Want to see blood pressure spike? Ask a drug developer’s CISO about data security
They have plenty of reasons to be nervous. About 5 million of them, on average.
According to IBM Security’s latest Cost of a Data Breach report, that’s how much pharmaceutical and biotech companies typically lose each time they suffer a cybersecurity failure. That makes drug developers the third biggest money-losers of all industries in the report, right behind healthcare and financial services.
Believe it or not, that’s down from 2022. And that’s only the immediate financial cost: data breaches can also cause a cascade of operational, legal, and reputational repercussions that can vastly compound the true cost of a single incident. Just ask Sun Pharma, Novartis, Eisai, and Merck, to name a few.
So if you’re a data security stakeholder at a pharma or biotech organization, and you’ve noticed how much more melatonin you need to take every night, there’s a good chance cybersecurity threats are why. They’re also why our team is obsessed with safeguarding our customers’ data: We know how critical it is to their core operations, business valuation, investor profile, and much, much more. We treat their chemistry, manufacturing, and controls (CMC) information like the precious resource it is.
So what can drug developers do to keep their data as safe as it is in QbDVision? Like any vigilant cybersecurity team, ours has identified a number of key steps IT teams can take to keep their infrastructure and information as secure as possible. Here are a few of the essentials.
Cyber risk assessments: Do them often, then do them again very soon
Even with the most cutting-edge cyber threats, one of the oldest rules still applies: an ounce of prevention is worth, well, in this case, millions of dollars of cure. Good cybersecurity starts with knowing and mitigating your vulnerabilities – but also with knowing that risk assessment is no one-and-done chore.
One of the many bedeviling facts about cybersecurity threats is that they change constantly. Phishing scams, DoS attacks, malware, ransomware, CATO – cybercriminals never stop refining the art of illegally accessing and extracting data. Data security teams need to be every bit as proactive when it comes to identifying, prioritizing, and addressing vulnerabilities that may expose the company to criminal activity.
Here are several important steps that need to be a part of every protocol for regular risk assessment:
Identify high-value assets
The first step in thwarting cybercriminals: knowing what they’re most likely on the hunt for.
For drug developers, that’s typically product and process IP, but can also include CMC assets like ingredients lists, manufacturing materials, suppliers, sources and their locations, and run timelines – all juicy targets for anyone who wants to steal a competitive edge or take critical information hostage. You want to know exactly where this information is stored, how and where it’s handled, and who has access to it under what conditions.
Define assessment scope and methodology
To ensure rigorous security reviews – and also that no vulnerabilities slip through the digital cracks – assessment protocols need to be crystal clear and consistently implemented.
That means:
- Establishing exact assessment intervals
- Specifying exactly which teams and stakeholders are involved
- Clearly defining the role of internal teams vs external assessors
- Selecting appropriate tools and frameworks to be used
- Defining exact access privileges associated with every level of the organization.
At QbDVision, these steps are a core part of our security review, which is performed annually at minimum.
Select standardized risk analysis frameworks
Multiple international standards have been established to help organizations evaluate and verify their cybersecurity readiness. Ensure your team has selected an appropriate framework for your organizational structure, data infrastructure, and level of security investment.
Most software enterprises start with either ISO 27001 or SOC 2 (we comply with both). Either of those standards will help you stand up an Information Security Management System (ISMS) to define the guardrails of your cybersecurity program.
Develop proactive risk mitigation plans
Stopping threats before they materialize will always be the best mitigation. Put strategies in place for how your team should act first and prepare in advance.
Those strategies can factor in many different components, including:
- Regular internal security evaluation, including penetration testing and well-defined monitoring protocols
- Prompt patching of software
- Implementation of new technical and access controls
- A detailed incident response plan
- Robust employee training
Make sure your security team is 100% clear on how steps like these should be managed and implemented – both before and after threats are identified.
Monitor and track ongoing risks
Cyberthreats never take so much as a quick nap, much less sleep. Guarding against them is a continual process, one that needs to evolve and adapt even faster than attackers and their toolkits can.
To keep your security program a step ahead, stay tuned to industry publications, attend cybersecurity conferences, and jump into any of the many active online communities dedicated to safeguarding data and IP. Treat every internal risk assessment as a learning opportunity, too: don’t wait to adapt your policies, procedures, and infrastructure in the face of ever-emerging new threats.
Access control: Managing who can access what, how, and why
Another timeless rule that still holds true in cyber realms: you can’t steal what you can’t get to. Carefully matching roles and access is a vital step for any effective security program.
At QbDVision, we strongly recommend a role-based access control (RBAC) strategy that follows the principle of least privilege. Simply put, that means giving users access to no more information than they need to perform their role or complete a specific task.
To put an effective RBAC strategy in place:
Carefully assess employees’ access needs
Define exactly which data and systems are required for each role in the organization, and limit access privileges to those essential sources.
Restrict highly sensitive data
Grant access only to stakeholders who have a clearly defined and specifically limited need to access them.
Regularly review and update RBAC policies
Roles change and company structures shift. Make sure access privileges evolve and realign whenever your business does.
Implement strong security checks
For critical systems, a strong password policy and multi-factor authentication (MFA) should come standard. Physical, hardware authentication keys are an increasingly common and popular security measure too.
Have a plan for both onboarding and offboarding
Know exactly what access new employees need to fulfill their role, and also when and how to retract that access after they move on. Ensure you have a process for disabling or removing inactive accounts (a favorite target of many phishing attacks).
At QbDVision, access audits are a critical part of our security review, performed at least annually. A minimum of once a year, we conduct a comprehensive scrub of our admin list to verify that it is current and that the right people have access to exactly the information they need, and no more.
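The access-review steps above (least-privilege role baselines, restricting sensitive data to people with a documented need, MFA on critical systems, and catching inactive accounts left behind after offboarding) can be turned into a repeatable check. The script below is an added illustration written for this article, not QbDVision’s own tooling. It assumes a hypothetical access export in which each account carries a role, the permissions actually granted, a last-login date, an MFA flag, and any recorded justifications; the role baselines, permission names, and accounts are all constructed sample data.

```python
from datetime import date, timedelta

# Least-privilege baseline: the permissions each role is entitled to.
# Constructed for this example; real baselines come from your own RBAC policy.
ROLE_PERMISSIONS = {
    "cmc_scientist": {"read:process_data", "write:process_data"},
    "qa_reviewer": {"read:process_data", "approve:batch_record"},
    "it_admin": {"admin:user_management"},
}

# Highly sensitive permissions that require a documented, limited need.
SENSITIVE_PERMISSIONS = {"read:supplier_list", "approve:batch_record"}

# Permission prefixes that mark a critical system where MFA should be mandatory.
CRITICAL_PREFIXES = ("admin:", "approve:")

# Constructed sample of an access export (hypothetical format): one dict per account.
ACCOUNTS = [
    {"user": "alice", "role": "cmc_scientist",
     "granted": {"read:process_data", "write:process_data"},
     "last_login": date(2024, 5, 20), "mfa": True, "justifications": {}},
    {"user": "bob", "role": "qa_reviewer",
     "granted": {"read:process_data", "approve:batch_record", "read:supplier_list"},
     "last_login": date(2024, 5, 18), "mfa": True,
     "justifications": {"approve:batch_record": "QA-SOP-12"}},
    {"user": "carol", "role": "cmc_scientist",
     "granted": {"read:process_data", "write:process_data", "admin:user_management"},
     "last_login": date(2023, 11, 2), "mfa": False, "justifications": {}},
    {"user": "svc_legacy", "role": "it_admin",
     "granted": {"admin:user_management"},
     "last_login": date(2023, 1, 15), "mfa": False, "justifications": {}},
]


def find_inactive_accounts(accounts, today, max_idle_days=90):
    """Accounts that have not logged in within max_idle_days (offboarding leftovers)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts if a["last_login"] < cutoff)


def find_privilege_drift(accounts, role_permissions):
    """Map user -> permissions granted beyond what their role's baseline allows."""
    drift = {}
    for a in accounts:
        extra = a["granted"] - role_permissions.get(a["role"], set())
        if extra:
            drift[a["user"]] = sorted(extra)
    return drift


def find_unjustified_sensitive_access(accounts, sensitive):
    """Map user -> sensitive permissions held without a recorded justification."""
    result = {}
    for a in accounts:
        missing = sorted(p for p in a["granted"] & sensitive
                         if p not in a["justifications"])
        if missing:
            result[a["user"]] = missing
    return result


def find_missing_mfa(accounts, critical_prefixes=CRITICAL_PREFIXES):
    """Accounts that touch a critical system but have MFA disabled."""
    return sorted(a["user"] for a in accounts
                  if not a["mfa"]
                  and any(p.startswith(critical_prefixes) for p in a["granted"]))


def run_access_review(accounts, today, max_idle_days=90):
    """Bundle all findings into one report dict for the periodic access audit."""
    return {
        "inactive": find_inactive_accounts(accounts, today, max_idle_days),
        "privilege_drift": find_privilege_drift(accounts, ROLE_PERMISSIONS),
        "unjustified_sensitive": find_unjustified_sensitive_access(accounts, SENSITIVE_PERMISSIONS),
        "missing_mfa": find_missing_mfa(accounts),
    }


if __name__ == "__main__":
    report = run_access_review(ACCOUNTS, date(2024, 6, 1))
    for finding, detail in report.items():
        print(f"{finding}: {detail}")
```

Run against the sample data on 2024-06-01, the review flags two stale accounts (carol and svc_legacy), two users holding permissions outside their role baseline (bob’s supplier list access and carol’s leftover admin right), one sensitive permission with no recorded justification, and two accounts on critical systems without MFA. Each finding maps directly to one of the RBAC steps above, which is the point: the audit becomes a list of concrete remediation items rather than a judgment call.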
Compliance requirements: Know how they’re changing and what it means for your security program
In our world of ever-evolving cyber threats, regulators are also acutely aware that security standards, best practices, and expectations need to evolve as quickly as the dangers they’re intended to mitigate. Staying up-to-date on these requirements is a critical and continuous task for security leaders.
Focus on these essential steps to help ensure your team stays current and compliant:
Know who’s responsible
Make sure designated staff members know it’s their responsibility to track updates and changes to relevant standards, guidance, and regulations. Your go-to compliance person should be clear that their role includes following regulatory bodies, tracking new release, revision, and retirement announcements, and keeping the rest of the team abreast of what that means for your security program.
Review and analyze all updates
Any time regulators update their standards or frameworks, review them in detail to identify new requirements and modifications and determine what steps you may need to take to integrate those changes into your security program. At QbDVision, we use a simple rubric of “new, updated, retired” to categorize, prioritize, and action regulatory updates.
Revise and update compliance programs
When regulatory changes require updates to your program, don’t wait to make the changes needed to stay compliant. Prioritize updates to critical resources like your technical and access management controls, as well as your risk assessments.
Document all reviews and changes
In our highly regulated industry, your organization is likely required to document all compliance-related changes for relevant authorities.
At QbDVision, we create and manage these records within our own highly secure, validated platform. It’s a safe, centralized, and collaborative space to maintain records showing the compliance updates we’ve reviewed and the modifications made to ensure compliance. Other solutions like a document management system can work as well.
Educate staff on changes
Once your security team has fully reviewed and integrated new compliance requirements, it’s also critically important to ensure all relevant stakeholders in the organization are aware of how new changes may impact their workflows. Changes to access privileges and processes are particularly common, and especially important to communicate.
Monitor compliance and effectiveness
As soon as one new set of regulatory updates is in place, it’s often time to start planning for the next one – cybersecurity standards can move that fast. Make sure your team is always closely monitoring relevant standards and requirements, and proactively preparing to make further updates when new gaps, threats, and requirements arise.
Independent auditors and consultants can often be a useful addition to this effort. They can provide valuable outside perspective and feedback to help refine your strategies and strengthen your data safeguards.
Want to see these best practices at work? Head over to our Trust Center.
When it comes to cybersecurity, we practice every word we preach. To learn how, check out our Trust Center, where we explain how we’ve built robust cybersecurity into our platform – and how we rigorously evaluate and maintain our compliance with multiple gold-standard security frameworks.
GET IN TOUCH
Learn more about cybersecurity best practices for your transformation strategy.
Reach out to our team of experts any time to start a conversation about how you can protect your mission-critical product and process data.