全部 标题 作者
关键词 摘要

OALib Journal期刊
ISSN: 2333-9721
费用:99美元

查看量下载量

相关文章

更多...

Cybersecurity Guide for SMEs: Protecting Small and Medium-Sized Enterprises in the Digital Era

DOI: 10.4236/jis.2025.161001, PP. 1-43

Keywords: Cybersecurity, Cybercrime, SMEs (Small and Medium-Sized Enterprises), Risk Management, Ransomware, Phishing, Social Engineering, Malware

Full-Text   Cite this paper   Add to My Lib

Abstract:

Small and Medium-sized Enterprises (SMEs) are considered the backbone of global economy, but they often face cyberthreats which threaten their financial stability and operational continuity. This work aims to offer a proactive cybersecurity approach to safeguard SMEs against these threats. Furthermore, to mitigate these risks, we propose a comprehensive framework of practical and scalable cybersecurity measurements/protocols specifically for SMEs. These measures encompass a spectrum of solutions, from technological fortifications to employee training initiatives and regulatory compliance strategies, in an effort to cultivate resilience and awareness among SMEs. Additionally, we introduce a specially designed a Java-based questionnaire software tool in order to provide an initial framework for essential cybersecurity measures and evaluation for SMEs. This tool covers crucial topics such as social engineering and phishing attempts, implementing antimalware and ransomware defense mechanisms, secure data management and backup strategies and methods for preventing insider threats. By incorporating globally recognized frameworks and standards like ISO/IEC 27001 and NIST guidelines, this questionnaire offers a roadmap for establishing and enhancing cybersecurity measures.

References

[1]  World Bank (2024) Small and Medium Enterprises (SMEs) Finance.
https://www.worldbank.org/en/topic/smefinance
[2]  European Commission (2024) SME Definition.
https://single-market-economy.ec.europa.eu/smes/sme-definition_en
[3]  IBM (2024) IBM Cost of a Data Breach Report.
https://www.ibm.com/reports/data-breach
[4]  Chaudhary, S., Gkioulos, V. and Katsikas, S. (2023) A Quest for Research and Knowledge Gaps in Cybersecurity Awareness for Small and Medium-Sized Enterprises. Computer Science Review, 50, Article ID: 100592.
https://doi.org/10.1016/j.cosrev.2023.100592
[5]  Erdogan, G., Halvorsrud, R., Boletsis, C., Tverdal, S. and Pickering, J. (2023) Cybersecurity Awareness and Capacities of SMEs. Proceedings of the 9th International Conference on Information Systems Security and Privacy, Lisbon, 2003, 296-304.
https://doi.org/10.5220/0011609600003405
[6]  Junior, C.R., Becker, I. and Johnson, S. (2023) Unaware, Unfunded and Uneducated: A Systematic Review of SME Cybersecurity. arXiv: 2309.17186.
[7]  Wilson, M., McDonald, S., Button, D. and McGarry, K. (2022) It Won’t Happen to Me: Surveying SME Attitudes to Cyber-security. Journal of Computer Information Systems, 63, 397-409.
https://doi.org/10.1080/08874417.2022.2067791
[8]  Alahmari, A. and Duncan, B. (2020) Cybersecurity Risk Management in Small and Medium-Sized Enterprises: A Systematic Review of Recent Evidence. 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), Dublin, 15-19 June 2020, 1-5.
https://doi.org/10.1109/cybersa49311.2020.9139638
[9]  Pleshakova, E., Osipov, A., Gataullin, S., Gataullin, T. and Vasilakos, A. (2024) Next Gen Cybersecurity Paradigm Towards Artificial General Intelligence: Russian Market Challenges and Future Global Technological Trends. Journal of Computer Virology and Hacking Techniques, 20, 429-440.
https://doi.org/10.1007/s11416-024-00529-x
[10]  European Union Agency for Cybersecurity (ENISA) (2024) What Is Social Engineering.
https://www.enisa.europa.eu/topics/incident-response/glossary/what-is-social-engineering
[11]  Agazzi, A. (2020) Business Email Compromise (BEC) and Cyberpsychology.
https://arxiv.org/abs/2007.02415
[12]  Salahdine, F. and Kaabouch, N. (2019) Social Engineering Attacks: A Survey. Future Internet, 11, Article 89.
https://doi.org/10.3390/fi11040089
[13]  Hadnagy, C. (2018) Social Engineering: The Science of Human Hacking. 2nd Edition, Wiley.
https://doi.org/10.1002/9781119433729
[14]  Kramer, S. and Bradfield, J.C. (2009) A General Definition of Malware. Journal in Computer Virology, 6, 105-114.
https://doi.org/10.1007/s11416-009-0137-1
[15]  Saeed, I.A., Selamat, A. and Abuagoub, A.M.A. (2013) A Survey on Malware and Malware Detection Systems. International Journal of Computer Applications, 67, 25-31.
https://doi.org/10.5120/11480-7108
[16]  (2024) Opentext Cybersecurity.
https://www-cdn.webroot.com/8916/9999/2485/Ransomware_Survey_2023_Final.pdf
[17]  Aurangzeb, S., Aleem, M., Iqbal, M.A. and Islam, M.A. (2017) Ransomware: A Survey and Trends. Journal of Information Assurance & Security, 6, 48-58.
[18]  SOPHOS (2024) The State of Ransomware, 2023.
https://www.sophos.com/en-us/content/state-of-ransomware
[19]  OBERLO (2024) How Many Emails Are Sent Per Day.
https://www.oberlo.com/statistics/how-many-emails-are-sent-per-day
[20]  Cyberspace Project (2024) Business Email Compromise BEC Attacks.
https://cyberspaceproject.eu/wp-content/uploads/2024/03/CYBERSPACE_T2.3_Topic-15_PN_Business-Email-Compromise-BEC-Attacks.pdf
[21]  Papathanasiou, A., Liontos, G., Paparis, G., Liagkou, V. and Glavas, E. (2024) BEC Defender: QR Code-Based Methodology for Prevention of Business Email Compromise (BEC) Attacks. Sensors, 24, Article 1676.
https://doi.org/10.3390/s24051676
[22]  Cisa.gov (2024) Defining Insider Threats.
https://www.cisa.gov/topics/physical-security/insider-threat-mitigation/defining-insider-threats
[23]  Hayden, M.V. (1999) The Insider Threat to US Government Information Systems. National Security Telecommunications and Information Systems Security Committee (NSTISSAM) INFOSEC, 1-99.
[24]  Homoliak, I., Toffalini, F., Guarnizo, J., Elovici, Y. and Ochoa, M. (2019) Insight into Insiders and It: A Survey of Insider Threat Taxonomies, Analysis, Modeling, and Counter-Measures. ACM Computing Surveys, 52, 1-40.
https://doi.org/10.1145/3303771
[25]  Mthiyane, Z.Z.F., van der Poll, H.M. and Tshehla, M.F. (2022) A Framework for Risk Management in Small Medium Enterprises in Developing Countries. Risks, 10, Article 173.
https://doi.org/10.3390/risks10090173
[26]  ENISA (2024) Risk Management for SMEs.
https://www.enisa.europa.eu/topics/risk-management/approaches-for-smes/infosec-smes
[27]  Τhe International Organization for Standardization (ISO) (2024) ISO/IEC 27005: 2022 Information Security, Cybersecurity and Privacy Protection. Guidance on Managing Information Security Risks.
https://www.iso.org/standard/80585.html
[28]  Ferreira de Araújo Lima, P., Crema, M. and Verbano, C. (2020) Risk Management in Smes: A Systematic Literature Review and Future Directions. European Management Journal, 38, 78-94.
https://doi.org/10.1016/j.emj.2019.06.005
[29]  Τhe International Organization for Standardization (ISO) (2024) ISO/IEC 27001: 2022 Information Security, Cybersecurity and Privacy Protection Information Security Management Systems Requirements.
https://www.iso.org/standard/27001
[30]  NIST (2024) NIST Special Publication 800-37 Risk Management Framework for Information Systems and Organizations.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
[31]  Lee, J.J., Go, M., Kim, Y., Joo, M., Seo, J., Oh, H., et al. (2020) A Multi-Component Analysis of CPTED in the Cyberspace Domain. Sensors, 20, Article 3968.
https://doi.org/10.3390/s20143968
[32]  ENISA (2024) Octave v2.0 (and Octave-S v1.0 for Small and Medium Businesses).
https://www.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_octave.html
[33]  Alberts, C.J., Behrens, S.G., Pethia, R.D. and Wilson, W.R. (2024) Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE SM) Framework, Version 1.0.
https://insights.sei.cmu.edu/documents/1210/1999_005_001_16769.pdf
[34]  Barraza de la Paz, J.V., Rodríguez-Picón, L.A., Morales-Rocha, V. and Torres-Argüelles, S.V. (2023) A Systematic Review of Risk Management Methodologies for Complex Organizations in Industry 4.0 and 5.0. Systems, 11, Article 218.
https://doi.org/10.3390/systems11050218
[35]  AL-Dosari, K. and Fetais, N. (2023) Risk-Management Framework and Information-Security Systems for Small and Medium Enterprises (SMEs): A Meta-Analysis Approach. Electronics, 12, Article 3629.
https://doi.org/10.3390/electronics12173629
[36]  Bolun, I., Bulai, R. and Ciorbă, D. (2021) Support of Education in Cybersecurity. Pro Publico BonoMagyar Közigazgatás, 9, 128-147.
https://doi.org/10.32575/ppb.2021.1.8
[37]  Kweon, E., Lee, H., Chai, S. and Yoo, K. (2019) The Utility of Information Security Training and Education on Cybersecurity Incidents: An Empirical Evidence. Information Systems Frontiers, 23, 361-373.
https://doi.org/10.1007/s10796-019-09977-z
[38]  He, W., Ash, I., Anwar, M., Li, L., Yuan, X., Xu, L., et al. (2019) Improving Employees’ Intellectual Capacity for Cybersecurity through Evidence-Based Malware Training. Journal of Intellectual Capital, 21, 203-213.
https://doi.org/10.1108/jic-05-2019-0112
[39]  Caulkins, B.D., Badillo-Urquiola, K., Bockelman, P. and Leis, R. (2016) Cyber Workforce Development Using a Behavioral Cybersecurity Paradigm. 2016 International Conference on Cyber Conflict (CyCon U.S.), Washington DC, 21-23 October 2016, 1-6.
https://doi.org/10.1109/cyconus.2016.7836614
[40]  Coull, N., Donald, I., Ferguson, I., Keane, E., Mitchell, T., Smith, O.V., et al. (2017) The Gamification of Cybersecurity Training. In: Tian, F., Gatzidis, C., El Rhalibi, A., Tang, W. and Charles, F., Eds., E-Learning and Games, Springer, 108-111.
https://doi.org/10.1007/978-3-319-65849-0_13
[41]  Gonzalez, H., Llamas, R. and Ordaz, F. (2017) Cybersecurity Teaching through Gamification: Aligning Training Resources to Our Syllabus. Research in Computing Science, 146, 35-43.
https://doi.org/10.13053/rcs-146-1-4
[42]  van Steen, T. and Deeleman, J.R.A. (2021) Successful Gamification of Cybersecurity Training. Cyberpsychology, Behavior, and Social Networking, 24, 593-598.
https://doi.org/10.1089/cyber.2020.0526
[43]  Malone, M., Wang, Y. and Monrose, F. (2021) An Online Gamified Learning Platform for Teaching Cybersecurity and More. Proceedings of the 22nd Annual Conference on Information Technology Education, SnowBird, 6-9 October 2021, 29-34.
https://doi.org/10.1145/3450329.3476859
[44]  Rieff, I. (2018) Systematically Applying Gamification to Cyber Security Awareness Trainings: A Framework and Case Study Approach.
https://www.semanticscholar.org/paper/Systematically-Applying-Gamification-to-Cyber-A-and-Rieff/20887d51c26bd70860482d3d2c92d217e2dfde46
[45]  Jelo, M. and Helebrandt, P. (2022) Gamification of Cyber Ranges in Cybersecurity Education. 2022 20th International Conference on Emerging eLearning Technologies and Applications (ICETA), Stary Smokovec, 20-21 October 2022, 280-285.
https://doi.org/10.1109/iceta57911.2022.9974714
[46]  Ashley, T.D., Kwon, R., Gourisetti, S.N.G., Katsis, C., Bonebrake, C.A. and Boyd, P.A. (2022) Gamification of Cybersecurity for Workforce Development in Critical Infrastructure. IEEE Access, 10, 112487-112501.
https://doi.org/10.1109/access.2022.3216711
[47]  Hsu, F., Wu, M., Tso, C., Hsu, C. and Chen, C. (2012) Antivirus Software Shield against Antivirus Terminators. IEEE Transactions on Information Forensics and Security, 7, 1439-1447.
https://doi.org/10.1109/tifs.2012.2206028
[48]  Patil, B.V. and Jadhav, R.J. (2014) Computer Virus and Antivirus Software a Brief Review. International Journal of Advances in Management and Economics, 4, 1-4.
[49]  Majthoub, M., Qutqut, M.H. and Odeh, Y. (2018) Software Re-Engineering: An Overview. 2018 8th International Conference on Computer Science and Information Technology (CSIT), Amman, 11-12 July 2018, 266-270.
https://doi.org/10.1109/csit.2018.8486173
[50]  Ali, M., Hussain, S., Ashraf, M. and Paracha, M.K. (2020) Addressing Software Related Issues on Legacy Systems—A Review. International Journal of Scientific & Technology Research, 9, 3738-3742.
[51]  Santos, B.M., de Guzman, I.G., de Camargo, V.V., Piattini, M. and Ebert, C. (2018) Software Refactoring for System Modernization. IEEE Software, 35, 62-67.
https://doi.org/10.1109/ms.2018.4321236
[52]  Badhon, A.J. and Aggarwal, D.S. (2021) Cybersecurity in Networking Devices. Journal of Cybersecurity and Information Management, 8, 35-41.
https://doi.org/10.54216/jcim.080104
[53]  Mueller, P., Huang, C., Yu, S., Tari, Z. and Lin, Y. (2016) Cloud Security. IEEE Cloud Computing, 3, 22-24.
https://doi.org/10.1109/mcc.2016.117
[54]  Laksmiati, D. (2023) Vulnerability Assessment with Network-Based Scanner Method for Improving Website Security. Journal of Computer Networks, Architecture and High Performance Computing, 5, 38-45.
https://doi.org/10.47709/cnahpc.v5i1.1991
[55]  Walden, J., Doyle, M., Lenhof, R., Murray, J. and Plunkett, A. (2010) Impact of Plugins on the Security of Web Applications. Proceedings of the 6th International Workshop on Security Measurements and Metrics, Bolzano, 15 September 2010, 1-8.
https://doi.org/10.1145/1853919.1853921
[56]  Fonseca, J.C.C.M.D. and Vieira, M.P.A. (2014) A Practical Experience on the Impact of Plugins in Web Security. 2014 IEEE 33rd International Symposium on Reliable Distributed Systems, Nara, 6-9 October 2014, 21-30.
https://doi.org/10.1109/srds.2014.20
[57]  Cernica, I., Popescu, N. and Tiganoaia, B. (2019) Security Evaluation of Wordpress Backup Plugins. 2019 22nd International Conference on Control Systems and Computer Science (CSCS), Bucharest, 28-30 May 2019, 312-316.
https://doi.org/10.1109/cscs.2019.00056
[58]  Cram, W.A., Proudfoot, J.G. and D’Arcy, J. (2020) Maximizing Employee Compliance with Cybersecurity Policies. MIS Quarterly Executive, 19, Article 5.
[59]  Thomas, J.E. and Galligher, G.C. (2018) Improving Backup System Evaluations in Information Security Risk Assessments to Combat Ransomware. Computer and Information Science, 11, 14-25.
https://doi.org/10.5539/cis.v11n1p14
[60]  Jin, Y., Tomoishi, M., Matsuura, S. and Kitaguchi, Y. (2018) A Secure Container-Based Backup Mechanism to Survive Destructive Ransomware Attacks. 2018 International Conference on Computing, Networking and Communications (ICNC), Maui, 5-8 March 2018, 1-6.
https://doi.org/10.1109/iccnc.2018.8390376
[61]  Alharbi, T. and Portmann, M. (2019) The (in)security of Virtualization in Software Defined Networks. IEEE Access, 7, 66584-66594.
https://doi.org/10.1109/access.2019.2918101
[62]  Dabbagh, M., Hamdaoui, B., Guizani, M. and Rayes, A. (2015) Software-defined Networking Security: Pros and Cons. IEEE Communications Magazine, 53, 73-79.
https://doi.org/10.1109/mcom.2015.7120048
[63]  Barker, E. and Barker, W. (2018) Recommendation for Key Management, Part 2: Best Practices for Key Management Organization. National Institute of Standards and Technology.
[64]  Abrham, T., Kaddoura, S. and Al Breiki, H. (2023) Artificial Intelligence Applications in Cybersecurity. In: Kaddoura, S., Ed., Handbook of Research on AI Methods and Applications in Computer Engineering, IGI Global, 179-205.
https://doi.org/10.4018/978-1-6684-6937-8.ch009

Full-Text

Contact Us

service@oalib.com

QQ:3279437679

WhatsApp +8615387084133