The Need For Information Security Management Information Technology Essay
Small to Medium Size Enterprises contribute greatly to the economy in many countries despite the many challenges that they face. Limited budgets, resource planning and time management are just some of the constraints that they might encounter. Compared to a larger enterprise or government body, SMEs seem to take different approaches to information security, sometimes understating its importance because of the constraints mentioned. This paper aims to study the issues relating to the introduction and implementation of information security regimes in SMEs compared to larger organisations.
Small and medium enterprises are defined by the number of personnel working for the company, from an upper limit of around 250 down to a lower limit of around 50. They usually lack the resources, competencies and management needed to implement strategies, both externally and internally, for their operations. This paper will focus on the implementation of information security regimes in SMEs and provide a comparison to large enterprises. The paper explores the multiple categories of information security, attempts to list the disadvantages faced by SMEs, and shows how large enterprises are sometimes unable to match an SME in the capability to respond to security threats.
Justifying The Need for Sound Information Security in Any Organisation
The internet age brought new challenges to the business world; both SMEs and large organisations are continuously investing substantial resources to secure their presence on the internet. With increasingly virtualized business networks and an expanding corporate ecosystem, more information has been created or converted into digital format. Digitalized information can be saved on different storage devices and transmitted over a plethora of interconnected networks, both internally and externally (Radding, 2012). Understandably, crime and security threats to information are becoming more commonplace as reliance on the Internet in business activities increases. Threats such as hackers, business competitors or even foreign governments can employ a host of different methods to obtain information from any organisation (Symantec). Yet no effective business would totally isolate itself from digitalized information to prevent such incidents; the competitiveness and success of these organisations is linked to the right information being delivered on time. At worst, erroneous information may result in serious loss of potential earnings and damage to the organisation’s “brand” (Juhani Anttila, 2005).
A significant element of information security is the cost and personnel expertise required for the design, development and implementation of an effective security system. Major investment is needed to build and maintain a reliable, trustworthy and responsive security system (Anderson, 2001). Most SMEs have to operate under tight budgets, extremely limited manpower and many different needs competing for a limited supply of resources, which places information security down the priority list (Tawileh, Hilton, & Stephen, 2007). Additionally, because of a lack of awareness of the negative consequences of information security issues and threats, and the perception of less strict regulatory compliance requirements, the information and communications infrastructure within these SMEs remains highly insecure. Despite that, most organisations do at least have some form of basic security in the form of anti-virus software. Other types of security software, such as firewalls or authentication software/hardware, are considerably less popular, perhaps due to the additional complexity of having to install and configure them for the organisation’s use (ABS, 2003).
Linking Business Objectives with Security
Incident Response Management and Disaster Recovery
Incident response management is the process of managing and responding to security incidents. As organisations may encounter plenty of incidents throughout the day, it is important that incident responses are carefully managed to reduce wastage of manpower and resources. The most appropriate level of response should be assigned to any security incident to maximize efficiency; there is no merit in involving senior management in a response to an incident that has minimal impact on the business (BH Consulting, 2006).
Disaster recovery is the process used to recover access to an organisation’s software, data and hardware that are required to resume the performance of normal, critical business functions. Typically this will happen after either a natural disaster or a man-made disaster (Disaster Recovery).
Incident response management used to be separated across different entities: natural disasters, security breaches and privacy breaches were handled by risk management, the information security department and the legal department respectively. This increased the cost of incident management and reduced the utilization of existing resources and capabilities. By merging the three into one overarching incident management methodology, with a designated incident response team and a charter, reduced cost and efficient usage of resources can be achieved (Miora, 2010).
In larger organizations, the incident response team may contain both employees and third-party observers from vendors. External vendors may provide the expertise to manage an incident that could be overwhelming for the current employees. This however may not be feasible for SMEs due to financial constraints. Most likely, the incident response management team would be formed from a few employees, with a senior manager or director leading the team. The response team would be the ones who plan scenarios for each different type of incident and the type of response required, ensuring that clear processes and procedures are in place so that responses to incidents are coherent. Communications between members are typically standardized, be it for large organisations or SMEs; methods of contact such as email and non-email channels like phone calls or messages are used to inform team members (BH Consulting, 2006).
Disaster recovery is extremely important as well, more so for SMEs. A survey from the US Department of Labor provided an estimate that around 40% of businesses never reopen after a disaster, and of the remaining, around 25% will close down within 2 years (Zahorsky). Unfortunately, not many SMEs have a disaster recovery plan in place to protect themselves. This is due to the idea that disaster recovery is costly and requires a lot of resources and expertise to put in place. This is true to a certain extent, as large organisations normally spend considerable amounts to put in place backup servers and remote hot recovery sites. However, with increasing cloud-based technologies and the availability of server virtualization, disaster recovery can become affordable even for SMEs. Emerging cloud solutions and renting space in a secure data center via colocation are some of the solutions that SMEs can consider. Even with little or no IT staff, an SME can pay the colocation provider to manage the setup and maintenance services (Blackwell, 2010).