
The Need for Information Security Management for Small to Medium-Sized Enterprises - Literature review Example

Summary
"The Need for Information Security Management for Small to Medium-Sized Enterprises" paper provides an analysis of the need for information security management. It describes the controls that organizations ought to put in place to make sure that they are managing information security risks. …

Extract of sample "The Need for Information Security Management for Small to Medium-Sized Enterprises"

The Need for Information Security Management for Small to Medium-sized Enterprises

Table of contents
1. Introduction
2. Justifying the Need for Sound Information Security Management in SMEs
3. Incident Response Management and Disaster Recovery
4. Mobile Device Security Management
5. Linking Business Objectives with Security in SMEs and Larger Enterprises
6. Biometric Security Devices and their Use
7. Ethical Issues in Information Security Management
8. Security Training and Education
9. Defending Against Internet-Based Attacks
10. Industrial Espionage and Business Intelligence Gathering
11. Governance Issues in Information Security Management
12. Personnel Issues in Information Security
13. Physical Security Issues in Information Security
14. Cyber forensic incident response
15. Conclusion

Introduction

Small to medium-sized business enterprises constitute a significant portion of global economic activity. OECD (2006) argues that while there is no agreed definition of SMEs, they can generally be defined as non-subsidiary, independent firms that employ fewer than a specified number of employees, which varies between countries, with the most common upper limit being 250 employees. According to Tawileh et al. (2007), both large and small to medium-sized business enterprises have often invested significant amounts of resources so that their presence could be felt within global networks. As a result, more information is increasingly created and converted into digital format, saved on various storage media and transmitted via interconnected networks.
As highlighted by Lacey & James (2010), there is currently a growing amount of reliable information and knowledge available owing to significant developments in information and communication technology (ICT) services. As Lacey & James (2010) further highlight, alongside knowledge, information is currently regarded as a very significant asset in addition to the traditional production elements such as labour, required materials and capital. The outcomes of business activity, including the products available to consumers, are often information. Information, and in particular knowledge, are therefore argued to be significant success factors that are critical to the activities of any business. Interest in information and knowledge security has thus been regarded as increasing with the growth of information and communication technology (ICT). While it is argued that businesses benefit significantly from the developments initiated by the growth of ICT, there have been significant challenges associated with these developments that have had a massive negative impact on small to medium-sized business enterprises, chief among them the challenges associated with information security. According to Bidgoli (2006), small and medium-sized business enterprises experience an increasing array of threats associated with information security. A great number of these enterprises have, however, been argued to view security as other people’s problem, or to wish it were so, while minimizing their involvement and commitment. The former point is highlighted to have been a generally consistent view conveyed by all small and medium-sized enterprises as well as consulted experts.
This endemic attitude is argued to be encouraged by sales pitches for new technology that promote business benefits while hardly mentioning difficult areas such as security, which is quite capable of impeding business sales. This paper therefore intends to provide an analysis of the need for information security management for small to medium-sized enterprises. As defined by Brotby (2012), information security management describes the various controls that organizations ought to put in place to make sure that they are effectively managing information security risks. As highlighted by Laudon & Laudon (2006), information systems are interrelated components that collect, process, store and distribute information in support of decision-making, coordination and control within organizations. From the business perspective, information systems are solutions to the management and organization of businesses, mainly by applying information technology to address challenges arising from the business environment. Information systems are thus useful to managers and employees in analyzing problems, creating new products and visualizing complex subjects. According to Laudon & Laudon (2006), while information systems contain information about significant individuals, places and other things within given organizations and the surrounding environment, information in this case is essentially data that have been shaped into a form that is meaningful and helpful to people. This is a trend that is commonly evident within the 21st-century globalized world of businesses (digital firms), where the internet plays a significant role.
Apart from the numerous benefits that have come with the development of information technology systems, there have also been concerns regarding the security of information, which has brought about information security management.

Justifying the Need for Sound Information Security Management in SMEs

As Probst et al. (2010) state, information security management is a complex combination of various organizational policies, processes and functions employed by businesses in determining, implementing, maintaining and updating information security counter-measures. Probst et al. (2010) further highlight that the primary goal of information security management is to enable organizations to respond to the manner in which information processing and storage are carried out, so that information processing achieves its intended objectives without exposing the organization’s information to undue risks. Information security management therefore offers various processes that assist in evaluating information risk levels while also providing a means of responding to such risk levels. In this period of globalized economies characterized by constantly evolving enterprise risks, cross-organizational collaboration and online trading, information security has turned out to be a more significant business enabler than was ever thought possible. As new research, tools, technologies and standards emerge, business enterprises have been presented with various mechanisms to enable them to secure their transactions together with the basic infrastructure and the information involved. Nevertheless, many business enterprises still face challenges associated with risk management.
As highlighted by ISACA (2009), the precise role and significance of sound information security management remain unclearly defined within many enterprises, especially many small to medium-sized enterprises. ISACA (2009) argues that while some small to medium-sized enterprises still regard information security as a cost center, there is compelling evidence that effectively managed information security is instrumental in enabling such enterprises to achieve their business goals as a result of improved efficiency and the alignment of business objectives. While information technology offers tools that are crucial for protecting information within small to medium-sized enterprises, ISACA (2009) emphasizes that technology alone cannot provide the solution. To ISACA (2009), protecting information requires sound information security management within small to medium-sized enterprises, in view of the dire need to establish effective information security policies supported not only by recommended standards but also by guidelines and procedures. As such, sound information security management, through its guidance, establishes direction for information security programs and expectations for how information is to be applied, shared, disseminated and destroyed. In a number of enterprises, though, technology strategies, processes, standards and policies are designed without a clear understanding of the manner in which organizational culture affects the effectiveness of programs. This implies that security initiatives that do not take into consideration how individuals respond to and use technology more often than not fail to achieve the intended benefits. In such matters, sound information security management comes in handy in ensuring that information security programs incorporate details of the manner in which the enterprise and its employees, processes and applicable technologies interact.
Sound information security management additionally ensures that matters regarding organizational governance, architectural support, culture and human factors are taken into account, with specific emphasis on how they facilitate or deter the enterprise’s ability to protect information and manage risks. Sound incident response management and disaster recovery therefore ought to play an integral role in an enterprise’s overall risk mitigation and security policy strategies.

Incident Response Management and Disaster Recovery

How prepared an enterprise’s information technology department is to handle security incidents is quite important, especially in view of the fact that a number of small to medium-sized enterprises, in comparison to larger enterprises, often respond to security incidents only after experiencing attacks. By then, such incidents often turn out to be far more costly than expected (Ellis & Speed, 2001). As highlighted by Schweitzer (2007), incident response and disaster recovery are terms that both describe an enterprise’s manner of dealing with computer and network threats following a disastrous occurrence. However, such responses may never need to be implemented if an enterprise plans ahead for such possibilities before they actually occur. Schweitzer (2007) highlights that pre-emptive measures are capable of heading off serious debilitations such as legal ramifications, financial losses and even the tainting of the enterprise’s good image. According to Morreale (2006), incident response management is more than just managing breaches initiated by outside intruders. It can be viewed as the ability to effectively manage various incidents, ranging from minor virus infestations to major data losses as well as losses in productivity instigated by malicious parties within or outside the business enterprise.
As highlighted by Morreale (2006), unlike large enterprises, a large number of small to medium-sized enterprises consider themselves safe from various incidents since they often process data that is of little relevance to outside parties. They perceive themselves as so small that they cannot imagine an individual from outside the enterprise finding such data, let alone attacking them. In addition, they often do not perceive themselves as having adequate resources that warrant worrying about the occurrence of an incident unless they experience one. While such views are common among small to medium-sized enterprises, Morreale (2006) argues that these assumptions are mere fallacies. A particular reality, though harsh for small to medium-sized enterprises, is that the 2007 Federal Bureau of Investigation’s computer-crime survey indicated that insider abuse of network access and email was the most dominant security issue, ranging between 52 percent and 59 percent of all incidents. In addition, the average yearly loss due to security-related incidents has skyrocketed to approximately 350,424 US dollars. These are staggering figures given the resources typically spent by such enterprises on external versus internal security threats. According to Morreale (2006), it is therefore critical for such enterprises to adopt a holistic approach towards security management that gives consideration to all kinds of threats, and not merely those that receive significant media attention. Sooner or later, all small to medium-sized enterprises will experience an incident; however, those that prepared adequately will emerge from the incident with minimal damage.
Successful enterprises often operate with a view not only to revenue growth but also to loss prevention. According to GFI (2013), small to medium-sized enterprises are affected more than larger enterprises when either one or all of the business requirements are hit hard. Data leakage, downtime and loss of reputation can easily drive away potential as well as existing clients if the situations are handled ineffectively and reluctantly. This may consequently affect an enterprise’s bottom line and eventually its profit margins. As DuBois & Yezhkova (2009) highlight, according to research conducted by the International Data Corporation (IDC), small to medium-sized enterprises and larger enterprises have distinct overall information technology (IT) infrastructure characteristics, staffing requirements and budgeting requirements in matters regarding information backup, retention and recovery. However, DuBois & Yezhkova (2009) state that even though the differences between what small to medium-sized enterprises and larger ones encounter in terms of technical requirements and the features and functions involved have begun to fade, some significant distinctions still exist. In small to medium-sized enterprises, disaster recovery plans are often relatively unsophisticated and straightforward. In larger enterprises, on the other hand, they often involve many facilities, entire departments and corporate strategic plans. Nonetheless, according to Dulaney (2011), in both cases the overall purpose is to develop the means and methods of restoring services as fast as possible, besides protecting the enterprise from unwanted losses in the event of a disaster.
While disaster recovery plans enable enterprises to respond appropriately in case of disasters, Dulaney (2011) asserts that sound disaster recovery plans enable enterprises to respond effectively to disasters such as failures in networks, systems and infrastructure, as well as natural disasters. The primary goal of such plans is therefore to re-establish services while minimizing losses. Dulaney (2011) additionally highlights that a key component of a disaster recovery plan is accessing and storing information; hence data backup plans are integral to the whole process of how an enterprise responds to disasters.

Mobile Device Security Management

As highlighted by WatchGuard Technologies (2008), a lot of sensitive data is compromised each year when enterprise employees accidentally forget or lose portable devices such as USB sticks, smartphones and, in most cases, laptops containing vital data in cabs, hotel rooms and commuter trains. WatchGuard Technologies (2008) thus emphasizes that when data is stored on small, portable devices, it is wiser for administrators to stop merely imagining what will happen or what they will do if such devices get lost, and instead to have strategic plans in place to address such incidents when they occur. A sound mobile-device security management strategy should focus on mitigating data loss by managing the mobile devices from a central point. This calls for investment in software and servers that centrally manage the mobile devices. Such steps significantly minimize the negative impact of device losses. An example is Research in Motion’s BlackBerry Enterprise Server, which ensures that all transmissions are encrypted and that, when an employee notifies management of a lost phone, the data on that phone can be remotely wiped.
According to Rashid (2013), a large number of small and medium-sized enterprises are often either uninformed about or helpless against the predominant network security threats posed by their employee-owned portable devices. As Rashid (2013) highlights, SMEs are often inadequately prepared to guard their mobile devices since their IT professionals, as opposed to the IT professionals of larger enterprises, are often uninformed about critical threats that target mobile devices. According to Rashid (2013), a survey on network security threats revealed that over 50% of the IT professionals within SMEs were unaware of the advanced and persistent threats targeting various mobile devices. Spear phishing attacks present a unique scenario, with about 45% of the IT professionals within SMEs being unaware of the potential problem they pose to mobile users.

Linking Business Objectives with Security in SMEs and Larger Enterprises

As Whitman & Mattord (2010) state, a great number of information security professionals acknowledge that linking information security requirements with the objectives of a given enterprise ought to be accorded a higher priority. As Aoufi (2011) argues, for security programs to be effective, they must be aligned with the enterprise’s objectives and strategies. Aoufi (2011) also notes that security alignment can be attained where the balancing of security initiatives and business requirements is given greater consideration. According to Whitman & Mattord (2010), linking information security with business objectives entails persuading the enterprise’s top management as well as its funders of the viable protective measures or even the return on investment in security. In formulating the security agenda, some disciplines that require great consideration include accessing, strategizing, aligning and communicating, respectively.
This framework is argued to be especially helpful to small to medium-sized enterprises. In large enterprises, characterized by departments and employees spread across several places, business units and offices, there are often more challenges and difficulties than in SMEs in terms of accessing and collecting the needed information within the discipline.

Biometric Security Devices and their Use

Biometric security devices are devices that identify individuals by their distinctive and measurable behavioural and biological characteristics. The extensive or selective application of these devices within SMEs depends largely on the type of business as well as the extent of the security need. Jain & Ross (2008), however, highlight that the increased cost incurred in deploying such devices is among the many considerations within SMEs. As such, in determining such a need, SMEs ought to assess the probable costs before initiating such moves. It is thus crucial that enterprises decide on the relevance of such devices in their facilities; if they are deemed unnecessary, other security devices could be adopted. Since biometric devices are often employed at large scale where security is more demanding, they are often used by larger enterprises, if not by certain governments enforcing compliance with their use.

Ethical Issues in Information Security Management

As highlighted by SearchSecurity (2008), security professionals should be conscious of and knowledgeable about the human right to privacy, since matters regarding human rights more often than not generate more outrage than the other sociological issues that might be involved. SMEs in particular ought to carefully observe ethical issues pertaining to information security management.
An example would be giving consideration to installing surveillance cameras in appropriate places to avoid infringing on any individual’s privacy.

Security Training and Education

According to Aoufi (2011), the threats facing enterprises are continuously increasing, from the financial crisis to organized crime and more. Even so, technology has been regarded not only as a problem but also as a solution. In fact, technology is argued to have perhaps increased the level of risk faced by enterprises. However, technology on its own cannot satisfactorily solve the problems. The challenge is therefore to put in place sound risk-management processes in addition to offering training and education for employees. Without training and education of employees on information security, the information security infrastructure is bound to be feeble and will fail to safeguard the enterprise’s assets. As such, Stoneburner et al. (2001) highlight that continuous education and training on information technology security is fundamental to minimizing human error. On the other hand, Kelly (2011) highlights that SMEs are quite different from larger enterprises, not in terms of security threats, which are similar, but in terms of how they operate. SMEs emphasize quick, cost-effective and easily managed control strategies and solutions, as they lack adequate knowledge, finances and motivation. As such, they do not value the labour-intensive controls favoured by larger enterprises. While larger enterprises focus on maximizing security budgets, including for education and training, SMEs have been known to be frugal and customer-focused. Since the most secure enterprises spend their resources on employee education and training, SMEs will only be secure if they emphasize training and awareness.

Defending Against Internet-Based Attacks

Generally, all enterprises with an internet presence are vulnerable to internet attacks.
Bespoke and custom-made applications on the internet that are accessed by the public face greater risks from common attacks, including URL rewriting and input-validation attacks. Web attacks, as Bidgoli (2006) highlights, are more dangerous since firewalls often do not filter the information reaching the web ports. In SMEs, as Ayrmer Software Limited (2010) indicates, bespoke software is more commonly used than costly turnkey solutions; hence it is crucial for development teams to be knowledgeable about web attacks. Such awareness is the main key to protection from internet-based attacks. Secure coding and control of ports can serve as additional measures.

Industrial Espionage and Business Intelligence Gathering

One dominant issue relating to industrial espionage among SMEs is not how to initiate it against competitors but rather how to prevent it and protect themselves from it. Having successfully dominated a saturated market, SMEs often have a competitive edge over their competitors, facilitated by better business processes and techniques, and hence may attract industrial espionage driven by competition. According to Warkentin & Vaughn (2006), industrial espionage is widely acknowledged to be the stealing of an enterprise’s crucial trading information and secrets (business intelligence) through unethical means, and it carries strict punitive measures as stipulated by the laws of many nations. Education has been regarded as one of the most effective ways of defending an enterprise against acts of industrial espionage. As such, it is imperative to educate the enterprise’s employees on the common signs and behaviours that secret agents commonly display. Espionage within SMEs is often the result of motives associated with revenge, competition and blackmail.
SMEs should therefore have prerequisite knowledge of this, including the potential reasons for such actions, before initiating any defense, as this forms one of the major steps in espionage prevention (Tschetschonig, 2012).

Governance Issues in Information Security Management

According to OECD (2010), ICT deployment is not the end of the successful implementation of information security initiatives within enterprises. A vital element in the successful implementation of sound information security strategies is quality management that ensures investment in information security yields positive outcomes in the long run. As Bougaardt & Kyobe (2011) highlight, SMEs still experience significant challenges associated with the management of information security. Good governance therefore requires that comprehensive, detailed scrutiny and the implementation of effective processes be carried out to achieve the desired outcomes.

Personnel Issues in Information Security

According to Chapple (2003), personnel issues are among the most important yet most often overlooked issues in information security. Challenges associated with the hiring and welfare of employees are some of the most serious concerns, within SMEs in particular, where fundamental security infrastructure has to be put in place. An enterprise that is able to terminate or offer golden handshakes to employees ought to make sure that such employees never engage in any illegal activities. In this case, non-disclosure and non-competition agreements ought to be agreed upon between the two parties to act as a legal bond prohibiting such an employee from revealing sensitive information accumulated throughout his or her term of employment. SMEs also need to embrace a culture of retaining and developing employees rather than replacing them, since retaining them proves more cost-effective than replacing them in the long run.
In other cases, employees who leave such enterprises dissatisfied may have defection issues, which may be a disadvantage to the enterprise. As such, Brotby & Hinson (2013) suggest that enterprises ought to consider conducting proficient exit interviews, in addition to having human resource departments engage extensively with such employees, in order to help them leave the enterprise on good terms and reduce ill feelings, or even to offer placements in partner enterprises.

Physical Security Issues in Information Security

Physical security relates to the governance and protection of an enterprise’s physical assets, including physical access to and control of the premises. As highlighted by Purser (2004), when physical security is effectively implemented, the benefits are often associated with the prevention of interruptions to computer services, theft, damage and illegal information disclosure. Unlike larger enterprises, SMEs have small and easily monitored information technology infrastructure and associated assets. Apart from this, SMEs often have specific locations that are locked against unauthorized personnel and reserved for their IT facilities, mainly to ensure the protection of vital information. However, issuing mobile devices to some important managerial staff owing to the nature of their roles may compromise information security and result in physical attacks. Due to this, better security technologies are still emerging, including centralized control of such devices.

Cyber forensic incident response

Cyber forensic incident response involves various procedures that security personnel follow while providing assistance during forensic investigations. The entire incident response process often involves gathering evidence in the appropriate places, preserving such evidence and eventually examining it.
According to Casey (2004), because forensic gathering, evaluation, findings and final judgments are not often within the scope of SMEs, third-party forensic experts are often relied upon to perform such tasks. Casey (2004) argues that the initial action to be undertaken at scenes requiring forensics is to secure such scenes appropriately. This involves limiting not only physical access but also logical access to the machines, devices or systems that have been affected. It is often important to single out the devices that are to be investigated and determine their functioning status. Devices that are turned off should not be turned on, while those that are turned on and have visible displays should have their screens and the surrounding environment photographed as much as possible.

Conclusion

Security within small to medium-sized enterprises is more than merely preventing viruses or blocking spam. It is a complex threat that is anticipated to heighten given the increasing criminal attempts at exploiting weaknesses within systems and among individuals. While enterprises are different, in most cases the security threats they face are common and a cost to business operations. From the analysis, what is clearly evident is that enterprises have, more than ever before, gone global, a factor that is without a doubt attributed to, among other things, the expansion of e-commerce capabilities. Enterprises have also become increasingly dependent on third-party vendors in their business operations. As a result, this has posed serious challenges to the departments in charge of information security, which have the responsibility of ensuring that important customer data and internal business information are adequately protected when there is communication between the business enterprise and other enterprises.
Since it requires complex systems to deal with such complex opportunities, information security has to keep pace with changing situations and trends. All security models ought to recognize and integrate the dynamic relationships of the enterprise, both internal and external. External relationships, involving third-party vendors, and internal relationships, constituting individual units within the enterprise, contribute significantly to the various dynamics shaping the enterprise’s culture. Many enterprise activities relate in some way to security, safety and assurance. Typical departments include information security, physical security, risk management, privacy, audit, facilities, compliance, legal, human resources, and quality control. The activities within these departments are often viewed as silos: they are perceived as not typically linked, have distinct reporting structures, communicate differently and collectively consume a significant portion of an enterprise’s resources. Nonetheless, all are involved in activities related to security. Integrating these activities within a model that makes explicit the interrelationships and impacts among the related tasks has the capacity to deal with issues regarding general assurance-process integration and, more importantly, cost-effective security. In general, security is a cost in business operations; however, those enterprises that prepare adequately against potential threats stand to benefit more in the long run.

References

Aoufi, S. (2011). Information Security Economics. The Stationery Office.
Ayrmer Software Limited. (2010). Understanding the Total Cost of Ownership, Retrieved on October 7th, 2013 from
Brotby, K & Hinson, G. (2013). Practical Information Security Metrics. CRC Press.
Brotby, K. (2012). Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement. Taylor & Francis.
Bidgoli, H. (2006). Handbook of Information Security, Threats, Vulnerabilities, Prevention, Detection, and Management: Volume 3 of Handbook of Information Security. John Wiley & Sons.
Bougaardt, G & Kyobe, M. (2011). Investigating the Factors Inhibiting SMEs from Recognizing and Measuring Losses from Cyber Crime in South Africa, Electronic Journal Information Systems Evaluation, Vol.14 Iss.2.
Chapple, M. (2003). Brush up on Personnel Security, Retrieved on October 7th, 2013 from
Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Academic Press.
Clinch, J. (2009). Best Management Practice for Portfolio, Programme, Project, Risk and Service Management: ITIL V3 and Information Security. Clinch Consulting.
Dulaney, E. (2011). CompTIA Security+ Deluxe Study Guide Recommended Courseware: Exam SY0-301. John Wiley & Sons.
DuBois, L & Yezhkova, N. (2009). Distinctions between SMB and Enterprise Requirements for Protection, Archiving, and Recovery.
Ellis, J & Speed, T. (2001). The Internet Security Guidebook: From Planning to Deployment. Academic Press.
GFI. (2013). Security Threats: A Guide for Small and Medium Businesses, Retrieved on October 4th, 2013 from
Jain, A & Ross, A. (2008). Introduction to Biometrics. Handbook of Biometrics. Springer.
Kelly, L. (2011). The Top Five SME Security Challenges. Computer Weekly.
Lacey, D & James, B. (2010). Review of Availability of Advice on Security for Small/Medium Sized Organizations.
Laudon, K & Laudon, J. (2006). Management Information Systems: Managing the Digital Firm, 9th Edition. Prentice Hall.
Morreale, T. (2006). Incident handling for Small to Medium Enterprises.
OECD. (2006). The SME Financing Gap. Theory and Evidence. OECD Publishing.
OECD. (2010). Good Governance for Digital Policies: How to Get the Most out of ICT: The Case of Spain's Plan Avanza. OECD Publishing.
Probst, C, Bishop, M, Gollmann, D & Hunker, J. (2010). Insider Threats in Cyber Security. Volume 49 of Advances in information security, Springer.
Purser, S. (2004). A Practical Guide to Managing Information Security. Artech House.
ISACA. (2009). An Introduction to the Business Model for Information Security.
Rashid, F. (2013). Most Small to Medium Enterprises Clueless on Common Mobile Threats: Survey. Security Week.
Schweitzer, D. (2007). Know the Difference between Disaster Management vs. Incident Management: Hope for the best, but prepare for the worst, Retrieved on October 4th, 2013 from
Stoneburner, G, Goguen, A & Alexis, F. (2002). Risk Management Guide for Information Technology Systems.
SearchSecurity. (2008). Spotlight article: Domain 8, Laws, Investigations and Ethics.
Tawileh, A, Hilton, J & McIntosh. (2007). Managing Information Security in Small and Medium-sized Enterprises Holistic Approach.
Tschetschonig, K. (2012). How SMEs protect critical knowledge in joint innovation activities with external partners. GRIN Verlag.
WatchGuard Technologies. (2008). Top 10 Threats to SME Data Security, Retrieved on October 4th, 2013 from
Whitman, M & Mattord, H. (2010). Principles of Information Security. Cengage Learning.
Warkentin, M & Vaughn, R. (2006). Enterprise Information Systems Assurance and System Security: Managerial and Technical Issues. Idea Group Inc.