Small and Medium-sized Enterprises (SMEs) are considered the backbone of the global economy, yet they frequently face cyberthreats that endanger their financial stability and operational continuity. This work aims to offer a proactive cybersecurity approach to safeguard SMEs against these threats. To mitigate the associated risks, we propose a comprehensive framework of practical and scalable cybersecurity measures and protocols designed specifically for SMEs. These measures span a spectrum of solutions, from technological fortifications to employee training initiatives and regulatory compliance strategies, with the goal of cultivating resilience and awareness among SMEs. Additionally, we introduce a specially designed Java-based questionnaire software tool that provides an initial framework for essential cybersecurity measures and their evaluation in SMEs. This tool covers crucial topics such as social engineering and phishing attempts, the implementation of antimalware and ransomware defense mechanisms, secure data management and backup strategies, and methods for preventing insider threats. By incorporating globally recognized frameworks and standards such as ISO/IEC 27001 and the NIST guidelines, the questionnaire offers a roadmap for establishing and enhancing cybersecurity measures.