Why You Need a WISP
by Bobby Garrett, Gray, Gray & Gray, LLP
Securing private data is no longer an option — it’s an absolute necessity
Our most recent survey of the energy industry revealed that only 14% of the companies that responded have prepared a Written Information Security Plan (WISP) for their business. This is a problem on many levels.
- Data breaches, ransomware, and other cyber attacks are a rapidly expanding plague that affects businesses of all types and sizes; 32% of small- and medium-size businesses have suffered a cybersecurity attack in the past 12 months, up from 25% the previous year.
- 26 states (including Massachusetts, Rhode Island, Connecticut, Vermont, New York, and Maryland) require any organization that possesses personal data on customers, employees, or subcontractors to have and maintain a WISP.
- The consequences of suffering a cyberattack without an up-to-date WISP in place can be expensive and devastating, with the financial repercussions averaging $104,296 in 2020, almost double the figure reported in 2019 ($53,987).
Do I have your attention yet?
As its name implies, a WISP is a written document that details a company’s security policies, controls, and procedures. The WISP helps to ensure that a business implements and maintains reasonable security processes for the information they hold. Aside from the legal requirements, a WISP provides your business with solid security procedures that can help reduce the chances of data breaches and limit your liability if one occurs in the future.
What Data is Covered?
Most cybersecurity laws and regulations apply to any organization that holds or accesses personally identifiable information (PII), meaning data that can be used alone or in combination with other data to identify an individual. If you think you don’t hold this information, you are probably wrong. PII can include a person’s full name, Social Security number, tax records, financial or banking information, payroll data, driver’s license, or medical records. You almost certainly have some or all of this data on your employees, customers, suppliers and subcontractors, and are therefore subject to the regulations.
What Goes into a WISP?
Writing and implementing a WISP is not a simple process. It is a project that requires reviewing the business processes of your company, understanding the laws and regulations that apply to the IT systems and data used in those processes, identifying potential information security gaps and weaknesses, finding the right compromises between business practices and security, and educating end users about the policy once it is approved by company management.
Every company should have a WISP that is customized specifically for the organization. Typically, a WISP addresses the following:
- Designation of the employee or employees responsible for the security program
- Identification and assessment of security risks
- Policies for storage of data, as well as access and transportation of personal information
- Disciplinary measures imposed on WISP violators
- Limiting access by/to terminated employees
- Managing the security practices of third-party vendors and contractors
- Methods of restricting physical and digital access to records
- Monitoring and reviewing the scope and effectiveness of the WISP
- Documentation of data security incidents and responses
Implementing Your WISP
Policies and procedures are useless unless and until they are communicated and implemented throughout an organization. Part of your WISP implementation, therefore, must include notifying, educating and training employees, vendors, and subcontractors about the data security procedures that are required. All employees should be trained on the policies appropriate to their level of access to data, and be required to sign off to confirm their training and understanding of the policies. All new employees should receive data security training as part of their onboarding or orientation.
Training should not be a one-time thing. As new threats emerge from clever cybercriminals, additional security steps must be taken, and more training done. Many companies use outside consultants to run “simulated phishing attacks” on a regular basis to test employees’ (and management’s) alertness and compliance.
Additionally, you must ensure that third parties who may have access to your data also develop, implement and maintain their own WISP. This may include banks, credit card companies, accountants, consultants, subcontractors and others. If they are the cause of a data breach and you did not confirm they have a WISP, you may be held responsible for the breach.
Keeping a WISP Current
A WISP is not a document you can simply “file and forget.” Because both the cybersecurity landscape and IT systems are constantly evolving (not to mention data security laws), a WISP that was drafted just a few years ago may not be sufficient to address today’s threats. In addition, any event that may have an impact on data security requires an update to your WISP. For example, an upgrade to your computer network, moving your data storage to the cloud, or acquiring a competing business will trigger a WISP update to keep your company in compliance with the law.
The Massachusetts data security law, which has been used as model legislation by multiple states, requires companies to provide notice of any breach to the state’s Attorney General and identify any steps taken or planned in response to the incident, “including updating the written information security plan.” Additional information on the Massachusetts law can be found at mass.gov/files/documents/2017/11/21/compliance-checklist.pdf.
Want Cyber Insurance? Better Have a WISP
Ironically, 37% of respondents in our 2021 Energy Industry Survey reported they are protected by cyber insurance, nearly three times the number that have a WISP. But most cyber insurance policies provide coverage for “first party” damage to the insured, such as the cost of communicating a data breach to individuals whose data has been compromised. This does not cover damage done to third parties. There have also been documented cases in which the insurance company refused to pay damages because the insured did not have a WISP in place.
Last WISP Words
Nothing about a WISP is simple or easy. That’s because the threat to your business, your employees and your customers is significant and imminent. Unless you have an internal IT staff, it is usually a good idea to engage an outside consultant to help you prepare, implement and maintain your company’s WISP. An experienced IT services provider is focused on the latest threats, understands how to help you comply with data security laws and regulations, and can help you properly manage the response should a data breach occur.
If your fuel oil or propane company does not have an active and up-to-date WISP, you are placing your organization in serious peril.
Bobby Garrett is Director of IT and Cybersecurity at energy industry accounting and advisory firm Gray, Gray & Gray, LLP. He can be reached at 781-407-0300 or firstname.lastname@example.org.