Education or Security Technology… which makes companies more secure?

Kurt Haynes • 1 September 2023

There are so many good reasons to communicate with site visitors. Tell them about sales and new products or update them with tips and information.

Some organisations believe that security should be done by their IT department and no one else needs to be involved. In reality, every single member of the organisation is responsible for security and usually the IT team is the least vulnerable part of the organisation. If the organisation does not look at information security from the top down then most efforts will fail. The most secure technical controls will be let down by the employees who are not educated or aware enough about social engineering, handling sensitive information or adhering to the obligations of the contracts with clients. Both fundamental information security awareness and buying off-the-shelf technology are important for improving security. However, they are not mutually exclusive and should be used in combination to create a comprehensive and effective security strategy.

 

Fundamental information security awareness is essential because it helps employees and stakeholders understand the importance of security and the role they play in protecting sensitive information. This can include training on topics such as password hygiene, phishing scams, and social engineering tactics. By raising awareness and providing education on these topics, companies can create a culture of security where everyone understands the risks and takes responsibility for protecting their data.

 

On the other hand, off-the-shelf technology can help companies implement specific security controls and address specific threats. For example, a company may purchase a firewall or antivirus software to protect against malware and other cyber threats. These tools can help companies detect and prevent attacks and provide an additional layer of defence against cybercriminals.

 

Ultimately, both fundamental information security awareness and off-the-shelf technology are important components of a comprehensive security strategy. While technology can help mitigate specific risks, it is only effective when combined with a strong security culture and awareness program. Conversely, without the right technology, even the most security-aware employees may be vulnerable to attacks. Therefore, it is important for companies to invest in both awareness training and security technologies to create a well-rounded and effective security program.



Kurt Haynes MSc CISSP CCSP CISM CDPSE

The Pharma industry is not as serious about security as it should be… Why?

by Kurt Haynes 3 October 2023
There are several factors that may be holding the pharma industry back from better information security practices: Resource constraints: Many pharma companies may not have the resources or expertise to implement the latest security technologies and practices. This can leave them vulnerable to attacks and data breaches. Lack of awareness: Some pharma companies may not be fully aware of the extent of the cybersecurity threat landscape and the potential risks to their business. This can lead to complacency and a lack of investment in cybersecurity measures. Legacy systems: Many pharma companies rely on legacy systems that may not be compatible with newer security technologies. This can make it difficult to implement effective security controls and upgrade their cybersecurity infrastructure. Complexity: The pharma industry is highly complex, with numerous stakeholders and a vast amount of sensitive data that must be protected. This complexity can make it difficult to implement effective security controls and ensure that all stakeholders are following best practices. Regulatory compliance: While regulatory compliance is important for protecting patient data and ensuring the safety and efficacy of drugs, it can also be a barrier to implementing new security technologies and practices. Compliance requirements can be complex and time-consuming to meet, which can divert resources from other security initiatives. Perception: Many decision makers in the industry who are not knowledgeable enough about information security and the risk based approach, assume that more security means more steps to complete a task and a bad user experience. They do not realise that in most cases the best practice either replaces insecure steps rather than adding more or the user experience can be made more secure and easier for the user by embracing newer technology. Overall, the pharma industry must overcome these challenges to implement better information security practices and protect their critical assets from cyber threats. This will require a concerted effort from all stakeholders, including industry leaders, regulators, and cybersecurity experts. Kurt Haynes MSc CISSP CCSP CISM CDPSE

Zero Trust in Pharma

by Kurt Haynes 7 August 2023
In recent years, the pharmaceutical industry has experienced a significant increase in cyber attacks, with hackers looking to steal valuable data and intellectual property. They target large top 20 companies, service providers, smaller consultancies and micro companies that specialise in output that may be a small deliverable to larger projects. Any part of the ecosystem is a potential target. In response, many pharma companies are turning to Zero Trust security models to protect their critical assets. Zero Trust is a security model that assumes all users, devices, and network traffic are untrusted and must be verified before granting access to any resources. This approach differs from traditional security models that rely on perimeter defences and assume that once a user is inside the network, they can be trusted. This is a large shift for many organisations especially since many in the industry do not even adhere to basic security principles like least privilege. The principle of least privilege means that only the minimum required access to resources is granted and no more. The Zero Trust model can be implemented through a combination of tools, such as multifactor authentication including conditional access, network segmentation, access controls administered on the resource and more. By using these tools, pharma companies can ensure that only authorized users and devices are accessing their networks and data. The model extends to systems that automatically access resources without interactive human intervention. One of the primary benefits of the Zero Trust model is that it allows pharma companies to protect their critical data and intellectual property from both internal and external threats. For example, if an employee's device is compromised, Zero Trust will prevent the attacker from accessing sensitive information, even if they have already gained access to the network. Another advantage of the Zero Trust model is that it can help pharma companies meet regulatory compliance requirements. The pharmaceutical industry is heavily regulated, so companies must comply with numerous laws and regulations governing the storage, processing, and transmission of patient data. The Zero Trust model provides a framework for implementing security controls that can help pharma companies meet these requirements. The Zero Trust model represents a new paradigm for cybersecurity in the pharmaceutical industry. In many organisations especially the micro ones with less than 50 people, security is not taken seriously enough. Many of these sized organisations, especially in the US, believe that they are too small for anyone to check how effective their security is, but this is not true when they have to work with other organisations that take security seriously. Also attackers look for weak links in the supply chain so these micro companies are often easy targets. By assuming that all users, devices, and network traffic are untrusted, pharma companies can implement robust security controls that protect their critical data and intellectual property. As the threat landscape continues to evolve, pharma companies must embrace new security models like Zero Trust to protect their business interests. Kurt Haynes MSc CISSP CCSP CISM CDPSE