BUSINESS DOMAIN-SPECIFIC LEAST CYBERSECURITY CONTROLS IMPLEMENTATION (BDSLCCI) FRAMEWORK FOR SMALL AND MEDIUM ENTERPRISES (SMES)
Abstract
SMEs (Small and Medium Enterprises) are the most important contributors to the
global economy, accounting for over two-thirds of worldwide job opportunities and
more than half the GDP of developed economies. Cyber-attack statistics and news
reports also make it clear that they are the most vulnerable to cyber
threats, and that a successful cyberattack can have major consequences for their
continued existence. With different ecosystems
reliant on them, there is a growing need to defend the entire SME segment from cyber
threats. There are currently no solid security standards or frameworks in place for any
organization, given the large number of cyber-attacks targeting SMEs followed by
successful cybercrimes. It is one of the main reasons this research was more interested
in identifying probable gaps in their adoption. There is a need to comprehend the issues
that the SME segment faces, particularly in terms of planning and successfully
implementing cybersecurity standards, frameworks, or controls to be cyber secure.
This research thesis attempts to shed light on the current cybersecurity
posture of different types of SMEs and the controls they have implemented, as well
as the challenges they face in doing so. It also tries to find the
reason that prevents them from deciding on, planning, and implementing
cybersecurity controls. I would like to thank the top management of one hundred and
fifteen SMEs who voluntarily participated in the research survey conducted by us. In
addition, based on the analysis of their valuable inputs and keeping the core
cybersecurity principles at the center of the new implementation strategy, this research
study will present a recommended solution that will assist any SME by providing a
few directions to overcome the obstacles they are encountering in enhancing their
cybersecurity posture. According to the research findings, more than half of SMEs lack
cybersecurity standards or structures. Notably, the top four
obstacles stopping them from going ahead with the implementation of
cybersecurity controls are (i) the cost involved in implementing cybersecurity controls, (ii)
a lack of resources to implement and maintain them, (iii) the absence of a roadmap for investing in
cybersecurity control implementation, and (iv) the big investment that available cybersecurity
standards or frameworks require. To design the recommended solution for the SMEs,
research interviews were conducted among the top management of SMEs to
understand the critical assets contributing to their business. This research also provided a
few more inputs about the important components they are most concerned about. Taking
these inputs into account in the recommended solution to the problems identified,
the research considers the implementation of a few unavoidable, must-have cybersecurity
controls and the safeguarding of BDSMCA based on domain-wise prioritization of
Confidentiality, Integrity, and Availability (the CIA triad). This strategic solution design
can help SMEs in a particular business domain. The Business Domain-Specific Least
Cybersecurity Controls Implementation (BDSLCCI) framework is the probable
recommended solution resulting from the research: a step-by-step
implementation of cybersecurity controls, each contributing to one or more areas
of the CIA triad, with BDSMCAs taken into account.