The risks associated with cyber threats and data loss are a priority for companies in the pharmaceutical sector. Despite their defensive efforts, however, it is difficult to keep pace with new and ever-increasing dangers. British cybersecurity services provider Riskxchange conducted a risk assessment of the 100 largest pharmaceutical companies by revenue, showing how the sector fared from April 2021 to April 2022.
Ever-increasing threats
The analysis considers several types of cyber threat. On the network security side, data breaches are very common, especially since they do not have to affect the company directly: breaches at suppliers or third parties can also cause costly damage. According to IBM, the average cost of a data breach in the pharmaceutical industry in 2021 was approximately $5.04 million.
Ransomware is even more harmful. Programs that block access to networks or parts of them and then demand a ransom can put companies out of business. According to Riskxchange itself, in 2021 one in ten multinational pharmaceutical companies was at risk of suffering this type of attack. Less radical but still harmful is phishing, in which critical information is stolen by senders posing as apparently reliable sources. This type of attack is on the increase, and according to the digital services company Verizon, in 2021 36% of data breaches occurred using this technique.
Furthermore, the recent development of the so-called Internet of Things combines undisputed advantages with new fragilities: the integration between networks and systems increases the surface exposed to cyber attacks. Finally, among the causes that lead to cybersecurity violations, one surpasses all others: human error. Workers were the primary vehicle for data breaches across all industries in 2021, as Verizon reports.
Cybersecurity: where are we at?
In the distribution of cybersecurity problems in the pharmaceutical sector, the poor reliability of networks and applications comes first. In particular, 35% of the problems encountered concern weak network security and firewall policies, while 34% concern applications and configuration management.
Furthermore, the analysis found several points where networks may be vulnerable to cyber attacks. 15% of the problems found concern the security of databases, sometimes published on the Internet without protection, while in 10% of cases low-grade encryption, or even no encryption at all, was detected. Only 5% of the problems concern the poor security of email and the Domain Name System (DNS), which opens the door to phishing.
Finally, during the analysis, the company discovered malware distributed within the systems of one of the companies analyzed.
The performance of companies
Continuing the data analysis, Riskxchange highlights that 37% of cybersecurity issues concern the Internet or the security of corporate networks. Furthermore, in 14% of cases the problem is so critical that it could allow a hacker to access company data and systems. Regarding encryption and configuration processes, the situation is inadequate in 27% of companies, with 21% of systems using low-grade encryption. Furthermore, in 36% of cases web applications have a poor security configuration, in 31% applications use obsolete TLS (Transport Layer Security) versions, and in 30% the SSL (Secure Sockets Layer) encryption certificates have expired.
Riskxchange then assigned a score to each company’s security level. No company reached the maximum score, and the average value was 745/900. The best company scored 864 points, while many companies fell below 700, with the worst achieving a score of 634. According to Riskxchange, such a score exposes a company to a serious data breach event within 12 months.
The global trend is worsening compared to previous years. Furthermore, in 57% of cases the problems encountered had already been highlighted as early as 2017. Companies therefore appear to have been unable to keep up with the vulnerabilities found and resolve the problems in time.