Tuesday, 12 June 2018

5 Practical Steps to Protect your Pharma Business from Cyber Crime


 
Cyber-attacks are becoming ever more frequent and ever more costly, with estimated annual losses from cyber-crime now topping $400bn (£291bn), according to the Center for Strategic and International Studies.  

And the effect of cyber-attacks on pharmaceutical businesses is wide-ranging: disruption to the business, the potential for large financial losses (the average cost of a cyber breach was $394,000 in 2017, according to NetDiligence, whose data is based on actual cyber insurance claims) and the reputational damage that a cyber-attack is likely to cause the firm.  In addition, many cyber-attacks lead to a breach of personal data which in itself has major regulatory ramifications, especially under the new GDPR legislation.  

On top of this pharmaceuticals have the added complication of the impact an attack will have on their MHRA and HIPAA regulatory obligations. 

It follows then that risk management around cyber-crime is now a major issue for all businesses. As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Board level involvement with establishing and maintaining an effective information risk management regime, which incorporates appropriate policies to match the firm's risk appetite. 

Many companies are turning to cyber insurance as a way of mitigating the risks around cyber-crime, but the reality is that a cyber insurer will assess your business processes around cyber security in order to understand their own level of risk and make decisions over the acceptance and pricing of your policy accordingly. So whilst taking insurance may be a prudent step, it does not mitigate the requirement to implement suitable processes, controls and technologies around cyber security management. 

There is so much more to cyber security management than technology. Yes a suite of technological solutions will be part of the solution (and these days that needs to be a lot more than some antivirus software and a firewall), but just as important are your organisation’s processes and procedures surrounding cyber security. Some practical steps that I would recommend every pharmaceutical business implements to lessen their risk of falling victim to cyber-crime are as follows:- 

1. Implement an effective security patch management policy

Software vendors are releasing a regular stream of patches to mitigate newly discovered security flaws. As I discussed in my recent blog Establishing an Effective Security Patching Regime, having a methodology to ensure every device on the network receive patches in a timely fashion is vital.
 

2. Get an INDEPENDENT assessment carried out to benchmark your cyber security defences

Because it’s very easy to be too close to a system and potentially overlook a security loophole, we frequently get called on to conduct independent ‘business IT assessments’ around cyber security to provide a straightforward, visual report to highlight any deficiencies and recommend how they should be remedied.  

3. Implement a multi-layered data backup strategy

With ransomware now extremely prevalent, effective procedures around data backup are paramount. More information can be found here.  

4. Review and test your disaster recovery procedures

I see so many disaster recovery plans that, for a plethora of reasons, don’t work when used in anger. Testing is essential to prove all your data is being backed up successfully and that your entire system can be restored in a timescale that is acceptable to the business.  I wrote a blog on this subject recently, which you can find here.   

5. Consider Cyber Essentials Certification

The Cyber Essentials scheme is a government-backed, industry supported scheme to help organisations protect themselves against common cyber-attacks. Whilst by no means protecting against every possible threat, the cyber essentials scheme does provide a framework for good practice around cyber security.  

There’s no doubt that managing the risk around cyber-crime is not easy, and needs dedicated resources and strict procedures which are rigorously adhered to. I think that is probably why so many firms are now moving towards partnering with a specialist IT company to provide this function, someone who can monitor their system from a security perspective at all times and is not distracted by the day-to-day operations of the firm.  This is certainly the trend we’re seeing here at Epoq IT, where we are working with pharmaceutical companies to provide all of the above services on a fully managed basis. 

If this article has raised questions or concerns over your firm’s cyber security strategy or you would like more information on Epoq’s services which include managed security services, patch management solutions, virtual CIO services, cyber essentials certification, backup solutions and disaster recovery solutions, please do not hesitate to contact me on 01494 444065 or email gswanwick@epoq-it.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Epoq IT can help.  

For more information about Epoq IT’s services for pharmaceuticals, please visit our website 

This blog forms part of our series of informational resources for senior pharmaceutical professionals. To read more articles, please visit my blog, IT in Pharmaceuticals.