Cyber-attacks are becoming ever more frequent and ever more
costly, with estimated annual losses from cyber-crime now topping $400bn
(£291bn), according to the Center for Strategic and International Studies.
And the effect of cyber-attacks on pharmaceutical businesses
is wide-ranging: disruption to the business, the potential for large financial
losses (the average cost of a cyber breach was $394,000 in 2017, according to
NetDiligence, whose data is based on actual cyber insurance claims) and the
reputational damage that a cyber-attack is likely to cause the firm. In addition, many cyber-attacks lead to a
breach of personal data which in itself has major regulatory ramifications, especially
under the new GDPR legislation.
On top of this, pharmaceutical companies have the added complication
of the impact an attack will have on their MHRA and HIPAA regulatory
obligations.
It follows then that risk management around cyber-crime is
now a major issue for all businesses. As such, it is critical that cyber
security is not just treated as an IT issue, and that there is ongoing Board
level involvement with establishing and maintaining an effective information
risk management regime, which incorporates appropriate policies to match the
firm's risk appetite.
Many companies are turning to cyber insurance as a way of
mitigating the risks around cyber-crime, but the reality is that a cyber
insurer will assess your business processes around cyber security in order to
understand their own level of risk and make decisions over the acceptance and
pricing of your policy accordingly. So whilst taking insurance may be a prudent
step, it does not mitigate the requirement to implement suitable processes,
controls and technologies around cyber security management.
There is so much more to cyber security management than
technology. Yes a suite of technological solutions will be part of the solution
(and these days that needs to be a lot more than some antivirus software and a
firewall), but just as important are your organisation’s processes and
procedures surrounding cyber security. Some practical steps that I would
recommend every pharmaceutical business implements to lessen their risk of
falling victim to cyber-crime are as follows:
1. Implement an effective security patch management policy
Software vendors are releasing a regular stream of patches
to mitigate newly discovered security flaws. As I discussed in my recent blog “Establishing an Effective Security Patching Regime”,
having a methodology to ensure every device on the network receives patches in a
timely fashion is vital.
2. Get an INDEPENDENT assessment carried out to benchmark your cyber security defences
Because it’s very easy to be too close to a system and
potentially overlook a security loophole, we frequently get called on to
conduct independent ‘business IT assessments’ around cyber security to provide
a straightforward, visual report to highlight any deficiencies and recommend
how they should be remedied.
3. Implement a multi-layered data backup strategy
With ransomware now extremely prevalent, effective
procedures around data backup are paramount. More information can be found here.
4. Review and test your disaster recovery procedures
I see so many disaster recovery plans that, for a plethora
of reasons, don’t work when used in anger. Testing is essential to prove all
your data is being backed up successfully and that your entire system can be
restored in a timescale that is acceptable to the business. I wrote a blog on this subject recently,
which you can find here.
5. Consider Cyber Essentials Certification
The Cyber Essentials scheme is a government-backed, industry-supported
scheme to help organisations protect themselves against common
cyber-attacks. Whilst by no means protecting against every possible threat, the
Cyber Essentials scheme does provide a framework for good practice around cyber
security.
There’s no doubt that managing the risk around cyber-crime
is not easy, and needs dedicated resources and strict procedures which are
rigorously adhered to. I think that is probably why so many firms are now
moving towards partnering with a specialist IT company to provide this
function, someone who can monitor their system from a security perspective at
all times and is not distracted by the day-to-day operations of the firm. This is certainly the trend we’re seeing here
at Epoq IT, where we are working with pharmaceutical companies to provide all
of the above services on a fully managed basis.
If this article has raised questions or concerns over your
firm’s cyber security strategy or you would like more information on Epoq’s
services which include managed security services, patch management solutions, virtual
CIO services, cyber essentials certification, backup solutions and disaster
recovery solutions, please do not hesitate to contact me on 01494 444065 or
email gswanwick@epoq-it.co.uk, and
I will be happy to arrange a no-obligation conference call to discuss ways that
Epoq IT can help.
For more information about Epoq IT’s services for
pharmaceuticals, please visit our website.
This blog forms part of our series of informational
resources for senior pharmaceutical professionals. To read more articles, please
visit my blog, IT in Pharmaceuticals.