Cyberattacks targeting the pharma industry have ramped up during the pandemic, and insider threats and nation-state attacks are also on the rise. Meanwhile, the average cost of a pharma breach in 2021 is $5.04 million, according to the IBM-sponsored Ponemon Institute’s Cost of a Data Breach Report. For context, an average data breach incurs damages of $4.24 million.

Pharmaceutical companies are beginning to allocate more resources to cybersecurity, according to Howard Ting, CEO of data detection and response business Cyberhaven (Palo Alto, Calif.).

Pharma companies’ data is increasingly decentralized

The traditional model for protecting sensitive data was to create the networking equivalent to a castle and moat. But in the pharmaceutical industry and elsewhere, sensitive data can no longer be stored under lock and key. Pharmaceutical companies’ data must “move and be shared,” Ting said. For example, a contract manufacturer might need access to sensitive data. Or external researchers might need to share sensitive data with drug companies.

Decentralized clinical and hybrid trials also contribute to the complexity while the considerable amount of M&A activity in the industry provides another avenue for data leaks.

“This data is constantly moving, and you have lots of users accessing this data, but there’s no good way for these organizations to identify the sensitive data and then protect it,” Ting added.

Insider threats aren’t always what you might suspect

The classic insider threat involves an employee who is either disgruntled or planning to leave your firm for a competitor. Before they go, they store sensitive information on a USB stick via a file-sharing application.

Howard Ting

But insider threats can involve attackers with a degree of separation from the employee. The attacker could be a “family member or a former colleague who is able to manipulate this insider to do something that would expose the company to some risk,” Ting said. Such an employee might create an attack vector without malicious intent.

In some cases, nation-states or criminal organizations could be involved in the social engineering of an unwitting employee.

“There’s much more variety in terms of the types of risks and threats we’re facing,” Ting said.

While truly malicious insider threats are worth keeping in mind, they represent a subset of all insider threats. Ting estimates that perhaps less than 1% of insider threats are genuinely malicious. In the remainder of the cases, sloppiness or failing to follow security policies is the real risk.

Some security teams attempt to reduce that risk by adding friction to employees’ workflow, constraining how they approach everyday tasks to ensure employees follow security protocols. But reducing risk doesn’t necessarily need to involve such friction, Ting said. “We shouldn’t think of users as a threat. We should focus on preventing risky behaviors,” he explained.

Ransomware attacks are evolving

For years, the damage from ransomware has steadily increased. Cybersecurity Ventures (Sausalito, Calif.) predicts ransomware will have an economic toll of $265 billion by 2031.

In terms of ransomware targeting pharmaceutical companies, cybercriminals have explored a range of tactics. “We’ve seen cases where [attackers] access clinical trial data or research data about a product that’s in development,” Ting said.

In broad terms, ransomware has evolved. A few years ago, ransomware attacks typically involved the encryption of sensitive data coupled with an offer of a decryption key for a fee. Now, attackers are exploring other avenues of monetizing data involved in ransomware attacks. Ransomware attackers might, for example, exfiltrate sensitive data and threaten to post it online or share it with a competitor unless they receive a payment. Such an attack increases the odds that the hackers will receive a payment even if the company has backup copies of the data.

Protecting pharma data can be tricky with off-the-shelf software

While the cybersecurity landscape has grown more crowded, relatively few vendors cater to the particular needs of pharma and biotech. “It’s because they have so much IP that’s hard to identify,” Ting said. By contrast, a small bank might have relatively straightforward needs to ensure compliance with cybersecurity regulations and protect personal identifiable information (PII). But things tend to be more complicated for pharma companies, which might have trouble identifying intellectual property with off-the-shelf text-based content matching tools.

Protecting data requires understanding context

It is difficult to protect sensitive digital data without understanding the flow of information — also known as “data lineage.” “We advocate for really understanding the data and how it moves,” Ting said. That involves mapping the flow of data to determine its source, where it goes, who touches it, how it is shared and the types of apps and systems that access it.

“One of the biggest problems organizations face is how their data sprawls,” Ting said. A well-meaning engineer or data scientist might, for instance, download a copy of clinical trial data because they’re training a machine learning model. They then could leave that data on their computer or load it into a file-sharing application to share with other scientists.

Such practices contribute to data sprawl with, often, limited visibility.

To counter the problem, Ting advocates an approach he calls “data detection response,” which involves “observing the movement of data and then using analytics to determine where you have risk and exposure.”

In the aftermath of COVID-19, there is a growing appreciation for the cybersecurity threats accompanying decentralized data flows. “I think everyone’s waking up to the fact that they don’t know where their data is, and they don’t know where it goes,” Ting said.