The pharmaceutical industry is certainly not immune to cyber-crime. The ‘Petya’ cyber-attack that spread from the Ukrainian National Bank through to US pharmaceutical giant Merck in summer 2017 (in which the virus froze computer screens and demanded $300 ransom for the unlocking of the machine) highlighted the very real financial risks that pharmaceutical businesses face. You don’t have to look far in the press to see a new story about a big organisation that has been affected by cyber criminals in some way and with the sensitive information that all companies in the life sciences sector hold, it is easy to see why it has been seen as more of a target than other industries. But what can businesses do to minimise their risk of being hit?
The impending General Data Protection Regulation (GDPR) – designed to strengthen and unify data protection for individuals within the EU – will be about demonstrating transparency, but it also includes provisions to ensure that as a business, pharma, biotechs and CROs are all minimising the threat of data breaches which could be harmful to their ability to operate (and costly too if you look at the fines that are suggested). For the pharmaceutical industry that will mean data held on consumers, patient databases, employee data and other HR related files within their own business, medical records and screening forms, medical consent forms, as well as questionnaires that are filled in by patients on clinical trials, for example, will all have to be GDPR compliant. That is a lot of change and the requirement to ‘opt in’ with all of these elements will mean a lot of consent will need to be sought by any company working in the sector. The first step is a thorough audit process of what data you hold and many organisations have task forces assigned to the delivery of compliance on the regulation. If you’re not doing that already you could be falling behind.
Companies operating in the pharmaceutical market are prime targets for attack. The pharmaceutical industry is big business for cyber criminals and in an industry where intellectual property in the drug development cycle runs into many, many billions of dollars/pounds/euros, large, medium and small companies need to make sure that they have the highest level of protection when it comes to crime online. For many companies the pain of a breach of information that leads to their IP or R&D being compromised can have cataclysmic effects. Billions are spent on getting a competitive advantage and so to lose out on that due to a lack of proper cyber protection would be a bitter pill to swallow for any boardroom. The type that damage revenues that are eyewatering, like Reckitt Benckiser’s announcement in July that £100 million of revenue would be affected as a result of a cyber-attack, so we aren’t talking about insignificant figures here.
So what can be done to mitigate the risk of cyber-attack? Our company has recently undergone a certification for a UK government-backed scheme called ‘Cyber Essentials’. The scheme – a government-endorsed standard that ensures that a business is delivering on core protocols to prevent the most common cyber-attacks, involved a comprehensive review of our internal IT processes and assessment of the steps taken to reduce the risk of malware or virus attack. Some of the specific elements of the process included ensuring that all systems are regularly updated with the latest security patches, that all external connections are protected using firewalls, that all files and computers are only accessed by authorised users, devices are protected by strong antivirus malware and firewall protection, as well as a robust and extensive training process for staff to ensure they understand the requirements of protecting themselves and the business.
Having a certification like Cyber Essentials will not be a cast iron guarantee that you won’t suffer at the hands of cyber criminals, but it will help any business in the pharma sector in effectively reviewing its processes and making sure that it is operating in a compliant manner and educating employees on the risks that exist.
So what steps is your business taking to be a) ready for GDPR, and b) be repeated in a world of ever-increasing cybercrime? Are you reviewing internal processes, data that you have that perhaps you might not need, or protection that you have all of the right levels to keep your IP safe?
Chris Howard is head of marketing at SEC Recruitment, a European Life Sciences recruitment agency based in London, and has been working in the recruitment industry for over ten years. He is passionate about marketing and is part of a GDPR taskforce within SEC charged with ensuring compliance with the regulations launched in 2018.