Implementing IT Security for Small and Medium Sized Enterprises

Abstract

Small and medium enterprises (SMEs) increasingly depend on their information technology (IT) infrastructure but lack the means to secure it appropriately due to financial restrictions, limited resources, and adequate know-how. For many managers in SMEs, IT security in their company is basically equivalent to having a firewall and updating the antivirus software regularly. Strategic policies, information theft, business continuity, access controls, and many other aspects are only dealt with in case of security incidents. To improve security in a company holistically, four levels (organizational level, workflow level, information level, and technical level) need to be addressed. Parts of existing standards are useful to address issues on the organizational level; Pipkin’s approach is especially useful for SMEs. Modeling of business processes and taking security/dependability into account can improve reliability and robustness of the workflow level. On the information level, role-based access control is state-of the art. On the technical level, basic security measures (antivirus software, firewalls, etc.) need to be addressed and aligned with a corporate security policy.