Life Sciences, Pharmaceutical and Medical Device Companies Need to Trust Less and Question More to Keep High-Value Data Safe

 

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

and Scot Glover, Managing Director
San Francisco Life Sciences Practice Leader

 

Life sciences, pharmaceutical and medical device companies possess sensitive, high-value data that cybercriminals, hacktivists, unscrupulous competitors and other malicious actors aim to steal or otherwise expose. Personally identifiable information (PII), such as employee data and information about clinical trial participants, is a prime target for compromise. So, too, is intellectual property (IP), like drug formulas, proprietary software and manufacturing processes.

Adversaries are finding success with their campaigns: According to a 2016 study by the Ponemon Institute, which included pharmaceutical and medical device businesses, 90 percent of healthcare organizations (an all-inclusive category for all sectors participating in the survey) have suffered a data breach in the past two years. Ponemon estimates that those incidents cost the healthcare industry US$6.2 billion.

There are other cyber risks, too, that can be even more damaging. The recent, massive WannaCry ransomware attack, for example, shows how the interconnectedness of healthcare systems, and weak security practices, can put both organizations and patients at risk. The malware also affected Windows-based radiology devices at two U.S. hospitals, according to reports. The attackers took advantage of known vulnerabilities in the devices’ software. Many devices across the healthcare system use old software that is difficult to update, which means they are ripe for malicious actors to exploit.

Time to move cybersecurity from “top concern” to “top business priority”

Although cybersecurity is, and has been, a top concern for leadership at life sciences, pharmaceutical and medical device companies and their stakeholders, most of these businesses aren’t doing enough to ensure PII, IP and other vital data, and their critical systems and devices, are protected. There are several reasons for this, including:

  • Too much trust: Companies often outsource key critical functions, such as research and development, marketing studies and patient data analysis. Unfortunately, many companies feel that the risk of a data breach or hack is also outsourced to the business partner, and that the collaborative agreements they’ve established with their commercial or academic partners or contracted research organizations somehow guarantee security.
  • Lack of insight: Businesses may not dig deeply enough into their collaboration networks or supply chains when conducting cyber assessments to identify security gaps and other risks.
  • Too few resources: Many organizations in the industry are small and in startup mode, and therefore operate very lean. They devote most of their time and budget to research and development, which leaves them with little or no funding to put toward enhancing their cybersecurity. Also, many of these businesses rely on cost-effective and easy-to-access technology tools to store and share information, which means information could be exposed to malicious hackers if the tools are not configured and secured properly.

To improve cybersecurity, life sciences, pharmaceutical and medical device companies must stop viewing the issue as a top concern and treat it as a top business priority. As a starting point, these organizations should seek to answer the following questions:

  1. What information do we share with our strategic partners electronically and how is that data protected while in transit or stored? More companies than ever before, big and small, are now working with contract resource organizations (CROs). These CROs exchange sensitive and confidential data over electronic networks continuously, and the potential for loss, compromise or theft of PII or IP is high. Cybercriminals often will target the security weaknesses of third parties to gain access to a targeted company, using tactics such as phishing. Another risk area: Many businesses are relying on third-party vendors, i.e., cloud providers, to manage and store their data.
  2. How are our strategic partners handling our information physically at the research site? This question relates to the earlier point about companies’ lack of insight into their collaboration network. Organizations must understand how their information might be exposed in a lab environment or at a research site. The theft, by an insider, of a researcher’s notebook with details about a new drug formula or a medical device in development could spell the end for a company whose entire value is tied up in that irreplaceable IP.

Medical device companies have a third question they should consider (although, so too should the organizations and patients relying on these devices):

  1. What is the risk that our products could be hacked and/or controlled by malicious actors? The potential for medical device compromise is no longer in the realm of science fiction. And there were warnings that this would become a reality even as the Internet of Things was emerging. Back in 2014, for instance, the U.S. Federal Bureau of Investigation (FBI) issued a report warning that cyber attacks against healthcare systems and medical devices were likely to increase as more healthcare records were digitized and more medical devices were connected to the Internet.

Life sciences, pharmaceutical and medical device companies must think more critically about, and build a better understanding of, their cyber risk exposure and know what digital assets malicious actors would be most likely to target. When it comes to cybersecurity, these businesses would do well to trust less and question more. Failure to do so can put not only their brands and reputations at risk but their entire business — as well as, potentially, the lives of their patients.

Cyber Attacks Can Be Costly – Is Cyber Insurance the Answer?

By Adam Hamm, Managing Director
Risk & Compliance

 

 

 

The WannaCry malware attack in mid-May focused the attention of corporations around the world on escalating cyber threats. Our Flash Report released immediately after the attack noted that it marked a new and unsettling aggressiveness on the part of cyber criminals: No previous assault matched the breadth of impact of WannaCry, which affected hospitals, corporations and government offices in more than 150 countries around the world.

The cost of getting businesses up and running after the attack was expected to potentially add up to billions of dollars. Additionally, some organizations could face lawsuits over their failure to secure the previously disclosed Windows vulnerability that the criminals exploited.

In fact, news on May 23 that Target Corp. had agreed to pay $18.5 million to settle state and financial institution claims stemming from an enormous data breach should have warranted as much corporate attention as the WannaCry event. Hackers stole data from up to 40 million credit and debit cards belonging to the retailer’s shoppers during the holiday season in 2013, and the company disclosed that the total cost of its cyber security failure had amounted to $202 million so far. A settlement stemming from a consumer class action has yet to be finalized.

The grave consequences of weak cyber security – from business disruptions to the expense of repairs and lawsuit payouts – may lead some to believe organizations are scrambling to make cyber liability insurance part and parcel of their IT security protocols. Yet, according to recent surveys, roughly half of U.S. firms don’t have cyber risk insurance, and more than 25 percent of executives without a policy say they have no plans to add one. Among the companies that have insurance, only 16 percent reported that they have policies that cover all liabilities.

There are reasons many companies are reluctant to purchase cyber liability insurance or beef up existing policies, and the two main ones are cost and complexity. Certainly, insurers can improve clarity on their policies and enhance the ability for customers to compare different proposals. And, it may very well be the prohibitive cost of cyber insurance that is causing some companies hit by ransomware attacks to try and recoup their losses using kidnapping, ransom and extortion policies originally acquired to protect workers in dangerous locations.

Even so, a cyber liability insurance policy is a prudent course of action in most cases. Although it should never be a substitute for strong cybersecurity defenses, it can spell the difference between a severely affected and fairly unscathed bottom line in the aftermath of an attack. Before committing to a policy, however, it is important that management teams and their insurance brokers discuss three pivotal issues:

  • What kind of cyber liability insurance policy does the company need? Does it need a first-person policy to cover the cost of retrieving data critical to the operation, or does the company possess consumer information that requires protection against third-party lawsuits? Does it need both?
  • What amount of coverage does the company want to obtain? This figure will depend on a number of factors, including the size of the company and the type of coverage it needs. To mitigate third-party risk, for example, settlements like Target’s could provide useful benchmarks.
  • What is the premium an organization is willing to pay? A number of variables should be used to determine this figure, including a company’s earnings, the size of the IT budget, and the operations or data at risk.

Once a company has answered these questions, it can begin to shop for cyber liability insurance. As part of the process, the management team needs to fully understand what the policies cover. But perhaps most importantly, organizations need to understand what the policies don’t cover, which will ultimately indicate whether the policy is worth the expenditure.

Given the sophistication and prevalence of successful data breaches, it is now more important than ever for companies to analyze whether a cyber liability insurance policy should be a part of their overall cyber strategy.

10 Tips for Companies to Raise Cyber Awareness Among Employees

October is Cyber Security Awareness Month. Follow our blog for the latest from our experts on how to reduce your cybersecurity risk and related issues.

 

By Scott Laliberte, Managing Director
IT Consulting

 

 

Although much of the media attention surrounding cybersecurity tends to focus on hackers forcing their way into systems, research shows companies are almost twice as likely to suffer from a self-inflicted breach via email phishing, or other inadvertent employee-assisted action.

According to the latest data from ISACA, 74 percent of companies expect to fall victim to a cyberattack in 2016. A majority of those attacks (60%) are coming via email, with 30 percent of companies reporting daily occurrences.

Cyber criminals favor this and similar employee-assisted attack vectors because they provide access to secure networks through the front door, eliminating the need to hack in. Email security concerns and the importance of developing and following strict network security protocols have escalated to the point of becoming a point of contention in the current election cycle.

Here are ten ways companies can raise employee awareness of the threats, and the important role employees can play in protecting valuable and sensitive information.

  1. Beware of email links and downloads — This is true even if the sources appear to be known to the user. Cyber criminals are becoming adept at embedding malware and credential-stealing code in emails that appear to be coming from friends or colleagues. This practice, called phishing, is the most common source of employee-assisted breach, and has become so sophisticated that the fake emails often contain personal details designed to break down natural suspicions. We advise users to hover over links with their cursor to reveal hidden hyperlinks, or typing a specific URL into a web browser rather than relying on an email hyperlink.
  2. Don’t email sensitive information — This should be common sense, but it happens more often than you might think, often in connection with providing vendors with administrative access to accounts using another user’s credentials.
  3. Assume people are listening — Treat unencrypted email like a conversation in a crowded room. Even if the company doesn’t have good policies on it, employees need to use common sense. Sensitive information should only be transmitted via encrypted email or secure file transfer.
  4. Trust but verify — No one should ever ask you to share your password. A good practice when dealing with any sensitive information by telephone is to hang up and call back using a known telephone number. The same practice should be applied to hyperlinks in email or web pop-ups, which can be used either to collect sensitive information, or as a gateway for criminals into a secure network.
  5. One user, one password — Never share passwords; change them frequently and pick secure ones based on phrases, using a combination of upper and lower-case letters, and substituting special characters for alphanumeric values. Example: Pa$sw0rd. Two-factor authentication (combining, say, token authentication or biometric scan with a user password) is highly recommended and is becoming the standard for administrative access.
  6. Practice safe social media — Hackers are increasingly mining social media for personal details — from political party affiliations and hobbies, to travel plans and friends and family — that can be used to personalize harmful emails in order to get targets to click on them. A common tactic is for hackers to pose as a new contact following up on a conversation at a conference. This type of social engineering, also called “spear phishing,” has proven to be highly effective. Employees must be thoughtful about what they are posting and how that information could be used to target the organization. In a similar vein, network engineers should be cautioned against posting sensitive information such as IP addresses or configuration details to vendor support forums, the so-called “watering holes” where criminals have been known to lie in wait for unsuspecting prey.
  7. No unauthorized software — This is a common policy, but given the unpredictability of human behavior, many companies now routinely disable administrative access on company-issued workstations, phones and laptops. Given the trend toward remote access and “bring your own device” (BYOD), organizations need firewalls to segment secure systems from malware residing on user-owned devices. The use of USB sticks of unknown or uncertain origin should be prohibited.
  8. No access via shared public workstations — It is safe to assume that any unsecured public workstation — such as those at libraries or hotel business centers — has been compromised. Do not use these to log into corporate networks or sensitive sites such as your personal email or banking. Connecting to any unknown Wi-Fi networks, as well as inadvertently creating a personal hotspot with mobile device connected to a corporate network, can provide a backdoor avenue into the company.
  9. Don’t mix business and pleasure — Company phones and laptops should only be used by the authorized user, and only for business purposes. Children playing on company-owned computers have been known to inadvertently infect computers with malware present in many free online entertainment applications.
  10. Don’t forward work email to a non-work account — This is a common mistake, but one that should be avoided. The practice of auto-forwarding email from work to a personal email account or cell phone puts sensitive information on a potentially unsecure system and could violate regulations on privacy and data security.

Although these tips apply to all employees, I would note that executives are targeted at least as often as other employees, because of the greater access granted by their high-level security credentials. As with most policies and procedures, proper training, reinforced through repetition, is critical to success.

While we as security practitioners strive to design security controls to be seamless and not dependent on end users, we are still years away from not having to rely on the vigilance of the end user community. Each person needs to do their part to keep the organization safe. Finally, if inadvertently you fall victim to a cyber attack, immediately report it to the proper channels. Bad news does not get better with age, and prompt action can limit the damage from an attack.

More on Cybersecurity – President Obama Issues Executive Order to Sanction Cyberattackers

As a follow-up to our recent posts related to cybersecurity and cyberthreats, President Obama issued an Executive Order this week authorizing sanctions against cyberattackers operating outside the United States. You can read the Executive Order here. Reuters also published an informative overview of the Executive Order.

As noted in Reuters’ article and other sources, the Executive Order has received some positive response, but concerns are raised, as well. How exactly will a cyberattack be attributed with certainty to an individual or group? How will the administration handle cyberattackers who are deemed to be state-sponsored, particularly by nations with which the United States conducts trade? Will such sanctions be effective against faceless perpetrators who operate independently (i.e., without state sponsorship)?

We will continue to monitor these issues and comment periodically here and in other forums.

Jim

From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions

Infographic-2015-IA-Capabilities-Needs-Survey-ProtivitiToday Protiviti released another exceptional piece of research: our 9th annual Internal Audit Capabilities and Needs Survey. This year, we took a close look at the role internal audit can and should play in helping their organizations manage cybersecurity and cyberthreats, giving the organization greater confidence in managing this ever-changing threat.

In future blog posts, we’ll be covering key takeaways from this research and offering guidance for CAEs and internal audit professionals. For now, I encourage you to view our video and infographic here, and visit www.protiviti.com/IAsurvey, where you can download a complimentary copy of our research report.

Jim

 

 

 

 

Cybersecurity in Retail: Hope for the Best but Plan for the Worst

Rocco Grillo - Protiviti NY 2014 (hi res) (2)

by Rocco Grillo
Managing Director – Leader, Protiviti’s Incident Response and Forensics Practice

 

The recent uptick in retail data breaches is significant for all companies in a couple of important ways. First, it is important to point out that some of these highly publicized breaches have occurred at companies that were “PCI compliant.” Second, just when it appeared that the breaches had become as widespread as one could imagine, the continued line of additional companies falling victim has gotten larger, with no end in sight.

Furthermore, law enforcement investigators have indicated that there are many other organizations that have been compromised – the only difference is that they don’t know it yet.

It’s becoming painfully apparent that there is no such thing as penetration-proof data security. It’s no longer even enough to assume that you CAN be breached. We advise companies to conduct exercises that simulate that they have been compromised, and to focus, going forward, on how to address vulnerabilities and minimize the damage through rapid detection and response – both in containing the breach and in communicating with customers, employees, shareholders and the media.

Further to identifying potential areas of compromise, organizations need to transition from being reactive with their incident response plan and create a “proactive response” to potential compromises. This should include enhancing response plans, testing them through simulated tabletop exercises, conducting simulated forensics investigations to determine “the unknown,” and ultimately having partners aligned in advance of a potential attack or compromise.

That’s not to say that vulnerability and penetration testing aren’t important. It’s critical for organizations to understand where they are vulnerable and establish strong security processes and measures to ensure data remains safe.

But as we explain in our Point-of-View paper, High-Value Targets – Retailers Under Fire, security is a lot more than having a strong firewall. It must be applied to all layers in the organization, not just the “outer shell.” The right security best practices can identify and disrupt a cyberattack at the perimeter and also prevent a data breach, even if the attacker gets past the first layer of defense.

It’s frightening to consider how many companies are still relying only on fixed-point-in-time data security methods, such as penetration testing. As we found in our just-released 2014 IT Security and Privacy Survey, many companies don’t even have a written incident response plan. Among those that do, many have plans that are out-of-date or not mature, and too few rehearse and drill it to perfection through table-top exercises or simulated forensics investigations to help address the all-too-common questions coming from the board: Are we prepared to respond to an attack? Are we secure?

This is akin to a football coach who devises a trick play and tells his players all about it, but neglects to have them run the play at practice. Imagine the chaos that would ensue if they decided to run that play in a big game. Needless to say, the fan base would not like what they see!

Practice makes perfect.

Going forward, we need to assume that breaches are inevitable. I’d go so far as to suggest you assume that your organization has already been breached. That assumption puts you in immediate response mode and adds urgency to subsequent efforts to address the issue. Believe it or not, many organizations don’t figure out that they’ve been hacked until weeks, or months, after the intrusion.

Given the ubiquity of data breaches, organizations are going to be judged not by their ability to prevent an attack, but by the speed and efficacy of their response.

You have your board’s attention and directors want to know: Are you ready to respond? Are we secure? Are you sure? How do you know? If any of these questions give you pause, it’s time to up your game. Now more than ever, the bad guys are more sophisticated in attack techniques and with the holidays ahead, we’re entering the busy season for data theft. It may give “Black Friday” a new meaning in the retail industry.

Cybersecurity at the board level: Is your intellectual property and sensitive information leakproof?

In my line of work, I have the pleasure of talking to boards of directors and C-Level executives all over the country. I’m often impressed with their commitment to their enterprises, their keen intelligence, their professionalism and their drive. But I’m frequently stunned to see organizations without a process and control environment for protecting their intellectual property online. Of particular interest, board communications are among the most vulnerable.

Too many organizations treat emails, stored internal document files and social media communications as operational exceptions to otherwise tight cybersecurity framework rules. In fact, Thomson Reuters Accelus pointed out in its annual Board Governance Survey that more than 75 percent of organizations “utilize unsecure, personal email accounts to distribute board documents.” And barely half ensure these communications are encrypted. In this day and age, I call that a “wow!”

Board books, in particular, are almost 70 percent bigger than they were just a couple of years ago, according to some estimates, and more than half of companies produce them digitally. We all realize the importance of saving trees and “going green” but, having said that, we also know that confidential information is included in these books. Interestingly, the number of companies that distribute them electronically has dropped of late.

Things are changing for the better. Thomson Reuters Accelus also reported that 52 percent of organizations use board-only portals to share sensitive board information. Another encouraging trend: More organizations are providing their boards with secure mobile devices for board communications.

I call that good news because protecting sensitive information is getting harder every day. We pointed out in an issue of our Board Perspectives: Risk Oversight newsletter that despite the U.S. Securities and Exchange Commission requirements to disclose cyberattacks, reported attacks are just the tip of a vast iceberg. And cybercriminals are using ever more sophisticated means to gain control of online information. Simply stated, they are playing for keeps. We know that because Protiviti helps companies all over the world assess and manage these growing threats.

For boards of directors, as well as any other level of the organization seeking to secure its data and communications, an approach toward security that focuses on information governance is critical. This fosters cross-organizational collaboration and structured policymaking. That kind of team approach is vital to managing the risk of cyberattacks on board documents; it seems perfectly tailored to the less-than-structured and flexible approach so many companies now take to their board communications.

Protiviti employs a number of content management measures, including document locking on our online intellectual property. Others have been known to go so far as to embed user verification codes that cause documents to electronically “shred” themselves if opened by an unauthorized user. Some swear by this kind of digital rights management. Others have found it cumbersome to the extreme. This is challenging in the board environment, as directors and executive teams like to keep things simple.

What do you do to protect your board communications and intellectual property and sensitive information online? Share your thoughts in the comments below.

Jim