Information Technology Security Practices And Performance Of Small And Medium Enterprises In Nairobi County, Kenya

ABSTRACT

Small and medium enterprises are major stakeholders in developing countries economies. In Kenya although SMEs take off on a high note their life span is short. SMEs are more exposed to information security risks, short life and thus poor performance. The general objective of this study was to investigate the on the influence of information technology security practices on the performance of small and medium enterprises in Nairobi County. This research study used a descriptive research design. The targeted population was the 1,221 owners or general managers of all the SMEs in the hotel sector operating in Nairobi County. Random sampling was used to choose a sample size of 292 SME owners or managers from the targeted population. Semi structured questionnaires were used to collect primary data. To test the reliability and validity of the instruments of research a pilot test was conducted. Thematic content analysis was used to analyze qualitative data realized from open-ended questions while quantitative data was analyzed using inferential and descriptive statics by employing Statistical Package for Social Sciences (SPSS version 22). Descriptive statistics and multiple regression analysis were employed to determine the relationship between independent and dependent variables. The study found that privacy and confidentiality policy, back up policy as well as policies on sharing, storing and transmitting of data influence the performance of SMEs in Kenya. In addition, communication channels, security training and education as well as frequency of training influences the performance of SMEs in Kenya. The study established that use of passwords was the most used access control measure to enhance information technology security, followed by smart cards and biometric access controls. The study recommends that SMEs that have adopted information technology to come up with an IT security policies. The policies should comprise of use of passwords, encryption and consequences of misuse of ICT resources among others. In addition, the management of SMEs should plan for training programs on information technology security. This will help in ensuring that the staff have up-to-date information on security risks and how to mitigate them.