Abstract
Nowadays companies have become highly dependent on digital technology for running their business, regardless of their size or domain. Smaller organisations require specific attention because of their lower level of protection and their lower capability of reaction and recovery, while they are increasingly being targeted by cyberattacks. In order to improve their level of cybersecurity and resilience, a first step is to raise awareness. This is, however, not an easy task because it is highly dependent on human factors that are spread across the whole organisation, including managers, business users and IT staff. This paper aims at supporting the development of a cybersecurity awareness program for small and medium enterprises. In order to build the program on strong foundations, the current state of awareness of such companies is presented and a SWOT analysis is carried out. Different instruments for efficiently supporting the deployment of the program are then presented. A practical experience carried out in Belgium to implement some of the proposed instruments is also presented, and some lessons learned are discussed.
Acknowledgements
This research was partly supported by Digital Wallonia and the DIGITRANS project (grant nr. 7618). We thank Infopole and the companies of the cybersecurity cluster for their support and feedback.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Ponsard, C., Grandclaudon, J. (2020). Guidelines and Tool Support for Building a Cybersecurity Awareness Program for SMEs. In: Mori, P., Furnell, S., Camp, O. (eds) Information Systems Security and Privacy. ICISSP 2019. Communications in Computer and Information Science, vol 1221. Springer, Cham. https://doi.org/10.1007/978-3-030-49443-8_16
DOI: https://doi.org/10.1007/978-3-030-49443-8_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-49442-1
Online ISBN: 978-3-030-49443-8
eBook Packages: Computer Science, Computer Science (R0)