Published on January 11th, 2023 📆 | 6567 Views ⚑
0Cybersecurity Threats & Pharma
The steps companies can take now to better protect themselves and their data.
One unfortunate trend that the pharmaceutical industry is set to face is that of cybersecurity. There is no current government infrastructure in the US to protect individual organizations outside of the government at this time. As such, the pharma industry is on its own and must spearhead its own cybersecurity efforts.
In an interview with Pharm Exec, Lieutenant General (LTG) (retired) Ed Cardon recommends that all companies must think of cybersecurity in the following way: âItâs not if youâre going to get hacked, itâs when.â Everything can be hacked. Itâs a matter of how much time and resources a hacker utilizes to do so.
General Cardon was the commanding general of the US Army Cyber Command. Since his retirement from the US Army, he has continued working with both government and commercial cybersecurity entities to better secure networks and data.
For the pharma and biotech industries, the three key threats when it comes to cybersecurity, according to General Cardon, are 1) advanced persistent threats (APTs), which are nation-state hackers; 2) ransomware, which is normally criminal in nature; and 3) insider threats, such as witting and unwitting insiders within an organization.
There are other threats, such as âhacktivists,â but they are currently not the primary threat. An important feature of cyber actors is that they are constantly evolvingâthe environment is dynamic, not static.
APTs are considered a serious threat because a country (or nation-state) has determined that hacking a particular network is important, such as stealing IP or data. They will look at an organizationâs cybersecurity as a systemâassessing information technology, suppliers/supply chain (such as third partiesâ connections to a companyâs information technology network), the facility itself, as well as analyzing the people and facilities, General Cardon explains.
The problem is: no matter what an organization does to protect itself, they are at a disadvantage. As General Cardon describes it, an APT can attempt to hack a network 10 million times, and they only have to be right once. On the flip side, an organization must be right 100% of the time.
âThis is why I believe a company needs help against a nation-state,â says General Cardon. âThereâs no way a company could defend itself against the nation-state long-term.â
For ransomware, on the other hand, the motivation isnât to acquire IP, data, or other information. Instead, the motivation is moneyâand making it as fast as possible. If a target is too difficult to hack, the criminal will move to the next target, General Cardon notes.
One way to combat cyber threats is what he calls the âzero-trust principles,â which start with the premise that everything can beâand is assumed to beâhacked. General Cardon breaks down the principles further:
- Authentication. This includes passwords, two-factor authentication, etc. to ensure everyone is who they say they are before having access to a network.
- Segment the network. People should only have access to what they need within a network (e.g., not everyone needs access to clinical trial data or IP data).
- Encryption. Even if hackers break into a network, they canât get the data unless they have a supercomputer.
- Monitoring. Sensor the network so the cybersecurity team can âseeâ the network in a way that allows anomalies to stand out.
Another idea is to build resilience, redundancy, and regeneration for the highest-value assets. First, make the network resilient through good âcyber hygiene.â An example is rapidly updating and patching software as soon as it is available. Second, if a process or data is critically important, ensure there is a redundant system. General Cardon explains that you shouldnât have âall the crown jewels in one placeâ (i.e., important data and information in one sole location, network, or server). Finally, have a plan to regenerate the network when all else fails. This capability is accessible via most cloud technologies today.
Itâs impossible to defend everything everywhere all the time. But General Cardon recommends companies consider the following strategies to more effectively limit the opportunities for potential threats.
- Utilize more than firewalls and endpoint security.
- Use threat-informed âmaturity models,â which is the assumption that everything is hackable. Start with an analysis of what systems, processes, and/or data are of greatest value to a hacker and organizing cyber defenses accordingly.
- Put a monitoring system in place to detect anomalies, including computer behavior heuristics, for early detection of a potential problem.
- Use âwhite hat hackersâ (cybersecurity professionals) for penetration testing to attack an organizationâs network to identify vulnerabilities on a periodic basis.
Meg Rivers is Pharm Execâs Managing Editor and can be reached at mrivers@mjhlifesciences.com.
Gloss