In my last blog, Preparing your Pharmaceuticals business for GDPR: Protecting your Data from Insider Threats, I talked about ways to mitigate the risks to your data arising from accidental or deliberate actions by staff or third parties who have legitimate access to it.
In today’s blog, I want to talk about the additional precautions you need to take in readiness for GDPR to protect your data from external threats, such as hackers.
In days gone by, a firewall and some anti-virus software were largely good enough to protect your organisation from such threats. In today’s ever evolving, increasingly complex threat landscape, a far more sophisticated suite of technologies, business processes, policies and staff training measures is needed to mitigate the risk from cyber threats.
If we just consider how working practices have changed in recent years, it becomes apparent why a simple anti-virus plus firewall strategy is flawed. For example, do you allow staff to synchronise their emails (which often contain confidential data) to their personal smartphones or home computers? If so, bear in mind that those devices sit outside the reach of your network firewall and anti-virus policies: the controls protect your perimeter, not the data once it has left it. So what happens if one of those devices is infected, lost or stolen? Or if data is inadvertently exposed to the internet because a home PC runs a cloud-based storage or backup program that quietly uploads everything in a synchronised folder?
Remote working and cloud-based services are just two risk areas that traditional IT security measures do not fully mitigate. There is also the constant stream of malware and phishing emails that your company receives. It is important to remember that your security is only ever as good as your weakest link on any given day. That could be the temporary administrative worker who unwittingly opens a supposed “invoice” attachment which turns out to be something much more sinister.
Cyber criminals are also constantly looking for security loopholes in operating systems and software applications that they can exploit, with the result that software vendors like Microsoft release a steady stream of security fixes that need applying to every device on your network. Again, it only takes one laptop or desktop to miss an update, for whatever reason, to leave the firm highly exposed to threats like the recent WannaCry ransomware attack that so crippled the NHS. WannaCry is a case in point: it spread through a Windows SMB vulnerability for which Microsoft had already published a fix (MS17-010) around two months before the outbreak, so the machines that fell victim were largely those on which the patch had not been applied.
Indeed, patch management has become an even more important part of cyber security management in recent times, because some cyber criminals now reverse engineer the patches that vendors like Microsoft publish (a technique known as patch diffing) to work out which underlying vulnerabilities they fix, and then target those vulnerabilities in organisations that have not applied the patches promptly. The practical consequence is that the window between a patch being released and it being exploited can be days, not months. Set a target timescale for applying security updates, and verify against an inventory of your devices that every one of them has actually received them, rather than assuming that automatic updates have done the job.
The reality is that nowadays the only way to effectively secure your data against cyber security threats is by implementing a wide range of technologies, business processes and controls, incorporating things like anti-virus and anti-malware protection, patch management, email filtering, firewall management, encryption, user education, secure wiping of old equipment, remote access policies, website content filtering, mobile device security, penetration testing and much more.
I hope this has given you a useful insight into some of the key areas to consider around cyber security when preparing your pharma business for GDPR. Should you need help assessing your readiness for GDPR, or advice on technology solutions that will assist with GDPR compliance, such as Epoq IT’s MySecurity service, which provides expert security management of all your systems for an affordable monthly fee, please do not hesitate to contact me on (01494) 444065 or email firstname.lastname@example.org.