Life science companies face unique cybersecurity risks. See how your security posture measures up.
The potential impact of a cyberattack to a life sciences company is complex. On the line is highly critical intellectual property and patient information, production delays or lost batches of high-cost product, and even brand identity. No one wants to be the drug maker that can’t provide critical medication to patients in need.
While the ROI of security is found in risk avoidance, we’ve seen time and time again how this risk translates into direct material impact on company valuation and the bottom line. Remember the $310 million lost by one pharmaceutical company due to NotPetya? No organization is immune.
The good news is, pharma and biotech companies have been dealing with security-related regulations, data integrity and compliance requirements for some time. But as technology evolves, so do vulnerabilities, meaning vigilance is a must.
Take a minute and ask yourself the following questions about your current cyber hygiene practices and how you measure up.
Do you know your vulnerabilities?
The amount of connectivity in today’s manufacturing environment means more attack surface – or vulnerabilities – for cyber threats to latch on to. Securing your production means looking beyond defense-in-depth strategies and addressing cyber risk across the entire attack continuum. But how?
Following the NIST cybersecurity framework is a good place to start.
- Identify what you have (asset inventory) and the associated risks.
- Leverage protective mechanisms like patching, tracking and access control to help protect what you have.
- Detect anomalies and events that bypass those protection mechanisms.
- Implement response capabilities.
- Develop a system to support rapid backup and recovery.
Successfully implementing these basic cyber hygiene tenets is the first step in building an effective cybersecurity program and improving your ability to defend against future cyberattacks.
How are you dealing with obsolescence?
There will be vulnerabilities. There will be obsolescence. And updates aren’t as easy as simply replacing hardware or applying a patch. You need to be mindful of the regulations and environment you’re in.
Consider the following when evaluating the risks of maintaining hardware or software:
- What is the impact of someone exploiting this vulnerability?
- Is there a way to address this vulnerability by applying an alternative mitigating control?
- If not, can you justify migrating to a supported platform/solution/product for this application?
There’s no one right answer. Depending on the controls and prevention mechanisms you have in place, you may choose to continue to produce or run a batch as-is because you feel protected and consider your risk mitigated. But asking these questions before an incident, understanding your security posture, and having proper documentation and controls in place will help you be more confident in your decisions.
Is your organization prepared to respond?
Can you quickly and clearly define your strategy and know how you’ll respond to a cyberattack? The best prepared organizations create a culture of operations and IT working together to answer those questions. Make sure teams collaborate well, driving issues through resolution. How would you engage them? What tools are available and are new ones needed?
Together, you should complete regular assessments that measure and manage risk. If you feel confident that you’ve covered the five NIST pillars, you may be good. But really challenge yourself as a team to dig deeper into this framework and put your organization to the test.
We often suggest running a tabletop exercise, a meeting to simulate an event. Play out in real time how you’d respond and recover after detecting an event. This kind of concrete drill will help expose any gaps in your program.
Are you ready to think differently?
Cybersecurity isn’t a set-it-and-forget-it discipline. You should continually seek to understand your exposure, risk and preparedness. Challenge your organization to identify what’s changing, both internally and externally. What can you do differently? Where do you need help?
Those who succeed in creating a solid cyber hygiene foundation aren’t just buying tools and technology. They’re addressing the human and organizational aspects of creating a culture of change: one where operations, IT and management embrace security as part of their everyday jobs, and where workers know how they contribute to the end goal.
With so much at stake, frequent attention to these questions can have a big impact on securing your operations and helping to protect the bottom line.