Enhancing Cybersecurity Compliance in Finnish SMEs: Evaluation and Adoption of Scalable GRC Tools

dc.contributor.author: Das, Manish
dc.contributor.department: Department of Computing
dc.contributor.faculty: Faculty of Technology
dc.contributor.studysubject: Information and Communication Technology
dc.date.accessioned: 2026-01-07T22:02:27Z
dc.date.available: 2026-01-07T22:02:27Z
dc.date.issued: 2025-12-18
dc.description.abstract: The evolving cybersecurity regulatory landscape poses a significant challenge for Small and Medium-sized Enterprises (SMEs), which often lack the financial resources, in-house expertise, and time to achieve compliance efficiently. This thesis investigates the potential of Governance, Risk, and Compliance (GRC) tools as a solution, focusing specifically on their scalability and adoption within the Finnish SME context. The study includes a review of related scientific literature, a comprehensive survey of Finnish SMEs, and a comparative analysis of four GRC solutions. The literature review established a foundation for analysing cybersecurity compliance practices and the adoption of GRC tools by SMEs. The survey served to quantify the compliance challenges, tool preferences and adoption barriers for SMEs in Finland. The tools, strategically chosen to range from open source to commercial and from global to regionally focused, were evaluated against a framework of economic, operational, technical and viable scalability criteria. The findings reveal a critical scalability gap in the GRC tool market. Finnish SMEs are predominantly challenged by cost, staff time, expertise and framework complexity constraints, leading to reliance on manual and ad-hoc methods for compliance. The analysis demonstrates that available tools force a trade-off between economically and operationally scalable options. The thesis provides tripartite recommendations: that SMEs adopt a strategic tool selection approach, that GRC vendors develop lightweight SME-focused solutions, and that policymakers enhance outreach efforts and provide simplified implementation guidance. This study concludes that bridging the identified scalability gap requires a coordinated effort from all stakeholders to ensure GRC solutions are effective and accessible for Finnish SMEs.
dc.format.extent: 67
dc.identifier.olddbid: 211944
dc.identifier.oldhandle: 10024/194963
dc.identifier.uri: https://www.utupub.fi/handle/11111/17151
dc.identifier.urn: URN:NBN:fi-fe202601071824
dc.language.iso: eng
dc.rights: This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.
dc.rights.accessrights: open
dc.source.identifier: https://www.utupub.fi/handle/10024/194963
dc.subject: GRC tools, Compliance, Finnish SMEs, Cybersecurity
dc.title: Enhancing Cybersecurity Compliance in Finnish SMEs: Evaluation and Adoption of Scalable GRC Tools
dc.type.ontasot: Master's thesis

Files

Name: Das_Manish_Thesis.pdf
Size: 982.66 KB
Format: Adobe Portable Document Format