Tuesday, 17 October 2017

How to Protect your Pharma Business from Cyber Threats: Think like a Hacker!
With so many pharma businesses I speak to concerned about cyber security threats, and the potentially devastating compliance and reputational consequences of a data breach or ransomware attack, I today wanted to explain some of the more sophisticated ways you can mitigate the risks around these threats.

To understand how Pharma businesses can protect themselves against the reputational damage and the MHRA, GDPR and HIPAA compliance breaches that follow a cyber-attack, it is important first to understand the different types of cyber-attack that exist. These broadly fall into two categories: commodity attacks and bespoke attacks.

Commodity Attacks

Commodity attacks are where cyber criminals use widely available tools that exploit known vulnerabilities in software or operating systems in order to hack into your system or compromise it.

These types of attacks are easy to deploy and don’t need much technical knowledge. Indeed, some of the most destructive types of cyber-attacks, such as ransomware, are now widely available for would-be cyber criminals to purchase as an off-the-shelf package and deploy as they wish. This type of ransomware-as-a-service means that cyber criminals need minimal technical knowledge and have the opportunity to make plenty of quick and easy money.

So it is little wonder that this type of threat is becoming more and more prevalent. In fact, a recent survey by Kaspersky showed that the number of ransomware attacks on businesses tripled last year, with a company now being hit with ransomware every 40 seconds. The same survey showed that 71% of companies targeted by ransomware attacks have been infected.

We now also have the situation where the more sophisticated hackers are making a point of reverse engineering the security fixes that vendors like Microsoft release, in order to work out exactly which loophole each patch closes and then use it against anyone who has not yet applied the fix. This means that unless you have applied the security fixes to every device on your network very promptly, there is a real danger that you will be compromised.

As the motivation behind these sorts of attacks is generally about making money, whether that be through demanding a ransom to give you back your data or through stealing confidential information to sell on, the cyber-criminal is generally not picky about who he targets, and as such commodity attacks tend to be widespread.

Bespoke Attacks

While the vast majority of cyber security attacks are commodity attacks, a small number are bespoke attacks. These are very different, as they are attacks where cyber criminals target one or more individual companies for a specific reason, for example to steal IP or to cause reputational damage.

Again, cyber criminals will start by using commodity attack tools to find out if there is an easy way to compromise your system. In many cases this will provide a route in. If not, the cyber criminals will take time to research your organisation, your security, individual employees, social media activity and much more, through a wide range of digital reconnaissance and sometimes physical reconnaissance measures, and then develop bespoke hacking tools to attempt to breach your defences. These types of attacks are carried out by much more sophisticated and determined cyber criminals.

So how can Pharma companies manage their risk around Cyber Threats?

Well, putting yourself into the mindset of the cyber-criminal is a really good starting place. He or she is going to be looking for known vulnerabilities in your system through which they can get in. These vulnerabilities are a constantly moving target, because software updates are being released all the time by application vendors, operating system vendors like Microsoft and security software vendors, and each one reveals something new to look for. So the scary reality of the situation is that while your data may be fully protected at 9am this morning, by 10am you may be vulnerable.

So the key here is to be constantly, in real time, scanning your system for vulnerabilities, using the same tools that the cyber-criminal is using. This way you see your network through the eyes of the hacker and can pre-empt his next move. Of course, the quantity and skillset of the human resources required to do this manually would be cost prohibitive for most small and medium sized companies. However, we are now working with Pharma businesses to implement new automated, real-time unified security management systems which carry out just this function. So rather than a vulnerability scan being carried out on the network say once a year (which provides a useful benchmark, but only tells you that your data was secure at that one moment in time), these systems carry out a continuous vulnerability scan on your system, all day, every day. Such continuous vulnerability scanning allows risks to be highlighted immediately and reported back in real time to our Security Operations Centre. Working with our clients, we then ensure these latest security loopholes are closed down immediately, so that your organisation is kept one step ahead of the cyber criminals.

I hope this article has given you some useful insight into the approach of cyber criminals and the ways you can minimise your risk of becoming a target of cyber-crime. If you would like to find out more about this topic, or you would like information on our continuous vulnerability scanning solution or would like to arrange a one-off vulnerability scan of your network to see how your cyber defences currently measure up, then please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when it will be my pleasure to speak with you.

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size Pharmaceuticals, Clinical Research organisations, Biotechnology and Medical Device companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' businesses. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks and maintaining regulatory compliance. For more information about our services for pharmaceutical businesses please visit our website http://www.connexion.co.uk/pharmaceuticals/

Tuesday, 3 October 2017

Cyber Security in Pharma: Practical Ways to Manage Risk and Gain Competitive Advantage
In my last blog, I talked about one of the key ways I believe Pharma companies can differentiate themselves from their competitors, as well as addressing challenges around GxP and GDPR compliance, and that is by tackling the thorny issue of cyber security.

We only have to open a newspaper or turn on the news these days to hear about some new cyber threat which has caused major disruption to businesses. There is also increasing pressure in Pharma to ensure that everyone in the supply chain has taken adequate measures to protect their business from cyber threats, since it only takes one organisation in the supply chain to be unable, for example, to ship product for widespread disruption and reputational damage to occur to all parties.

So today I wanted to talk about practical ways in which pharma companies can implement effective cyber security policies, processes and technologies that will dramatically reduce their risk and help to elevate them above their competitors and put them at the front of the queue to win more contracts.

Firstly, I would say that it is vital that a joined-up approach is taken to cyber security management. In the ever-evolving threat landscape, it is nowhere near enough to rely on one or two technical measures like some anti-virus software and a firewall. Rather, the company's cyber security strategy must involve the Board as well as technical personnel, and be formulated as an integrated suite of risk management measures encompassing business processes, technologies, staff training and procedures.

As a starting point, I always recommend that the pharma companies we are working with look at the Cyber Essentials scheme, a government-backed, industry-supported scheme to help organisations protect themselves against common cyber-attacks. Whilst by no means protecting against every possible threat, the Cyber Essentials scheme does provide a framework for good practice around cyber security, covering five technical controls:
  1. Boundary firewalls
  2. Secure configuration
  3. User access control
  4. Malware protection (including ransomware)
  5. Patch management
The government already requires all suppliers bidding for certain contracts that handle sensitive and personal information to be certified against the Cyber Essentials scheme, and there is no doubt in my mind that this will become the de facto standard which one day every business in the UK will have to achieve, as organisations increasingly demand that everyone in their supply chain is certified to at least this minimum standard of cyber security management. In the interim, though, those Pharma companies who choose to implement these types of standards and accreditations early on are immediately giving themselves a competitive advantage, by presenting themselves as a low-risk option to their potential customers and winning more points in tenders by demonstrating that they are taking cyber security threats seriously and acting accordingly.

We are already in the throes of working with several of our clients to implement Cyber Essentials, which, aside from the obvious commercial benefits, they see as having a plethora of other business benefits, including assisting with MHRA and HIPAA compliance, demonstrating care of personal data for GDPR compliance purposes and ensuring that their company's risk of suffering costly downtime and/or reputational damage is minimised.

Whilst Cyber Essentials won't protect your business against every possible cyber threat (in my next blog I will go on to talk about the different types of threat that exist in more detail, and some of the more sophisticated ways you can mitigate the risks around them), it certainly provides a very good foundation as the first step towards good practice in cyber security management.

If you would like more information on the Cyber Essentials scheme or you would like to explore ways in which you can successfully manage your business risk around cyber security and gain competitive advantage, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.
