Document Type



Over the last few years the risks that threaten Internet connected computer systems and the business critical information stored on them have been widely publicised. To address these threats many companies have implemented security measures, to protect themselves.

Current research indicates that use of an information security policy alongside the actual implemented security measures can greatly minimise such threats. However implementation of such a policy can be expensive and not feasible for Small businesses.

This paper presents a study of Small businesses in South Wales that use a mixture of Internet connected standalone computers and Local Areas Networks (LANs). It looks at the security measures they have in place and whether or not they have an information security policy. Findings show that most Small Medium sized businesses do not have such a policy document, but many are using components that would normally form part of such policy, within their staff employment manuals. This is a much cheaper and less time consuming way of using the more important and relevant components that usually make up such a policy.