Introduction
Small businesses form a critical part of the economy and play a key role in creating jobs and improving the livelihoods of many individuals in society. However, as these businesses adopt new technology and rely on information systems, their continued successful operation has come under threat from cyber attacks. This paper researches the current information security landscape of small businesses, specifically in cloud computing and social networking. It also discusses the potential consequences of not implementing security practices, describes the common threats associated with small businesses and finally sets out the strategies that will provide information security assurance for small businesses.
Current information security landscape of small businesses
Small businesses are currently faced with contradictory opportunities and challenges. On one hand, the growth and advancement of cloud computing and social media marketing present an excellent opportunity for small enterprises to market themselves and deliver high quality services to their customers. On the other hand, the growth of these sectors has presented very big challenges in the form of the information systems security of the companies that use them, and of information overload, where small enterprises hold very high volumes of information which they may lack the ability to use to their advantage. According to a Symantec study titled Internet Security Threat Report 2013 (2013), small businesses offer the path of least resistance for attackers who intend to steal information for their own profit.
Currently many small businesses do not have well established information security systems in place because of the belief that they lack the resources and the know-how that large companies have to protect their information. This has proved to be a dangerous notion: because these businesses operate on small margins, the risks they bear from security threats have a higher potential of affecting their very existence. The unfriendly business environment of the last few years, caused by the economic crisis, has made this problem worse, since many small businesses simply do not have the resources to implement comprehensive information system security measures that can withstand constant attacks from cyber hackers.
The use of cloud computing and social networking has opened new avenues through which small businesses can be targeted. Such openings for malicious attacks on information systems have grown in the last few years and are currently one of the main issues that small businesses have to deal with in securing their information. Though social networking and cloud computing offer what seem to be endless opportunities for cheap marketing and for backing up information, they pose a great threat in that they are one avenue through which hackers can gain access to confidential information stored in the information systems of small enterprises.
The use of social networking has ballooned in the last two years. This use is mainly on mobile platforms, and the use of smartphones is expected to grow further in the next several years, especially in developing nations. There is a misguided notion among small businesses that mobile phones do not pose a threat to their information. However, according to a study by Symantec (2013), mobile phones do pose a threat to the information systems of companies: in 2012 there was a 58% increase in mobile malware as compared to 2011. The high number of mobile phones makes such malware potentially dangerous, since it can spread more easily and very fast. This development is set against a backdrop in which companies are adopting policies of issuing employees with mobile phones dedicated to internal communication within the firm. The advantages of mobile telephony in business communication cannot be overemphasized, but mobile phones and networks remain fertile ground for cyber attacks that aim to compromise the confidential data held by small businesses.
According to the Symantec study, there was a 42% increase in targeted system attacks in 2012 as compared to 2011. On average, these attacks exposed the private information of 604826 individuals, and it is estimated that billions of dollars are lost every week as a result of such attacks. There has been a growth of underground hacking organizations which target particular groups of business and public organizations, usually at the same time and to disastrous effect. It is in this environment that small businesses must operate, and these underground hacking movements pose a very high risk to the confidential information held by most small business entities.
Potential consequences of not implementing security practices
Poor implementation of security practices, or the non-existence of such practices, has the potential to cause losses of high magnitude, financially and otherwise.
The failure of small businesses to implement simple system security measures can result in the loss of business secrets and strategies to competitors. This threat mainly takes the form of third parties gaining access to internal business information, which they then sell or make available to competitors. Such incidents can result in high financial losses and loss of business in the form of intellectual property, customers and trade strategies. A case in point is provided in the study by the Internet Security Alliance (2004), in which a former employee of a contractor called Chino in California used his email to read the messages of company executives, in the process gaining information which he sold to competitors of the company. This situation could have been prevented by ensuring that the executives' emails were encrypted. Former employees' access to information systems should also be terminated when their duties in the company end. Therefore, as this case illustrates, there is a potential for loss of information to competitors if information systems are not secured.
Another potential loss that small businesses can incur is through computer viruses embedded as email attachments. This can be prevented through simple education of email users on the risks of opening email attachments from suspicious or unknown sources. The use of anti-malware software on company computers will also go a long way towards ensuring that such attacks are prevented. As an example, the Internet Security Alliance (2004) gives a case (Case 2) which illustrates the potential harm caused by malicious software spread through email. The MyDoom email worm and its variants were spread in 2004 in the form of a well disguised email attachment which, when opened, installed backdoor software that allowed unauthorized access to the computer. It is estimated that the total costs to businesses of attacks through the MyDoom worm have run into billions of dollars.
In another case provided by the Internet Security Alliance (2004), a New Jersey utility consultant allowed his customer address book to be used to spread viruses to his customers through bogus emails. This occurred because he had not updated the antivirus software on a new computer he had purchased to improve his service delivery to his customers. As a result, some of his clients terminated their business with him. This shows that, as a consequence of poor security measures, a small business may suffer loss of clientele and business. Such information security lapses can damage business relationships and lower the reputation of a business among its customers.
Case four of the Internet Security Alliance (2004) study indicates that lapses in information security can result in liability losses for a small business. The case shows that although most hotels have a wireless network, its security is so low that guests can hack into the hotel's systems and obtain confidential data about its clients. This would expose these hotels to liability lawsuits from guests who suffer losses caused by hackers. Therefore, to avoid liability in such scenarios, a small investment in firewalls would go a long way towards dealing with the threats posed by such information security lapses.
Lapses in the security systems of small businesses may also leave their information systems without physical protection. Case six illustrates this with the example of an accounting firm in New Jersey that was meticulous in making backups of clients' records. A fire on site caused the loss of all these records, and the accountant was saved only because he was storing backups in an office off site. This illustrates that small businesses should take measures to back up their information physically in other locations. In this case, such a measure made a real difference, since the loss of client information would most likely have resulted in the loss of business for the company and probably the loss of its reputation.
Common threats associated with small businesses
Malicious code ranks as one of the most common threats associated with small businesses. This code is usually developed by individuals or organizations whose ultimate aim is to make money by selling to third parties the confidential information gained through the malicious software. It is usually delivered through email attachments, containing these programs, sent to users of a network. Since this type of code tends to operate unnoticed, it may take a long time before it is discovered, by which time a lot of valuable confidential information will have been lost, with the resulting loss of business and funds.
Another common threat associated with small businesses is the loss of computing devices. Small businesses may invest in computers, local networks and other information systems which exist in physical form. In such cases, it is expected that measures would be taken to protect these physical assets, such as installing physical barriers to prevent unauthorized access and hiring guards for the said assets. However, due to their small size, many small businesses do not commit resources to the protection of their information security assets. This makes it easy for computing assets such as computers and servers to be lost. This threat is common to small businesses.
Phishing is another threat which is common to small businesses. Phishing involves the use of dummy email addresses which look similar to genuine ones. Through this method, hackers are able to obtain confidential information from these businesses, which may result in financial losses. Such losses can be avoided by training the staff of these companies on how to recognise and avoid phishing attempts made against the business. Investment should be made in such training on a periodic basis, so that advances in phishing techniques are dealt with properly and the losses that arise from phishing are reduced to a minimum.
Strategies that will provide information assurance for small businesses
Training employees in security principles is one of the major strategies that can be employed to deal with information security threats. A small business should establish security practices within its operations to ensure that the integrity of its information is protected. One way to do this is to train employees on how to set strong passwords and to set up levels of control that limit access to information on the company's network. Through such training, the company should establish appropriate guidelines on information use and access for all employees at all levels of management. Guidelines should also be established on how those who violate the established guidelines are to be disciplined. Employees should also be trained on the rules that have been established for the handling and protection of customer information and other important data held by the company.
Another vital strategy for protecting information in small businesses is to establish measures that protect information, computing devices and networks from cyber attacks. This involves investing in the most advanced and up to date computers, and installing the latest security software and operating systems to protect against computer viruses, malware and other threats to the information system. This strategy also involves installing software updates as soon as they are released by vendors. Employees should be trained in the operation of the software programs used by the business, how to check for updates and how to install these updates without compromising the integrity of the business information systems.
Since the internet has become a vital part of the operations of many small businesses, information security strategy in these firms should include protection from threats posed by the internet. This involves ensuring that the computing systems of the business are protected from hackers by firewalls. A small business should invest in installing the best available firewall and in training employees so that they fully understand how the firewall operates. Such a strategy would play a major role in protecting the integrity of a small business' information system. Employees should also be trained periodically on developments in the computing world, and in particular the internet, so that they are kept abreast of developments which, if not taken into account, may pose a threat to the operations of the business.
Another significant development in the computing domain of small businesses is the use of mobile devices, which small businesses now use to conduct transactions and communicate with clients. It is therefore vital for such businesses to create a mobile device action plan so that the threats posed to their information systems through mobile devices are dealt with conclusively. This could involve training employees in password protection, encrypting their devices and data, and installing mobile security applications to prevent the loss of confidential information to mobile hackers.
Another strategy for protecting vital information and systems is the development of a backup strategy. Employees should be trained to make backup copies of all information contained in the system at periodic intervals. This data should be backed up both on site and off site, and should include data held as both soft copies and hard copies. With advances in technology, cloud computing can also be used to back up data.
Controlling physical access to the computing devices that hold business information is another strategy that small businesses can employ. This involves preventing unauthorized users from accessing and using business computers. Mobile devices such as portable computers and mobile phones are easy targets for theft, and employees should be trained to ensure that such devices are never left unattended. A further measure for protecting information is the creation of user accounts for all employees. Through these accounts, a small business can create privilege levels that determine the kind of information particular employees can access in the system. In this way, everyone who accesses information belonging to the company can be easily tracked, and any breaches of security can be quickly identified and promptly dealt with.
As established earlier, wireless networks can expose small businesses to liabilities if they are not well encrypted and protected. Small businesses should therefore invest in protecting their wireless networks through encryption and password protection. Employees should be trained on how wireless networks operate, how they can be compromised and the best encryption methods available to assure the security of the business' information.
Another strategy that small businesses can employ concerns the use of electronic payment. The use of payment cards has become widespread and is one of the most used modes of payment in modern times. It is therefore to be expected that hackers will target information systems for payment card information, with which it is very easy to make illegal financial gains. As a security measure, small businesses should therefore work closely with banks and other card issuing agencies to ensure that customer data is kept as confidential as possible. One effective strategy in this scenario is to isolate payment systems from the other, possibly less secure, information systems of the business. Employees should be trained in electronic payment processing and, if possible, only a few trusted employees should be tasked with processing these payments.
References
Alter, S. (2003). "18 Reasons Why IT-Reliant Work Systems Should Replace 'The IT Artifact' as the Core Subject Matter of the IS Field." Communications of the Association for Information Systems, 12(23), Oct., pp. 365-394.
Beynon-Davies, P. (2009). Business Information Systems. Basingstoke: Palgrave.
Ciborra, C. (2002). The Labyrinths of Information: Challenging the Wisdom of Systems. Oxford, UK: Oxford University Press.
Galliers, R.D., Markus, M.L., & Newell, S. (Eds.) (2006). Exploring Information Systems Research Approaches. New York, NY: Routledge.
GFI White Paper (2010). Security Threats: A Guide for Small and Medium Businesses. Retrieved from http://www.gfi.com/whitepapers/security_threats_SMBs.pdf
Grossman, G., & Helpman, E. (2005). "Outsourcing in a Global Economy." Review of Economic Studies, 72, pp. 135-159.
Internet Security Alliance (2004). Common Sense Guide to Cyber Security for Small Businesses.
Internet Security Report (2013). Symantec Corporation. Retrieved from http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
John, W., & Joe, P. (2002). Strategic Planning for Information System, 3rd ed. West Sussex: John Wiley & Sons Ltd.
Lacey, D. (2004). Responding to the New Information Risk Landscape: New Priorities, New Skills and New Solutions. Retrieved from https://www.qualys.com/docs/Responding_to_Risk.pdf
Lindsay, J. (2000). Information Systems: Fundamentals and Issues. Kingston University, School of Information Systems.
O'Brien, J.A. (2003). Introduction to Information Systems: Essentials for the E-Business Enterprise. Boston, MA: McGraw-Hill.
O'Leary, T., & O'Leary, L. (2008). Computing Essentials Introductory 2008. McGraw-Hill.
Rainer, R.K., & Cegielski, C.G. (2009). Introduction to Information Systems: Enabling and Transforming Business, 3rd ed.
Solutions for Small Business (2010). Cyber Security Strategies for the Small Business Market.