Observations and Learnings from Cybersecurity Audits of SMEs
Source: Journal of Information Systems Security, Volume 21, Number 1 (2025), Pages 29–49
ISSN 1551-0123 (Print), ISSN 1551-0808 (Online)
Authors: Murray E. Jennex, West Texas A&M University, USA; Jeffry Babb, West Texas A&M University, USA; Amjad Abdullat, West Texas A&M University, USA
Publisher: Information Institute Publishing, Washington DC, USA
Abstract
This paper uses student-conducted cybersecurity audits of SMEs to determine whether SME cybersecurity behavior has evolved over the last 20 years. The cybersecurity audits were performed using a core set of audit areas plus other audit items as needed for the audit subject. Findings included observations on the lack of cybersecurity resources, both in terms of personnel and knowledge. Additionally, 10 issues were identified that were common in SMEs, with 5 of those occurring in 50% or more of the subjects. Another 3 issues were found to no longer be common, implying that these 3 issues have been corrected. Conclusions include encouraging all SMEs to perform cybersecurity audits, using managed service providers to supply personnel and knowledge resources, and changing SME pricing practices so that they recognize the costs of being cyber-secure.
Keywords
Security Auditing, SMEs, Security Planning, Security Training, Security Evaluation.