Understanding cybersecurity threats and risks and how to deal with them is critical to the protection of intellectual properties, data, and patient privacy, and to continuous regulatory compliance.
Contact USDM and connect with our cybersecurity compliance experts.
I’m really excited about this discussion today between Roger and Dom. First, they’re going to cover the state of digitalization and the data landscape across your organization. They will then discuss various types of threat actors that are targeting life sciences companies, as well as blind spots and considerations for minimizing cybersecurity risk with your vendors and suppliers.
Your data is generated, stored, processed, and accessed in a myriad of different ways, and even very early-stage companies develop a surprisingly complicated landscape that includes combinations of technologies, platforms, and endpoints. This last piece, these critical vendor relationships, is really important but easy to overlook.
Your information is only as safe as your vendors and partners are able to keep it. As you grow, the complexity will continue to increase. All of these create different concerns and risks with respect to security. Vendor relationships impact almost all of these in some way.
Potential security impacts are both obvious and less obvious, and when a company managing your data is at arm’s length, like a CRO or even a CMO, it’s easy to lose oversight.
I think in the industry as a whole, we’ve been seeing increases in threat activity really focusing on that first bullet—the cloud—whether that’s SaaS, PaaS, or Infrastructure-as-a-Service. Especially in technology areas, threat actors are really focusing efforts on authentication weaknesses, usernames and passwords, or absent, inefficient, or just missing data protection controls, whether it’s access to data or encrypting data, or obfuscating information that is stored.
I think it’s also important to recognize those threat actors today are a little more business savvy. They do have business intelligence into the life sciences industry, whether that’s from employee social media posts, company press releases, or just that valuable marketing information. You see those as business enablers; looking at it from the attacker or the threat actor’s point of view, that’s recon—reconnaissance information—which ultimately leads to compromise attempts or security incidents.
Impact on Your Organization
Can you characterize some of the impacts that we’re seeing on life sciences organizations?
Yeah, absolutely. The slide has Reputation, Financial Impact, and Intellectual Property; those are certainly the first three that come to mind. When you talk about reputation, you’re really talking about the company’s brand reputation. Damage from cyber-attacks can impact customer confidence, cause a loss of new customers or existing customers, and may have an impact on investor confidence.
Something that’s not often touched upon when you think about cyber impacts on reputation is employee morale and employee retention.
The other things that should factor into financial impact are the direct or indirect costs of a breach. The time to recover, potential regulatory penalties, follow-on privacy protection for the victims of information that was breached and may be publicly posted, and ultimately, revenue loss. A breach has a significant financial impact.
Lastly, intellectual property: the thing that makes life sciences companies competitive, that competitive edge in the market. This isn’t just the formula in a company’s secret sauce; it is the process behind that, the process of how one bit of information moves to the other to become an end product.
Threat Actor Targets
We are generally talking about people, processes, and technology. Before we get into it, I mentioned that threat actors tend to take the route of least resistance.
For an in-depth look at threat actors (competitors, organized crime, insiders, state-sponsored, and hacktivism), watch the full-length, on-demand webinar.
Think about the types of technologies that life sciences companies have in place. It’s fair to say that there are firewalls, there is some type of antivirus in place, web servers probably have some web application firewall, and there’s some form of hard drive data encryption. So those are all items that increase the level of difficulty for the threat actor, which is good for the life sciences company, bad for the attackers. People are still the top attack vector simply because people still do not make great firewalls, and people are not great antivirus products. They’re really driven by success and can fall victim to social engineering, whether that is from phishing, social media, or text messages. The number of communication tools available today to a typical remote worker in the life sciences environment is pretty significant.
There’s obviously a lot of different threat actors; there’s a lot of different threat actor targets. Are we seeing that there are increasing numbers of successful breaches? Or is the industry being more successful at managing and eliminating breaches?
I think it’s a combination of both. Industry awareness and cyber visibility have increased in recent history, so that’s a positive reason why more breaches are detected earlier and reported more often due to regulatory controls.
The second piece to that is that we’re seeing more breaches because the attack surface is constantly changing, and the number of life sciences companies with a high level of cyber maturity or expertise isn’t equal to the velocity and impact of the change in the threat landscape.
Vendor Risk Management
More and more, the operational model of our life sciences customers relies on a network of vendors, and those vendors are playing ever more significant roles in early-stage R&D, clinical trials, manufacturing, and all kinds of things. So, it seems like data managed by vendors is a real blind spot for some organizations. When we talk about vendors, that includes people like cloud software providers and Software-as-a-Service and things like that, which are fairly obvious, but it also extends to those research partners that are working on your behalf, generating data on your behalf. What can you say about vendor risk management and cybersecurity issues and risks?
In vendor risk management it’s important to recognize that it’s an interconnected ecosystem of data systems and responsibility; responsibility is shared for sure.
You touched upon it briefly: clinical research partners, marketing, contract manufacturers, business processes that are outsourced, even staffing agencies and contractors, are all part of your interconnected risk management ecosystem. They have access to intellectual property, customer-sensitive data, and personal health records; the same information that you’re safeguarding needs to have the same or greater controls.
Risk management is really assessing the risks and the controls of your vendor. Are they more secure than you? Are they the same? Or are they less secure? In order to answer that question, you need to have the answers to those questions yourself. How are you doing with access control? How are you doing with encryption? Do you have an incident response policy? Do you do tabletop exercises and practice them? Those same questions that you’ve internally reflected on from a business perspective and then from a tactical execution perspective, are the same impact and risk decisions that you’re asking vendors.
Minimizing Cybersecurity Risks
Really assessing where you are at a maturity level is an important step for all three of these, the people, process, and technology triad.
It does provide a lot of visibility to the company as a whole to illustrate deficiencies and really prioritize spending and resources to protect information that is important to a business decision. Once you have that, you can start to focus on the right level of awareness. What are we at risk of, and what is our top priority in awareness? Without awareness, the people factor that we mentioned earlier in the session will continue to be a significant cyber risk and a significant disruptor to life sciences performance.
These frameworks that you can apply to manage cybersecurity, there are many that are quite well known, but they’re not really one size fits all. How do you know what’s the right one for you?
It’s a combination of all the business units collecting the requirements, so it’s business-driven, positively. There are regulatory compliance requirements that factor into it, and there is capability. Companies that are ready for the ISO standard tend to have larger, more mature practices and significantly more staff. For companies that are in the early stages of cybersecurity, moving it from maybe a managed service or an IT shared responsibility to a devoted responsibility, the CIS framework may be the better framework, sizing it to the organization’s business needs, capability, and regulatory requirements.
Thanks for that insight, Dom. It sounds like the whole industry has lots of opportunities to improve cybersecurity and address those threats.