隨著數位化和全球化，資料安全保護已成為中小企業必須面對的重要議題。面對人力、資源和技術的限制，中小企業在資訊安全保護方面往往處於劣勢。IT領導者需有效制定資料保護策略來應對這些新需求。本研究強調了資料保護作為防禦"天災"、"人禍"的最後一道防線的重要性，提出了3-2-1的備份資料保存規則。現行的學術研究和商業實務中，對於大型企業的資訊安全保護策略已有相當完善的討論，但對於中小企業的研究相對不足。期望透過這些具體的建議，能夠提升中小企業在資訊安全上的意識和實力，並為數位經濟的健康發展提供助力。
本研究通過文獻分析法，建議中小企業應組織小型的資訊安全保護團隊或是聘請外部的資訊安全專家來進行資訊安全的評估與規劃，進行資訊安全風險評估，選擇適當的資訊安全保護工具與服務，以及進行定期的資訊安全保護培訓等等。文章總結認為，創設資訊安全保護機制並非足夠，必須持續監督並調整以確保其效能，藉此提升中小企業的資訊安全保護水平。

As digitalization and globalization advance, data security has become a critical issue that small and medium-sized enterprises must address. Faced with limitations in human resources, technology, and capital, medium-sized enterprises often find themselves at a disadvantage when it comes to information security. IT leaders need to effectively formulate data protection strategies to address these new demands. This study emphasizes the importance of data protection as the last line of defense against "natural disasters" and "human disasters", proposing the 3-2-1 backup data preservation rule. Existing academic research and business practices have discussed information security strategies for large enterprises extensively, but research on medium-sized enterprises is relatively lacking. It is hoped that these specific suggestions can enhance the awareness and strength of medium-sized enterprises in information security, and provide a boost to the healthy development of the digital economy.
Through literature analysis, this study suggests that small and medium-sized enterprises should organize small information security protection teams or hire external information security experts to conduct information security assessments and planning. This involves conducting information security risk assessments, selecting appropriate information security protection tools and services, and carrying out regular information security protection training, among others. The article concludes that the establishment of information security protection mechanisms is not sufficient. Continuous supervision and adjustments are required to ensure their effectiveness, thereby improving the level of information security protection in small and medium-sized enterprises.

林品仲（2022）。以資訊科技框架理論 探討資訊系統委外建置成敗因素之分析 - 以某公司MES系統為例。中山大學資訊管理學系研究所碩士學位論文，未出版，高雄市
陳昶憲 （2012）。適用於雲端運算的個人資料隱私保護機制之設計。長庚大學資訊管理學系碩士學位論文，未出版，桃園市
經濟部中小企業處（2022）2022年中小企業白皮書，2022年10月，取自https://book.moeasmea.gov.tw/book/doc_detail.jsp?pub_SerialNo=2022A01686&click=2022A01686#
鍾沛原、曾賢寶、楊嘉麗、李柏毅、蔡一郎（2014）。我國電腦機房異地備援機制參考指引，2014年3月取自https://www-api.moda.gov.tw/File/Get/acs/zh-tw/TrjgYxMTKiiyueC
Barthélemy, J. (2001). The hidden costs of IT outsourcing. MIT Sloan management review, 42(3), 60-69.
Barthelemy, J. (2003). The seven deadly sins of outsourcing. The Academy of Management Executive, 17(2), 87-98.
Dibbern, J., Goles, T., Hirschheim, R. & Jayatilaka, B. (2004). Information Systems Outsourcing: A Survey and Analysis of the Literature. The DATA BASE for Advances in Information Systems, 35(4), 6–102.
Kakabadse, N., & Kakabadse, A. (2000). Outsourcing: a paradigm shift. Journal of Management Development.
National Institute of Standards and Technology (2018). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. NIST. https://nvlpubs.nist.gov/nistpubs/cswp/nist.cswp.04162018.pdf
Quelin, B. V., & Duhamel, F. (2003). Bringing Together Strategic Outsourcing and Corporate Strategy: Outsourcing Motives and Risks. European Management Journal, 21(5), 647–661.
Sheltered Harbor.(n.d.).The Sheltered Harbor Standard. Sheltered Harbor Website. https://shelteredharbor.org/