As the U.S. biomedical community rushes to combat COVID-19, the FBI announced last week that, in a bid to win the race for a vaccine or cure, state-sponsored Chinese hackers are targeting U.S. researchers in an attempt to “obtain valuable intellectual property and public health data related to vaccines, treatments, and testing.”
China is not alone in its nefarious intelligence-gathering efforts. On May 8th, Reuters reported that Iran-linked hackers had targeted Gilead Sciences, makers of the promising antiviral drug remdesivir.
In light of these attacks, the bioscience community must step up its cyber vigilance. It only takes a misconfigured piece of software, an open access port, or an insecure remote office network for a hacker to gain entry to systems that store scientific research, intellectual property, and the personal data of subjects involved in clinical trials.
Here are four key measures that security leaders can take to mitigate risk as their organizations race to develop vaccines.
1. Visualize risk across all digital assets
The global effort to beat COVID-19 is using technology at scale in ways never seen before. The number of digital touchpoints that scientists, researchers, government agencies, and others interact with day-to-day is growing exponentially — as is the attack surface. This puts tremendous pressure on security leaders who don’t have a handle on the risk hidden across digital assets in the cloud or across geographies, subsidiaries, and their remote workforces.
Yet organizations often lack visibility into the inventory of critical assets that comprise these complex ecosystems, such as connected medical devices, applications, and cloud infrastructure. They may also lack insight into the level of risk associated with each asset, not realizing when a piece of software needs an update or runs a high risk of being breached. Only with this understanding can organizations make strategic decisions about prioritizing their remediation efforts and moving their cybersecurity programs forward. Bitsight Attack Surface Analytics provides that understanding. It can help security teams overcome the challenges of detecting and managing unknown cyber risk hiding throughout their expanding digital ecosystem.
2. Discover risk in remote environments
The number of workers now working remotely has risen sharply since the pandemic began. Yet these environments pose significant cyber risk. A Bitsight study found that home and remote offices have alarming security issues that could put upstream company networks and data at risk of compromise.
Security teams can address the challenges created by this massive shift to remote work with Bitsight Work From Home - Remote Office. This solution empowers organizations to easily and effectively identify vulnerabilities and infections on IP addresses associated with remote operating environments, such as residential IPs. With these insights, unknown security issues across remote endpoints can be quickly discovered on a continuous basis for efficient remediation.
3. Continuously monitor third parties for risk
Pharmaceutical and bioscience companies are increasingly relying on third parties, which means the security of intellectual data or patient data may also be in a vendor’s hands. While the use of third-parties is necessary to help companies remain agile, share information, and speed time to market, it can introduce additional risk, as data breaches that originate in the vulnerable systems of third parties are increasingly used as part of a larger supply chain attack to gain access to the victim's strategic partners and/or customers.
This exposes those on the front lines of COVID-19 treatment and therapies to regulatory and reputational risk. To mitigate this vulnerability, partners need to be carefully yet expeditiously vetted to ensure they're not bringing unwanted risk into the organization.
An effective way of exposing risk in the supply chain — quickly and without the complexity of traditional risk assessments — is to rate and continuously monitor vendors’ risk levels using Bitsight Security Ratings. Security ratings are a data-driven, objective, and dynamic measure of security performance that make it easier than ever for organizations to achieve visibility into a vendor’s inherent risk. Unlike a point-in-time snapshot, security ratings are updated daily, so organizations can easily track how their vendors’ security postures are changing over time.
4. Don’t forget the basics
Studies show that about 95% of cybersecurity breaches can be prevented with basic security hygiene. This means ensuring that software is patched in a timely manner, systems are updated, open ports are closed, and data is consistently backed up. And, because cybersecurity is no longer the sole responsibility of IT and security teams, users should be educated on typical cyber threat behaviors and how to avoid falling victim to them.
Cybersecurity must go beyond “detect and respond”
Right now, the race to find a cure or treatment for COVID-19 is the science community’s Holy Grail. More than 200 clinical trials have been launched and nearly all other research has ground to a halt as scientists worldwide come together to focus on a singular topic.
Hackers will continue to meddle with these efforts, placing pressure on already stretched security leaders to go beyond conventional detect and respond approaches to cyber threats. Instead, they must revisit basic cybersecurity hygiene practices and find proven and efficient ways to continuously discover and manage risk exposure — across the extended attack surface and third-party ecosystem. Only then can remediation be prioritized, and life-saving science innovation assured.