The cyber resilience of the pharmaceutical industry
The pharmaceutical industry is one of the most strictly regulated in the world, especially when it comes to clinical testing, manufacture or advertising. New requirements are continually cropping up, along with data-protection and legal-compliance obligations. It is one of the sectors that have invested most in their digital transformation in recent years, but securing that process is especially important in this case. Industrial espionage and the theft of patents, data, contacts and clinical testing results are only some of the cybercriminals’ aims.
GlobalData’s report Emerging Technology Trends Survey 2019 reveals that over 70% of pharma executives who have some level of responsibility with regard to the implementation of new and emerging technologies prioritize cybersecurity (73%), cloud storage solutions (71%) and Big Data (71%). Big data, blockchain, cloud computing and cybersecurity are all interrelated. Big datasets need a high level of security in information processing, transfer and storage. Cybersecurity’s ROI, based on hypothetical situations, is hard to pin down. Overlooking it, however, can turn out to be very expensive, cutting off revenue, breaking the supply chain, damaging brand reputation and provoking lawsuits.
Cybersecurity, therefore, is absolutely crucial for the pharma industry. Witness two well-known cyber attacks. In June 2017 pharma industries’ worldwide operations were interrupted, including manufacture, research and sales. The impact on turnover and related expenses added up to 695 million dollars, while insurance companies coughed up only 45 million dollars.
In April 2019 another industry reported fierce cyber attacks, blaming them on Wicked Panda Group, cybercriminals of Chinese origin. Industrial espionage was behind it all and the goal was patent theft.
This all raises the question: how good is the Spanish sector’s cybersecurity strategy? A study by the insurance company Hiscox in collaboration with Forrester Consulting weighed up the cybersecurity situation of the sector in 7 different countries. Spanish pharma and healthcare companies came out badly, showing the lowest percentage of ICT budget spent on cybersecurity (4.6%) in comparison with the sector mean of 8.4% in other countries. Asked about their investment forecasts for the next 12 months, 74% of Spanish firms claimed they planned to increase their cybersecurity outlay, in this case outperforming the mean in other countries of 68%. Although Spanish firms are the lowest cybersecurity investors, therefore, their plans to increase this outlay at least show they are mindful of the risk they run. Seventy-four percent of respondent Spanish pharma and healthcare firms acknowledged having suffered a cyber incident in the previous year.
These cyber attacks happen because there is a lucrative market for health-related data. Access to pharma companies’ systems, the increase in teleworking, videoconference client meetings, external access to information systems and document exchanges all expose us to greater threats and compromise our companies’ very sensitive information, which is undoubtedly of great interest to cybercriminals.
Hence the top-priority need to speak about cybersecurity in the pharma sector, just as the banking sector has already done, and especially when cybercriminals see it as such an easy target. The pharmaceutical industry’s cybersecurity outlay should be spent not only on new product R&D but also on the phasing in of new protection technology to boost its cyber-surveillance capability, as well as the detection and control of any security breaches, the issuing of early warnings in critical systems and ensuring rapid response to any attacks. In short, set up a prevention strategy.
Cybersecurity also comes into play in the convergence between traditional and industrial IT systems, hitherto unconnected. Here people pose one of the main challenges. Employees are usually the weak link in the security chain due to lack of awareness of its importance. Cybercriminals are only too aware of this and therefore set their sights on employees with privileged access to data, systems or sensitive contacts. Their modus operandi is simple: they send the worker in question a scam email inviting him or her to open an attached file or click on a link that leads to a malware site.
By way of conclusion, threats are growing and, consequently, cyber attacks too. To make matters worse, it is more expensive and time-consuming to put these attacks right. This is the conclusion reached in the Ponemon Institute’s annual “Cost of a Data Breach Report”. The average yearly cost of data theft for any company now stands at 3.92 million dollars. The effects can last for years too. Sixty-seven percent of the expense is accrued in the first year, with lingering effects as long as three years later. According to this study it takes an average of 206 days to detect an attack and 73 days to contain it. Breaches produced by malware are the most costly, 27% more expensive than a breach caused by human failure. A cyber attack, in short, could bring the whole firm down as well as exposing it to whopping GDPR fines.
Boosting cybersecurity cuts down cybercrime risk, costs and consequences. Top priority, therefore, has to be given to protection from cyber attacks targeting sector professionals; this can be done by investing in technology that limits information loss and business interruption and by taking up technology that minimizes security costs.
Author: Inmaculada Pérez Garro