Does your company have a written information security program? If not, you could be an easy target for cybercriminals AND end up on the wrong side of the law, regardless of where your company is located or what size it is. Which law? Something they passed about two years ago in the Commonwealth of Massachusetts, something that is usually referenced with the snappy title of 201 CMR 17.00. And before you go thinking that this does not apply to you because you don't do business in the Bay State, bear in mind that 201 CMR 17.00 applies to personal information about residents of Massachusetts, and that means it does apply to your company if you take orders from Bay Staters.
To be accurate, 201 CMR 17.00 is not a law but a regulation that implements the provisions of a law, and that law is Chapter 93H of Massachusetts General Law Part I, Title XV (M.G.L.93H for short), which states, in part:
"Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards..."
In other words, you need to have a Written Information Security Program or WISP to comply with the law. Note that this applies to "every person" and includes one-person companies through SMBs to large enterprises. If your company suffers a security breach and does not have a WISP, then things are probably not going to turn out well. Indeed, the penalties can be severe, and don't expect to be let off with a slap of the wrist just because you are a small company.
Consider what happened a year ago to Ned Devine's, the Irish pub that is a Boston landmark. The Briar Group, the company that owns Ned's and several other popular venues, was fined $110,000 by the Attorney General to settle allegations that the restaurant chain "failed to take reasonable steps to protect its patrons' personal information, thereby putting the payment card information of tens of thousands of consumers at risk." Here's what AG Coakley said at the time:
"When consumers use their credit and debit cards at Massachusetts establishments, they have an expectation that their personal information will be properly protected...In this instance, the Briar Group did not take proper protections to protect customers' personal information. In addition to the payment [of the $110,000 fine], this agreement also works to ensure that steps have been taken to protect consumer information moving forward. Our office will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers."
That's a pretty big stick, one that should encourage you to implement a WISP if you operate a business in Massachusetts or do business with citizens of that state. But there is also a carrot to go with the stick. Having a WISP can add a lot of value to your company, whatever business you are in, even if you never do business with people from Massachusetts. Why? Because a written security policy or program is often a prerequisite for doing business with other companies.
While Joe Consumer is probably not going to ask to see your WISP before he buys inkjet paper from your office products store, Office Products Inc. may well ask to see your WISP if you want to be an approved vendor supplying them with paper or servicing their inventory management software. I have seen the lengthy compliance documents that some large companies present to smaller companies with whom they want to do business and, without a WISP, it is going to be hard to comply in a timely fashion, which means you could lose the business to a competitor who already has their security program in place and documented.
If you're wondering why larger companies are increasingly taking this approach, or why I am even bringing up a two-year-old security law from Massachusetts, consider these findings in the recent Verizon Data Breach Investigations Report or DBIR, which I strongly encourage you to download and read:
- 97% of breaches were avoidable through simple or intermediate controls.
- 79% of victims were targets of opportunity.
- 85% of breaches took weeks or more to discover.
- 92% of incidents were discovered by a third party.
This is a pretty dismal state of affairs, but if you create a WISP and the controls that go with it, then train your employees to comply, you can avoid the all-too-common, and increasingly expensive scenario of finding out from a third party that you've been leaking sensitive data for weeks just because you missed an obvious step in securing your data.
Here are some links to free information and samples that can help you tackle the WISP creation and implementation:
- Massachusetts Written Information Security Plan developed by Buchanan & Associates of Boston (.pdf)
- Common misconceptions about the Mass privacy law
- A Small Business Guide: Formulating A Comprehensive Written Information Security Program (.pdf)
- A Sample Information Security Policy from Advanced System Integrators (.pdf)
There are several commercial vendors that offer tools for implementing policy, for example Info-Tech's Security Policy Implementation tool.
Having a written security policy leads to better security awareness among employees, something we saw in our survey of the BYOD phenomenon. The security risks of BYOD alone are ample reason to document your security program now rather than later (for example, what is your company policy on letting friends and family access personal devices on which company data is stored or accessed? We found 46% of employees were allowing this to happen).
If you are an SMB then a WISP might sound like too much work, but consider the exposure you suffer if you continue to delay implementing a WISP. You might want to take in our latest free webcast: Are SMBs Targets for Cyber Criminals? Let me leave you with a sobering quote from the DBIR:
"Smaller organizations represent the majority of these victims...this relates to the breed of “industrialized” attacks mentioned above; they can be carried out against large numbers in a surprisingly short timeframe with little to no resistance (from the victim...). Smaller businesses are the ideal target for such raids, and money-driven, risk-averse cybercriminals understand this very well. Thus, the number of victims in this category continues to swell."