Why Life Sciences Companies Require a Comprehensive Approach to Defend Against Cyberattacks

1. Evaluate Current Cyber Hygiene Practices

• Ensure you know what data and systems are most critical to maintaining your organization’s business and operations. You should have a thorough and complete inventory of your most critical assets and know where your organization’s most valuable data resides within the environment.
• Assess your current cyber practices against the appropriate standards for your organization—including National Institute of Standards and Technology, Center for Internet Security (CIS), International Organization for Standardization (ISO), andv others—for vulnerability management, patch management, identity and access management, and configuration management.
• Understand your external interconnections and who you have allowed to access your systems (both IT and Operational technology) and whose technology you’re using. This will help you better understand the risk to your organization and how these risks are being addressed. The existence of a security weakness in a business partner or vendor environment makes you vulnerable too.
• Know the data that you share with third-party business partners and vendors. Know how it is shared, how it is protected, and how its protection can be validated.

2. Cyber Resilience—Develop a strategy to build an environment to ensure your most valued data, operations, and business mission are the focus of the program. Consider network segmentation and restricting both internet exposure and thirdparty access. Create a baseline of your environment and consider tools that will help you monitor for anomalies.

3. IT Strategy—Develop and assess courses of action and strategies that define the future, enable transformation and modernization, increase performance, and improve services for your customers.

4. Supply Chain Risk Management (SCRM)—Engage your organization to develop an SCRM program to illuminate and identify risks to products, tools, and vendors.

5. Enterprise Risk Management (ERM)—Apply a risk-based approach to managing the security of your environment. Risks associated with data breaches should be evaluated against enterprise objectives and should consider enterprise strategies and risks. Include your Chief Risk Officer and engage support to help you prioritize your resources toward your most critical business risks.

6. Cybersecurity — Develop a comprehensive cybersecurity program to address gaps identified during the evaluation of your current practices. Ensure best practices are implemented and a sufficient governance structure is put in place. This should include an ongoing security awareness and training program focused on creating a cyber-conscious culture. The cybersecurity program should also address vulnerability management, patch management, identity and access management, least privilege, configuration management, data encryption, and email filtering.

7. Regulatory Compliance Review—Work with your legal department to ensure your reporting obligations are identified and up to date. Also consider international regulations If your organization conducts business internationally.

8. Incident Response Training—Invest in security incident response training and planning to ensure you can rapidly respond to and recover from a cyber incident, to include such things as a supply chain exploitation.

The Chief Information Officer and Chief Information Security Officer can no longer have sole responsibility for data protection. A robust governance model must be implemented and include participation from a broad range of stakeholders, including the Chief Financial Officer, Chief Risk Officer, Office of General Counsel, Human Resources, Corporate Communications, and Mergers and Acquisitions. A comprehensive risk managementbased cybersecurity program combined with a robust governance model are required to adequately protect your organization against cyberattacks and the risk of value and reputational erosion that comes with this threat.

__________________________________________________________________________________________________

^1. Fox Business, “Microsoft says Chinese hackers targeted groups via server software,” March 2, 2021, https://www.foxbusiness.com/technology/microsoft-says-chinese-hackers-targeted-groups-via-server-software.
^2. BBC News, “North Korea accused of hacking Pfizer for Covid-19 vaccine data,” February 16, 2021, https://www.bbc.com/news/technology-56084575.
^3. Tara Seals, “Nation-State Attackers Actively Target COVID-19 Vaccine-Makers,” Threat Post, November 13, 2020, https://threatpost.com/russia-north-korea-attacking-covid-19-vaccine-makers/161205/.
^4. AP and Los Angeles Times, “Britain, U.S., Canada accuse Russia of hacking coronavirus vaccine trials,” July 16, 2020, https://www.latimes.com/world-nation/story/2020-07-16/uk-us-canada-accuse-russia-of-hacking-virus-vaccinetrials.
^5. Angus Liu, “AstraZeneca staffers targeted in suspected hacking scheme amid work on COVID-19 vaccine: report,” Fierce Pharma, November 30, 2020, https://www.fiercepharma.com/pharma/astrazeneca-staffers-targetedsuspected-hacking-amid-work-covid-vaccine-report.
^6. Laura Hautala, “SolarWinds not the only company used to hack targets, tech execs say at hearing,” CNET, February 24, 2021, https://www.cnet.com/news/solarwinds-not-the-onlycompany-used-to-hack-targets-tech-execs-say-at-hearing/.