Network Security In Small And Medium Business


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

This dissertation evaluates network security issues in small and medium-sized businesses (SMBs): the current situation, existing network policies, key network security factors and challenges. It aims to propose recommendations for improving current policies and procedures in order to reduce or alleviate the impact of security risks. The research plan includes a survey and the collection of primary and secondary data on network security aspects.

Background of the study

Today the world is more interconnected than it was a few years ago, and the reason is the fast growth of network technologies and the Internet. It is now almost impossible to imagine the world without the Internet and networks. As network speeds increase, the security issues related to networks increase as well. In earlier years an SMB faced only minor threats and worries about the vulnerability and protection of its data on internal and external networks; today it must take far more care. About 10-15 years ago there was no sign that the technology would grow so fast: that the speed of the Local Area Network would change from 10 Mbit/s to 1 Gbit/s, that wireless technologies such as Wi-Fi and WiMAX would appear, or that mobile network technology would evolve to speeds at which everyone can watch a movie in HD format.

Fast and reliable networks have given rise to new problems and concerns about how to keep internal data secure and uncompromised (Richardson, 2008). Every technology and invention has another side, and here it is security. Network security is hugely important because intellectual property and sensitive data can easily be acquired through the Internet if the organization has no information and security policy. A lack of security knowledge, or the inability of the SMB to afford its own IT specialist, poses a big threat and might have a big impact on the SMB’s operational ability. From the above, network security can be defined as the combination of policies, procedures and countermeasures implemented to prevent and keep track of exploitation, destruction and disclosure, together with well-implemented policies for blocking viruses and hackers from accessing or changing secure information.

Purpose and significance of the research area

The pace of network technologies has increased, and the hazards, threats and hacker attacks (Christian S. Fötinger, Wolfgang Ziegler, 2005) facing businesses are on the rise as well. At this pace we need to be aware of the risks and prepare network security policies and procedures in order to be ready to face any possible attack or attempt to destroy, obtain or change data held by the business.

The main purpose of this research is to establish the awareness of network security among SMB employees and its effect on the SMB, to identify the current security policies and procedures, and to help improve them and alleviate existing problems. This document will also provide SMB owners and employees with a better understanding of network security and make recommendations for understanding and acknowledging the threats.

This research will be conducted using a case study strategy, with the ASTRA hotel in Central London, which can successfully represent an SMB. In the interest of the hotel, its name and location have been changed and cannot be revealed.

Briefly about the ASTRA hotel: it has 200 rooms of different types, with an average turnover of 7-10 million pounds a year. It has accounting, reservation, housekeeping and maintenance departments along with front and back offices. The reservation and accounting departments hold sensitive customer data such as credit/debit card details, addresses and the names of family members. In its everyday routine the hotel uses the OPERA property management system and a booking system on its own website. In addition, reservation information comes from agents via fax and e-mail. All this important and sensitive information is stored on the main server, which runs the Windows 2003 operating system. A full description of the organization’s technical assets will be given in the case study assets audit section.

Statement of the Problem

A personal computer (PC) is generally a single entity, and the impact of any network security breach is not distributed beyond that PC. For an ordinary PC user the impact of a virus attack or security breach can be much less than if it took place in an organization. On an organization’s premises it could have a more serious impact, not only on that particular workstation but by spreading across the organization as well. Most companies consist of a number of different systems, different types of data, terminals for processing customers’ data, and servers (Knapp, 2011). Such a complex structure results in multiple points of entry and sources of vulnerability, which can be used by hackers, viruses and anyone with an intention of espionage or attack.

An Internet connection adds further problems to keeping an SMB’s network environment secure and safe. The business uses e-mail and the Internet to communicate inside and outside the organisation. This poses other security issues, such as the spread of computer viruses, and provides an additional opportunity for hackers, who can easily enter an organization’s network and wreak havoc on the whole intranet. With the growing pace of online business, network security has become too important and too costly to be ignored.

Absence or lack of knowledge about computer and network security among users can cause another problem (Kenneth C. Laudon, Jane P. Laudon, 2012). It might be the result of a lack of education in the organization’s network policy, or even of the non-existence of such a policy. Most SMBs have limited funds to keep their own IT specialist or to retain an external IT company. Therefore the security aspect is not covered sufficiently, or they simply rely on their contractors or service companies. But having such a contract is no warranty of safety, as the threat assessment time might be long and have painful results.

All the problems stated above have an impact on business security and can reduce a company’s ability to ensure confidentiality, authenticity and data integrity.

Main research question and Sub questions

Main research question:

What are the key aspects and impact of the current network security of SMBs, and what recommendations could be made to enhance network security in an SMB?

Sub questions

a) What are the key defining factors and impact of network security?

b) What are the key defining factors and impact of network security for SMBs?

c) What are the challenges in network security for SMBs?

d) What recommendations can be made to enhance network security for any general SMB?

Chapter summary

Network security has become an essential need for any organization. Security issues and threats are increasing every day, making high-speed broadband, whether wired or wireless, insecure and less reliable. Identifying the weak points of network security and improving security policy and procedures are the most important things to which every owner or manager of an SMB must pay attention (Spivey, 2007). This dissertation aims to help an SMB to alleviate the burden and network issues it faces on an everyday basis. The countermeasures taken, along with related literature, articles and survey analysis, will be critically reviewed in the next chapter.

Chapter 2 Preliminary literature review

Chapter introduction

This chapter provides the information and critical literature review collected and examined for the purpose of the study. The information mostly relates to network security issues and to the main question and sub-questions of this dissertation. The chapter will critically review the following issues in network security: past and current network security management; cyber crime (hackers and viruses); current security trends; and current security policies and procedures and how they have changed over the years.

2.1. Background of the Network security

The computer security problem is as old as the computer itself. The necessity of proper hardware-based protection was already recognized in the early 1950s (Karl Maria Michael de Leeuw, Jan Bergsta, 2007). But that was a time when everything could be controlled physically and systems did not have today’s complexity. The Internet was born in 1969 as the Advanced Research Project Agency Network (ARPANet), which was accredited by the USA Department of Defence (DoD). ARPANet was successful from the beginning, and in two years it had 15 nodes (23 hosts) and the e-mail application had been invented. Although it was originally designed for research purposes and was intended to allow scientists to share their data and access remote computers, electronic mail quickly became one of the most popular applications. This allowed ARPANet to become the high-speed digital office of its time, where people could collaborate on research projects and discuss various interests and topics. In October 1972 the International Conference on Computer Communications in Washington DC formed the International Network Working Group (INWG), whose main role was to identify the needs for a combined effort in advancing networking technologies; Vinton Cerf, who became known as the "Father of the Internet", was appointed its first Chairman (H'obbes', 2012).

In 1982 the Transmission Control Protocol (TCP) and Internet Protocol (IP), together the TCP/IP protocol suite, were established for ARPANET, and for the first time all computers in the network were presented as a collection of networks, or an Internet. Shortly afterwards, in 1984, as the number of hosts grew beyond 1,000, it became more complicated to remember each host address. Therefore the Domain Name Service (DNS) was introduced, the main purpose of which was to translate numeric computer addresses such as 173.194.34.132 into understandable host names such as www.google.com. In 20 years the number of Internet hosts broke 1,000,000, and in this period Internet users had already faced an accidentally-propagated status-message virus in 1980 and the Internet worm, which affected ~6,000 of the 60,000 hosts on the Internet in 1988, and had seen the introduction of many different network protocols such as DNS, DHCP, UUCP and NNTP. The Internet also connected Europe with North and South America (H'obbes', 2012).

The Internet became available to the public in the 1990s. The main reason was that the World Wide Web (WWW) protocol was introduced and became popular. Netscape and Microsoft, who produced the first Internet browsers, were competing at that time. Since then the Internet has become a source of threats to network security, and any business network faces constant threats from various types of viruses, worms, malware, spyware and more. Designing and implementing plans and network policies for network security in an SMB requires a big effort to protect the business from these threats. Although a number of studies have been carried out and information security law is in operation, we still face new threats, and they cannot be overcome by a single, simple action.

Secure network design must not merely contend with threats to the vulnerable parts of the system; instead it must predict and illuminate the reasons for and sources of the attacks that might succeed. This is the basic guiding principle from which we then formulate the requirements for network security. To fulfil this principle, the key defining factors, challenges and main security factors will first be critically reviewed, and then the requirements and recommendations for the SMB will be formulated.

2.2. Key defining factors for Network security

2.2.1. Technical and procedural factors

Different sources hold differing and conflicting opinions and views on the key factors of network security. Depending on the place and audience where the survey or research was conducted, these factors have different outcomes, and sometimes completely opposite results.

The SANS Institute in 2005 presented network security guidance for SMBs in which a few key actions were proposed to protect, or improve the protection of, an SMB. The recommendation defined the following key actions: users must be educated and informed; the network must be designed securely by implementing packet filtering in routers and firewalls; anti-virus and operating system patches and updates must be applied; and a security incident plan must be implemented. The guidance pointed out that businesses firmly believe they are either too small or too unknown to be targeted, and that their industry would not attract attacks because their data is not high-value or sensitive proprietary data (Hietala, 2005). Despite the recommendations listed in the guidance, most small and medium-sized businesses never paid attention to the combination of these measures, particularly in terms of default passwords in routers or firewalls. This issue was published on the InformationWeek web site after the conviction of hacker Robert Moore, who broke into 15 telecommunication companies and hundreds of companies worldwide; it was unbelievably easy simply because of IT mistakes and default router and firewall passwords (Gaudin, 2007).

In 2007 Cisco Systems published a white paper listing the top five security issues for SMBs. In this paper Cisco Systems paid special attention to worms and viruses, information theft, business availability and security legislation, and stated: "According to recent studies, security is the biggest challenge facing small and medium-sized businesses. Ever-changing security threats from both inside and outside the business network can severely impair business operations, affecting profitability and customer satisfaction. In addition, small and medium-sized businesses must comply with new regulations and laws created to protect consumer privacy and secure electronic information." (Cisco Systems Inc., 2007).

2.2.2. Physical factor

Leading USA network service company Black Box Corporation, which has more than 35 years’ experience in networking, covers physical network security in its white paper as the other side of network security. Great emphasis is given in this paper to the physical security of the network, such as securing access to servers, routers, hubs, laptops and PCs. Laptops and PCs are defined as the main point: through them anything on the network can be infected by a virus simply by connecting a USB flash drive or inserting an infected CD or DVD (Black Box Network Service, 2009). A laptop, tablet PC or any mobile device can easily be carried out because of its compact dimensions and might pose a real threat to the business, ranging from lost confidentiality to wrecking the whole company’s network.

A lack of network security or access policies might lead to another problem as well, related to compact photo and video cameras and mobile phones. These devices can be used as instruments to copy or photograph secure or sensitive data. With them it is easy to copy anything into internal or external memory and carry that sensitive or important information out. If the organisation or SMB holds such sensitive or censored information, it should revise its internal policies regarding these devices.

The emerging possibility of keeping all your data in the Cloud or in virtual data storage such as Dropbox is becoming more popular and luring more and more users. Yes, it is convenient to have access to your data at any time from any place as long as you have an Internet connection. But has anyone asked the question: is it safe? Does the company have a policy regarding these stores? Can it track its users’ activity? Every newly emerged technology and possibility brings new sources of threat and the possibility of completely losing control over data and security. By enabling or accepting such services, an organization puts itself at great risk if it has not carried out a security assessment of them and has little or no view of what they involve.

A cloud study published by CA Inc. and the Ponemon Institute in 2010 shows that more than 50% of respondents do not believe in Cloud security and have less intention to keep important financial, health and credit card information there. Additionally the study found that: confidentiality of user access control was less than 30%; almost 38% agree that their organization considers information too sensitive to be stored in the cloud; and only 14% believe that cloud computing can improve their security posture (CA PLAZA, 2010).

2.2.3. Human factors

The information security breaches survey in the UK, conducted by PwC in association with Infosecurity Europe, Reed Exhibitions and BIS in April 2012, found interesting facts. According to this survey report, up to 76% of SMBs had security breaches, and 54% of SMBs do not have any plans or programme for improving or educating their staff about security risks. At the same time controls are not keeping pace with business changes, and most SMBs (56%) did not check their external providers’ security and just rely on contracts. The tendency to move towards mobile technology poses further risks and threats. As this is a present-day requirement, almost 34% of SMBs allow mobile devices to connect to their systems without insuring against or mitigating the security risks. Over 58% of SMBs in the UK have not even tried to evaluate the effectiveness of their network security. Another key factor was staff network security awareness: nearly 45% of staff were not informed or lacked information (PwC, Infosecurity Europe, Reed Exhibitions, BIS, 2012). Almost the same percentage for network security awareness, 48%, resulted from another survey, conducted by the international software company GFI Software in 2007 (GFI, 2007). Dave Aitel of Immunity Inc. has the same opinion regarding staff awareness and has a proposal for how to inform and train staff (Aitel, 2012). Audry Agle, an independent consultant in the San Diego area who assists businesses in the development and maintenance of risk management programs, has proposed 7 steps for security awareness. Each step in this proposal has a short reason and explanation of the issue. For instance, he suggested appealing to personal lives, such as how to secure a home wireless network with a proper password, or what needs to be shredded or safely kept at home. Another point was to bring security articles, particularly those related to the SMB’s industry, or information on the latest incidents, to staff computer screens by e-mail or through a company newsletter if there is one.

Although the surveys are 5 years apart and were conducted in different countries, staff security awareness remains the same. Does this mean that SMB managers and owners have learned nothing from other companies’ previous mistakes and losses?

2.2.4. Bring Your Own Device

Bring your own device (BYOD) is an emerging and burgeoning trend and a new type of threat to the organization’s network and network security (Trustwave, 2012). Nowadays it is no surprise if an employee connects to the intranet directly or remotely. This phenomenon began when mobile devices such as smartphones and tablets, with powerful features and sleek form factors, became widespread among consumers.

According to the survey report by RedC and WIN Research group, global trends show explosive growth in mobile devices, with ownership almost doubling. Smartphone ownership changed from 19% to 35% and tablet ownership from 8% to 16% between 2010 and 2011. The same report said the growth trend would continue in 2012 (RedC, WIN Research group, 2012).

These devices, equipped with touch screens and quite powerful processors, with their mobility and user-friendly interfaces, allow employees to be more efficient on the go. All your devices, Androids, BlackBerrys and all those i-Things, come to the job with you. By bringing these devices, employees want to be attached to the corporate network and to access their e-mail, contacts and calendars, and beyond that they ask for access to their business applications. In this way an employee gets the opportunity to have everything needed for work and life in one device. According to the Centre for Telecom Environment Management Standards, organizations have realised that enabling personally-owned devices can make employees happier and increase productivity (Zenprise, 2012).

Despite the effect of BYOD, which has a direct influence on employee productivity, it also opens the door of the company’s network to threats. The increased threat posed by BYOD usage was confirmed by the Sophos security survey, conducted among 571 IT decision makers globally (Bourne, 2012). The reasons for this are: letting everyone connect to the company’s network without any authorization, and the lack or absence of access control policies for e-mail, corporate applications and sensitive data. Extra care must be taken with these devices to ensure that corporate data is not present on your tablet or smartphone.

The careless habit of connecting personal devices to the network, and of attaching further devices such as a portable photo or video camera or a mobile phone to any of the organization’s computers, can increase the threat level for any SMB. These devices were reviewed above from the physical perspective; here they are assessed from another angle, as a source of threat, a fact which has not yet been realised and understood. The mobile phone is included in this list as a source of threat because it has internal or external memory and is used as a camera as well. In most everyday situations a photo or video camera or a mobile phone is never regarded as a source of threat or infection, despite the fact that these devices can be infected when attached to other computers via a USB port. Once attached, a virus can be transferred easily, and from that moment the device becomes a source or medium for spreading and delivering viruses, worms or any other type of threat. This problem has not yet been reviewed or mentioned in any books on network security. Networked devices are becoming more widespread in SMB organizations today.

2.2.5. Operation system or patch factors

Have you ever heard the question: How often do you update or patch your operating system? Or: Have you patched your system? Let us first define what a patch is. In the book Network+ Guide to Networks a patch is defined as "correction, improvement, or enhancement to a particular piece of a software application" (Dean, 2010). It is not a software upgrade; its main purpose is to change only a part of the application. Patches are mostly distributed by software vendors at no cost in an attempt to fix bugs in their applications, and significant patches to an operating system (OS) are called service packs.

Why is this so important? According to the Kaspersky security bulletin for 2011, the Kaspersky security system detected more than 2 million unlawful penetration attempts in 2011, twice as many as in 2010. Most of these were exploits that took advantage of OS vulnerabilities, especially where the OS was not patched. This pattern is most common in Asian countries such as India, Indonesia and Vietnam, at 21%, 16% and 18% respectively; again the reason is that the OS is updated less frequently than it is supposed to be (Namestnikov, 2012).

According to the website gs.statcounter.com (Statcounter, 2013), the Windows family of operating systems is the most popular, with about 87% of computers in the world running it. It follows from this statistic that most SMEs use this operating system in their everyday activities as well. The data obtained from the website also suggests that most threats, viruses and vulnerabilities are created for and found in the most widespread OS, especially on Windows-based computers. The Kaspersky security bulletin again emphasised this OS family. For instance, the bulletin stressed that Windows XP was attacked almost twice as often as Windows 7 and Vista together, at 63% and 37% respectively (Namestnikov, 2012). GFI Software gives almost the same figures in its article on vulnerable applications and OSs for 2011 (Florian, 2012).

Regarding software vulnerabilities, Adobe Acrobat Reader became the favourite target, followed by Java and Windows components. In figures: Adobe Acrobat Reader – 35%, Java – 25% and Windows – 11% (Namestnikov, 2012). Most of Adobe Reader’s vulnerabilities were connected with PDF files in which JavaScript exploit code was embedded. GFI Software suggested always keeping the following fully patched: the most popular Adobe products, Java, products from Apple, and Microsoft Office. All these listed software products have the highest vulnerability rates (Florian, 2012). By patching OSs and software a business can save cost and time; these actions in turn help to reduce security risk and increase customer confidence (A. Aldini, R. Gorrieri and F. Martinelli, 2005).

2.2.6. Impact to the business

No company can predict how dangerous and unpredictable the consequences of a lack of security policy and of uncontrolled actions by its employees might be. Depending on the time of detection and the area affected, the results can range from minor to dangerous and might have a massive effect on the business. They might affect the ability, availability and security of the business. Ability might be affected in terms of operation; availability here mostly relates to doing business online and operating without loss of data. Not only the tangible assets of the company can be affected: the impact might extend to intangible assets as well, mostly the company’s reputation.

The main source of threat to network security and the operability of the business is the virus. Depending on the type of virus and the area it has infected, its behaviour will vary from annoying to destructive; some viruses are hidden and can change themselves to avoid detection.

According to the US government website, a US power company became a victim when a technician inserted an infected USB drive and the company was subsequently attacked by a computer virus. The company was paralysed for three weeks (Finkle, 2013). This virus was similar to Stuxnet, which has surged since 2010 and was used to attack Iran’s nuclear program. Although the source did not state the implications of this virus, its effect is not difficult to imagine. It could lead to chaos, with vast environmental and financial loss and a threat to human life.

The Parliament cyber crime report (volume II) gave an average cost of investment for combating malware and viruses, putting it at as much as $525 per employee per annum (House of Commons, 2012). There is an asymmetry between the number of threat actors and the number of those combating them. It was compared with guerrilla war, where a small number of threat actors can cause great havoc for a large and organised opponent.

As more companies embrace BYOD policy, many questions arise. One problem with BYOD, mentioned previously, arises if the owner suddenly loses or forgets the device somewhere, for example at a meeting or discussion outside the company’s premises. This problem relates directly to the company’s security and network. Even if no sensitive data was stored on the device, once it has been connected to the intranet or an enterprise application it might be used by an intruder or "bad boy" to sniff out something from the organization. TDM Group has the same concern (TDM Group, 2012). In addition, the device might have access to all your e-mail, Dropbox services and even installed corporate applications. Some employees have direct access to the company’s CCTV cameras via the Internet.

The minimum price paid for the loss of a device might be £500-£600, in the case that the device is not used against the organization, or that the person who finds it just wipes all the information and happily uses it for their own purposes. But what if the device is found by someone with unfriendly intentions? In that case we cannot even estimate the range and amount of loss.

2.3. What is behind the threat?

2.3.1. Virus

2.3.2. Hackers

2.3.3. How much does it cost?

2.4. How to protect

2.4.1. Measures of protection

2.4.2 Policies

2.4.2.1 Internet policies

2.4.2.2 E-mail policies

2.4.2.3 Physical access

2.4.2.4 Staff training policies

2.4.2.5 BYOD Security

http://www.networkworld.com/news/2012/100112-byod-262932.html

Beyond security and compliance, simply managing BYOD is a hairy process. Even before you roll out a BYOD program, you’ll need to figure out which devices you’ll support, and for whom. And how you’ll enforce that policy. You’ll have to think about which apps you’ll make available (now and in the future) to groups of users, how you’ll provision those apps, how you’ll ensure users have the correct versions and applicable patches, and how you’ll ensure service levels.

When you actually roll out the program, you’ll need to figure out how to onboard, off-board, and make changes to mobile users and devices. Given how dynamic the mobile market is, with rapid device adoption, turnover, and an increasing ratio of devices-to-users, it makes sense to map your mobile users to your user directory (e.g., LDAP) so you don’t have to manually update your mobile system every time an employee joins, departs, is promoted, or changes groups.

You’ll need to find a way to set policies, map them to users and devices, and easily change them when your business needs change. You’ll need to monitor and support the devices, both proactively (e.g., keeping an eye on device statistics and application performance) and reactively (e.g., locking or wiping a device upon its loss or theft). You’ll need visibility into your mobile network and compliance status, and the ability to see your mobile devices alongside the rest of your IT assets by integrating with corporate security information and event management (SIEM) solutions.
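The BYOD lifecycle described above (mapping mobile users to the user directory, off-boarding, supported devices and versions, per-group apps, and wiping a lost device) can be expressed as a reconciliation job. The following Python sketch is an added example, not code from the cited article or from any product; the directory export, device inventory, minimum OS versions and group-to-app map are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed directory export, standing in for an LDAP query result.
DIRECTORY = {
    "a.khan":  {"active": True,  "groups": ["reservations"]},
    "b.jones": {"active": True,  "groups": ["accounts", "front-office"]},
    "c.silva": {"active": False, "groups": ["housekeeping"]},  # account disabled
}

# Constructed device inventory, as a mobile management system might export it.
DEVICES = [
    {"id": "dev-01", "owner": "a.khan",  "platform": "android",    "os": "4.1.2",    "lost": False},
    {"id": "dev-02", "owner": "b.jones", "platform": "ios",        "os": "5.1",      "lost": False},
    {"id": "dev-03", "owner": "c.silva", "platform": "ios",        "os": "6.0.1",    "lost": False},
    {"id": "dev-04", "owner": "d.oneil", "platform": "android",    "os": "4.2",      "lost": False},
    {"id": "dev-05", "owner": "b.jones", "platform": "blackberry", "os": "7.1",      "lost": False},
    {"id": "dev-06", "owner": "a.khan",  "platform": "ios",        "os": "6.0",      "lost": True},
    {"id": "dev-07", "owner": "a.khan",  "platform": "android",    "os": "4.2-beta", "lost": False},
]

# Assumed policy: supported platforms with a minimum OS version, and apps per group.
MIN_OS = {"android": (4, 1), "ios": (6, 0)}
GROUP_APPS = {
    "reservations": {"email", "booking"},
    "accounts":     {"email", "ledger"},
    "front-office": {"email"},
}


@dataclass
class Decision:
    device_id: str
    action: str   # wipe | offboard | block | quarantine | allow
    reason: str
    apps: set = field(default_factory=set)


def parse_version(text):
    """'4.1.2' -> (4, 1, 2) so versions compare numerically; None if not numeric."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None


def decide(device, directory=DIRECTORY):
    """Return the single highest-priority action for one device."""
    dev_id = device["id"]
    # Loss or theft outranks everything else: the data must go first.
    if device["lost"]:
        return Decision(dev_id, "wipe", "reported lost or stolen")
    # The directory is the source of truth for who may have a device at all.
    user = directory.get(device["owner"])
    if user is None:
        return Decision(dev_id, "offboard", "owner not in directory")
    if not user["active"]:
        return Decision(dev_id, "offboard", "owner account disabled")
    minimum = MIN_OS.get(device["platform"])
    if minimum is None:
        return Decision(dev_id, "block", "platform not supported")
    # Fail closed: an unreadable version is treated like an outdated one.
    version = parse_version(device["os"])
    if version is None or version < minimum:
        return Decision(dev_id, "quarantine", "OS version unknown or below minimum")
    # Compliant device: provision the union of apps for the owner's groups.
    apps = set()
    for group in user["groups"]:
        apps |= GROUP_APPS.get(group, set())
    return Decision(dev_id, "allow", "compliant", apps)


def reconcile(devices=DEVICES, directory=DIRECTORY):
    """Map device id -> Decision for the whole inventory."""
    return {device["id"]: decide(device, directory) for device in devices}


if __name__ == "__main__":
    for decision in reconcile().values():
        print(f"{decision.device_id}: {decision.action:<10} {decision.reason}")
```

Because the decision is recomputed from the directory on every run, a departure or group change needs no manual update in the mobile system, which is the point the passage makes about LDAP mapping.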

Chapter summary

Summing up: this short chapter has briefly reviewed only the key defining factors in network security. These key defining factors must of course be documented, and appropriate network security policies and countermeasures must be implemented. Staff awareness is not the least of the issues that must be taken into account in a network security policy. Implementation of network security policies will be individual and will differ depending on the field in which the SMB operates. The policy must pay attention to BYOD and to compact photo and video cameras as an emerging network security issue.

The next chapter will review the research methods and justify why those particular methods were chosen for this research.

Chapter 3 RESEARCH METHOD

3.1. Chapter introduction

"Whether we are considering the physical sciences, the life sciences or the social sciences, the research process begins with an interesting thought about the world around us. Without this there is no research. The interesting thought or research question is the common starting point of all research work in all fields of study. From this point research is always concerned with the emergence of theory whereby concepts and notions develop through the application of ideas, the observation of evidence and the evaluation of results. It is worth always keeping in mind that the final result of research is to add something of value to the body of theoretical knowledge." (Remenyi, 2002).

Research cannot be carried out by simply asking the questions Why, What, When or How. These questions, and the answers to them, must be pursued using the right methods and instruments, in relation to the theoretical and practical base and to historical and contemporary facts. This chapter describes the research methods used in the case study approach and justifies the chosen methods. It covers the components of a case study, the rationale for the procedures used in the study, and the methods by which the study has been analysed and reported.

3.2. Research approach

There are two types of approach: deductive and inductive. The deductive approach is normally used when the research works from theory to test, in order to confirm or reject that theory. It is also called the "top-down" approach. But that is not the only way to use theory in research. An inductive approach starts by focusing on specific things (the organisation, a business problem, an economic issue etc.) and, through investigation, generates a theory from the research (Greener, 2008). This research will use the case study approach and, often, an inductive approach for theory building.

The case study approach was defined by Robson as "a strategy for doing research which involves an empirical investigation of a particular contemporary phenomenon within its real life context using multiple sources of evidence" (Robson, 2002). It provides a rich understanding of the research context and process. This approach mostly generates answers to the question "why?" rather than "what?" and "how?", although all these questions can be used together, and it is mostly used in explanatory and exploratory research with a qualitative method (Saunders, 2007). This approach was selected for this study because it allows an in-depth understanding of all the internal and external phenomena involved (Tharenou, 2007). Another reason for choosing it is that network security does not stand still and is always subject to change (Sommer, 1991). The study will be a single case study and will have the characteristics common to this type of study.

A case study can serve three purposes. According to Linda T. Kohn, Ph.D., it can be applied to explore new areas and issues, to describe ongoing processes or the effects of an incident, or to explain a composite phenomenon (Linda T. Kohn, 1997). The general purpose of a case study is to show and understand why and how consequences happened, and to provide an explanation for them.

The case study will be conducted at ASTRA hotels in Central London, which represents an SMB with 100 employees. The real name and location of the hotel cannot be revealed for ethical reasons, as network security is a sensitive part of any organisation.

3.3. Data collection methods

Two main classes of research method, quantitative and qualitative, were identified by Berndtsson (Berndtsson, 2008). A quantitative method is likely to be associated with a deductive approach to testing theory and often relates to data which can be measured and counted. In contrast, a qualitative method is more associated with an inductive approach to generating theory and relates to attitudes, opinions and impressions, which are all difficult to quantify. Data that has already been collected must be critically weighed. Bias in the gathered data might be hidden and depends on who was interviewed, observed or questioned, and on where and when. For instance, the research might encounter the "good news" syndrome after interviewing top-level bosses or managers, and bias might arise if an employee is interviewed next to that boss. The result can be affected by the time of the interview or by the interviewee’s mood. The probability of getting wrong data is unpredictable. Therefore it is important to choose the "right" time and place.

Before carrying out any survey, questionnaire or observation, the instruments must be properly prepared. As this research will use a questionnaire, a few measures will be taken in designing it. A questionnaire is relatively easy to use and cost-effective, and can be conducted by email or online. It consists of pre-set, standardised questions and is highly structured. Although a questionnaire is easy to conduct, it has problems as well. Common problems were highlighted by Foddy (Foddy, 1993). A few of them are: people behave differently from what they say; small changes in wording can produce major changes in the distribution of responses; and, depending on the type of question (open or closed), the same question will give different responses. Foddy (Foddy, 1993) also offered a number of suggestions for avoiding these difficulties. Among them: the topic must be defined clearly, stating which information is required; a pilot must be conducted; and jargon must not be used in interview or questionnaire questions. Foddy (Foddy, 1993) summarised the general principles for designing and conducting questionnaires and interviews, and the current research will follow these recommendations.

In the case study approach a wide range of data collection methods can be applied: observation, interviews, questionnaires, internal documents or even attendance at meetings. These methods can be combined depending on their duration and the level of involvement (Hartley, 1994).

The current research will use a mixture of quantitative and qualitative methods within the case study strategy, and a questionnaire will be developed as the primary data source for this study. The rationale for mixing is to capture both the trends and the details of the situation. Used in combination, quantitative and qualitative methods complement each other and allow for a more complete analysis (Tashakkori, A., Teddlie, C., 1998).

Primary data will be gathered using a questionnaire consisting of questions related to: BYOD; the network security policy and staff awareness of it; the Internet policy; general knowledge of viruses and vulnerabilities; and document-sharing services such as Dropbox or similar. By asking these types of question the research aims to see the real picture of the organization. Although the questionnaire will give only a snapshot of the current situation, the gathered information will help to predict possible threats which the organization might face in the future. Additional data will be gathered by examining the company’s network, network security policy and other technical documentation. Collecting data for this research will not be easy, as the issue is too sensitive to be revealed or published. Secondary data might later be compared with the primary data. The secondary data might be collected from websites, white papers, articles and the results of surveys already conducted. It will be helpful for finding analogies with events that have already happened and for analysing any connections between the primary data and the secondary data collected from different sources.

3.4. Sampling methods

This section discusses the population and sample for this study. A population is defined as "the theoretically specified aggregation of survey elements" (Baddie, 1997, p. 47). The population for this study will include the business owner, managers, key employees and personnel who use a PC in their everyday routine or are involved in network security problems. Before starting the actual sampling, the sampling method must be considered. It has a direct effect on the results, as the research might have restrictions in time, access to data or finance (Saunders, 2007).

As the study is based on a case study, sampling will be conducted among the hotel’s staff using questionnaires. To safeguard the research results, the questionnaire will be distributed only among the key stakeholders, mainly those who have direct access to the company’s network and can use corporate applications. The reason is that not every member of staff has access to a computer and the network; the number who do is around 18 employees. Even if the others use their own BYOD devices, they have no access to the corporate network, which implies that they cannot contribute any additional information and cannot be used as a source of threat. The response rate is estimated to be not less than 80%.

3.5. Data analysis

The data gathered in this case study will be of different types, including both qualitative and quantitative data.

Synthesis and analysis is about putting the information together from various sources into a coherent whole (Sommer & Sommer, 1991). The end of the case study is a synthesis and explanation, with evidence presented to justify each conclusion in the case. Data analysis and collection are done together in an iterative process. The first part of the analysis is careful description of the data and development of the categories in which to place information. The data can be organised around certain topics, key themes, or central questions. Then the data need to be examined to see how much they fail to fit the expected categories. Tables can be set up to help search for patterns or groupings of similar topics. The categories may need refining. The presence of disconfirming data needs to be taken into account. The final explanation should be an accurate rendition of the facts of the case, include some consideration of possible alternative explanations of these facts, and should draw conclusions based on a single explanation that appears most congruent with the facts.

Analysis of the Data (How are you going to analyse the data)

(Central tendency, dispersion, testing relationships between variables: correlation, significance, regression)

Chapter summary

Plan to work

Timeline: November, December, January, February (weeks 1 to 16)

Activity

1. Defining topic title, questions and objectives
2. Revise the topic, questions and objectives. Preparation for the dissertation proposal
3. Read literature, prepare background and research questions
4. Prepare proposal draft
5. Written project proposal (final)
6. Information and data collection. Conduct the case study
7. Analysis of the information collected
8. Dissertation draft
9. Final writing of the dissertation
10. Submission

