INFORMATION SECURITY POLICIES AND STRATEGIES AND PRACTICES ADOPTED IN IT: THE IMPORTANCE OF CONSULTANCY IN SMALL AND MEDIUM-SIZED COMPANIES

Abstract

Objective: Companies in the cybersecurity consulting market are expanding their services in periodic training to business stakeholders and enforcement of security policies. The objective of this work is to demonstrate the importance of consulting in information security policies aimed at small and medium-sized companies. Methods: It is characterized as a narrative literature review with a qualitative approach, which does not use explicit and systematic criteria for the search and critical analysis of the selected literature. Results: Tools needed for cybersecurity include endpoint detection and response (EDR), antivirus software, next-generation firewalls, Domain Name System (DNS) protection, email gateway security, intrusion detection and prevention, logging and log monitoring, endpoint protection, authentication and virtual private network (VPN) services, cloud-based security, web application firewalls (WAFs), software-defined wide area networks (SD-WAN), enterprise password management , privileged access management (GAP), vulnerability and threat management, and threat detection. Conclusions: In summary, SMBs seem to implement some of the basic cybersecurity measures only as part of their overall IT implementation. However, it appears that unless cybersecurity controls are included as part of an IT solution, many SMBs do not realize the resulting potential risks to their business.