Last year, the prevalence of cybercrime grew more than 27 percent. A single malware attack now costs an average of $2.4 million and takes organizations an average of 50 days to resolve.[1] In 2017, the Life Sciences industry ranked last in cybersecurity preparedness and capability.[2] It is this landscape that demands Life Sciences organizations build resilience against the threat of data compromise.



In our introduction to resilience, we identified data compromise as one of the three macro areas of disruption threatening Life Sciences companies. Data breaches damage business value through loss of trust and damage to brand. In addition, there are costs from reduced operational performance, people and technology associated with response and rebuilding. A recent cyberattack resulted in over $135 million in lost revenue in addition to $175 million in operational expenses and cost of goods sold. Publicly, data breaches have a permanent impact on share price, a long-term average of -1.8 percent.[3] On average, recovery from a data breach has a $5 million impact on bottom line, with an average cost of $207 per record and an average number of records per breach around 25,000.[4]

So, how should Life Sciences organizations differentiate their resilience plans to address the growing and varied threat of a data breach? There are three core steps that comprise a strong resilience plan: preparation, response and recovery.

Prepare

Life Sciences executives reported that within a 12-month period, an average of 95 security breaches were attempted with nearly 1 in 3 of those attempts succeeding.[5] With attempts being made on almost a twice-weekly basis, a complete understanding of the threat landscape should be coupled with a regular diagnostic of potential vulnerabilities in current systems. Data security plans are important to establish secure data storage and firewalls, governance for classifying and handling sensitive information, and processes for maintaining confidentiality and complying with regulations (GDPR, HIPAA, etc.).

Sixty-four percent of Life Sciences executives reported that currently it takes “months to a year” to identify a breach.[5] Putting in place controls and performance thresholds to monitor systems is critical to mitigating impacts and improving response and recovery. For example, a biopharmaceutical company recently analyzed key business threats and translated them into a library of 80+ metrics that, in aggregate, enables visualization of whether their security program is meeting targets. This view helps both security and non-security executives keep a pulse on cyber performance.

Finally, ensuring all employees are well-trained on data protection and security helps to limit the entry points for cybercrime and improves detection. This is not a once-a-year exercise. Life Sciences companies have engaged in ‘advanced adversary simulations’ and hackathons to probe for vulnerabilities and test the organizations’ ability to detect and respond.

Respond

The Life Sciences industry has experienced digital disruption across the value chain, with technology solutions being integrated into all areas of business, thus increasing the volume of data and the inherent risk of cyberattack. For example, connected devices and other Internet of Things (IoT) solutions can require integration between Life Sciences companies’ and healthcare systems’ electronic medical record (EMR) platforms. This connectivity provides more gateways for malicious or unauthorized third parties to gain access to biometric data directly linked to medical records. These integrations add complexity to a rapid response when a data breach occurs.

Cybersecurity agreements should be in place with any third parties to support a coordinated response. Inefficient internal and external processes can make it difficult to stop the spread of attacks, so integrated communication across impacted business areas as well as any impacted third parties is key to enabling emergency measures.

Recover

Only 32 percent of Life Sciences executives feel that they can accurately measure the impact of a security breach.[5] The definition of baseline metrics (e.g. number of exposed records) enables organizations to measure their response and certify recovery to both internal and external stakeholders. Following an attack, organizations should conduct an assessment of the attack and patch or repair vulnerabilities as required to learn from each event. Each incidence of a data-related threat should inform future response tactics, driving continuous improvement of data security.

A well-defined resilience plan will enable Life Sciences organizations to effectively respond to a data breach. Preparation and planning driven out of the C-Suite allows the business to structure an efficient and positive response that ultimately reinforces customer and shareholder trust. Demonstrating deliberate response and rapid recovery can foster rather than destroy market confidence. As the threat of disruption increases with data becoming increasingly fundamental across Life Sciences organizations, resilience emerges not only as a necessary response tactic, but also as a strategy to sustain and drive future growth.

[1] Accenture Cost of Cyber Crime, 2017

[2] Accenture Security Index, 2017

[3] CNBC, ‘Global investors lose billions to cyber attacks’

[4] Ponemon Institute, Cost of Data Breach Study

[5] Accenture High Performance Security Report, 2016

Erin Rajtik

Business Manager – Accenture Strategy, Life Sciences
