Pharmaceutical companies have long been a target for cybercrime, but with the Covid-19 pandemic pushing the industry into the spotlight over the past year, the threat has become even greater. Cyber attackers often attempt to steal intellectual property (IP) such as drug formulas and R&D data from companies – and the race to develop coronavirus vaccines worldwide means this information is now all the more valuable.
The average cost of a pharmaceutical industry breach stood at $5.06m in 2020, a sum 1.3 times higher than the global average. A new report by external attack surface management platform Reposify has examined the security posture of the world’s leading pharmaceutical companies and their 900-plus subsidiaries.
Cybercrime in pharma: key findings
Analysis of data covering a two-week period in March 2021 found that 92% of the companies had at least one exposed database with potential data leakage, while 46% had an exposed Server Message Block (SMB) service.
SMB is a communication protocol that allows networks within the same system to share files. Exposed SMB services were previously exploited in the infamous WannaCry cyberattack, which compromised 80 NHS trusts across England in 2017.
Examining the prevalence of exposed sensitive services among pharmaceutical companies, Reposify also found that 99% of companies had at least one remote access platform exposed to the internet.
Reposify CEO Uzi Krieger said: “The pharmaceutical sector is one of the largest contributors to the global economy and human welfare. But pharmaceutical companies are struggling to protect their distributed network perimeter from increased cyberattacks coming from well-funded and well-organised hacking groups on the hunt to steal and hold valuable, confidential data for ransom or other nefarious acts.
“Covid-19 is still ravaging parts of the world, variants are spiking, and the safety of clinical research, manufacturing and supply chains have never been so important to humanity, and yet, pharmaceutical companies remain ill prepared and unsecured, spiralling the industry into red level vulnerability to external attacks.”
The impact of M&A on pharma cybersecurity
Hundreds of mergers and acquisitions (M&A) took place in the pharmaceutical sector last year. While parent companies acquire valuable IP in these transactions, they also inherit the cybersecurity risks of their newly purchased subsidiaries.
Reposify analysed 20 M&A deals that took place throughout 2020, and found that in 70% of cases, the subsidiary had a negative impact on the acquirer’s security posture.
The authors of the report recommend that parent companies undertake cybersecurity due diligence before any prospective merger or acquisition, including mapping and analysis of the acquisition target’s external attack surface, to uncover weaknesses and risky exposures and ensure they are addressed before the deal takes place.