3 Steps That Biotech And Pharma Can Take To Improve Their Cybersecurity Hygiene
Contributed Commentary by PJ Kirner
March 27, 2019 | When it comes to cybersecurity needs and policies, the biotech and pharma industries need to secure and protect their most valuable assets like every other industry. What makes them unique, however, is that while protecting a company’s data is important to any industry, this information (i.e. research) is the biotech or pharma company in question—it’s their lifeblood and is the foundation for everything they do.
When compared to other highly-digitized and tightly-regulated industries like financial services, biotech and pharma have historically spent far less on cybersecurity measures and policies. But why is that? Biotech and pharma are all in the same boat when it comes to allocating resources to research and project areas that will help them meet their objectives, adhere to regulations, and so forth. The real challenge is that this requires some sacrifices or trade-offs with other areas of the business. Cybersecurity is often—but not all the time—one of those things that does not get the attention or resources it needs to be effective.
Current cybersecurity policies and measures have primarily centered around securing perimeter defenses such as firewalls, which only protect the “outside” of your network. But with advancements in technology and the perseverance of malicious actors to find new ways in, protecting the perimeter isn’t enough anymore. This requires a change in mindset to one of “assume breach”, which simply means that it’s not an “if” but a “when” these actors will hack into a network. So the real question then becomes “What do you do once they’re inside your network?”
This is where micro-segmentation technology comes into play. Micro-segmentation has become a new way to think about cybersecurity. Think of your network and datacenter like a submarine: when a submarine’s hull is damaged, watertight doors on either side of the section are sealed, and so the flow of water is limited. This lets the submarine continue to function instead of sinking. Through micro-segmentation, the same effect is achieved for an organization’s network. It separates the high-value assets in your network (the crown jewels) from the low-value areas (from which would-be intruders will start). Micro-segmentation prevents breaches from spreading and provides a foundation for cyber resilience if and when an intruder slips past those perimeter defenses.
One of the biggest challenges is knowing where to start once an “assume breach” mentality is realized so I wanted to share the first three steps to get you on your way:
Step 1: Collaborate to identify your “crown jewels”
While seemingly obvious, the classification of your high-value assets may be different depending on the stakeholders within an organization. If an organization has not undertaken this effort, the first step is to bring together key stakeholders (i.e. CISO, Risk and Governance, key business stakeholders, Legal, and Finance) with the goal of mapping the risk of the assets and applications within the company’s infrastructure. A good way of doing this is to look at the NIST Cybersecurity Framework (CSF) so a risk assessment can be performed.
Step 2: Identify the best way to protect or control them
There are many layers to protecting a crown jewel application. These include identity and access management (IAM), vulnerability management, and segmentation. Ensuring that your organization has a good IAM program that uses two-factor authentication is a good start. Ensuring that vulnerabilities on crown jewels are aggressively managed is another win. However, patching vulnerabilities can be especially difficult because the crown jewels may not be able to be patched for any number of reasons (e.g. production freeze, no patch available, or the patch would break applications). Segmentation is another control that many organizations are turning to that fits into the NIST CSF; it ensures that crown jewels can only be accessed from authorized devices and those devices only have access to specific business processes on the critical applications.
Step 3: Evaluate potential solutions that are right for the organization
Determining a set of solutions to address the segmentation problem begins with identifying key stakeholders that may be called upon at different points in the journey (e.g. Security Engineering, Network Engineering, Application teams, etc.). The team should get together to look at the solutions that are available in the market. It is highly recommended that the team look at different approaches from different vendors. It’s also important to remember that segmentation is an emerging market. Traditionally, organizations just used firewalls, subnet, and zones to protect applications, but because the threat landscape has changed and compute has evolved, new solutions have evolved to solve the problem of segmenting applications sitting in existing data centers and public clouds.
Biotech and pharma companies need to plan ahead and think now about how to respond to future threats. It’s not a question of if but when an organization or an individual will be breached in cyberspace. If you believe that, you have taken the most important cognitive step. You are prepared to “assume breach” and build resilience to withstand a cyberattack.
As Chief Technology Officer and Founder, PJ Kirner is responsible for Illumio’s technology vision and platform architecture. Follow him on Twitter: @pjkirner