As COVID-19 cases continue to rise in the U.S., the global race is on for a vaccine to help society safely return to normal. The U.S. government alone has already invested nearly $11 billion in vaccine trials to secure enough doses once a vaccine is deemed safe and effective— however, this investment is at risk due to some potentially serious cybersecurity issues by the organizations conducting the research.
With the stakes for a coronavirus vaccine being particularly high, even basic security issues can have detrimental consequences on a global scale. There is clear evidence that foreign nations like Russia have attempted to meddle in U.S. business before, and are now turning their eyes toward the effort for a COVID-19 vaccine.
They are not the only nation-state looking to capitalize on the weaknesses of organizations racing for a vaccine. It’s important that these pharmaceutical organizations researching a vaccine are taking the right steps toward a strong security posture to prevent interference in their research from bad actors.
Recent research found that 17 of the top pharmaceutical companies working on COVID-19 vaccines have significant cyber issues. An alarming number of these companies have had compromised systems in the past year.
For instance, in the past six months, eight companies have been potentially exploited, and another eight have been infected with a botnet. This means only one of the 17 top pharmaceutical companies survived simple attack mechanisms.
The research also found that 14 of these companies have vulnerabilities. Some of these are worse off than others: six were classified as “very serious” (with a CVSS score greater than nine), and 10 have more than 10 different active vulnerabilities that STILL remain unaddressed.
Lastly, seven of these companies have open RDP ports — the same kind that were impacted by last year’s Bluekeep vulnerability. Of the services that could be exposed outside of a company’s firewall, Microsoft RDP is among the most worrisome. Recently, ransomware operators have been probing open RDP ports to try to infect corporate networks, which could cause major financial and overall problems for a pharmaceutical company.
Many of the issues that were found were basic level security issues — most of which could be compromised by just an amateur hacker. It’s important for these bioscience companies to step up their cybersecurity, or risk having their research, intellectual property, and clinical trial subjects’ personal data exposed.
The reality is, however, it’s not amateur hackers who are looking at these companies. Earlier this summer, the American, British and Canadian governments accused Russian-intelligence linked Cozy Bear of targeting pharmaceutical organizations. Shortly after, the U.S. indicted two Chinese hackers of trying to compromise vaccine research firms, which could pose a significant setback on a vaccine.
While these are just two recent examples of foreign interference into a vaccine, they won’t be the only incidents. The attack vector against these companies is huge, and as hackers loom, opportunity remains ripe. Quite frankly, there isn’t just a vaccine race going on, but a war — and the U.S. will lose if its pharmaceutical companies don’t step up their security and ensure they are following even the most basic security practices.
Reworking a security program does not need to be an extremely cumbersome undertaking. There are a number of basic steps that organizations can take to ensure they are practicing strong cyber hygiene and not giving attackers an easy in. One of the most important steps security teams can take is establishing a security performance management program.
An efficient program can help to provide continuous insight into cyber risk, drive efficiency and scale, introduce cost savings, and bring continuous improvements into the company’s overall cyber health. Gaining a deeper level of visibility into what’s happening on your businesses network means that security teams can have data-driven, risk-focused conversations with key stakeholders.
Not only do security teams at pharmaceutical companies need to continuously measure the vulnerabilities in their own data, but they must also utilize automated tools to continuously measure and monitor the security performance of the parties they partner with. Given that these companies will be partnering with a number of third-party providers, including those that will distribute vaccines, it’s important to remember that third-party ecosystems are expanding rapidly — so security teams must do their necessary due diligence in any third-party risk management programs they’re running.
Pharmaceutical companies’ weak security infrastructures are in danger of creating an even deeper human health crisis when it comes to the race for a vaccine. Without proper security hygiene and implementation of security performance management and third-party risk management programs, other countries are almost certain to succeed, and the U.S.’s major pharmaceutical companies will be breached. If this happens, these companies’ efforts will be ruined, and the country is a long way from the end to this pandemic.