Biotech companies like Repligen are likely to be a target for a cyber criminals (possibly with some high-level sponsorship from certain nation states) intent on stealing intellectual property or other confidential data. However, Richard Richison was as concerned about opportunist attacks as he was about more targeted threats.
"Our biggest focus is keeping threat actors out so ransomware is a key thing we have to protect against. We spend a lot of time protecting end users via security awareness training because all it takes is one click on a bad link to let a threat actor in," Richison said.
That end user training is a critical component of Repligen's cybersecurity strategy. The once a year, ten-minute refresher on cybersecurity awareness which is still surprisingly widespread despite agreement that it is, at best, ineffective, is not a tactic Repligen recommend.
The company conducts a monthly simulated phishing attack on all end users - more of which later.
Risk Assessment & Roadmap
According to Richison, whilst Repligen has always been extremely security conscious, up until a couple of years ago the security stack was siloed and ad hoc.
"We had all the tools we were supposed to have but we didn't fully understand our attack surface," he said.
"We have on premise datacentres and assets in AWS and Azure. Just being able to understand threats within all those hybrid infrastructure pieces was challenging. It was also about being able to understand the extent of Shadow IT. Users set up their own Dropbox, what were they putting there? They were connecting into Gmail from corporate end points. Why? It was about understanding what we had, where it was and what those devices were communicating with."
Eventually, last year, Repligen hired a third party to assess their entire security program. They decided on a security framework which consists of 20 controls. The third party addressed every one of these controls and how Repligen measured against them. A roadmap was then created for presentation at board level to priorities could be chosen and the right tools and automation put in place.
Regulation differs around the world. How is a global organisation like Repligen affected?
"As a global business we have to be GDPR compliant. However, we aren't FDA regulated so the only real regulation we're subject to is Sarbanes-Oxley. We do however take the GDPR very seriously and consult with a legal firm to ensure compliance. The state of California has its own version of GDPR which we follow too."
Richison also mentioned the federal Cybersecurity & Infrastructure security Agency (CISA.)
"CISA have done a lot of good things in terms of keeping security awareness top of mind. They've announced they are going to be requiring public companies to have a person responsible for security to present to the board of directors in the same that finance teams have had to post Enron. We already do that and board executives are aware of the security policies and controls we have in place."
Richison had an interesting take on the risks posed by third parties and supply chains - something that is featuring prominently in many security strategy discussions at present. The attack on software vendor Kaseya is a good example of this kind of attack, as it's a remote management tool, often used by MSPs and other third parties. The criminal logic of attacking was made demonstrably clear by the sheer number of companies affected by the breach. However, Repligen managed to avoid the worst.
"Our Kaseya infrastructure isn't connected to the internet. We manually download and patch. One way we mitigate against risk is to not be completely dependent on third parties. We don't assume they're protected. Everybody is at risk, including them."
The weakest link
Repligen's end user awareness training is a fundamental plank of their cybersecurity roadmap. Users are targeted for extra training based on their responses to the simulated phishing attacks that the company conduct.
"Our security awareness training platform uses AI. It's based on user behaviour over previous months so we can identify where risks are and focus on that. We also have specific training for finance and customer service employees because they're exposed to greater risks. They get their own special training."
Repligen also conduct mandatory quarterly awareness training for everyone regardless of their role or behaviour. Until they get 100% in that training, they continue to get reminders and the issue is escalated if the training is ignored. The company also has digital signage at each global location and security reminders that cycle through displays in corporate areas.
Richison believes strongly in regular communication with board level executives.
"We had a board meeting recently and could list the accomplishments of last year and what we expect in the coming year. The assessment we conducted meant that we could identify a cyber security model maturity number. That number continued to increase for all 20 different controls under our security framework so they can see that maturity level grow every quarter."