ipopba/istock via Getty Images
Pharmaceutical Supply Chain Cybersecurity Risk Tops $31M Annually
Ransomware threat actors have shifted their focus to pharmaceutical supply chains in recent years, with 12% of pharma industry vendors likely to incur a ransomware attack annually.
Ransomware susceptibility for pharmaceutical manufacture supply chain tops $31 million annually, according to new research from Black Kite.
Black Kite’s 2021 Ransomware Risk Pulse: Pharmaceutical Manufacturing looked into cybersecurity posture of the 200 largest global pharmaceutical companies and 166 of their commonly associated vendors.
Researchers found that while pharmaceutical companies generally reflect a “good” overall cyber risk rating, ransomware threat actors have shifted their focus to pharmaceutical vendors and supply chains in recent years.
For example, one in ten global pharmaceutical manufacturers are at high risk of ransomware attack annually. And over 12 percent of pharmaceutical industry vendors are likely to incur a ransomware attack.
Phishing attacks, which commonly use leaked credentials, have historically been the leading attack vector in ransomware attacks. About half of pharmaceutical companies (47 percent) have over 1,000 leaked employee credentials exposed on the deep web.
In the report, Black Kite’s ransomware susceptibility index (RSI) for pharmaceutical companies ranged on a scale from 0.0, the least susceptible to ransomware attacks, to 1.0, representing the most susceptible to attacks.
But researchers emphasized that RSI score does not mean that a company is immune to ransomware attacks completely.
About 9.5 percent of the top 200 global pharmaceutical manufacturers and 12.2 percent of pharmaceutical industry IT solutions providers registered an RSI above the threshold of 0.6.
Notably, the group that poses the greatest risk to pharmaceutical manufacturers is data management vendors, at an annual risk of $6.2 million. The RSI for over 42 percent of pharmaceutical data management vendors exceeds 0.6.
Overall, data management vendors had slightly more credential-related issues, vulnerabilities due to out-of-date systems, and publicly visible critical ports. According to researchers, this increase in risk is due to restricted IT security budgets and resources for data management companies.
In the analysis, pharmaceutical companies were tiered based on their market capitalization value.
Data was collected from various open-source intelligence sources located in the Ransomware Susceptibility Index, including internet-wide scanners, hacker forums, and the deep web.
Researchers derived a formula for the cost of a ransomware attack based on the correlation with a pharmaceutical company’s revenue. Then, they calculated the probable financial impact for each pharmaceutical company from what they call a “loss event frequency,” which is the cyber event frequency a company is likely to have within a year.
Overall, the average annual cybersecurity financial risk for pharmaceutical companies is over $31 million.
But the financial impacts of ransomware attacks go beyond the ransom payments themselves, researchers explained. The impacts can include replacement costs, halting business operations, productivity losses, forensic costs, legal costs, and lost business due to a lack of patient trust.
Over 5 billion people rely on at least one product manufactured by the pharmaceutical industry, including over-the-counter pain medication, a cancer drug, or a COVID-19 vaccine.
Any interruption in manufacturing lifesaving drugs or therapies, such as a cyberattack on a pharmaceutical company, would pose a great threat to many individuals.
Therefore, researchers suggested five ways that companies can adopt a risk-aware approach for vendor ecosystems, including:
- Understanding the “crown jewels” of the company, like IP theft
- Understanding overall risk and adopting quantitative approaches to risk management strategy
- Understanding third parties and their associated risk
- Adopting an incident response strategy for post-breach
- Engaging with the company’s board in cybersecurity risk
“We have seen how ransomware attackers can shut down a gasoline pipeline in the past week. Imagine if a ransomware attack halted a manufactured COVID-19 vaccine hostage or stopped the production of vital chemotherapy drugs,” Bob Maley, chief security officer at Black Kite.
“Billions across the globe rely on pharmaceutical manufacturers. Ransomware attacks on 10% of the globe’s pharmaceutical companies could have an immense impact,” Maley concluded.