Tuesday, 9 January 2018

GDPR Compliance for Pharmaceuticals: 9 Cyber Security Tips



When I am talking to pharma companies about their GDPR preparations, one of the most frequent questions I get asked is how companies can protect their data from ever-increasing levels of cyber threat.

This is a vital part of GDPR compliance, since the GDPR obliges firms to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” (Article 32). In my previous article “GDPR Compliance for Pharmaceuticals: 6 Key Issues to Consider” I talked about the need to implement the right technologies and business processes to deal with external security threats, and that is something I wanted to expand on in today’s blog.

Cyber security breaches are now a widespread issue, with the government’s Cyber Security Breaches Survey 2017 revealing that 52% of small firms and 66% of medium-sized firms had identified a cyber security breach or attack in the previous 12 months. The types of attack experienced are diverse, ranging from fraudulent "phishing" emails, where criminals try to trick staff into revealing passwords or confidential information, or into opening a malicious attachment or link, through to "ransomware" attacks such as the WannaCry attack of May 2017 on the NHS and many other organisations, where criminals hold your data to ransom by encrypting it and demanding money for its decryption. The motivation behind these attacks varies from quick money-making scams through to much more sophisticated espionage, and a pharma business, which holds both personal data and valuable intellectual property, is of interest to both kinds of attacker.

As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Board level involvement with establishing and maintaining an effective information risk management regime around cyber security.

Such a regime needs a multifaceted approach, which should include the following:

1. Identify where your data is held
This could include in-house servers, company- and employee-owned portable devices such as laptops, tablets and smartphones, data that has been copied to removable media such as USB sticks, data that has been shared with business partners and other third-party organisations, copies of data taken for backup purposes and data that is stored in the cloud. Until you have identified where your data is, and what personal data each location holds, it is nigh on impossible to protect it adequately; the same inventory is also the starting point for the records of processing activities that the GDPR asks for (Article 30). Indeed, because it is so hard to control information which is dispersed over a wide range of devices and/or geographical locations, many firms are now choosing to pull all their information together into a central, UK-based repository which makes it much easier to protect. Bear in mind that centralising data also concentrates the risk, so that repository must itself be well secured and backed up.

2. Identify who has access to your systems, both within and outside the company
What level of access does each system user have, and does it match what their role actually requires? How often is this reviewed, and by whom? What SOPs do you have for starters and leavers, and how quickly is access removed when someone leaves or changes role? Do not forget administrator, shared and service accounts, or the access granted to suppliers, CROs and other third parties, which is easily overlooked because nobody in the business "owns" it.

3. Regularly review how your network is secured
Nowadays a firewall and some anti-virus software are just the tip of the iceberg. Adequate protection against today’s threats also needs controls such as secure configuration of servers and end-user devices, segmentation of the network so that one compromised machine cannot reach everything, multi-factor authentication for remote and administrative access, and central logging and monitoring so that an attack can actually be spotted. Review the whole set regularly, not just once at implementation time.

4. Have in place strict and timely procedures for applying security software updates to your systems
This is important as vendors release a constant stream of security updates to fix vulnerabilities in their software, and it is vital that these are applied in a timely manner, since known but unpatched vulnerabilities are among the weaknesses cyber criminals most commonly exploit. WannaCry is a case in point: it spread by exploiting a Windows SMB vulnerability for which Microsoft had published a patch two months before the attack, so systems that had been patched were not affected. Your procedure should define how quickly updates of each severity must be installed, and how you check that they actually have been.

5. Put in place safeguards, procedures and policies around mobile working
The risk of data leakage increases with mobile working, and as such this area needs particularly careful planning in relation to cyber security. As a minimum, laptops and removable media should be encrypted so that a lost device does not become a reportable breach, lost or stolen devices should be capable of being remotely wiped, and remote access to company systems should require more than just a password.

6. Implement ongoing staff training around cyber security threats
It is important to remember that your security is only ever as good as your weakest link on any given day. That could be the temporary administrative worker who unwittingly opens a seemingly legitimate attachment or website link which turns out to be something much more sinister. It is therefore important that ongoing cyber security training takes place for all staff.

7. Consider gaining Cyber Essentials Certification
This is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber-attacks. It covers five control areas: boundary firewalls and internet gateways, secure configuration, user access control, malware protection and patch management. Whilst by no means protecting against every possible threat, the Cyber Essentials scheme does provide a framework for good practice around cyber security, and as such is something we’re helping many of our pharma clients to obtain. There is more about Cyber Essentials in this article.

8. Have contingency plans to fall back on should the worst happen
These should include incident response plans, frequent backups and full disaster recovery plans. The incident response plan should set out who decides whether a personal data breach has occurred and who notifies the ICO, because the GDPR requires notification within 72 hours of becoming aware of a breach (Article 33). Backups should be kept offline or otherwise isolated from the live network, since ransomware will happily encrypt any backup it can reach, and restores should be tested regularly: a backup that has never been restored is an assumption, not a plan.

9. Have an independent vulnerability scan and/or cyber security audit carried out on your network
This is always advisable, as, with anything, it can be difficult to assess the effectiveness of your cyber security policies when you are very close to them. We often get called upon to carry out an independent third-party vulnerability scan or cyber security audit, as clients find this helpful for identifying any element of their cyber defences that may have been overlooked, as well as providing a useful benchmark report that can be used as evidence of an effective cyber security strategy for GDPR compliance purposes.
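The starters-and-leavers review in tip 2 is much more reliable when done with a script than by eye. The following is an added example, not code from the original article: it reconciles a constructed account export from one business system against a constructed HR export and lists the findings a reviewer should act on. The field names, the 90-day dormancy threshold and the rule that only IT staff hold administrator rights are assumptions made for the example.

```python
"""Access review: reconcile a system's account list against the HR record.

Added example illustrating tip 2; not code from the original article.
Both data sets are constructed samples, and the field names, the 90-day
dormancy threshold and the "only IT holds admin rights" rule are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR export: department and leaving date (None = still employed).
HR_RECORDS = {
    "asmith": {"dept": "QA", "left": None},
    "bjones": {"dept": "IT", "left": None},
    "cwong": {"dept": "Regulatory", "left": date(2017, 11, 30)},
    "dpatel": {"dept": "R&D", "left": None},
}

# Constructed account export from one business system.
ACCOUNTS = [
    {"user": "asmith", "role": "user", "enabled": True, "last_logon": date(2018, 1, 8)},
    {"user": "bjones", "role": "admin", "enabled": True, "last_logon": date(2018, 1, 9)},
    {"user": "cwong", "role": "user", "enabled": True, "last_logon": date(2017, 12, 2)},
    {"user": "dpatel", "role": "admin", "enabled": True, "last_logon": date(2017, 9, 1)},
    {"user": "svc_backup", "role": "admin", "enabled": True, "last_logon": date(2018, 1, 9)},
    {"user": "temp01", "role": "user", "enabled": True, "last_logon": date(2017, 6, 14)},
    {"user": "old_admin", "role": "admin", "enabled": False, "last_logon": date(2016, 1, 1)},
]

ADMIN_DEPTS = {"IT"}                 # assumption: admin rights belong to IT staff only
DORMANT_AFTER = timedelta(days=90)   # assumption: no logon in 90 days = dormant
REVIEW_DATE = date(2018, 1, 9)       # the day the review is run
SERVICE_ACCOUNTS = {"svc_backup"}    # accounts that deliberately have no HR owner


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str


def review_access(accounts, hr, today, service_accounts=frozenset()):
    """Return the findings an access review should raise, in account order.

    Checks: leavers still enabled (and logons after their leaving date),
    accounts with no HR owner, admin rights outside the permitted
    departments, dormant accounts, and service accounts holding admin rights.
    Disabled accounts are skipped: they cannot be used to reach data.
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue
        if user in service_accounts:
            # Service accounts need a named business owner and a reason for
            # any admin rights; the reviewer confirms both.
            if acct["role"] == "admin":
                findings.append(Finding(user, "service account holds admin rights; confirm still required"))
            continue
        person = hr.get(user)
        if person is None:
            findings.append(Finding(user, "no matching HR record (orphan account)"))
            continue
        if person["left"] is not None:
            findings.append(Finding(user, f"leaver ({person['left'].isoformat()}) still enabled"))
            if acct["last_logon"] > person["left"]:
                findings.append(Finding(user, "logon recorded after leaving date"))
            continue
        if acct["role"] == "admin" and person["dept"] not in ADMIN_DEPTS:
            findings.append(Finding(user, f"admin rights held by {person['dept']} staff"))
        idle = (today - acct["last_logon"]).days
        if timedelta(days=idle) > DORMANT_AFTER:
            findings.append(Finding(user, f"dormant: no logon for {idle} days"))
    return findings


def users_with_findings(findings):
    """Distinct users that need action, for the review sign-off sheet."""
    return sorted({f.user for f in findings})


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(ACCOUNTS, HR_RECORDS, REVIEW_DATE, SERVICE_ACCOUNTS)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.user:12} {f.issue}")
```

Run against real exports, the same logic produces the evidence for a periodic access review: every finding is either actioned (account disabled, rights reduced) or signed off with a documented reason, and the sign-off sheet is what an auditor will ask to see.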

It is also worth remembering that securing your pharma business against cyber security threats is not a one-off task. With a constantly changing threat landscape, it is critical that all risk management activities around cyber security are reviewed and updated on a continual basis.

I hope this has given you a useful insight into some of the key areas to consider around cyber security management when preparing for GDPR. If, having read this article, you are concerned that your cyber security defences may not be adequate, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk, and I will be happy to arrange a no-obligation conference call to discuss ways that Connexion can help. Our services include providing independent vulnerability scans and/or cyber audits, consultancy around Cyber Essentials accreditation, and implementing technologies and processes to ensure your cyber security defences are in line with industry best practice.

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size Pharmaceuticals, Clinical Research organisations, Biotechnology and Medical Device companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' businesses. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks and maintaining regulatory compliance. For more information about our services for pharmaceutical businesses please visit our website http://www.connexion.co.uk/pharmaceuticals/
