The Top 10 Things Life Science Companies Can Do to Protect Themselves from Ransomware
November 21, 2022
Mariano A. Mattei
Ransomware continues to gain popularity among the cybercriminal organizations that play an increasingly significant role in malware-associated breaches (61.2%, up from previous years) (Verizon, 2021). Contributing factors include the rapid increase in remote work during the COVID-19 pandemic and the broader migration of company operations and data to the cloud.
While these factors certainly contribute to the current rise in cybercriminal activity, the primary driver, as in any other business, is profitability. Cybercrime will be a $10.5 trillion industry by 2025 (Morgan, 2020).
To put it simply, ransomware works. Life science companies account for a third of all attack targets, and cybercriminals targeting this industry have a success rate above 67%, largely because of the cyber immaturity of many of these businesses (Verizon, 2021).
Life Science companies are a target because they are profitable to cybercriminals. Long gone are the days of the single hacker sitting in a basement with a laptop. Instead, today’s cybercrime leaders are mature organizations with sales quotas to meet, client lists (aka targets), business meetings, office space, and a team that runs 24/7.
So, what can you do today to become more cyber-resilient? How do you protect your revenue streams and your reputation? What changes can you make to reduce your industry’s vulnerability to cybercrime organizations?
Here are some effective countermeasures you can implement quickly:
- Asset Inventory
You should have an accurate, up-to-date inventory of all your physical assets as well as your software assets. If you don't know what you have, you can't protect it. You also need to know about assets you do not own but that exist on your network.
- Implement a VPN
Ideally, a VPN should be mandatory for any mobile device connection where the data is not already encrypted end-to-end. That way, whichever network your employees connect through, their traffic cannot be intercepted or monitored in transit. Keep in mind that the VPN gateway itself is internet-facing: patch it promptly and require multifactor authentication on it, because unpatched VPN appliances and password-only VPN logins are among the most common ransomware entry points.
- Mandate 16+ Character Complex Passwords
With today's high-powered computers, offline password cracking keeps getting cheaper, and length is the attacker's main obstacle. Treat 16+ characters with upper, lower, numeral, and special characters as the minimum. Composition rules alone still accept predictable patterns, so also screen new passwords against lists of known-breached passwords, as NIST SP 800-63B recommends.
- Multifactor Authentication
While a password is something you know, multifactor authentication adds something you have. Approval through a phone, an authenticator app, a text message, or an email, in addition to the password, limits the damage a compromised password can do. Prefer an authenticator app or hardware key over text and email, which are easier to intercept, and require MFA on every remote-access path (VPN, email, remote desktop), since those are where attackers try stolen passwords first.
- Daily Vulnerability Scans with Prompt Remediation
Unpatched vulnerabilities are a common attack vector, and if you are not scanning your environment, someone else most definitely is. Increase scans to daily if possible and remediate at least weekly. Vendor software updates for operating systems and applications belong in that same weekly schedule.
- Up to Date, Tested, Encrypted, and Off-Site Backups
Backups are effective, but if you are not testing restores and storing copies encrypted and off-site, they are not worth the medium they are stored on. Keep at least one copy that an intruder on your network cannot alter or delete (offline or immutable storage), since ransomware operators look for backups before they encrypt. Aim to lose no more than 24 hours of data, which means backing up at least daily.
- Continuous Risk Assessments
This is a sticking point for some, as risk assessments are typically done yearly, if at all. Risk management should be part of your daily activities; these assessments help shape strategic, tactical, and business decisions.
- Continuous Penetration Testing
Another typically annual activity is penetration testing. The cybersecurity industry is shifting to continuous penetration testing because few methods are as good at uncovering weaknesses before an attacker does. Bug bounty programs, crowdsourced testing platforms, and groups of vetted ethical hackers are your best friends.
- Continuous Cybersecurity Awareness and Training
Again, yearly isn't enough. Cybersecurity awareness and training should be delivered routinely in small, consumable, short sessions. Monthly training is currently the preferred cadence, with larger sessions during Cybersecurity Awareness Month in October. Include phishing simulations, since phishing remains a common way for ransomware to get its first foothold.
- Business Continuity, Disaster Recovery, and Incident Response
These policies and procedures depend on each other. Vet and test them at least annually with mock disaster scenarios, including a ransomware scenario in which you restore from backups without paying. Much like a fire drill, you'll be glad you did when an actual incident takes place.
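To make the password item above concrete, here is an added example (not code from the original post or from Azzur Group) of a policy check in Python. It enforces the 16-character, four-class rule as stated, and then goes one step further than the post: it screens the candidate against a breached-password corpus using the same prefix lookup scheme as the Have I Been Pwned "range" API. The corpus here is constructed inline from two sample strings so the example runs offline; the sample passwords and the key names are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import re

# The post's rule: at least 16 characters with upper, lower, digit and special classes.
MIN_LENGTH = 16
CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus, laid out the way the
# Have I Been Pwned "range" API serves it: the first five hex characters of the
# SHA-1 hash select a bucket of 35-character suffixes. Built inline from two
# sample strings so the example runs offline; a real check queries the API
# (or a local copy of the corpus) with only the five-character prefix.
SAMPLE_BREACHED = ["Password12345678!", "Welcome2Company2022!"]
BREACH_RANGES: dict[str, set[str]] = {}
for _pw in SAMPLE_BREACHED:
    _h = sha1_hex(_pw)
    BREACH_RANGES.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password: str, ranges: dict[str, set[str]] = BREACH_RANGES) -> bool:
    """k-anonymity lookup: only the prefix selects a bucket, the suffix is compared locally."""
    h = sha1_hex(password)
    return h[5:] in ranges.get(h[:5], set())


def check_password(password: str, ranges: dict[str, set[str]] = BREACH_RANGES) -> list[str]:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {name} character")
    # Composition rules accept "Password12345678!", so also screen against known breaches.
    if is_breached(password, ranges):
        problems.append("appears in breach corpus")
    return problems
```

The point of the breach check is that "Password12345678!" satisfies every composition rule and is still a terrible password; only the corpus lookup rejects it. Hashing with SHA-1 here is the lookup key format the breach corpus uses, not how the password should be stored.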
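For the backup item, "tested" is the part most teams skip. Below is an added example (my own code for this page, not the post's or Azzur Group's) of a Python check that a practitioner could run against each backup: it fails the backup if it is older than the 24-hour target, if its integrity tag does not match, or if a trial restore into scratch space produces nothing. The tag is an HMAC-SHA256 over the archive with a key kept off the backup host, which is an assumed design; encryption of the archive itself is left to the backup tool, and the check works just as well over the ciphertext. The directory contents, key and file names are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import tarfile
import tempfile
import time
from pathlib import Path

RPO_SECONDS = 24 * 3600  # the post's target: no more than 24 hours of lost data


def make_backup(src_dir: Path, archive: Path, key: bytes) -> str:
    """Archive src_dir and return an HMAC-SHA256 tag over the archive bytes.

    The tag and the key are meant to be stored separately from the archive, so an
    intruder who can rewrite or encrypt the backup cannot also forge its tag.
    """
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname="data")
    return hmac.new(key, archive.read_bytes(), hashlib.sha256).hexdigest()


def verify_backup(archive: Path, expected_tag: str, key: bytes,
                  now: float | None = None) -> list[str]:
    """Return the list of failures; an empty list means the backup is usable."""
    failures: list[str] = []
    now = time.time() if now is None else now
    if not archive.exists():
        return ["archive missing"]

    # 1. Freshness: a backup older than the RPO means more than 24 h of data loss.
    age = now - archive.stat().st_mtime
    if age > RPO_SECONDS:
        failures.append(f"backup is {age / 3600:.1f} h old, exceeds 24 h RPO")

    # 2. Integrity: recompute the tag and compare in constant time.
    tag = hmac.new(key, archive.read_bytes(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected_tag):
        failures.append("integrity tag mismatch (archive altered or wrong key)")
        return failures  # never test-restore an archive that failed integrity

    # 3. Test restore into scratch space, refusing path-traversal members.
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for member in tar.getmembers():
                    if member.name.startswith("/") or ".." in Path(member.name).parts:
                        failures.append(f"unsafe path in archive: {member.name}")
                        return failures
                # Newer Pythons provide tarfile.data_filter; use it when present.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, OSError) as exc:
            failures.append(f"restore failed: {exc}")
            return failures
        if not any(p.is_file() for p in Path(scratch, "data").rglob("*")):
            failures.append("restore produced no files")
    return failures


def run_demo() -> dict[str, list[str]]:
    """Constructed demo: back up a small directory, then check a fresh, a stale
    and a tampered copy. Returns the failure list for each case."""
    key = b"constructed-demo-key, keep the real one off the backup host"
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "lims")
        src.mkdir()
        (src / "batch_records.csv").write_text("lot,assay,result\nA1,purity,99.2\n")
        archive = Path(work, "lims-backup.tar.gz")
        tag = make_backup(src, archive, key)

        results = {"fresh": verify_backup(archive, tag, key)}
        # Pretend two days have passed since the archive was written.
        results["stale"] = verify_backup(archive, tag, key, now=time.time() + 2 * RPO_SECONDS)
        # Simulate corruption, or ransomware rewriting the backup file.
        with open(archive, "ab") as f:
            f.write(b"\x00")
        results["tampered"] = verify_backup(archive, tag, key)
    return results


if __name__ == "__main__":
    for case, failures in run_demo().items():
        print(f"{case}: {'OK' if not failures else '; '.join(failures)}")
```

Run this from a host other than the one being backed up, with the tag and key held somewhere the backup server cannot write to; a check that reads its expected tag from the same share the ransomware just encrypted proves nothing. The trial restore is deliberately done into a throwaway directory, and the archive is refused before extraction if any member name could escape it.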
Cybersecurity efforts have largely been focused on IT and, as such, are typically part of the IT budget. I would propose a separation of IT and security, but that is a topic for another blog. Suffice it to say that doing nothing is no longer an option. It is not a matter of if, but when, you will become a cybercriminal's sales lead.
There are many other items that could have made this list, but I tried to prioritize them into a top 10. There are many more cybersecurity functions that may or may not be needed at your organization.
As with most things, you must find the balance between security and functionality, and between cost and benefit. I would love to talk with you more about cybersecurity and how Azzur Group's Cybersecurity Solutions can help your organization better defend against cybercriminals.