Small and Medium Enterprises (SMEs) are a priority focus area for government economic policy and are considered to be of key importance to socio-economic growth in South Africa. SMEs are usually born out of entrepreneurial passion and limited funding, with business systems that are often heterogeneous and independent. Moreover, the tangible and intangible business assets of SMEs are only rudimentarily defined, and the value of such assets is often only partially known. Typically this is the case with one of the most important assets, namely, information.
Much like any other business asset, information needs to be strategically managed and protected. Information security is the protection of information within a business, including the systems and hardware used to store, process and transmit this information. It is imperative that SME business leaders understand the value of the information contained within their business systems and have a framework for assessing and implementing information security. Numerous internationally approved security frameworks and schemes may be implemented to safeguard an organisation against information loss and potential liability. Since these frameworks are complex, all-embracing, and ultimately costly to implement, they are mostly adopted by large organisations.
Usually, due to the dynamic and ad hoc development of many SMEs, neither integration nor security issues are systematically addressed in the build-up phase. Thus, policies and frameworks for information security planning and disaster recovery are usually very rudimentary or even nonexistent. It is often the case that the basic understanding of information security risk in SMEs does not extend much beyond viruses and anti-virus software. Inadvertent threats pose some of the highest information security risks to SMEs, and yet personnel training and awareness programmes are often neglected.
Survey results reveal that the level of information security awareness among SME leaders is as variable as the state of their information systems, technology and security. Although a minority of SMEs do embrace security frameworks such as ISO/IEC 27001 or the international equivalent ISO 17799, most SME executives have not heard of security standards and consider information security only as a technical intervention designed to address virus threats and data backups. Far from blaming SME executives for not understanding the critical issues surrounding information security, research concludes that SME leadership needs to engage with, understand and implement formal information security processes, including technical and organisational measures. Without such measures, their organisations may be severely impacted by inadvertent threats or deliberate attacks on their information systems, which could ultimately lead to business failure.
Based on the contents of this information package, SMEs will be able to perform risk assessments of their environments and to select and apply suitable measures for identifying and managing information security related risks. In this document we assist SMEs in defining such an effort and in deciding how to initiate and perform it, and, if they have sufficient resources, we provide guidelines for performing a self-assessment of information risks. For this purpose, we offer a simple risk assessment method that leads to a quick and encompassing identification and mitigation of information risks.
The assessment method presented in this document is based on a simplified model that has been generated for small organisations which share certain common characteristics. First, their organisational structures are relatively flat, and people from different organisational levels are accustomed to working with each other. Second, people are often required to multi-task, exposing staff members to the entire variety of processes and procedures used across the organisation.