Study Shows Magnitude of Cybersecurity Vulnerabilities at Big Pharmaceutical Companies

Reposify, an external attack surface management platform provider, has posted the results of research about security vulnerabilities at pharmaceutical companies which reveals the great majority of pharma companies have unsolved vulnerabilities that are placing sensitive information and internal systems at risk of exposure.

The study was performed to evaluate the frequency of breaches of services, unpatched CVEs, sensitive platforms, and other security problems. Data assessed for the Pharmaceutical Industry: 2021: The State of the External Attack Surface Report was compiled over a two-week time period in March 2021 and included 18 of the top pharmaceutical firms around the world and over 900 of their subsidiaries.

Pharmaceutical firms keep substantial amounts of sensitive personal information and extremely important drugs and vaccine research information. Because of that, they are an appealing target for cybercriminals. Throughout the COVID-19 pandemic, nation-state hackers focused on pharma and biotech companies to obtain access to sensitive COVID-19 studies and vaccine development information.

Based on IBM Security/Ponemon Institute’s 2020 Cost of a Data Breach Report, pharma and biotech companies had an increased rate of security cases in 2020. 53% of the incidents were due to malicious activity. On average, the cost of a pharmaceutical data breach in 2020 was $5.06 million while the average time it takes to detect and control a breach was 257 days.

Because the pandemic brought about a rush to level up and digitize, the digital footprints of pharmaceutical firms have expanded even more creating a lot of new blind spots that attackers can and did quickly exploit to gain access to confidential, highly sensitive information.

In 2020, numerous mergers and acquisitions have happened as bigger pharmaceutical companies bought smaller firms in the industry. These smaller companies were usually focused on quick development and flexibility, which frequently meant inadequate resources were spent on cybersecurity. M&A transactions consequently had bigger possibilities to bring in serious security risks.

Reposify researchers examined 2020 M&A transactions and discovered in 70% of instances, the newly obtained subsidiary had a bad effect on the parent company’s security posture. The vulnerabilities presented were frequently significant, or in certain cases, lots of sensitive data compromised and unpatched solutions.

The researchers examined the incidence of key problems which are obvious externally and could possibly be exploited by cybercriminals, such as misconfigured databases and cloud solutions and unpatched vulnerabilities in software programs. The high severity security problems per organization had a median number of 269, while critical severity issues per organization had a median of 125.

Important information from the report consists of:

  • 92% of pharmaceutical firms had a minimum of one exposed database that was possibly leaking information.
  • 76% had a compromised RDP service.
  • 69% of exposed services found were categorized as being a component of the unofficial network perimeter.
  • 50% of pharma companies had a compromised FTP with unknown authentication.
  • 46% of pharma companies had a compromised SMB service.

Pharmaceutical firms need to solidify their security and make it harder for attackers to acquire a footing in their systems, explains Reposify. This initiative should start with getting a clear perspective of their outside attack surface and constant tracking and removal of risky attack vectors. The report additionally pointed out the significance of doing pre-acquisition cybersecurity research, such as mapping and investigation of the acquisition target’s outside attack surface.