Ransomware Susceptibility Index Spells Trouble for Pharma
Take heed, pharmaceutical manufacturers – 10% of you are at high risk of suffering a ransomware attack.
It may come as no surprise that you’re in the crosshairs of attackers; any organization in health care or the medical field, especially a company developing vaccines against COVID-19, is likely to draw the attention of bad actors. But what might raise some eyebrows is how well – or how poorly – pharma manufacturers score on the indicators that gauge whether they’re ripe for attack.
In its 2021 Ransomware Risk Pulse: Pharmaceutical Manufacturing report, Black Kite quantifies the risk those companies face. Black Kite looked at the 200 largest global pharmaceutical companies and 166 of their third-party vendors to understand the biggest threats they face and how well they’re positioned to fend them off.
By sifting through data from multiple open source intelligence sources and applying machine learning, researchers correlated 26 control items to give each company they evaluated a Ransomware Susceptibility Index (RSI) score, ranging from 0.0 to 1.0.
“We don’t tell people that if you’ve got a high RSI, you’re going to be a victim, and we don’t tell them if you have a low one you won’t be a victim,” said Bob Maley, CSO at Black Kite. But if a company’s RSI is low and other signals are present (as they were at Colonial Pipeline, which recently suffered a devastating ransomware attack that led to the shutdown of a pipeline serving the eastern part of the country), then the risk of attack is higher. Colonial Pipeline, which earned a “decent” security rating overall, presented with two of the 26 indicators that Black Kite’s RSI uses: open remote desktop protocol (RDP) ports on six servers and credentials recently found on the dark web. If anyone at the company had been monitoring those two signals, they might have been able to prevent the disaster that occurred.
In the pharmaceutical report, 9.5% of the top 200 global pharmaceutical manufacturers and 12.2% of pharmaceutical industry IT solutions providers scored above 0.6, which Black Kite identified as the critical threshold. Nearly half of the pharmaceutical data management vendors, or 42%, scored an RSI above that threshold. The lesson there is to mind who you do business with: insist that vendors contractually meet certain security thresholds, and cut them loose if they don’t.
“We’re seeing a lot of people in manufacturing now going, ‘I really should be paying attention to my supply chain,’ and they’re struggling to find their way in a very complicated area – supply chain third-party risk – especially around cyber,” said Maley.
In fact, Black Kite found that data management vendors pose the most significant annual financial risk, $6.2 million. While the vendors bear responsibility for locking down their solutions, “ultimately, the burden is on the company that uses the vendor,” Maley said.
“A lot of times, vendors don’t have the wherewithal or the finances to recover from that, and it falls back to you,” he explained. “If there are indicators and signals that a vendor is susceptible; if that company is not willing to change and the financial impact to your corporation is bigger, well, maybe it’s time to move to new vendors.”
The other number from Black Kite’s research that’s likely to make members of the C-suite stand up and take notice, though, is the financial impact (risk) calculated for each pharmaceutical company. Black Kite first derived a Loss Event Frequency (LEF) – the likely number of cybersecurity events a company will experience within a year – and then multiplied it by the probable cost of a ransomware attack. By that method, the average annual cybersecurity financial risk for pharmaceutical companies is more than $31 million.
“Best practices, essentially, aren’t being followed,” said Maley. “They’re the basic hygiene themes of your program that are being missed. These are not new controls, these are paying attention to the details.”