Cybersecurity is a critical concern for startups and emerging companies: they need to protect intellectual property (IP) while establishing their footing in a competitive industry, and they face financial and reputational threats on top of that. Proactive cybersecurity management, supported by a virtual Chief Information Security Officer (vCISO), is essential to safeguard sensitive data and valuable assets.

Brian Rankin, Head of Cybersecurity Services at USDM Life Sciences, has extensive experience developing and implementing security strategies that align with the business objectives of life sciences organizations, and he has served as a vCISO for several USDM clients. In this interview, Brian shares his insights on cybersecurity challenges for emerging biotech companies.

Question: What are some common cybersecurity challenges for emerging biotech companies?

BR: Emerging biotech companies often encounter IP theft, ransomware attacks, and data breaches. IP theft is a major concern because these companies possess valuable scientific research data that can be lucrative for cybercriminals. Ransomware attacks have become increasingly sophisticated. For example, attackers exploit vulnerabilities in the IT infrastructure, lock out authorized users, and demand a ransom to restore the company's critical data.

One scenario involved a biotech startup that was in Phase 1 clinical trials. The company was the target of a sophisticated phishing campaign aimed at stealing sensitive research data. The attackers sent emails that appeared to be from a trusted partner and contained malicious links. When the links were clicked, the attackers gained access to the company's research database. This breach put the company's IP and data at risk.

Question: What other cybersecurity scenarios should emerging biotech companies be wary of?

BR: Two types of security breaches are on the rise. One is that an unauthorized party gains access to a chief financial officer's (CFO's) email account and directs the finance team to send standard recurring payments (such as rent) to an illegitimate overseas account. Incidents like these result in direct financial loss, pose serious compliance risks, and expose the company to legal repercussions.

The other is domain spoofing, where bad actors register a domain name similar to the company's. They create a replica of the company's website and attempt to redirect traffic and capture sensitive information from unsuspecting visitors. Related to this are bad actors who pose as company employees via email, which can severely damage the company's reputation and lead to data breaches.

Question: How significant is the risk of reputational damage in these cybersecurity incidents?

BR: The damage to a company's brand and to customer and partner trust can be far-reaching and long-lasting. For biotech companies, where the integrity of research and data is paramount, a single cybersecurity incident can undermine years of work and erode stakeholder confidence. Therefore, it's vital to have strong cybersecurity measures in place to protect financial assets and the company's reputation.

Question: How should life sciences companies defend against cyber threats during mergers and acquisitions?

BR: During mergers and acquisitions, life sciences companies should conduct thorough cybersecurity due diligence to identify and assess potential risks. Integrating cybersecurity practices across merged entities safeguards intellectual property and ensures a unified defense against cyber threats.

Also, watch out for old accounts that are left behind. They might be needed for audit and legacy purposes, but those accounts may not have multi-factor authorization (MFA) or may use weak passwords. And they usually aren't monitored because they are disabled. Bad actors might reactivate the account using compromised credentials or through exploitation of insufficient deactivation protocols.

Question: How can life sciences companies mitigate third-party risk in their cybersecurity strategy?

BR: Mitigating third-party risk requires a comprehensive approach that includes conducting thorough security assessments of all third parties (not just vendors), implementing strong contractual agreements with clear security requirements, and continuously monitoring third-party compliance with these standards. Life sciences companies should also:
1) establish a collaborative relationship with their vendors and partners to ensure prompt response to any security incidents,
2) integrate third-party risk management into their overall cybersecurity strategy, and
3) leverage technologies like continuous monitoring tools to assess and manage the risks associated with third-party vendors.

This program should be implemented across the company, not just IT. Too often, the clinical side manages its own third-party risk, which makes it hard to measure that risk for the entire company.

Question: Given the complexities of third-party risk management you've outlined, how important is it for IT and Quality departments to collaborate, and what benefits can this collaboration bring to cybersecurity?

BR: Historically, these functions might have operated in silos, but evolving cyber threats demand a more integrated approach. Quality ensures that GxP data and processes comply with regulatory standards, while IT provides the technology and systems to securely manage and protect data. This partnership helps to maintain data integrity and protect against breaches and cyber threats. Quality's oversight of GxP data, underpinned by IT's cybersecurity measures, ensures that data handling processes are compliant and secure. When IT and Quality work together, they establish a unified framework that integrates compliance with robust cybersecurity practices. This collaboration leads to data management systems that are secure and resistant to cyberattacks, which reduces the risk of data breaches and ensures the integrity and confidentiality of sensitive data.

Question: What preventive measures should emerging biotech companies take to protect themselves from these threats?

BR: The key is to establish a robust cybersecurity framework from the outset. This includes regular security awareness training for employees, strong access controls, and up-to-date antivirus and malware protection. They also need an incident response plan in place to mitigate the impact of security breaches.

Question: How does a vCISO support emerging life sciences companies?

BR: A vCISO brings in expert knowledge and experience in cybersecurity. For startups and emerging life sciences companies, hiring a full-time CISO usually isn't feasible. A vCISO provided by USDM offers strategic guidance, helps build and maintain a cybersecurity program, and ensures compliance with industry regulations. This role provides invaluable assistance in navigating the complex cybersecurity landscape effectively and affordably.

Question: What are the first steps an emerging life sciences company should take to secure its operations?

BR: The first step should be a comprehensive cybersecurity risk assessment to identify potential vulnerabilities in their systems and processes. Then the company should prioritize the vulnerabilities and start with the most critical ones. Regular security audits and monitoring are also essential to ensure ongoing protection against new and evolving threats.

Question: What future trends in cybersecurity should life sciences companies be aware of?

BR: Life sciences companies should anticipate increased cyber threats targeting cloud-based resources and remote work infrastructures. Advances in AI and machine learning will offer both sophisticated security solutions and new vectors for cyberattacks. Evolving regulatory requirements necessitate agility in their compliance and cybersecurity strategies.

Regardless of a company's size or stage, the risks and potential consequences are significant. Proactive cybersecurity management and the expertise of a vCISO are essential to safeguard the valuable assets and future of these innovative companies. For more information, download the USDM vCISO datasheet or contact USDM to talk to a cybersecurity expert.
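The domain-spoofing and employee-impersonation scenarios above (a registered lookalike of the company's domain, then mail that appears to come from a colleague) can be caught at the mail gateway or in a SIEM by comparing the sender's domain against the variants an attacker is likely to register. The following is an added example written for this page, not code from USDM or from the interview; the company domain `examplebio.com`, the `From:` headers, and the homoglyph and TLD lists are constructed assumptions, so replace them with your own domain and the lookalike patterns you care about.

```python
"""Lookalike-domain check for inbound mail senders.

Generates the variants of the real company domain an attacker would register
(character omission, adjacent transposition, homoglyph substitution, hyphen
insertion, TLD swap) and classifies each inbound From: header as 'legit',
'lookalike' or 'external'. Domains within one edit of the real label are
also treated as lookalikes. All names and headers below are constructed.
"""
from __future__ import annotations

import re

COMPANY_DOMAIN = "examplebio.com"  # assumed company domain (hypothetical)

# Characters attackers swap because they look alike in common fonts.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"], "a": ["4"],
    "s": ["5"], "m": ["rn"], "w": ["vv"], "d": ["cl"],
}
SWAPPED_TLDS = ["co", "net", "org", "cm", "com.co"]


def lookalike_domains(domain: str) -> set[str]:
    """Return the set of plausible lookalike registrations of `domain`."""
    label, _, tld = domain.rpartition(".")
    variants: set[str] = set()
    for i in range(len(label)):                      # 1. character omission
        variants.add(label[:i] + label[i + 1:] + "." + tld)
    for i in range(len(label) - 1):                  # 2. adjacent transposition
        chars = list(label)
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
        variants.add("".join(chars) + "." + tld)
    for i, ch in enumerate(label):                   # 3. homoglyph substitution
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(label[:i] + sub + label[i + 1:] + "." + tld)
    for i in range(1, len(label)):                   # 4. hyphen insertion
        variants.add(label[:i] + "-" + label[i:] + "." + tld)
    for alt in SWAPPED_TLDS:                         # 5. TLD swap
        variants.add(label + "." + alt)
    variants.discard(domain)                         # never flag the real one
    return variants


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typos the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_from: str) -> str:
    """Extract the domain from a From: header value, lowercased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_from)
    return m.group(1).lower().rstrip(".") if m else ""


def classify(header_from: str, company: str = COMPANY_DOMAIN) -> str:
    """Return 'legit', 'lookalike' or 'external' for one From: header."""
    dom = sender_domain(header_from)
    if dom == company or dom.endswith("." + company):
        return "legit"
    if dom in lookalike_domains(company):
        return "lookalike"
    label = dom.rpartition(".")[0]
    real_label = company.rpartition(".")[0]
    if label and edit_distance(label, real_label) <= 1:
        return "lookalike"
    return "external"


# Constructed From: headers, not real mail.
SAMPLE_FROM_HEADERS = [
    '"CFO" <cfo@examplebio.com>',
    '"CFO" <cfo@exarnplebio.com>',   # "rn" standing in for "m"
    '"Accounts" <ap@examplebio.co>', # dropped last letter of the TLD
    '"Partner" <lab@partnerlab.org>',
]


def triage(headers: list[str] = SAMPLE_FROM_HEADERS) -> list[tuple[str, str]]:
    """Classify every header; feed this into a quarantine or SIEM rule."""
    return [(sender_domain(h), classify(h)) for h in headers]


if __name__ == "__main__":
    for dom, verdict in triage():
        print(f"{verdict:10} {dom}")
```

A production rule would also register the highest-value variants itself and compare against newly observed domains from passive DNS or certificate-transparency feeds; the generator above is the piece that decides which names are worth watching.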
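The mergers-and-acquisitions answer above warns about legacy accounts that are disabled, lack MFA, keep old passwords, and are never monitored, so a quiet re-enable or a successful sign-in goes unnoticed. The audit below is an added example written for this page, not USDM's tooling; the identity export, the audit-log format, the user names and the 365-day password-age threshold are all constructed assumptions standing in for whatever your identity provider actually exports.

```python
"""Audit of legacy accounts left behind after an acquisition.

Input: a constructed identity export (one record per account) and a
constructed audit log (one line per event). Output: per-account findings for
the conditions the interview warns about: no MFA on a dormant account, a
stale password, a disabled account that was re-enabled, and a successful
sign-in after the disable date.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 1)            # fixed "today" so the run is reproducible
MAX_PASSWORD_AGE = timedelta(days=365)  # assumed rotation policy


@dataclass
class Account:
    user: str
    enabled: bool
    mfa_enrolled: bool
    password_set: datetime
    disabled_at: datetime | None = None
    source: str = "acquired"          # which legacy directory it came from


# Constructed identity export, shaped like an IdP CSV after a migration.
ACCOUNTS = [
    Account("j.doe", True, True, datetime(2024, 3, 1), source="corp"),
    Account("svc-backup", False, False, datetime(2021, 5, 20), datetime(2023, 1, 15)),
    Account("old.cfo", False, False, datetime(2022, 2, 2), datetime(2023, 6, 30)),
    Account("lab.admin", True, False, datetime(2020, 9, 9)),
]

# Constructed audit-log lines: "<timestamp> <event> key=value ..."
AUDIT_LOG = """\
2024-05-20T02:14:00 account_enabled user=old.cfo actor=helpdesk
2024-05-20T02:16:31 signin user=old.cfo result=ok ip=203.0.113.9
2024-05-21T09:00:00 signin user=j.doe result=ok ip=198.51.100.4
2024-05-22T23:41:12 signin user=svc-backup result=fail ip=203.0.113.9
"""


def parse_log(text: str) -> list[dict]:
    """Turn each log line into {'ts': datetime, 'event': str, <key>: <value>...}."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        rec: dict = {"ts": datetime.fromisoformat(ts), "event": event}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def audit(accounts: list[Account] = ACCOUNTS, log_text: str = AUDIT_LOG,
          now: datetime = NOW) -> dict[str, list[str]]:
    """Return {user: [finding, ...]} for every account with at least one finding."""
    events = parse_log(log_text)
    findings: dict[str, list[str]] = {}

    def flag(user: str, msg: str) -> None:
        findings.setdefault(user, []).append(msg)

    for acct in accounts:
        if not acct.mfa_enrolled:
            suffix = " (disabled account)" if not acct.enabled else ""
            flag(acct.user, "no MFA enrolled" + suffix)
        age = now - acct.password_set
        if age > MAX_PASSWORD_AGE:
            flag(acct.user, f"password {age.days} days old")
        if acct.disabled_at is None:
            continue
        # Anything that happens to a disabled account after its disable date
        # is suspicious: nobody should be enabling it or logging in with it.
        for ev in events:
            if ev.get("user") != acct.user or ev["ts"] <= acct.disabled_at:
                continue
            if ev["event"] == "account_enabled":
                flag(acct.user, f"re-enabled on {ev['ts'].date()} by {ev.get('actor', '?')}")
            elif ev["event"] == "signin" and ev.get("result") == "ok":
                flag(acct.user, f"successful sign-in after disable on {ev['ts'].date()} from {ev.get('ip')}")
    return findings


if __name__ == "__main__":
    for user, notes in audit().items():
        print(user)
        for note in notes:
            print("  -", note)
```

Run against a real export, the "re-enabled" and "sign-in after disable" findings are the ones to alert on immediately; the MFA and password-age findings are the backlog to clean up before the legacy directory is decommissioned.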