Three-quarters of cybersecurity attackers seek the weakest point of access in a partner network – and the majority of attacks, up to 85%, happen through phishing, a cyberattack disguised as an email, explained Exostar SVP of Innovation and Informatics Vijay Takanti.
While companies typically have systems in place to detect phishing in email systems, Takanti told us employee training also is needed. “The weakest link at the end of the day is the human being,” he said.
In line with this, emphasis is placed on educating the workforce about what to look out for. One example is labeling emails from non-employees to clearly indicate that they come from an external source. “This looks simple, but this tends to have the biggest difference in preventing these types of attacks,” Takanti added.
According to Takanti, the industry, especially large pharma, is increasingly recognizing the potential threat posed by attacks on third-party vendors.
“It’s not so much that an attack could happen through the third party, but that it could happen to the third party,” he said. “It’s identifying the strategic suppliers who are critical for the delivery of the drug to the market … And what can I do from a resiliency perspective, so my delivery doesn’t get affected with the cyber-attack happening on one of my partners.”
Traditionally, the industry’s focus has been on technology vendors, but more and more, Takanti said the focus is shifting to non-technology vendors, given these attacks are affecting commercial operations.
As he explained, cybersecurity is a bigger issue: it is not just about information and communication technology (ICT) suppliers, but all third-party suppliers. “That is a big, big shift.”
To think about numbers, companies like Merck and Johnson & Johnson have up to 2,000 ICT suppliers, but potentially 40,000 total third-party suppliers, according to Takanti. “So, the scale of the problem is different,” he noted.
Where security issues have typically been the domain of IT, the onus now falls on compliance and procurement as well, which Takanti said is a huge step forward.
Together, these teams are working to figure out how to gain visibility into supplier performance and how they can add cybersecurity to existing risk-management practices. With limited resources, Takanti also said, it is important to determine where to focus and what metrics will be used to define importance.
Frameworks, such as those published by the National Institute of Standards and Technology (NIST), are helping guide these efforts. Additionally, companies are forming alliances, such as through the Health Information Sharing and Analysis Center (H-ISAC), establishing working groups to develop best practices.
Still, all of these elements are in a nascent stage in the pharmaceutical industry, Takanti said, adding, “instances like Charles River make it more important for the board of directors to pay attention to these things.”
Charles River hack
Charles River Laboratories late last month notified clients of unauthorized access into portions of its information systems after detecting unusual activity in mid-March, at which time it initiated an investigation in coordination with US federal law enforcement.
According to the company, it also began to “promptly implement a comprehensive containment and remediation plan.”
In a Form 8-K filing with the US Securities and Exchange Commission (SEC) dated April 30, 2019, Charles River explained “some client data was copied by a highly sophisticated, well-resourced intruder,” though the investigation remains ongoing.
The company is not providing any additional comment at this time, though CEO James Foster addressed the incident during its Q1 2019 earnings call yesterday.
Foster explained the incident did not disrupt day-to-day operations and was not a malware or ransomware attack. Those affected – approximately 1% of the company’s total clients – have been briefed.
“The client response has been appropriately measured to date, yet most were understanding,” he said on the call. While too early to determine any potential effect on revenue, Foster said any impact would be minimal.
He added, “the cost to fully remediate this matter are not expected to be material based on our preliminary estimates, and we believe that potential revenue and cost impact can be accommodated within our current guidance range for 2019.”