Unfortunately, the doomsday scenarios portrayed by the media have become a permanent fixture of the daily news. As if COVID-19 alone isn’t troublesome enough, we are constantly bombarded with the threat and news of actual cyberattacks.
Our Prime Minister Scott Morrison is correct – the Chinese and other foreign governments have had our health sector in their crosshairs for years. To us in the IT industry and front-line cybersecurity engineers, the threat from nefarious activities perpetrated and sponsored by nation states isn’t new or random. It’s the daily reality we face when trying to protect our client’s intellectual property (IP).
The premise is simple – if you have something of value, someone else will try and steal it. Most Biotech and Pharma organisations have IP that’s valuable and presents a tangible monetary value. In fact, the Australian Cyber Security Centre (ACSC) receives one cybercrime report every ten minutes from Australian organisation, with over 62% of businesses having been a subject of a cyberattack. The most severely affected businesses are those with under 200 employees (ACSC Small Business Survey Report, June 2020).
COVID-19 has added also played an additional role in accelerating the uptake of cloud and collaborative platforms. These platforms expand the boundaries of the data that needs to be protected and significantly increases the cyberattack surface.
Outsourcing to an IT services provider doesn’t guarantee that all your assets are adequately protected. The aforementioned ACSC report highlights a clear lack of visibility and oversight across many outsourced vendors, which leads to security gaps and potential vulnerabilities. Your organisation is still accountable for protection and privacy of its information assets.
Managing competing priorities with limited resources presents a challenge to SMEs. These include a lack of dedicated staff with an IT security focus, the complex field of cyber security, challenges in understanding and implementing security measures, underestimating the risk and consequences of a cyber incident, and a gap in planning for ,and responding to, cyber incidents. Hence a targeted approach specific to our industry is required in order to implement good cybersecurity practices.
This newsletter is the first step in a comprehensive cybersecurity improvement series Exigence will publish over the next few months aimed at raising the Cybersecurity Maturity of the entire Biotech and Pharma sector.
Before you buy your next antivirus software, plan your next IT infrastructure upgrade, or purchase a cybersecurity insurance policy, ensure that a comprehensive Cybersecurity Risk Assessment has been conducted. During the assessment we ask the three key questions:
- Who could the attacker be? – Cyber criminals are looking for a pay day. Competitors? Insiders? Nation states?
- What are they after? – Intellectual Property? Money? Private Information?
- How would the attack most likely be perpetrated? – Compromised login credentials? Brute force hack? Email phishing?
The primary goal is to evaluate your current cybersecurity posture, pinpoint risks by identifying critical areas related to your IT, line-of-business applications, cloud services, and data exchange with other parties.
The first step to achieving this is by conducting an independent and comprehensive Cybersecurity Risk Assessment. The assessment will not only provide your organisation with greater visibility across your IT environment but also compare your defences with industry best practices in terms of technology implementation, configuration and cybersecurity.
Understanding cyber security risks is a critical step in recognising, responding to, and recovering from a cyber incident. It helps you mitigate the impact of a cyber incident and determine which security practices to implement.
The assessment will also provide your organisation with a report summarising business level risk and recommendations that can be presented to your executive and board members. The outcomes of the Cybersecurity Risk Assessment are:
- Identification of current risks by highlighting critical vulnerability areas related to configuration of IT infrastructure, line-of-business applications, cloud services and information exchange between various partners, entities and organisations.
- Cyber Security Program Dashboard: Your current program maturity baselined against the ASD “Essential 8” and delivered in an easy to understand scorecard that highlights key focus areas and relevant risks. A priority matrix is included that will drive your remediation roadmap.
- Threat Assessment Reports and Supporting Documentation: Your organisation receives the output of all the exercises and scans conducted as part of the security assessment exercise and evidence of relevant threats. This enables you to determine where to invest in technology or processes to mitigate critical threats.
- High Impact Strategy and Prioritised Roadmap: A strategy will be presented in the form of a roadmap, along with a snapshot of identified risks. We provide a business centric determination of which remediation offers the best risk mitigation.
The outcome will enhance your organisations’ cybersecurity risk posture and provide management with confidence in ensuring the confidentially, integrity and availability of their data.
Finally, understanding your weaknesses will allow you to build a pragmatic cybersecurity strategy with an emphasis on Security (controls that oversee data protection, perimeter defences and identity management), Resilience (disaster recovery and business continuity) and Audit Trail (monitoring, detection of malicious activities and threat intelligence).
In addition to making it harder for adversaries to compromise systems, implementing the Essential Eight Mitigation Strategies can be more cost-effective for SMBs in terms of time, money and effort than having to respond to a cyber security incident.
Need help taking the suggested steps?
Please get in touch to further discuss the tangible benefits of an Exigence Cybersecurity Risk Assessment and how Exigence is helping Pharma/Biotech organisations meet the expectations of boards and investors today.