Data breaches, ransomware attacks, and security hacks occur every day, affecting companies of all sizes and types. Any business that has not yet implemented a Written Information Security Plan (WISP) is taking a huge risk. These attacks are not limited to billion dollar corporations. Small and medium-sized companies are also targets for cyberattacks – however, these attacks often go unreported and rarely make headlines. Here are just two examples of the impact on small and medium-sized businesses:
- A car dealership in the Midwest U.S. lost $23,000 when hackers broke into their network and stole bank account information. They also added nine fake employees to the company payroll in less than 24 hours and paid them a total of $63,000 before the company caught on.
- An escrow company in California was forced to close when cybercriminals stole more than $1.5 million from its bank account using a form of “Trojan horse” malware. The hackers wired over $400,000 from the company’s bank to an account in Moscow, followed by two more transfers totaling $1.1 million, this time to banks in China. Unlike with consumer accounts, banks are under no obligation to recoup losses in a cyber-theft against a commercial account.
Not having a WISP for your company is a problem on many levels:
- Data breaches, ransomware, and other cyberattacks are a rapidly expanding plague that affects businesses of all types and sizes: 32% of small- and medium-size businesses have suffered a cybersecurity attack in the past 12 months, an increase from 25% since last year
- 26 states (including Massachusetts, Rhode Island, Connecticut, Vermont, New York, and Maryland) require any organization that possesses personal data on customers, employees, or subcontractors to have and maintain a WISP
- The consequences of suffering a cyberattack without an up-to-date WISP in place can be expensive and devastating, with the financial repercussions of an attack averaging $104,296 in 2020, almost double the figure reported in 2019 ($53,987)
Do I have your attention yet?
As its name implies, a WISP is a written document that details a company’s security policies, controls, and procedures. The WISP helps to ensure that a business implements and maintains reasonable security processes for the information they hold. Aside from the legal requirements, a WISP provides a company with solid security procedures that can help reduce the chances of data breaches and limit the liability if one occurs in the future.
What Data is Covered?
Most cyber security laws and regulations apply to any organization that holds or accesses personally identifiable information (PII) that can be used alone or with other data to identify an individual. If you think you don’t hold this information, you are probably wrong. PII can include a person’s full name, Social Security number, tax records, financial or banking information, payroll data, driver’s license, or medical records. You almost certainly have some or all this data on your employees, customers, and vendors, and are therefore likely subject to the regulations.
What Goes into a WISP?
Writing and implementing a WISP is not a simple process. It is a project that requires reviewing the business processes of your company, an understanding of the laws and regulations that apply to the IT systems and data used in those processes, identifying potential information security gaps and weaknesses, finding the right compromises between business practices and security, and educating end users about the policy once it is approved by company management.
Every business should have a WISP that is customized specifically for the organization. Typically, a WISP addresses the following:
- Designation of the employee or employees responsible for the security program
- Identification and assessment of security risks
- Policies for storage of data, as well as access and transportation of personal information
- Disciplinary measures imposed on WISP violators
- Limiting access by/to terminated employees
- Managing the security practices of third-party vendors and contractors
- Methods of restricting physical and digital access to records
- Monitoring and reviewing the scope and effectiveness of the WISP
- Documentation of data security incidents and responses
Implementing Your WISP
Policies and procedures are useless unless and until they are communicated and implemented throughout an organization. Part of your WISP implementation, therefore, must include notifying, educating and training employees, customers, and vendors about the data security procedures that are required. All employees should be trained on the policies appropriate to their level of access to data and be required to sign off to confirm their training and understanding of the policies. All new employees should receive data security training as part of their onboarding or orientation.
Training should not be a one-time thing. As new threats emerge from clever cyber criminals, additional security steps must be taken, and more training done. Many companies use outside consultants to run simulated phishing attacks on a regular basis to test employees’ (and management’s) alertness and compliance.
You must also ensure that third parties who may have access to your data also develop, implement and maintain their own WISP. This may include banks, credit card companies, accountants, consultants, subcontractors, and others. If they are the cause of a data breach and you did not confirm they have a WISP, you may be held responsible for the breach.
Keeping a WISP Current
For a business whose security is breached, when regulators or prosecutors come knocking the worst possible posture is to not have a WISP in place. The second-worst position is to have a WISP tucked in a drawer with no indication it was ever implemented or updated.
A WISP is not a document you can simply “file and forget.” Because both the cybersecurity landscape and IT systems are constantly evolving (not to mention data security laws) a WISP that was drafted just a few years ago may not be sufficient to address today’s threats. In addition, any event that may have an impact on data security requires an update to your WISP. For example, an upgrade to your computer network, moving your data storage to the cloud, acquiring a competing company, or opening an office in another state will trigger a WISP update to keep your company in compliance with the law.
The Massachusetts data security law (which has been used as model legislation by multiple states) requires companies to provide notice of any breach to the state’s Attorney General and identify any steps taken or plans to take relating to the incident, “including updating the written information security plan.” Some additional information regarding the Massachusetts data security law can be found here.
Want Cyber Insurance? Better Have a WISP
Many companies are investing in cyber insurance to help mitigate the cost of a data breach. But most cyber insurance policies provide coverage for “first party” damage to the insured, such as the cost of communicating a data breach to individuals whose data has been compromised. It does not cover damage done to third parties. There have also been cases documented in which the insurance company refused to pay damages because the insured did not have a WISP in place.
Conclusion
Nothing about a WISP is simple or easy. That’s because the threat to your organization, your employees and your clients is significant and imminent. Unless you have an internal IT staff, it is usually a good idea to engage an outside consultant to help you prepare, implement and maintain your company’s WISP. An experienced IT services provider is focused on the latest threats, understands how to help you comply with data security laws and regulations, and can help you properly manage the response should a data breach occur.
If your business does not have an active and up-to-date WISP, you are placing your organization in serious peril. For help on how to develop, produce and maintain a workable WISP, please contact me at (781) 407-0300 or bgarrett@gggllp.com.