The cybersecurity threat landscape for pharmaceuticals

Industry focus:
Information and cybersecurity issues and solutions are not created equal across sectors. Here we set out an overview of what the CISO in the pharmaceutical sector is most likely to be confronted with.

Pharmaceutical firms are big targets for cybercriminals, who are tempted by the large amounts of sensitive personal data they collect, from personal health information and drug patents to data related to pharmaceutical technologies.

And it’s not just cybercrime that poses a risk. Data breaches, which can occur as a result of mistakes or human error, can be devastating.

As pharmaceutical companies worldwide continue to embrace digital transformation, cyber threat actors continue to adapt and evolve, making cybersecurity and risk mitigation top priorities across the industry.

Catastrophic consequences

A cybersecurity incident could result in:

• Stolen intellectual property
• Compromised clinical trial data
• Reputational damage
• Lost revenue

In fact, recent research¹ on the impact of a breach on pharmaceutical organisations, which was based on real-life experiences, demonstrates that an incident could lead to:

• A 20% drop in company valuation
• A 5% share price drop
• Financial losses of up to $363 million due to lost intellectual property
• Regulatory fines of up to 4% of global turnover
• Losses of around $4 million per breach due to operational disruption

What puts pharmaceuticals at risk of an attack?

The ever-changing nature of the pharmaceutical industry has led to the identification of new risks, which must be understood and mitigated. These include:

Digital transformation

Digital transformation has resulted in more data than ever being collected and managed online, making the industry a more prominent target for cyber attacks.

Third-party suppliers

The use of third-party vendors, automation tools and outsourcing to improve operational efficiency puts firms at a higher risk of a cyber attack or data breach.

The internet of things

In recent years, the use of internet-connected technologies has increased significantly across the pharmaceutical sector. These devices make up what is known as the internet of things (IoT) — a network of connected devices and machines that can collect and exchange data via an internet connection.

But the use of IoT increases the attack surface. It opens up many more potential access points to internal networks for attackers.

Types of attack

The cyber attacks noted in Microsoft’s report are being perpetrated by three APT groups. These groups are Strontium, a Russia-based group also known as ‘Fancy Bear’ and ‘APT28’, and two North Korean groups dubbed Zinc, which is also known as ‘Lazarus’, and Cerium.

The attacks are not localised, indicating that this is a global issue for pharmaceutical companies.

The APT groups use a combination of spear phishing emails, brute force password attacks and password spraying attacks in an attempt to steal login credentials.

Spear phishing

Phishing is a fraudulent attempt to gain sensitive information, such as login credentials, personal details, or financial information, by impersonating somebody else.

Spear phishing is an evolution of this technique that uses targeted attacks that are tailored to a specific individual or team. Attackers will use the names of well-known organisations to trick victims into opening infected attachments or clicking on links to fake websites.

Brute force and password spraying

A brute force attack involves a cybercriminal systematically working through all possible combinations of letters, numbers and special characters until they find a user’s password.

This is generally carried out using computer software which can run through thousands of guesses in a matter of seconds.

Password spraying is a type of brute force attack where the attacker uses a list of commonly used passwords (think ‘Password123’) on a large number of accounts, in the hope that one of the accounts using a common password and can therefore be accessed.

Ransomware

The risks identified by Microsoft are significant, but they are not the only risks pharmaceutical companies need to be aware of.

Ransomware is a type of malware that denies the victim access to their data if a ransom is not paid. It does this by encrypting the data, then demanding payment (typically in cryptocurrency like Bitcoin) for the decryption key.

More recently, cybercriminals have modified their ransomware so they can steal the victim’s data before they encrypt it. They then threaten to release the data publicly if the victim refuses to pay.

According to the Identity Theft Resource Center, ransomware attacks will be an increasingly popular vector for cybercriminals in 2021³.

This is just an introduction to the myriad threats the industry faces in 2021.

If you would like more information about how The Security Company can support you to minimise the risks your organisation is facing, please contact Jenny Mandley.

¹ Deloitte, Deal breaker: Cyber risk in life science M&A, 2018
² Microsoft, ‘Cyberattacks targeting health care must stop’, November 2020
³ Identity Theft Resource Center, ‘2021 predictions: government support for identity crime victims is out and stealing passwords is in’, January 2021