Interview on Cybersecurity Risk in Emerging Life Science Organizations with Mark Schafer

Think your Biopharma startup is “too small” for cybersecurity risk?

We see it all the time. Read these real cybersecurity breach stories told by Mark Schafer, vCISO, SVA Life Sciences.

Mark Schafer is the Chief Information Security Officer (CISO) for SVA Consulting, LLC, a member of the SVA family of companies. In addition, Mark serves our clients as virtual CISO (vCISO), a service designed to make top-tier security analysts available to your organization for security expertise and guidance.

Mark is a recognized consultant and leader in security program design and build, ensuring the security strategies he deploys are in alignment with clients’ business objectives. He is experienced in risk assessment and management, compliance and facilitation of executive and BoD level discussion of these topics. He engages with a diverse group of organizations including healthcare, government agencies, manufacturing and nonprofit organizations.

Mark frequently draws from his personal experiences with cybersecurity risk in speaking with clients to emphasize the imperatives of data security in any size organization.

In this Q&A, Mark describes security breach scenarios that have happened to emerging Life Sciences organizations, his recommendations for prevention, and what similar organizations should take away from what happened.

Interview on Cybersecurity Risk in Emerging Life Science Organizations with Mark Schafer

Question: Can you describe the cybersecurity breach situations you witnessed with emerging Life Sciences organizations?

Mark: It’s important first to note that in the early stages, emerging Life Sciences companies make zero revenue. Some of these organizations have maybe 100 employees. That said, they really can’t afford the monetary loss a cybersecurity breach can cause. However, despite zero revenue, but because these organizations are known to have investment funding, they are a target. We have specifically seen targeting of the CEO, where a hacker “spoofs” this person and essentially pretends to be them.

In one case, a hacker used email to contact an employee and ask them to buy e-gift cards and to then send them to another email address. In a more serious case, however, a very well-scripted fake email from the CEO was sent to the Controller. This email asked the Controller to wire a large sum of money ahead of a meeting the CEO was attending. The scary part was, in that email, there were elements of truth. The hackers knew the CEO was on a plane, and they knew he was going to a foreign country for a specific meeting. Luckily, the Controller decided to run it past the CFO to make sure it was in fact a legitimate request. Thankfully they discovered it was not.

Unfortunately, I observed another situation at a different, yet similar organization and similar email spoofing a CEO where someone actually ended up wiring $250,000 because they didn’t question the request.

Question: What steps should emerging life sciences organizations take to prevent cybersecurity breach situations like this?

Mark: As ridiculous as these stories sound, they are 100% preventable with the right measures in place. People are gullible, much too trusting, and they really just don’t know what to look for without being trained on the risks. I’ve had to live through these situations where people come to me and ask, “What are we going to do about this?”, and trust me, you don’t want to be in that seat. You are much better off being proactive about cybersecurity from the start.

Cybersecurity should be top of mind, especially for pre-revenue clinical development-stage organizations that will soon be on point to deliver security reports to the BoD. Cybersecurity should be an active topic on your executive agenda, you should have a plan for dealing with phishing, and you should have staff appointed to thinking and acting upon compliance risk.

Question: What is the most common misconception when it comes to cybersecurity in the emerging life sciences community?

Mark: The most common misconception is that emerging LS organizations aren’t big enough to be targeted. This can happen anywhere, and like I said, we have seen it happen to incredibly “small” companies over and over. Hackers don’t care if you have 10 employees or 1000, if they can get in and trick someone, they will.

Question: What is one thing that leaders in emerging life sciences should take away from this?

Mark: Don’t think you’re too small to worry about cybersecurity risk. If you don’t have a thorough cybersecurity strategy or you need support in preparing for reporting to the Board, a vCISO can step in and be your surrogate. I’ve spoken with so many people who didn’t realize a vCISO was an option and regretted not finding one sooner.

Question: What practical steps can a Phase 1, 2 or 3 biopharma do to take control of their cybersecurity situation?

Mark: The most practical first step is to take a thorough assessment of your Cyber preparedness. This can be difficult to do on your own; SVA provides guidance through a simple assessment process. The outcome of an assessment will inform your smartest next steps, depending on where you are currently.

Were these stories surprising to you? We want to hear your reactions in the comments. If you’re looking for more information on cybersecurity preparedness or SVA’s vCISO offerings, please contact us.