Information risk management in the digitalization of SMEs by Sara Carlsson

Data security is not just about technology. Most of it depends on the company’s personnel and communications. It is therefore important to train staff and develop data security policies for the company.

In her thesis, Sara Carlsson – a student at the Centria University of Applied Sciences – examines the data security risks in companies’ digital operations and how to prepare for them. In her work, she presents three different risk assessment patterns on topics such as e-commerce, remote work, and supply chain management. Full text: Tietoriskien hallinta pk-yrityksen digitalisoitumisessa


In e-commerce, a significant risk factor is cybercriminals who target the company and its customers. The most important ways to fight cybercriminals are software updates, strong customer passwords and providing information about security updates.

Other e-commerce data risks are property risks, such as data destruction, and personnel risks. In practice, a company can prepare for these risks by outsourcing the e-commerce service to a service provider that also takes care of risk management as part of the service. In this case, the company’s own personnel just need to know how to use the service.

Remote workers

The company should provide a VPN connection for remote workers. A VPN allows employees to securely access the company’s encrypted network. When working outside the workplace, employees should remember to follow the same security practices as in the workplace. The risks of remote work are strongly related to the fact that information may leak outside the company. Also, the employee is not under the supervision of a supervisor or workplace safety controls.

Data security risks include lending work equipment to family members, or forgetting the equipment, for example, on public transport. There is also always a risk that a person outside the company will overhear a mobile phone conversation. Clear remote work instructions can help prevent improper practices.

Supply chain

The ERP system is the most important system for the supply chain and critical to the company’s operations. A failure in the system can bring the company’s operations to a halt. A management plan should be drawn up, with guidelines for dealing with different situations. Other threats to the supply chain are phishing messages as well as fake orders, personnel risks and contract risks. These can be prepared for through guidance and increased interaction, as well as through data recovery policies and backups.


It is important to train staff and develop security policies accordingly. In SMEs, it is easiest to outsource most of the software and other information systems to professionals. Data security plays a huge role in the company’s overall security and has a serious impact on its reputation among both corporate and private customers.