By Shirley O’Sullivan
The attempted attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) highlighted the nature of the threats being faced in Biopharma. Although the attack failed because of the spies' amateurish tradecraft, it illustrated the sensitivity of the data and the consequences of exposure. Most of all, it highlighted that this is a global threat to the industry. The consequences of theft for the industry include:
- Intellectual Property (IP) theft
- Compromised clinical trials (and having to repeat them)
- Breach of contract for compromised data and product delays
- Loss of revenue
Any of these issues has the potential to put the business at severe risk and to cost it the trust of partners and customers. Here are some of the areas in which Biopharma CISOs must ensure their firms are suitably protected.
Appropriate Cloud Security
Cloud platforms such as AWS are well suited to the processing requirements of Biopharma companies, because their work usually involves analysis of very large quantities of data. In Biopharma the data to be protected will be slightly different from that in Pharma. Large-molecule drugs are optimised versions of endogenous proteins. Producing them is difficult and may involve over 1,000 process steps. The method of manufacture and the operating procedures are therefore high-value IP, and data analysis will reveal the firm's "crown jewels": the data that is critical to the company's success and whose theft or exposure would have major consequences. In addition to manufacturing details, this could include:
- Details of clinical trials
- Research and Development – for example clinical assays
- Company and product strategy
The pay-as-you-go (PAYG) cost control offered by some cloud vendors is attractive, but security leaders must ensure that the cloud strategy is also supported by an effective risk management strategy.
Once you fully understand your data you can verify that it is adequately protected. You need to define how it is protected both at rest and in transit. Is any of the data allowed out of the company, for example to be shared with partners or taken on a laptop? Who will have access to the data, and under what role? Will administrators and super-users have privileged access to it?
Some of the data may be difficult to control, such as unstructured data or clinical assays. This needs to be assessed and company procedures agreed. In addition to access control on the data itself, you also need to manage access to the applications that use the data. Finally, you need a security regime that identifies who is accessing your most sensitive data. An audit tool should record every access to that data and produce an audit trail that cannot be modified or deleted, even by administrators; in practice that means the trail must be written to storage, or protected with a key, that those same administrators do not control.
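The kind of audit trail described above, as an added example that is not part of the original article and not any particular vendor's tool: each entry carries an HMAC over its own fields and the previous entry's tag, so an administrator who edits, deletes or reorders an entry breaks the chain, and a tag published out of band (an "anchor") catches the newest entries being silently dropped. The key, the sample accesses and the anchor handling are constructed for the demonstration; the example assumes the key and anchor live with a separate logging service or HSM rather than with the database administrators.

```python
"""Tamper-evident audit trail for accesses to sensitive data (added example).

Each entry carries an HMAC over its own fields plus the previous entry's tag, so
editing, deleting or reordering an entry breaks the chain. Assumption: the key
and the published anchor tag are held outside the administrators' reach.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int         # position in the trail, so a deleted entry leaves a gap
    actor: str
    role: str
    action: str      # read / write / export ...
    obj: str         # path-like identifier of the data object
    prev_hash: str   # tag of the previous entry (the chain link)
    tag: str = ""    # HMAC over all other fields


def _tag(key: bytes, fields: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the fields."""
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only log. In production the key lives with the log service, not the DBA."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries: List[AuditEntry] = []

    def record(self, actor: str, role: str, action: str, obj: str) -> AuditEntry:
        prev = self._entries[-1].tag if self._entries else GENESIS
        fields = {"seq": len(self._entries), "actor": actor, "role": role,
                  "action": action, "obj": obj, "prev_hash": prev}
        entry = AuditEntry(**fields, tag=_tag(self._key, fields))
        self._entries.append(entry)
        return entry

    def entries(self) -> List[AuditEntry]:
        return list(self._entries)


def verify(entries: List[AuditEntry], key: bytes,
           anchor_tag: Optional[str] = None) -> Optional[str]:
    """Return None if the trail is intact, otherwise a description of the first problem.

    anchor_tag is the last tag as published out of band (e.g. to write-once storage);
    without it, silently dropping the newest entries cannot be detected.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i:
            return f"entry {i}: sequence gap (found seq {e.seq})"
        if e.prev_hash != prev:
            return f"entry {i}: broken link to previous entry"
        fields = {k: v for k, v in asdict(e).items() if k != "tag"}
        if not hmac.compare_digest(_tag(key, fields), e.tag):
            return f"entry {i}: HMAC mismatch (contents altered)"
        prev = e.tag
    if anchor_tag is not None and prev != anchor_tag:
        return "truncated: last tag does not match the published anchor"
    return None


def who_accessed(entries: List[AuditEntry], obj_prefix: str) -> List[str]:
    """Answer the CISO's question: who touched data under this prefix?"""
    return [e.actor for e in entries if e.obj.startswith(obj_prefix)]


def demonstrate() -> dict:
    """Constructed scenario: three accesses, then three kinds of tampering by an admin."""
    key = b"demo-key-held-by-log-service"        # assumption: not reachable by DBAs
    trail = AuditTrail(key)
    trail.record("alice", "scientist", "read", "process/step-0412")
    trail.record("dba01", "admin", "read", "clinical/trial-007/results")
    trail.record("bob", "scientist", "export", "assay/hplc-batch-9")
    genuine = trail.entries()
    anchor = genuine[-1].tag                        # published out of band

    edited = list(genuine)                          # admin rewrites who read the trial data
    edited[1] = replace(edited[1], actor="nobody")
    deleted = genuine[:1] + genuine[2:]             # admin deletes that entry instead
    truncated = genuine[:-1]                        # newest entry silently dropped

    return {
        "intact": verify(genuine, key, anchor),
        "edited": verify(edited, key, anchor),
        "deleted": verify(deleted, key, anchor),
        "truncated": verify(truncated, key, anchor),
        "clinical_readers": who_accessed(genuine, "clinical/"),
    }


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {'intact' if outcome is None else outcome}")
```

The chain on its own only proves that nothing in the middle was changed; the anchor is what turns "someone deleted the last hour of entries" from invisible into detectable, which is why real deployments ship the latest tag to a system the administrators cannot write to.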
Understanding your threat vectors allows you to set up suitable protection for sensitive data. We can categorise threats into six types:
- User – foreign states may break in through an insider, perhaps a former employee with a grudge against the company or a compromised current employee. There may also be attacks using deception (social engineering, for example through social networking sites) to manipulate employees into giving access.
- Network – breaking through the firewall at the perimeter of the network, or compromising an edge device
- Internet application – for example SQL injection, where SQL syntax typed into a data-entry field is executed as part of the application's own query and used to gain access to data
- Cloud applications – is effective Identity & Access Management configured? Are risk-based controls applied? Are certificates and tokens managed effectively? Are serverless functions (such as AWS Lambda) secured? Has the architecture been validated and tested?
- Email – phishing attacks that trick employees into giving away passwords, and attachments that run malware when opened
- Company mobile devices – an increasing threat: data on the device can be stolen, or the device can be used as a conduit to feed malware into the company network
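The Internet-application vector above, worked through as an added example that is not code from the article: a trial-results lookup where the user-supplied trial ID is spliced into the SQL text, beside the same lookup written with a bound parameter. The table, rows and payload are constructed sample data, and Python's standard-library sqlite3 stands in for the application's database; the restricted rows are the ones the application must never return.

```python
"""SQL injection through a data-entry field, next to the parameterised fix (added example).

The table and rows are constructed sample data; sqlite3 from the standard
library stands in for the application's database.
"""
import sqlite3
from typing import List, Tuple

# A typical payload typed into a "trial ID" search box: closes the string,
# makes the WHERE clause always true, and comments out the rest of the query.
PAYLOAD = "x' OR '1'='1' --"


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed trial results; restricted=1 rows must never be shown."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE trial_results (trial_id TEXT, site TEXT, outcome TEXT, restricted INTEGER)"
    )
    conn.executemany(
        "INSERT INTO trial_results VALUES (?, ?, ?, ?)",
        [("TR-001", "Leeds", "responder", 0),
         ("TR-002", "Cork", "non-responder", 1),
         ("TR-003", "Basel", "responder", 1)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, trial_id: str) -> List[Tuple]:
    """Vulnerable: the field value is pasted into the SQL text, so SQL syntax in it is executed.

    With PAYLOAD the query becomes
      ... WHERE trial_id = 'x' OR '1'='1' --' AND restricted = 0
    and the restricted filter is commented away.
    """
    sql = (f"SELECT trial_id, site, outcome FROM trial_results "
           f"WHERE trial_id = '{trial_id}' AND restricted = 0")
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, trial_id: str) -> List[Tuple]:
    """Hardened: the value travels as a bound parameter and can only ever be compared as data."""
    sql = ("SELECT trial_id, site, outcome FROM trial_results "
           "WHERE trial_id = ? AND restricted = 0")
    return conn.execute(sql, (trial_id,)).fetchall()


def demonstrate() -> dict:
    """Run both lookups with a normal ID and with the injection payload."""
    conn = make_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "TR-001"),
        "normal_safe": lookup_safe(conn, "TR-001"),
        "injected_vulnerable": lookup_vulnerable(conn, PAYLOAD),  # every row, restricted ones included
        "injected_safe": lookup_safe(conn, PAYLOAD),              # no trial has that literal ID
    }


if __name__ == "__main__":
    for case, rows in demonstrate().items():
        print(f"{case}: {len(rows)} row(s) -> {rows}")
```

The point to take from the two functions is that the fix is not to "filter quotes" in the input but to stop building queries from strings at all: with a bound parameter the database never parses the user's text as SQL, so the payload simply fails to match any trial ID.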
Security Measures – Board Level
The UK Government recently issued a set of questions to facilitate discussion between executives and the CISO. CISOs and technical managers will have cyber security as part of their job description, but the backing of the executives will be needed to drive it through the business. The questions take the threat vectors – phishing, email and so on – and explain them in layperson's terms. This will help the CISO to explain the company security strategy and ensure a reasonable level of understanding.
Security Measures – Management Level
Line-of-business managers can help to spread the message about security throughout the company. While the CISO defines security policy and procedures, managers can encourage good practice by appointing security champions to raise awareness on a day-to-day level.
You can reduce the risk from threat vectors by minimising the attack surface. Taking Internet applications as an example, you can minimise the amount of code reachable through end-user actions, possibly by turning off product features that are not needed. You can drive through the data analysis that defines the crown jewels and how each class of data is to be protected. You can ensure that a robust access control regime is implemented: that end-users are granted only the level of access they require, that employee accounts (including those of leavers) are reviewed and managed, and that audit trails are actually checked. You may also insist on a security testing programme to verify that the precautions are effective.
The scale of the risk from cybercrime, and the potential damage it can do, means that the industry must face up to the threat. Your biopharma security strategy must be driven by the CISO, backed at board level, and involve everyone in the company.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.