By Chris Souza
The cyber security situation for nearly every industry is a precarious one, but few have it worse right now than biotech and pharma. I see this first hand in the day to day work my company does protecting Pharmaceutical and Biotechnology businesses from cyber threats, but I’m not the only one witnessing a trend.
According to one recent study, the pharmaceutical sector is the biggest target of criminals around the world. The total amount of damages incurred due to intellectual property theft alone come to billions of dollars every year. Even large corporations with thousands of employees have suffered severe consequences for inaction. Merck, one of the largest pharma companies in the United States, went through a breach in 2017 that ended up costing hundreds of millions in damages by the end of the year.
But at the same time, the situation is not as black and white as it may first appear. Yes, there are people outside of your organization located all over the world who want to do you harm. But the real threat that you should be focusing on is also the one you least expect:
The one that's already inside your business.
Breaking Down the Insider Threat in Biotech and Pharma
External threats to biotech and pharma businesses get more attention because they're far more visible. It becomes a "good versus evil" fight. What executives in particular don't understand, however, is that the reason these external threats were successful is because they took advantage of an insider.
Insider threats come in two forms: the employees with malicious intentions and the employees who made a mistake. 75% of security breach incidents are caused by insider threats, but of that number over 80% are caused by human error as opposed to rogue agents.
In biotechnology and pharmaceuticals, insider threats present every bit as much a public health issue as they do an economic one. Whether intentionally or unintentionally, these actors make it difficult for companies to maintain competitiveness within an industry - which also presents a risk to potential patients, too.
Not only does the drug or intellectual property in question become potentially inaccessible, but the market perception of that content is also potentially harmed beyond repair. The costs of addressing the issues associated with this type off threat are extremely high from both a financial and a public relations standpoint. If the pharmaceutical company making your child's medication goes out of business after a data breach, where is your child going to get their medication?
Equally important is the issue of compliance for the organizations. Many of the tools that regulatory agencies within the industry require include the ability to track and monitor the type of insider threat activity under discussion. Unfortunately, biotech and pharma is notorious for poor marketing and education about what these tools are and what they do - making it difficult for even seasoned executives to see how they apply to any given business.
These are the types of long-term ramifications that other industries don't have to think about and they're chief among the reasons why executives should care about insider threat dangers. Not only when they have an audit coming up, or not only on a yearly basis. They should care all day, every day, with absolutely no exceptions.
Addressing the Insider Threat: Protection Requires Action Moving Forward
The most important thing for biotechnology and pharmaceutical companies to understand is that IT - and more specifically, security and compliance - are changing at break neck speeds. Executives in the space cannot afford to distance themselves from IT by assigning that responsibility to a silo of companies. Adequately addressing threats both internal and external requires a deeply rooted collaboration between IT leadership, staff and vendors. Only then will an organization be able to maintain the strongest security possible moving forward, particularly when it comes to the actions of rogue employees or other malicious individuals.
Education will also play an invaluable role in these efforts. More often than not, employees are totally unaware of how their actions impact the security of the networks they're using. They don't understand how to spot a phishing email and even if they did, they're unclear about the severe consequences that a business could suffer as a result. They don't understand why it's a big deal that they left their work phone behind in a taxi cab, as now anybody who finds that device has a secure access point to the business' network.
Investing in thorough, regular education for all employees - both new hires and existing staff - is of paramount importance. The number one reason why security breaches happen comes down to human error. People make mistakes and if you educate them about how to avoid them, you stand the best chance at actual protection moving forward.
Not educating your employees can turn them into an insider threat, particularly in the pharmaceutical industry. Pharma companies are prime targets for insider threat activity because of the sheer value of the intellectual property they hold, as well as the enormous black market demand for prescription medications of all types.
That education also extends to executives, too. Traditionally, many leaders in the pharma and biotech space view IT as something outside their purview. It may have been at one point, but it isn't any longer - even the largest organizations can't afford to take that stance.
Instead, executives need to make a proactive effort to continually learn about how IT is changing in their industry and, more directly, how it impacts their own field and roles on a daily basis.
Not only does this present a valuable opportunity to better safeguard the types of intellectual property that biotechnology and pharmaceutical companies are dealing with, but it's also a chance to learn how to do your job, role or function better and more efficiently.
Every industry is different and every business within that industry is unique - which is why there is truly no "one size fits all" approach to cybersecurity. To begin addressing both the insider threat and those coming from outside of your four walls, you need to arm yourself with information like the following:
- Find out what critical data you have that needs to be protected at all costs. For many biotech and pharma companies, this takes the form of intellectual property. You need to know which systems that information is stored on and who has access to that information.
- Should anything critical become compromised, do you know what damage you would incur? What would you lose in terms of productivity if that data was lost? What type of damage to your company's reputation would it sustain? Is your security strategy validated?
- Threat modeling is key. This is a technique that forces you to think how your adversaries do, allowing you to remain one step ahead of them. In a spreadsheet, create three columns. In the right column, list all of your critical data and the systems that store them. In the left column, write down all of the different threats that your specific business is likely to face. In the middle column, list your vulnerabilities as they relate to the information you've already provided. This can help clue you in on not symptoms but causes - like if too many people have access to critical data, or if you're not proactively monitoring in the way you should be.
In the End
Making an effort to stay ahead of the changes with technology doesn't just make sound business sense. For many biotechnology and pharmaceutical organizations large and small, it will be the cornerstone of their continued survival over the next decade and beyond.
About Chris Souza
Chris Souza is CEO of Technical Support International (TSI), where helps biotech, pharma and other hi-tech businesses stay protected from both external and insider threats.