Information Security Management in SMEs: Beyond the IT Challenges

In this paper we report some results of a survey involving 33 Small and Medium-sized Enterprises (SMEs) in the UK on how they approach information security risks and what the human and organisational issues related to their risk-management practices are. All of the interviewed employees are handling sensitive data, needed to do their job, but without necessarily having the most knowledge or responsibility related to information security. The qualitative approach used was intended to be more deeply insightful and informative than others, for the purpose to understand security practices gaps, and how to improve them, as normal employees are the ones concerned with the deployment of security controls and measures in their own work practices. Our findings show that while there is a wide agreement about the importance of security and its potential impact on company performance, the understanding of security is rather taking a technology-oriented perspective. Actual work practices and routines of most employees were however ignored or not intertwined with security management efforts. Deficiencies were identified in preventive mechanisms, in incident reporting and management as well as in risk analysis process. Beyond the IT challenges, SMEs will need to have in place more efficient training and awareness programmes and organizational processes to develop more resilient security capabilities. Our conclusion is that there is a much-needed involvement of practitioners with operational knowledge in risk management and security policy definition.