, K.-W. (2015). Impacts of Comprehensive
Information Security Programs on Information Security Culture. Journal of
Computer Information Systems, 55(3), 11-19.
doi:10.1080/08874417.2015.11645767

Phadke, S. (2013, 10). The Importance of a Biometric Authentication System. The SIJ
Transactions on Computer Science Engineering & its Applications (CSEA),
1(4), 128-132. doi:10.9756/SIJCSEA/V1I4/0104550402

Wallang, M., Shariffuddin, M. D., & Mokhtar, M. (2022, 12 31). Cyber Security
in Small and Medium Enterprises (SMEs): What’s Good or Bad? Journal of
Governance and Development (JGD), 18(1), 75–87.
doi:10.32890/jgd2022.18.1.5
