Cyber-Immunity: How Big Pharma's Little Trust Protects Data and Disease
Cyber security in the pharmaceutical industry has traditionally focused around specialist chemical and drug manufacturing, which encompasses complex supply chains around the world.
Although interconnectivity is important, it does leave pharmaceutical companies vulnerable to cyber attacks.
As drug and pharmaceutical advances often represent millions to billions of pounds in commercial value and intellectual property, big pharma have become seductive targets for individuals, collectives - and as of late - state-sponsored hacking.
The vast level of sensitive data held by pharmaceutical firms requires safe-keeping to prevent viral infection, and not the kind created under lab conditions. But rather, the kind of viral infection that penetrates mainframe computers, the cloud and on-site servers. The nasty kind or virus that has the capability to hijack billion-dollar R&D budgets, yet ever-so-preventable through best practices in cyber security.
And herein lies the quagmire for big pharma - bolster existing measures on established architecture, or explore new frontiers in the cyber security universe which may take longer to implement?
The Bigger Picture - The Cost of Cyber Security for Pharma
According to IBM and Ponemon Institute Research, pharmaceutical breaches cost "an average of $5.20 million."However, it’s important to consider the wider effects of a data breach since $5.20 million may represent mere pocket-chain to some of the industry’s global pharmaceutical giants.
Beyond the costs of a data breach remedy, a cyber attack does more than just steal revenue. History has been unkind to big pharma victims of cyber attacks where it’s not uncommon once news reaches the media and Wall Street, to witness an immediate decline in share prices; wiping millions, if not billions on stock valuations. Stock prices move in tandem with investor confidence, and there’s nothing more damaging to a company’s reputation and PR department like a data breach. Pharmaceutical companies struggle to retain customers after cyber breaches - only behind healthcare and financial services in this regard. And for very valid reason, for it is these very companies that we trust with our health and wellness.
Deloitte estimate "£1.8 billion in damage in 2017 from theft of intellectual property in healthcare, biotechnology and pharmaceuticals."
And in a twist of big pharma irony, there’s no known vaccine for reputation damage, stock valuation loss, investor confidence, and consumer trust from a cyber attack and data breach. Immunity in such regard cannot be easily overcome. An ounce of prevention is truly worth a pound of cure.
Whilst the paltry sum of a mere £1.8 billion may sound insignificant to the total market capitalisation of such companies, it’s not long before the figures start to add up - and quickly.
Why is Cyber Security such a problem for Pharmaceutical Companies?
WHEN ONE OF THE WORLD’S LARGEST PHARMACEUTICAL GROUPS MERCK & CO. SUFFERED A BREACH IN 2017, THE COST WAS VALUED CONSERVATIVELY BY THE WALL STREET JOURNAL AT "$670 MILLION."This was after the Merck & Co security team had detected the breach within a matter of hours - light years ahead of the typical industry average: 206 days. But alas, life imitates art, whereby the spread of damage to the cyber-immunity of pharmaceutical companies can be epidemic before it’s even realised.
A cyber security breach in the pharmaceutical sector can cause wide-ranging and devastating effects across the entire industry. There is no single way to define how damage to a pharmaceutical company will be affected by a cyber attack. Merck may have lost $670 million, but their reputation was tarnished (not to mention the share price beating in global markets during overnight trading). Day to day activities might be disrupted, but the longer term repercussions of a cyber attack are extensive:
What approach can pharmaceutical companies take to improve cybersecurity?
The Merck incident was in many ways a watershed moment for the industry. Companies have responded by beefing up cyber security and turning their focus away from incident response approaches, in favour of prevention methods.
The risks of poor cyber security should be enough motivation for pharmaceutical companies to protect their information, but surprisingly, such is often not the case. There is a positive correlation between more sophisticated cyber security software and more sophisticated hacking and breaches. Security teams have fallen into the trap of waiting for attacks and focusing on responding, rather than minimising the likelihood of an attack happening in the first instance. Systems need to be reviewed regularly on a proactive basis, rather than being changed as reactive measures.
One immediate remedy is a dedicated specialist, (enter the) Chief Information Security Officer (CISO) to help bridge the gap between the boardroom and the I.T. department.
Yet 25% of pharmaceutical firms have not appointed a CISO for such crucial role.
A CISO is an experienced veteran of cyber security and will understand the importance of reviewing - not just day-to-day approaches - but a viewpoint of the bigger (long term) picture.
A second option is to adopt a completely different approach to cyber security, such as a “Zero Trust Architecture”.
This APPROACH assumes that everything is a threat until it can be safely vetted and approved.
Until such point, accessibility is limited only to those who have the relevant authority or credentials for access.
Zero Trust architecture is somewhat reminiscent of being underage and trying to get into that nightclub all your +18 friends can’t stop talking about. Without ID, you can’t be safely vetted (no access/entry to the club). That means it’s Netflix at home for now (no access) in the world of zero trust architecture.
Although this might not be suitable for pharmaceutical firms, the same principles can be applied for a top-down approach to cyber security. Senior managers need to review all practises and approaches, taking into account the acceptable levels of risk at each level of the business hierarchy. For future improvements, clear implementation processes and plans need to be thoroughly defined and staff need to be identified to help drive, manage and remain accountable. Training needs to become a monthly, and potentially a weekly exercise to ensure people are constantly aware of the latest trends, threats and issues regarding cyber security and the pharmaceutical industry.
A final key point: it isn’t merely suffice for pharmaceutical companies to ensure they are internally watertight regarding their cyber security. Pharmaceutical companies need to work with third party application developers and supply chain companies.
What does the future hold for pharmaceutical companies?
The pharmaceutical industry, like the healthcare industry, need to take positive action in order to resolve the potential of serious cyber security flaws existent in some organisations today.
With some developed medicines, keeping data about trials and the chemical make-up of the drugs are literally a matter of life and death. The same sense of urgency and value on data is required.
Adopting approaches like Zero Trust Models might seem unnecessary at first, but the protection they provide is invaluable.
Every pharmaceutical company needs to ensure robust cyber security architecture is in place to afford protection at every level of the organisation. Today it’s a must for major pharmaceutical firms to employ qualified CIOs and CISOs to help manage these frameworks - and only by doing so - can they hope to guard themselves against the increasingly volatile, coordinated and calculated threat of cyber criminals.
Contact Via Resource today to discover how cyber security measures can be implemented in your pharmaceutical company to protect against the increased threat of cyber crime.
Check out our blog to learn more about Zero Trust Models and be sure to read our recent piece on how the Legal industry is dealing with cyber crime.