Impacts of Cybersecurity Practices on Cyberattack Damage and Protection Among Small and Medium Enterprises in Thailand

Sammanfattning: Small and medium enterprises (SMEs) are a significant factor that drives the global economy, especially in developing countries such as Thailand, where SMEs contribute more than one-third of the Thai GDP. With digital transformation allowing businesses to access new technologies easily, most SMEs have shifted from traditional businesses to digital businesses. However, adopting technologies without any protections could make SMEs become a target of cyberattacks. This study, therefore, aims to explore cyber securities that are used to protect against cyberattacks in Thai SMEs and also the challenges of implementing cybersecurity frameworks and controls in SMEs. The research questions of this study are “How do SMEs in Thailand protect their organization from cyberattacks?” and “What challenges do SMEs in Thailand face during implementing cybersecurity frameworks or controls?” A mixed method combining surveys for quantitative data and interviews for qualitative data was used in this study. The online survey questionnaires were used to find out the overview of cybersecurity in SMEs, followed by the semi-structured interview to investigate the challenges of implementing cybersecurity in SMEs. There were 75 SMEs participating in the survey along with three respondents working for SMEs and an IT consultant for SMEs participating in in-depth interviews. The quantitative data were analyzed with descriptive statistics, while the thematic analysis was used to analyze the quantitative data. The findings indicate that SMEs in Thailand implement some cybersecurity controls to protect their organization instead of complying with the cybersecurity standards or frameworks, such as ISO2700X series, NIST, and PCI DSS. However, SMEs are also concerned about the laws, including Thailand’s PDPA, Computer Crime Act, and Personal Information Act, to which they have to comply. In addition, the biggest challenge of implementing cybersecurity frameworks and controls in SMEs is lack of financial resources, as cybersecurity frameworks and controls require a lot of budget, tools, and also experts or consultants to implement.