Issues of IT Governance and Information Security from an SME & Social Enterprise Perspective
Padfield, C. (2015). Issues of IT Governance and Information Security from an SME & Social Enterprise Perspective (MSc Strategic ICT Leadership Dissertation). Edinburgh Napier University (Cruickshank, P.,
The aim of this research is to explore the awareness of IT governance as a concept in the context of small to medium-sized businesses (SMEs) and its impact on the implementation of IT security and information security best practice. Related to this are frameworks and standards, and the practicality of scaling these to fit the SME environment. The research also explores levels of awareness of threats and vulnerabilities, and barriers to the adoption of best practice.
Social Enterprises (SEs) are included in the research, and are contrasted with SMEs in an attempt to ascertain whether sector has more influence than structure.
Data were gathered through six interviews with Business Advisors working for business support organisations in South Wales.
The results reveal that IT governance is virtually unknown as a concept. SMEs are predominantly owned, governed and managed by the same person, and trust, relationships and culture take precedence over formal processes and controls. Whilst SEs have the structures in place to separate governance and operations, their boards are primarily focused on delivering their social aims, often to the detriment of economic goals.
Awareness of threats and vulnerabilities is generally low, and there is a persistent belief that attackers only target large organisations with significant assets. Risk management is problematic, as intangible assets, such as information held electronically, are not recognised as valuable or at risk.
IT systems are loosely managed by unqualified individuals who have more in common with average Home Users than IT professionals. Systems grow organically with little reference to strategic business needs.
There is a need for access to expert advice, but this has to be in a format that is understandable and practically useful.
This work offers insight into the value of a bottom-up approach to disseminating good practice, and will be used to create a resource for use by Business Advisors to better inform their clients.