Architectural and engineering firms that have not yet implemented a Written Information Security Plan (WISP) for their business are taking a huge risk. Data breaches and security hacks occur every day, affecting firms of all sizes and types.
In just one example, a ransomware attack in 2020 forced a London-based architectural firm to take its network offline, disrupting the remote operations it had instituted during the Covid-19 crisis. Cyber criminals attempted to extort money after breaking into the firm’s servers and stealing confidential information. The firm alerted police after finding messages on its server saying internal company data had been encrypted and would only be released if it negotiated a ransom settlement with the hacker. The message included screenshots of hacked payroll and cash book information. Although the firm’s data was backed up, it is unknown how much information was stolen.
Not having a WISP for your firm is a problem on many levels:
- Data breaches, ransomware, and other cyber attacks are a rapidly expanding plague that affects businesses of all types and sizes: 32% of small- and medium-size businesses have suffered a cybersecurity attack in the past 12 months, up from 25% the previous year
- 26 states (including Massachusetts, Rhode Island, Connecticut, Vermont, New York, and Maryland) require any organization that possesses personal data on customers, employees, or subcontractors to have and maintain a WISP
- The consequences of suffering a cyber attack without an up-to-date WISP in place can be expensive and devastating, with the financial repercussions of an attack averaging $104,296 in 2020, almost double the figure reported in 2019 ($53,987)
Do I have your attention yet?
As its name implies, a WISP is a written document that details a company’s security policies, controls, and procedures. The WISP helps to ensure that a business implements and maintains reasonable security processes for the information it holds. Aside from the legal requirements, a WISP provides architectural and engineering firms with solid security procedures that can help reduce the chances of data breaches and limit the liability if one occurs in the future.
What Data is Covered?
Most cyber security laws and regulations apply to any organization that holds or accesses personally identifiable information (PII), meaning information that can be used alone or with other data to identify an individual. If you think you don’t hold this information, you are probably wrong. PII can include a person’s full name, Social Security number, tax records, financial or banking information, payroll data, driver’s license, or medical records. You almost certainly have some or all of this data on your employees, clients, and subcontractors, and are therefore likely subject to the regulations.
What Goes into a WISP?
Writing and implementing a WISP is not a simple process. It is a project that requires reviewing your company’s business processes, understanding the laws and regulations that apply to the IT systems and data used in those processes, identifying potential information security gaps and weaknesses, finding the right compromises between business practices and security, and educating end users about the policy once it is approved by firm management.
Every architectural and engineering firm should have a WISP that is customized specifically for the organization. Typically, a WISP addresses the following:
- Designation of the employee or employees responsible for the security program
- Identification and assessment of security risks
- Policies for storage of data, as well as access and transportation of personal information
- Disciplinary measures imposed on WISP violators
- Limiting access by/to terminated employees
- Managing the security practices of third-party vendors and contractors
- Methods of restricting physical and digital access to records
- Monitoring and reviewing the scope and effectiveness of the WISP
- Documentation of data security incidents and responses
Implementing Your WISP
Policies and procedures are useless unless and until they are communicated and implemented throughout an organization. Part of your WISP implementation, therefore, must include notifying, educating and training employees, vendors, and subcontractors about the data security procedures that are required. All employees should be trained on the policies appropriate to their level of access to data and be required to sign off to confirm their training and understanding of the policies. All new employees should receive data security training as part of their onboarding or orientation.
Training should not be a one-time thing. As new threats emerge from clever cyber criminals, additional security steps must be taken, and more training done. Many firms use outside consultants to run “simulated phishing attacks” on a regular basis to test employees’ (and management’s) alertness and compliance.
You must also ensure that third parties who may have access to your data develop, implement, and maintain their own WISP. This may include banks, credit card companies, accountants, consultants, subcontractors, and others. If they are the cause of a data breach and you did not confirm they have a WISP, you may be held responsible for the breach.
Keeping a WISP Current
For a firm whose security is breached, when regulators or prosecutors come knocking, the worst possible posture is to not have a WISP in place. The second-worst posture, however, is to have a WISP tucked in a drawer, with no indication it was ever implemented.
A WISP is not a document you can simply “file and forget.” Because both the cybersecurity landscape and IT systems are constantly evolving (not to mention data security laws), a WISP that was drafted just a few years ago may not be sufficient to address today’s threats. In addition, any event that may have an impact on data security requires an update to your WISP. For example, an upgrade to your computer network, moving your data storage to the cloud, acquiring a competing firm, or opening an office in another state will trigger a WISP update to keep your firm in compliance with the law. The Massachusetts data security law (which has been used as model legislation by multiple states) requires companies to provide notice of any breach to the state’s Attorney General and identify any steps taken or planned relating to the incident, “including updating the written information security plan.” Some additional information regarding the Massachusetts data security law can be found here.
Want Cyber Insurance? Better Have a WISP
Many firms are investing in cyber insurance to help mitigate the cost of a data breach. But most cyber insurance policies provide coverage only for “first party” damage to the insured, such as the cost of communicating a data breach to individuals whose data has been compromised. They do not cover damage done to third parties. There have also been documented cases in which the insurance company refused to pay damages because the insured did not have a WISP in place.
Nothing about a WISP is simple or easy. That’s because the threat to your firm, your employees and your clients is significant and imminent. Unless you have an internal IT staff, it is usually a good idea to engage an outside consultant to help you prepare, implement and maintain your company’s WISP. An experienced IT services provider is focused on the latest threats, understands how to help you comply with data security laws and regulations, and can help you properly manage the response should a data breach occur.
If your architectural firm or engineering firm does not have an active and up-to-date WISP, you are placing your organization in serious peril. For help on how to develop, produce and maintain a workable WISP, please contact me at (781) 407-0300 or firstname.lastname@example.org.