Cyber security risks in the biotech and pharmaceutical industry

Historically the biotech and pharma industries were most at risk from insider threats or espionage being carried out by people who infiltrated an organisation to learn secrets or directly steal information, data or intellectual property.  Now though much of the work they do, although resulting in physical products, happens online and the resulting intellectual property, data and information is stored online too. In an industry where the competition is high and the stakes are often higher, as are the rewards, cyber security should be a business imperative – if you work hard enough to create something you should work equally as hard to protect it from threats.  One UK based medical research company was set to begin work on trials of Covid-19 vaccines when it was targeted by the Maze ransomware group, as reported by Computer Weekly.  In this sector media coverage, or past successes, can create a target where there wasn’t one before, so being prepared to defend yourself is a key thing to look at before any announcements or breakthroughs are communicated. Big data growth has made it possible to collate and store vast amounts of medical, trial and genetic information for organisations in these fast moving, high growth sectors.  It’s no surprise then that the most commonly understood threats are focused on data, intellectual property or results from tests and trials.  Biotech and pharma companies tend to have a bias towards protecting technology as it both holds this information and facilitates much of the work being done, but the reality is that their security risks go beyond this. As an example we see further risks once drugs go in to production as raw materials are being shipped and can be identified, essentially giving away some of the hard earned intellectual property.  Production can also be disrupted by cyber criminals who target parts of the supply chain in an attempt to bring down the business through their suppliers. Anything that isn’t within your direct control should be considered as a third party risk, and with the supply chain being so complex and essential to biotech and pharma businesses, due diligence across your suppliers is paramount to more secure business operations.  Cyber security doesn’t stop at the edges of your business, and any potential weakness in a supplier business are attractive to cyber criminals as they can potentially disrupt many organisations with one attack.  You can find out more about securing your supply chain in a series of articles over on our blog. Physical security for businesses operating in biotech and pharma is also a key area of risk.  Very much in the same way that cyber criminals are able to access valuable information, the risk from either being infiltrated by someone out to harm the business or from one of their own staff posing an insider threat further places these businesses under pressure to invest in physical security measures.  Doing this will provide a further layer of defence that isn’t always required in other industries.  Additional layers of protection may be required regarding building access, levels of data or systems access and vetting of new staff and leavers. It is important to highlight that these risks are not just present for the larger firms.  There is a huge global network of start-up and scaleup businesses in this sector and as there appear to be no formal requirements for them to report whether they have been targeted in cyber-attacks, there isn’t an easy way to know how often these organisations are being targeted.  Being nimble in this space is an advantage but that often means that elements of security can be overlooked or compromised as there is often no dedicated resource looking at this aspect.  It is also possible that staff are arriving quickly as the business scales and onboarding doesn’t cover basic security hygiene, which can create risks especially around phishing and ransomware attacks leading to data breaches. The same adaptability and capacity to pivot that is seen in the core business should be harnessed for the benefit of protecting data, intellectual property and systems. Cyber security is often cited as being everyone’s responsibility, and in many ways it is.  However, there needs to be a high level of both engagement and ownership within the leadership team as without this it is unrealistic to expect the wider organisation to play their part in securing the business.  Many leaders in this industry may come from the academic or scientific communities and not bring with them a working knowledge of cyber and information security, and this is where investing in raising levels of awareness and competency across the workforce will provide great benefits. There are two key ways in which this can be done, either by bringing in a Chief Information Security Officer (CISO) or if there is not the need or justification for this being a full time role many organisations opt for a virtual Chief Information Security Officer (vCISO).  A vCISO will enable your organisation to quickly have the knowledge and experience needed to assess your current security position and start shaping what needs to be done to build a cyber security strategy and its delivery. Alongside this, training all staff should be seen as a key part of the cyber security strategy, whether it’s the leadership team who need this support in terms of how to manage security across the whole organisation, or the wider staff team who have low awareness of the everyday risks and need this to become embedded in their roles. If your organisation operates in the biotech or pharma industries and you need support in understanding and managing the risks you face, CyberScale can help you on that journey.