Biotech companies like Repligen are attractive targets for cybercriminals (possibly with high-level sponsorship from certain nation states) who intend to steal intellectual property or other confidential data. However, Richard Richison was as concerned about opportunistic attacks as about more targeted threats.
“Our biggest goal is to keep threat actors out, so ransomware is a key thing we need to protect against. We spend a lot of time protecting end users through security awareness training, because all it takes is one click on a bad link to let a threat actor in,” Richison said.
This end-user training is an essential part of Repligen’s cybersecurity strategy. The annual ten-minute cybersecurity awareness booster is still surprisingly prevalent despite broad agreement that it is, at best, ineffective; it is not a tactic Repligen recommends.
The company conducts a monthly simulated phishing attack on all end users – including later.
Risk assessment and roadmap
According to Richison, while Repligen has always been extremely security conscious, until a few years ago the security stack was siloed and ad hoc.
“We had all the tools we were supposed to have, but we didn’t fully understand our attack surface,” he said.
“We have data centers and on-premises assets in AWS and Azure. Just being able to understand the threats within all of these hybrid infrastructures was a challenge. It was also being able to understand the scope of shadow IT. Users set up their own Dropbox; what were they putting there? They were logging into Gmail from corporate devices. Why? It was a matter of understanding what we had, where it was, and what those devices were communicating with.”
Finally, last year, Repligen hired a third party to assess its entire security program. They decided on a security framework consisting of 20 controls. The third party covered each of these controls and how Repligen measured up against them. A roadmap was then created to present at the board level so that priorities could be chosen and the right tools and automation put in place.
Regulations differ around the world. How is a global organization like Repligen affected?
“As a global company, we need to be GDPR compliant. However, we are not regulated by the FDA, so the only real regulation we are subject to is Sarbanes-Oxley. We do, however, take GDPR very seriously and consult with a law firm to ensure compliance. The state of California has its own version of GDPR which we follow as well.”
Richison also mentioned the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
“CISA has done a lot of good things in terms of raising security awareness. They announced that they were going to require public companies to have a person responsible for security present to the board of directors, in the same way as the finance teams had to after Enron. We already do, and board leaders are aware of the security policies and controls we have in place.”
Richison had an interesting view of the risks posed by third parties and supply chains, something that figures prominently in many security strategy discussions right now. The July 2021 attack on software vendor Kaseya is a good example of this type of attack: Kaseya VSA is a remote monitoring and management tool used by MSPs and other third parties to administer their customers’ systems, so compromising that one product let the attackers push ransomware to over a thousand downstream businesses at once. That leverage is exactly what makes a supply-chain target attractive to criminals. However, Repligen managed to avoid the worst.
“Our Kaseya infrastructure is not connected to the internet. We upload and patch manually. One way to mitigate risk is to not completely depend on third parties. We don’t assume they are protected. Everyone is at risk, including them.”
The weakest link
Repligen’s end-user awareness training is a fundamental part of their cybersecurity roadmap. Users are targeted for additional training based on their responses to simulated phishing attacks conducted by the company.
“Our security awareness training platform uses AI. It’s based on user behavior over the previous months so we can identify where the risks are and focus on that. We also have a specific training for finance and customer service employees as they are exposed to greater risks. They get their own special training.”
Repligen also runs mandatory quarterly awareness training for everyone, regardless of role or behavior. Until they complete 100% of this training, users continue to get reminders, which escalate if the training is ignored. The company also has digital signage at each global location, with security reminders that rotate from screen to screen throughout company spaces.
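The approach described in the last three paragraphs (monthly simulations, a risk score built from each user’s behaviour over the previous months, extra training for the riskiest users and for high-risk roles) can be expressed as a small scoring routine. The following is an added example written for this page; it is not Repligen’s code and the article does not describe their platform’s actual algorithm. The event weights, the monthly decay factor, the six-month lookback, the targeting threshold and the sample results are all assumptions chosen for illustration.

```python
"""Risk-based targeting of phishing-simulation results (added example).

Assumed model (not from the article): each monthly simulation yields one
record per user recording the user's role and what they did with the lure.
Outcomes are weighted by severity and decayed by age, so recent behaviour
dominates the score. Users above a threshold get remedial training; users
in high-risk roles get role-specific training regardless of score.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Severity weights (assumed values): clicking is bad, entering credentials is
# worse, and reporting the lure earns credit against older mistakes.
EVENT_WEIGHT = {
    "reported": -1.0,
    "ignored": 0.0,
    "clicked": 2.0,
    "submitted_credentials": 4.0,
}
MONTHLY_DECAY = 0.7            # each month of age, an event counts 70% as much
LOOKBACK_MONTHS = 6            # events older than this are ignored entirely
HIGH_RISK_ROLES = {"finance", "customer_service"}   # roles singled out in the article
TARGET_THRESHOLD = 2.0         # assumed cut-off for remedial phishing training


@dataclass(frozen=True)
class SimResult:
    user: str
    role: str
    month: date      # first day of the month the simulation ran
    outcome: str     # one of the EVENT_WEIGHT keys


def months_between(later: date, earlier: date) -> int:
    """Whole-month difference, ignoring the day of month."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def risk_scores(results: list[SimResult], as_of: date) -> dict[str, float]:
    """Decay-weighted risk score per user over the lookback window."""
    scores: dict[str, float] = defaultdict(float)
    for r in results:
        age = months_between(as_of, r.month)
        if age < 0 or age >= LOOKBACK_MONTHS:
            continue                      # future record or outside the window
        scores[r.user] += EVENT_WEIGHT[r.outcome] * (MONTHLY_DECAY ** age)
    return {user: round(score, 3) for user, score in scores.items()}


def training_plan(results: list[SimResult], as_of: date) -> dict[str, list[str]]:
    """Extra training modules to assign to each user."""
    plan: dict[str, list[str]] = defaultdict(list)
    roles = {r.user: r.role for r in results}
    for user, score in risk_scores(results, as_of).items():
        if score >= TARGET_THRESHOLD:
            plan[user].append("remedial_phishing")
    for user, role in roles.items():
        if role in HIGH_RISK_ROLES:
            plan[user].append(f"role_{role}")
    return dict(plan)


# Constructed sample data (not real users or results).
SAMPLE = [
    SimResult("alice", "finance", date(2024, 1, 1), "submitted_credentials"),  # old, decays
    SimResult("alice", "finance", date(2024, 5, 1), "reported"),               # recent credit
    SimResult("bob", "engineering", date(2024, 5, 1), "clicked"),
    SimResult("bob", "engineering", date(2024, 6, 1), "clicked"),              # repeat clicker
    SimResult("carol", "customer_service", date(2024, 6, 1), "reported"),
    SimResult("dave", "engineering", date(2023, 10, 1), "submitted_credentials"),  # outside lookback
]
AS_OF = date(2024, 6, 1)

if __name__ == "__main__":
    for user, score in sorted(risk_scores(SAMPLE, AS_OF).items()):
        print(f"{user:6s} risk={score:+.3f}")
    for user, modules in sorted(training_plan(SAMPLE, AS_OF).items()):
        print(f"{user:6s} -> {', '.join(modules)}")
```

With the sample data, alice’s credential submission five months ago is almost cancelled out by her recent report, so she is only assigned finance-specific training; bob’s two consecutive clicks put him over the threshold; dave’s incident is older than the lookback window and does not count at all. In a real deployment the weights and decay would be tuned against the organisation’s own click and report rates.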
Richison strongly believes in regular communication with board executives.
“We recently had a board meeting and were able to list the accomplishments of the past year and what we expect for the coming year. The assessment we conducted allowed us to identify a cybersecurity maturity model number. This number has continued to increase for the 20 different controls under our security framework, so that they can see this level of maturity increase every quarter.”