Technology Advisor Blog



Why Delaying a Written Information Security Plan (WISP) Could Be Your Business's Costliest Mistake

Posted by Ann Westerheim on 4/1/25 4:03 PM

A Written Information Security Plan (WISP) acts as your small business's shield against cyber threats, protecting both your data and financial health. Research shows 43% of cyber attacks target small businesses directly, making clear protocols and response strategies a must-have for your operations (Verizon 2024 Data Breach Investigations Report).

Your company faces real risks without proper security measures in place - from financial losses and extended downtime to damaged client relationships that can take years to rebuild. This straightforward document becomes your roadmap for protecting information, meeting regulatory requirements, and keeping your business running during security incidents. You can start protecting your business today with the right planning and implementation steps.

The Hidden Costs of Operating Without a WISP

You might think that creating a Written Information Security Plan (WISP) is just another bureaucratic task to add to your endless to-do list as a small business owner. You may believe that your business is flying under the radar and that you don't need to worry about cybersecurity incidents. However, operating without a WISP can lead to significant financial and reputational damages when your business experiences a data breach.

Compliance Requirements and Cybersecurity Checklist

A WISP is specifically required by the Massachusetts Data Security Regulation (201 CMR 17.00) and by the IRS for tax preparers, and insurance companies often ask for it. You can think of a WISP as a cybersecurity checklist for your small business. Many regulations, such as CMMC, FTC Safeguards, and HIPAA, require you to have a WISP in place.

Two Cybersecurity Mindsets

When it comes to cybersecurity, there are two kinds of businesses: those that have been hit, and those that haven't yet.

If you've experienced a cybersecurity incident, you'll likely want to do everything possible to ensure it doesn't happen again. You've felt the pain of potential reputational and financial damage, loss of customers, and more. On the other hand, if you've never experienced an incident or don't know someone who has, you may wonder if investing in cybersecurity is necessary.
Just the other day, I had a conversation with a local small business owner who said, "You know, I've been getting by all these years. I kind of think I should do more with cybersecurity, but I've gotten by this far. Do I really need to spend this money?"

The Costs of a Data Breach

A data breach can cost your small business a significant amount of money in various ways:

  • Regulatory fines and penalties
  • Legal defense expenses
  • Lost revenue from downtime
  • Customer loss

In many cases, ransomware attacks may even target your clients, leading to further damage to your reputation and relationships. These types of attacks are known as "double extortion". The time and cost of public relations recovery and the impact on client acquisition can also be substantial.

Real-World Example

We recently worked with a local firm that experienced a cybersecurity incident. They were completely down for at least two weeks and lost many of their customers. Their employees were unsure about their job security and didn't know if they should start sending out their resumes.

While large corporations may be able to rebound from a cybersecurity incident, many small businesses struggle to recover. Having a WISP in place can save you a lot of grief and anxiety after an event. If it's required for compliance, it can also save you a significant amount of money by demonstrating that you acted in good faith.

A WISP, often referred to as a cybersecurity checklist for small businesses, is an essential tool for protecting your company from the hidden costs of operating without one.

Proactive Security Through WISP Implementation

Your Written Information Security Plan (WISP) is essentially a survival guide for your business. It helps you maintain a clear perspective on your cybersecurity needs during calm times, and it will prove invaluable when incidents occur.

Keeping Your WISP Concise

You want to keep your WISP concise. A lengthy document will only add stress during a cyber incident. Even a one-page summary with bullet points can suffice, covering the essential requirements.

Designating a Security Point Person

Begin by designating a point person for security who will coordinate efforts and maintain the security program. Restrict access to protected information to only those who need it to perform their job duties.

Secure Storage and Access Control

Store all information in physically locked containers and ensure appropriate computer safeguards are in place to protect data. Your WISP should include a management process that outlines consequences for rule violations. This demonstrates to clients, the public, government, and your insurance company that you take security seriously and follow through on your commitments.

Incorporate secure access control measures and encrypt transmitted data. Here's why: Sending sensitive information like credit card numbers, driver's license numbers, or financial details via regular email is akin to mailing a postcard instead of using a secure envelope.

Monitoring and Incident Response

Implement reasonable monitoring systems to detect unauthorized use. These systems will prove invaluable in the event of a cyber incident. They'll help determine what happened and accelerate your recovery process, even if they may seem unnecessary before an incident occurs.

If you store protected information on portable systems like laptops, ensure they are fully encrypted. This changes the stakes for your computing setup: encrypted data remains protected even if the device is lost or stolen.

Malware Protection and Security Patching

Maintain an up-to-date malware protection program, advanced antivirus protection, and security patching. While it may not be the most exciting aspect of your security program, it is a fundamental starting point.

Employee Cybersecurity Awareness Training

All security protocols require a program for cybersecurity awareness training for your employees. Provide meaningful training, not just a checkbox exercise. Consider this: The more exposure your employees have to various cyber scams, the less likely they are to fall for them.

You can implement:

  • Weekly micro-training sessions.
  • Simulated phishing tests to educate your team and demonstrate that anyone can fall for a scam.

Documenting and Communicating

Your WISP should document in writing how you protect data and respond to incidents. Designate a point person for all communications and be aware that "breach" is a specific legal term referring to outsiders gaining access to data. Not every cybersecurity incident constitutes a breach.

A clear communication plan and organized business practices will make a significant difference in your cybersecurity efforts. By implementing a comprehensive WISP and following this cybersecurity checklist for small businesses, you can proactively protect your company's sensitive information and be prepared to respond effectively to any potential incidents.

Small Business Cybersecurity Checklist Benefits

Your Written Information Security Plan (WISP) should be a simple, straightforward document that serves as a cybersecurity checklist for your small business. Avoid creating a lengthy, 100-page document that you will never want to reference in an emergency. In a very stressful moment, no one will be able to concentrate or have the patience to go through a "book" - it's almost like having no plan.

Building Trust with Clients

Increasingly, your clients will want to know how you safeguard their information. Having a security policy that you can post on your website, discuss with people, and be transparent about will provide clients with a great deal of reassurance.

The Reality of Cyber Attacks on Small Businesses

According to the Verizon Data Breach Investigations Report (DBIR), 43% of cyber attacks target small businesses. A common theme among small businesses that have experienced a cyber attack is, "I wish we had taken security seriously before it was too late." In contrast, we have conversations every day with people who have not experienced a security incident and wonder, "Why should I worry if it hasn't happened to us?" This is human nature.

A recent conversation with a civil engineer responsible for physical dam safety revolved around the difficulty of getting first responders to take flood risk seriously. Human nature in action - "it won't happen to me!" Cybersecurity is a parallel universe, except that the probability of an event occurring is much higher. You must have a plan in place for what to do when an incident occurs, or you will be caught off guard, and the damage will be significant.

Competitive Advantage and Partnership Opportunities

Trust-building elements include how you protect client information and document your compliance with standards. Cybersecurity is also an area for competitive advantage. Taking cybersecurity seriously can help you:

  • Attract clients or donors if you are a law firm, accounting firm, or non-profit
  • Improve your industry leadership position
  • Increase partnership opportunities

Many times, when doing business with a larger organization, they will want to check your security standards before bringing you into their supply chain. Having your WISP ready is key.

Employee Awareness and Incident Response

Employees should have a clear understanding of the organization's security protocols, expectations, acceptable use policy for technology, and how to respond efficiently to an incident.

Let me share a story about a local firm we worked with many years ago that experienced a cybersecurity incident. The owner had been on our mailing list for a long time and later told me, "I know you talked about disaster recovery over and over again, but I never really got it. Our office is on the second floor, so I didn't know why we needed to worry about this. I thought we wouldn't get flooded in a brick building." When they had a cyber incident, they realized the importance of disaster recovery and couldn't install our backup and disaster recovery services fast enough.

Understanding Your Risk and Tolerance

It is essential to understand your risk and your tolerance for risk. For some businesses, being down for two weeks would be painful but not an existential threat. For others, a two-week outage could cost hundreds of thousands of dollars. In such cases, investing in a security license that costs the equivalent of a latte from Starbucks a month is an attractive option compared to the potential damage.

Safeguards and Regulations

Consider simple safeguards and read up on the regulations that apply to your business, as each state has different protocols. In Massachusetts, for example, the computer system security requirements are straightforward, with eight different requirements, including security awareness training.

You may not be able to implement everything at once, but you can work with specialists in security awareness training. Without it, you will not be able to obtain cyber insurance. Misrepresenting your security measures on a policy application to get insurance will leave you unable to recover on a claim in the event of an incident.

Think of your WISP as a small business cybersecurity checklist – your survival guide for your business.

Legal Requirements for Written Information Security Plans

As a small business owner, understanding the state and industry regulations related to written information security plans (WISPs) is essential. Each state has its own requirements, such as the Massachusetts data security regulation (201 CMR 17.00), which has been in effect for 15 years. This law is well-written, simple, and covers the basics of what you need to do.

Insurance Requirements and Federal Regulations

Insurance requirements can also provide guidance on what safeguards you should have in place. Insurance companies ask to see certain measures implemented because they have seen all the incidents and know the statistics. They understand the risk they are taking on with a business that doesn't have:

  • Multi-factor authentication
  • Managed Detection and Response (think of it as antivirus on steroids)
  • Other essential security measures

Federal regulations, such as the Cybersecurity Maturity Model Certification (CMMC), are in place for anyone in the defense supply chain. More regulations will likely come into play due to the significant financial damage caused by cybercrime.

Treating Your WISP as a Cybersecurity Checklist

Don't be intimidated by a WISP. Think of it as a cybersecurity checklist for your small business. The investments you make before an incident are tiny compared to what happens afterward. Many business owners wish they had taken it more seriously after experiencing a cyber incident.

Have a conversation with your tech team and understand exactly who owns the risk. Every business has different costs associated with being down for a day, a week, or longer. Conducting a business impact analysis can help you plan accordingly and make smart investments ahead of time.

Let's say an insurance company has to come in and do forensic analysis, and you don't have any log retention. It will take longer to recover. You might decide not to pay for log retention now, but make sure you understand the implications of that decision.

Examining Your Security Measures

Don't assume all these different security measures are being done when you've never looked at them in detail. Going through the WISP process will make you examine:

  • Access controls
  • Auditing systems
  • Employee offboarding processes
  • Physical security of paper records
  • Clean desk policies
  • Minimum security requirements for personal devices connecting to your network

Document these policies and communicate them to your staff. Your WISP can be a one-page document, which is infinitely better than not having one at all.

Understanding Reporting Obligations and Consequences

Understand the reporting obligations in your state or industry. While it's unlikely that someone will come in and audit your WISP, it's a terrible thing to have to explain to your customers why their information was leaked because you didn't make small, simple investments ahead of time.

Conduct a business impact analysis and work with professionals in the industry who have seen the consequences of not having a proper WISP in place. Here are a few examples of what can happen:

  • Some small businesses have had to completely shut down
  • Others have drained their savings
  • Many have paid hundreds of thousands of dollars in out-of-pocket expenses, even with insurance

Treating Your WISP as a Survival Guide

Treat your WISP as a survival guide for your small business. With smart, strategic, and affordable choices today, you can save yourself from significant hardship in the future.

Your Next Step: Protecting Business Value with a Strong Security Foundation

Your business value grows from keeping data safe and operations running smoothly. A Written Information Security Plan puts smart protections in place before problems occur, saving you money while building trust with your clients.

Our team helps businesses like yours create and implement security plans that match your specific needs and budget. We guide you through each step of building your WISP, from initial review to staff training. Ready to protect your business? Contact us today for a no-cost consultation and see how a well-designed security plan strengthens your company's future.

About the author:

Ann Westerheim, PhD is the Founder and President of Ekaru, a Technology Service Provider of cybersecurity and IT services for small and medium businesses in the greater Boston area. Ann is an accomplished technology innovator and leader with three engineering degrees from MIT. She has twenty years of high tech experience in research, advanced development, product development, and as an entrepreneur. Her career has spanned a vast range of technology endeavors including research in thin film semiconductors and superconductors, microprocessor fabrication, development of early Internet medical applications, and now focusing on the application of technology in business. She has an avid focus on the "last mile" of technology and decreasing the digital divide.

https://www.linkedin.com/in/annwesterheim/