Pharmaceutical and biotech companies suffer more breaches than those in any other industry, with 53% of them resulting from malicious activity, according to a Forbes article from earlier this year.
“Generally, we are seeing that the healthcare and pharma industries are experiencing more precise and targeted attacks,” Eyal Benishti, founder and CEO of IRONSCALES, told BioPharma-Reporter.
Some of the cybercrime his company has tracked of late in relation to the pharma sector includes credential theft, invoice phishing and business email compromise (BEC) attacks.
“Threat actors are trying to become insiders within an organization, using social engineering tactics to get their hands on proprietary and sensitive data.”
Such cyberattacks can be aimed at stealing information. Benishti noted an increase in cyberattacks by, among other groups, nation-state actors, who typically rely on hired guns for espionage and IP theft. Those cybercriminals have been targeting prominent vaccine manufacturers in that respect, trying to catch up in the race to find solutions for COVID-19.
Psychology of cybercrime
Threat actors, said Benishti, always go after the low-hanging fruit. They target industries that they believe are vulnerable and that are lagging behind or are less well prepared technically to fend off cyberattacks:
“Based on the data that we are seeing, and the kind of attacks we are monitoring, pharma is very high up on cybercriminals’ target lists. It is an industry that is susceptible to supply chain based attacks due to the nature of the business, the way in which companies interact and communicate with other organizations.
“And a lot of pharma companies are not making the right kind of investments around cybersecurity. They are not up to speed on the latest technology to address phishing or social engineered attacks.”
But he acknowledged that industries in general tend to be more reactive and not proactive when it comes to such challenges.
“From the moment companies realize they are a target to the point where they can hire and attract the right talent, build the programs, put the solutions in place, understand how to better utilize those programs and become more secured, evidently, there is a process.
“Pharma firms need to be much more proactive and understand that even if they are not a target right now, they might or will become a target at some point.”
A cyberattack can have devastating consequences for a company, said Benishti, who added that 1% of cybercrime is responsible for 99% of the damage.
Dr Reddy’s Laboratories experienced a cyberattack late last year, which crippled the company’s global infrastructure, forcing it to shut down its datacenters and production facilities around the globe.
The criminals appeared to be trying to steal clinical trial data that the India-based drug company had compiled. Dr Reddy’s was eventually able to restore all systems and production facilities.
While some cybercrime attacks are publicly announced, most of them are not, continued the expert. And just because there has been no disclosure, it does not mean an organization has not been targeted, he said.
His company is tracking irregularities inside the organizations it is protecting.
“We have pretty much reversed the order in the sense of how we are approaching threat detection.
“Typically, in our industry, it is common to try and understand the threat, then create a signature to block this threat and make sure it can never happen again. This strategy is problematic though as you are always looking in the rear-view mirror, you are only taking account of known threats.
“With our approach, we are trying to understand the individuals, the organization and what makes sense in the context of the business process, in terms of communication with vendors.
“We are looking for anomalies so we can detect unknown threats. We can analyze the communication pattern, the language that is being used.”
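The contrast drawn above between signature matching and baseline anomaly detection, as an added illustration (not IRONSCALES' product logic and not code from the article). The vendor names, domains, similarity threshold and keyword list are constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed data: sender domains previously seen for each vendor display name.
BASELINE = {"Acme Labs Billing": {"acmelabs.example"}}
# Constructed stand-in for a signature feed of already-known bad domains.
KNOWN_BAD = {"evil-invoices.example"}
PAYMENT_TERMS = ("new bank", "updated account", "change of bank")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def signature_hit(msg):
    """Signature view: only catches senders someone has already reported."""
    return domain(msg["from"]) in KNOWN_BAD

def anomaly_findings(msg, baseline=BASELINE):
    """Baseline view: compare the message with how this vendor normally writes."""
    findings = []
    sender = domain(msg["from"])
    known = baseline.get(msg["display_name"], set())
    if known and sender not in known:
        findings.append("new-domain-for-known-vendor")
        # A near miss of a real vendor domain suggests impersonation.
        if any(SequenceMatcher(None, sender, k).ratio() >= 0.85 for k in known):
            findings.append("lookalike-domain")
    reply_to = msg.get("reply_to")
    if reply_to and domain(reply_to) != sender:
        findings.append("reply-to-mismatch")
    if any(term in msg["body"].lower() for term in PAYMENT_TERMS):
        findings.append("payment-change-language")
    return findings

# Constructed sample messages (metadata only).
MESSAGES = [
    {"display_name": "Acme Labs Billing", "from": "ap@acmelabs.example",
     "body": "Invoice 1042 attached, usual terms."},
    {"display_name": "Acme Labs Billing", "from": "ap@acmelabz.example",
     "reply_to": "acme.ap@mailbox.example",
     "body": "Please use our new bank details for invoice 1043."},
    {"display_name": "Parcel Notice", "from": "info@evil-invoices.example",
     "body": "Your parcel is waiting."},
]

def triage(messages=MESSAGES):
    return [(signature_hit(m), anomaly_findings(m)) for m in messages]

if __name__ == "__main__":
    for msg, (sig, findings) in zip(MESSAGES, triage()):
        print(msg["from"], "signature:", sig, "anomalies:", findings)
```

The second message passes the signature check because its domain has never been reported, yet it deviates from the vendor's baseline in four ways; the third is caught only by the signature list because no baseline exists for that sender.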
Hacking the business process
Threat actors are becoming much more sophisticated. They are not necessarily trying to hack into a laptop or device; instead, they are hacking the business process to determine whether there are any vulnerabilities in a company’s operations. They then try to lure or socially engineer a person inside the organization into clicking on the right buttons to do something that will eventually play to the benefit of the cybercriminal.
They might assess a company’s invoicing payment procedure, to see if there is something broken in the process. They may also evaluate how companies are segmenting and protecting their data, how they go about access management and identity. “We see a big shift from before where threat actors were just trying to install a malware or steal a user’s credentials to today where they engage in more precise and intelligent attacks.”
Companies need to protect their employees and take a more behavior-focused approach, rather than targeting devices or the perimeter, in order to have greater success in dealing with this highly targeted, social engineering-based cybercrime, he said.