Guest Column | October 12, 2018

The State Of IT Security In The Pharma Industry Today

By Chris Souza


As someone who works day in and day out with the technology leaders at pharmaceutical and other high-tech, high-growth organizations, I personally get to see the state of IT security from the front lines. I see the types of threats that people are facing as they develop and the frequency with which these various types of attacks actually happen — not just how often they're reported in the newspaper. Based on all of this first-hand experience, I started doing a little bit of research to see if the state of IT security today was really as bad as it seemed and if my perception reflected today’s reality. Do you know what I found?

That impression is spot on.

To put it simply, the current state of cybersecurity — especially in pharmaceutical, biotechnology, or other highly sensitive environments such as those in the financial sector — has never been more pressing than it is right now.

The State of Cybersecurity: The Story So Far

First, you should know that this is not a problem that discriminates. Hackers and other people with malicious intentions regularly target specialized industries like biotechnology and pharmaceuticals because the value of the information they can obtain is very high on the black market. If a hacker steals a credit card, they might be able to get away with a few hundred dollars in fraudulent charges before things are shut down — no big deal. However, if they can do that, there’s no reason to believe they couldn't also steal intellectual property from a pharmaceutical or biotechnology company, and there’s no telling how much damage they can do until after the fact. At that point, especially in terms of IP, they’ve already taken away your competitive advantage in an instant and damaged your reputation across the industry.

So when you read the following statistics, read them through that lens.

According to IBM Security and Ponemon Institute's most recent Cost of Data Breach Study, the average cost of a single data breach incident rose to $3.86 million in 2018 — a stunning 6.4 percent increase from the year before. That number breaks down to a cost of about $148 per individual compromised record. If this current trend continues, total cyber crime damages around the world are poised to hit $6 trillion per year by as soon as 2021, a figure that experts say represents the single greatest economic transfer of wealth in human history.

Is this the type of cost your compliance-required, downtime-intolerant and cost-sensitive pharmaceutical company can afford to take?

But equally concerning is the fact that it took businesses an average of 196 days to detect that a breach had occurred in the first place. Not only are breaches happening more frequently and becoming more costly, but they're also taking longer to detect — a perfect storm in the worst possible way.

It's important to acknowledge that a data breach is more than just "another security incident." It instantly creates the type of ripple effect that could bring even the strongest brand to its proverbial knees. Not only does it cause the type of downtime with costs estimated at around $5,600 per minute, but it also does something far worse: it erodes the fragile trust that you've worked so hard to build with your clients and future patients.

Still think you’re too small to consider the impact cyber security has on your organization? According to another recent study, an estimated 60 percent of all small businesses that suffer a cyber attack will be totally out of business within just six months. For the record, that's 180 days — or a shorter amount of time than most businesses will take to even discover that they have a problem to begin with.

The Time Is Now to Do Something About It

If all of this sounds particularly distressing, that's because it is; there really is no sugar coating it. Luckily, it's also a situation that none of us have to take lying down.

According to one recent study, a massive 95 percent of all successful cyber attacks are the result of the same basic cause: a phishing scam. This means that your technology didn't fail; your people and your processes did. Someone made an all-too-human error and you're about to pay dearly for it. But if your people are your biggest weakness, the good news is that you can also turn them into your best defense. Investing in awareness training can reduce your organization's risk of a breach by as much as 70 percent in some cases.

As the leader of a high-tech or pharmaceutical company, your workforce is already savvier than most. Training is a way of life for them, so we encourage you to take that one step further. Every last member of your team needs to be trained as often as possible on the changes in today’s dynamic cybersecurity landscape and the role they play in protecting everything you've worked so hard to build. They not only need to know how to spot a phishing attack, what ransomware is and why things like two-factor authentication are so important, but also how these issues apply to their specific roles and day-to-day activities.

But above all else, you need to be proactive about cybersecurity, especially in an industry like pharmaceuticals that is constantly under attack. The reactive break-fix approach to anything is rarely the solution in IT, but it's especially weak when it comes to digital activity like this. By the time you realize you have a problem, the damage has already been done — so you need to do what you can to stop the problem from happening in the first place.

You need to acknowledge that an attack isn't a question of "if" but "when" and act accordingly. You’re going to be hacked — how you address it WHEN it happens is more important than implementing tools to "stop these attacks," which will never actually happen. Make sure that you're going deeper than "general best practices," as those are only the beginning of the story, never the end of it.

About Chris Souza

Chris Souza is CEO of Technical Support International (TSI). He had over 16 years of experience in high technology before joining TSI.