“Four held for data theft from a pharma firm in Hyderabad” I am sure this news was read by many of the IT professionals in the pharma sector, or you might have forwarded to your colleagues on whatsapp. Such alarming news is not new to the Pharma industry. Also, a point to be noted is that this incident occurred in mid of Jan 2020 even before work from home was the new normal in India.
A recent study revealed that about 54% of Pharma companies experienced one or more successful attacks that compromised data and/or their larger IT infrastructure at some point in the year.
Right from malware, ransomware attacks to phishing to data theft – these have been the biggest challenges of Pharma since their inception. And, these are bound to increase while working from home during this pandemic.
I wanted to do some research on these topics, throw some light on their impact on the Pharma industry and how we can deal with these challenges.
IT plays a very crucial role in these work from home scenarios. IT can empower the growth of an organization if properly built for agility and aligned with its long term goals. But the proactive approach of choosing the right work from home solution can save pharma companies from disasters.
What are the possible consequences of cyber attacks on Pharma
It is very important to understand the consequences or the impact of disasters of cyber attacks on Pharma industries. It will not only cause total disruption of the entire business but also includes losses stemming from things like :
1. Stolen intellectual property
2. Being forced to repeat costly and time-consuming clinical trials
3. Litigation stemming from the breach itself
4. Lost revenue
5. Damages to products that are already in development or production
6. Significant production shortages in the supply chain
But Why is the Pharma sector almost at the top of the hit list of cyber attacks?
Before I explain what are the security threats in the Pharma industry, let us try to understand “why Pharma?” out of all the industries in India and all over the world.
There are several reasons for this, let me highlight the top 3 reasons:
1. Highly exposed due to an expanded threat surface and lack of built-in device security
2. Already on the radar of hackers and threat actors thanks to highly valuable IP data
3. Lagging behind other industries in applying cyber security best practices (traditionally taking an incident-response approach versus a proactive, enterprise-wide security approach)
Also, one of the issues with big or small Pharma companies from an IT perspective is that often these organizations are dealing with infrastructures that are a collection of legacy systems, multiple systems that are difficult to properly integrate (and secure), purpose-built cloud systems, and more. This may lead to an IT infrastructure that is all over the place and with no clear visibility and security, it is highly prone to such threats or attacks.
What are the threats that have shaken the whole pharma industry?
Pharma Companies In India need to realize that while the employees are allowed to work from home, including the mission critical work, they become intermediaries under the Information Technology Act 2000. It is of utmost importance that they comply with the parameters of due diligence and other compliances under the Indian cyber law, rules and regulations .
We need to note that India doesn’t have a data protection law or any law on cyber security. There is no special law on privacy. According to the experts this complicates the scenarios for businesses as they continue to be liable for breach in client data even when employees work out of the home.
Employers all around India have taken extra efforts to remind the employees who are working from home about data security, tips on how to access the internet and educate them on best practices to ensure that data continues to remain secure.
Cyber attack can wreak havoc, resulting in the compromise of proprietary digital assets & private information. These types of attacks can also potentially damage the critical systems that the organization heavily relies on. During this pandemic, Companies have sought permission from their clients for enabling work from home and built internal crack teams to manage security and privacy issues. But is this good enough?
2. Data Theft:
According to a study conducted by Deloitte,” the pharmaceutical sector is regularly the number one target of cyber criminals around the world—particularly when it comes to stealing data” . The reason for this is that the technology generally used by the Pharma companies for producing the drugs is unique and is its intellectual property.
There are 2 forms of data theft. One is the ID-related theft (the theft of customer records) or the theft of a company’s proprietary information or intellectual property. As per the survey conducted by PWC, around 53 per cent of respondents from the Pharma industry said they had faced identity theft (either by way of password sharing, social engineering or malwares) and yet did not have a policy to mitigate these incidences.
As informed earlier, Unlike the European Union which recently enforced the ‘General Data Protection Regulation’ superseding the Data Protection Directive, in India there is no separate comprehensive legislation on data protection. However, there are ‘Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011’ (hereinafter referred to as the IT Rules, 2011) which protects ‘Sensitive personal data’.
As someone has rightly said prevention is better than cure. Setting up work from home policies or telecommuting agreements isn’t enough. The company should first ensure they have secure networks and solutions so that basic security is taken care of even in a WFH environment.
3. Malware attacks
Pharmaceutical industry working from home is a hacker haven. Criminals are banking on the panic that has been caused by COVID-19 and are using multiple ways to access the systems of Pharma employees.
Hackers are launching cyber attacks against the pharmaceutical sector more than other industries, with malware attacks doubling every year. 77% of these attacks utilize file-less techniques—that means instead of tricking someone into downloading and installing a virus, the attacks are executed using vulnerabilities that were already there. Because of all this, Cyber security is a pressing issue to pharmaceutical businesses in particular.
To get away with these attacks most of the pharmaceutical companies are mistakenly investing a lot of money on VPN ( Virtual Private Network)
But, people working from home in the Pharma sector who work on crucial data get considerably less benefit from VPNs. And given the amount of people using this service, VPNs may pose more of a risk than not using one at all. Another main shortcoming: VPNs usually provide no added protection against phishing scams or malware attacks.
The heterogeneous nature of IT environments currently in vogue is not helpful in preventing enterprises from cyber attacks. Fortunately, there are ways to proactively detect and defend against malicious attacks.
First, you need to find the blind spots in your corporate network. It is unlikely that every part of the corporate network is monitored. Employees working from home/ remotely are among the many unmonitored backdoors through which malicious actors get in. Hackers very well know that the main corporate firewall isn’t an easy obstacle, but the employees working from home carelessly browsing the web are far easier targets.
Secondly, are there any policies in place to prevent users from accessing sensitive information? While networks continue to grow, sensitive information should ideally be on that part of the network that is not easily accessible to the whole company.
Thirdly, do you have a secure work from home solution ? This helps in overcoming the challenges of the first 2 points. There needs to be a strong, secure work home solution in place which helps you in being proactive by providing different layers of security not just in the network but also in employees’ workstations. A work from home solution which can be customised as per the companies work from home policies.
Here’s a sneak peek into security architecture of one of the work from home solution – VPNless VDI which is used by the top Bio Pharma companies in India
In the end, the most important thing for pharmaceutical companies, regardless of their size, is to understand that getting hit with this type of cyber attacks while working from home is no longer a question of “if,” but “when?”. If you know what someone is after, the good news is that you’re now in a much better place to mount the specific defense needed to protect it. And the defense is nothing but your well planned work from home solution.