As life sciences businesses grow and evolve, so too does the complexity of their data and third-party access landscape. From startups to mid-sized enterprises, strong cyber security fundamentals are essential to protecting research and intellectual property, safeguarding investor funds and confidence, and ensuring long-term success.

The evolving cyber threat landscape

Cybercrime is an increasingly critical issue affecting all industries, as our most recent cyber security special report confirms. The life sciences industry, with its wealth of intellectual property and sensitive patient data, is a prime target for cyber-attacks.

Why is cyber security important to this journey?

Intellectual property theft

Cyber criminals target life sciences organisations to steal valuable intellectual property, such as research data and models, clinical trial data and proprietary formulas. This can lead to significant financial losses, reputational damage, competitive disadvantage and potentially loss of investor confidence.

Supply chain attacks

Cyber criminals are actively targeting data and third parties in the life sciences supply chain to infiltrate multiple organisations. Working with key data providers introduces threats and risks into your business.

Ransomware and extortion attacks

Ransomware attacks can cripple operations, disrupt critical research and lead to significant financial losses. Cybercriminals encrypt critical systems and data, demanding a ransom for decryption.

Phishing and social engineering attacks

Phishing attacks, often disguised as legitimate emails, can trick employees into revealing sensitive information or clicking malicious links. They remain prevalent for businesses of any size.

Patient data breaches

Upstream and downstream, life sciences companies handle vast amounts of sensitive patient data, including medical records, genetic information and personal health information. A data breach of these special categories of data can expose patient privacy, lead to legal liabilities and erode trust in the organisation.

What does strong cyber security look like in life science businesses?

Implement security early on

As your life sciences business grows, your cyber security needs will evolve. So, what do strong cyber security foundations look like?

Startups

• Do what you can; take small but informed steps: turn on familiar and obvious security features in the day-to-day technologies and tools you use. It’s a good idea to test after you turn on new security features to make sure your business is not affected.
• Focus on the basics: prioritise strong password hygiene, regular device updates, and employee awareness training for social engineering. If you use a cloud email service provider, enable basic controls such as Multi-Factor Authentication (MFA) and perform a security assessment of Office 365, Google Workspace and other user applications.
• Access control: implement basic procedures to manage user access control to sensitive data and provide secure mechanisms for third-party access, e.g MFA and VPN enforcement for remote access. Consider a well-implemented password manager and continuously manage access for joiners, movers and leavers.
• Consider Managed Security Service Providers (MSSPs): outsource your needs to a specialist MSSP, which can be cost-effective and efficient, especially for early-stage startups.

Mid-sized businesses

• Invest in endpoint, threat detection and response tools: proactively identify and respond to threats for your user devices and network.
• Start to build a dedicated security team: as your business grows, consider hiring dedicated cyber security professionals to establish a security team.

Larger businesses

• Establish a cyber security function: for more mature businesses, develop a formal security service function with dedicated data security and access control capabilities.
• Conduct regular security and vulnerability assessments, and penetration testing: include any cloud-services or third-party dependent IT services.
• Advanced security solutions: implement self-sovereign identity and access control solutions. Consider cyber security solutions that reference Artificial Intelligence (AI) or Machine Learning (ML) detection and control.
• Digital footprint: implement data classification and data security programmes to classify and protect data at source and during transit, eg by implementing cyber security foundations such as Data Loss Prevention (DLP).

Safeguarding against Artificial Intelligence and Machine Learning cyber attacks

AI-enabled attacks are becoming more sophisticated, causing companies to lose millions through deepfake impersonations for fraudulent payments. As the life sciences sector heavily relies on AI/ML to gain efficiency in research and clinical trials, these assets can be compromised in new ways. As dependency on AI grows, we will see more unique types of attacks, such as data poisoning against AI/ML systems.

• Build trust with established and complex technologies: we have expertise in helping clients understand, prepare for and implement a trusted AI Management System with ISO 42001, covering areas such as ethics, accountability, transparency and data privacy.
• Vulnerabilities: AI models can be susceptible to unique vulnerabilities, including data poisoning and AI-enabled attacks. These vulnerabilities threaten the integrity of clinical data and raise privacy concerns for patient information.
• Data governance: manual data classification processes can be sped up with the aid of AI/ML-enabled tools, helping businesses quickly understand what types of data they hold, where it is located and the relevant risks depending on the data type.

Key considerations regardless of your business size

• Third parties: implement continuous monitoring and regular audits of third-party data sharing access.
• Staying informed: keep up to date with news of incidents and threats that arise within your networks and communities.
• Financial threats: build strong cyber security foundations to protect your intellectual property and secure investments into your business.

Early cyber security planning for life sciences businesses

By adopting cyber security foundations early on, life sciences businesses can safeguard their valuable assets, protect patient data and trust and maintain investor confidence.

For more information on how to cyber secure your life sciences business at all growth stages, please contact Sheila Pancholi, Stuart Leach, or Neville Manekshaw.