Managing Cybersecurity as a Business Risk in Information Technology-based Smes

Abstract

Digitization has led to an increase in exposure to risks of cybercrime especially if minimal or no controls are put in place. SMEs are core to the growth of the African economy however their continued dependency on technology is driving them deeper into risk as they lack adequate cybersecurity controls. Problem SMEs that are developing technology-based solutions need an effective way to manage cyber-risks as part of their business risks. There is therefore need to determine key factors that influence the management of cyber-risks in Kenyan SMEs that are developing technology-based solutions and develop a strategy which will provide a roadmap for managing cyber-risk as a business risk. Purpose The aim of this study was to determine the key cybersecurity risks being faced by Kenyan SMEs and to develop an implementation strategy which will provide a roadmap for managing cyber-risk as a business risk. Methodology The research was a case study. It focused on in depth understanding of the cybersecurity risk management practices within the selected SME. Both quantitative and qualitative research was done. The quantitative data obtained was classified numerically for it to be analyzed. The qualitative data collected from primary sources was systematically organized to facilitate analysis. Findings The research findings reveal that cybersecurity investment, cybersecurity management, training and awareness, cybersecurity policy programs, cybersecurity vulnerability management programs, real time network monitoring and incident management play a big role in the management of cyber-risk within SMEs. The implementation strategy developed provides a roadmap with proposed timelines to assist in the management of cyber-risk. Conclusion The study proved that the NIST cybersecurity framework is suitable for the SME environment. This cybersecurity strategic plan was developed outlining an implementation roadmap to improve the cybersecurity posture of the organization based on the gaps identified within the environment supplemented by literature review.