Winter is Coming
Cyber attacks are an increasing threat for all industries – so pharma needs to ensure its security measures are up to scratch.
Cybersecurity is still a mysterious area for numerous organizations and is often not taken seriously because it is “just computers” – until you experience a cyber attack. Cybersecurity, also known as information security, focuses on securing assets in the digital world and covers all measures to protect, detect and react to incidents affecting intellectual property, sensitive data or critical IT systems. It is just as important as a lock, CCTV or alarms in the physical world.
Winter is coming for cybersecurity – the threat becomes more tangible (and serious) every day, with new cyber attacks, incidents or major IT vulnerabilities being frequently disclosed. This summer, two malware programs – WannaCry and NotPetya – infiltrated global organizations via Ukrainian subsidiaries, primarily infecting computer networks through a compromised accounting software update. The situation was devastating for Ukraine; more than 1500 companies’ business activities were halted, bringing the country to a standstill. But it also spread to the rest of the world. Most infected organizations had no internal network, no email and no core IT systems for more than a week – the irony being that even emergency (continuity) procedures were not accessible. Can you work without IT systems for a week? And with limited systems for weeks after that? Other companies around the world were also hit. For example, Merck, Sharp & Dohme was affected in June, with manufacturing, research and revenue suffering as a result. At the end of October, the company released its Q3 financial results and attributed a $135 million dip in revenue to the attack (1).
In the pharma industry, cyber attacks have a real impact on the physical world in terms of industrial control systems – and subsequently on human lives, when the ability to produce medicines is impaired. Unfortunately, as organizations continue their digital transformation, the likelihood of an attack increases. In many cases, a cyber attack is used by criminals to make money, but sometimes the purpose is simply to cause damage and disruption.
Cybersecurity is not going away. Organizations must continue to fight. (And if you haven’t started, then you need to join the fight – pronto!) Finding the right level of priority and consideration for the topic, however, is not easy. First of all, remember that tackling the challenge requires a collective effort. No matter your business activity, it is not a task or problem for the chief information security officer alone – no matter the allocated budget or the size of the team. Your security measures must be embedded in your systems, processes, and the behavior of your people. When traveling by car, you have seatbelts, airbags, anti-lock braking and anti-collision detection systems all working together to secure your journey – but people must wear their seatbelts and not deactivate other safety features. IT systems also require a seamless integration with multiple elements to ensure security.
To ensure the correct user behavior, and to employ the right processes or technologies, you need to be supported by business lines; it must be part of the company’s strategic objective. Knowing the top 10 most business-critical assets is a given for board members – but securing those assets involves everyone – and even includes the actions of the board members themselves. Each and every individual – from top to bottom – within a company has an essential role to play; after all, attacks frequently start with a “human vector,” such as a forged email – the target of which may be a privileged user so that access rights can be stolen to infiltrate and navigate the whole network. Most attacks start with the unfortunate opening of an attachment, or clicking on an intriguing link leading to a fake or compromised website. The good news is that each individual (both within the professional environment and at home) is part of the solution; weird-looking emails with typos or formatting issues, or random requests from other departments (for example, asking to urgently transfer a large amount of money to a third party) should raise suspicion and be double-checked before moving forward.
Cybersecurity is becoming an increasingly challenging issue – and it is unlikely that the problem will disappear. I urge organizations to consider the topic at the same level as other fundamental business dimensions, such as financial viability. And whatever your role in your organization, you can definitely contribute to a more secure business environment, if only with “alert” behavior.
1. Merck, Sharp & Dohme, “Merck Announces Third-Quarter 2017 Financial Results” (2017). Available at: bit.ly/2lsXRAU. Last accessed October 30, 2017.
Florian Pouchet is the Head of Cybersecurity and Digital Trust at Wavestone, UK.