Dear members and friends,
The biomedical industry is increasingly taking note of the risks and costs of cyberattacks. In late June, a number of biopharma companies, including a global industry giant, were hit by a well-publicized worldwide hack. The companies were denied access to data as ransomware demands flashed on their screens, and they faced the risk of exposure of proprietary and competitive scientific and commercial information.
Closer to home, some of you may remember that last spring my own email address list was hacked, despite protection on my office computer, and certain addresses were used as the basis of a phishing scheme.
We asked around, received recommendations, interviewed folks, and ultimately engaged BlueStone Analytics of Charlottesville to provide a cybersecurity assessment and implementation plan to Virginia Bio. The firm has done similar work for some of our member companies.
The firm undertook a series of interviews with staff, inspected our hardware and work patterns, performed a dark web threat intelligence collection, a vulnerability scan of networks and a security architecture review, launched a simulated attack on our system, and finally prepared and delivered to us a Cybersecurity Assessment Report on the first of August.
Most importantly, the firm’s report contains a Security Action Plan, which lists nine specific recommendations and additional options to improve our security, encompassing not only the computers and network in our office, but also our mobile devices and cloud-based support.
The first seven items were highly recommended, and I am pleased to report that all seven recommendations have been completed or are underway. We have implemented universal two-factor authentication (2FA) for all staff; we have changed the passwords on printers and other peripherals, which are an attractive opening for cyberattacks; we have installed uniform end-point protection for all devices; we have resumed a practice of regular and systematic data backup; we have turned on device encryption on our mobile devices; and all staff have begun using a Virtual Private Network (VPN). All staff have also started a course of cybersecurity training, which will span several months.
The above recommendations have been implemented for all devices used by all four Virginia Bio employees. In the FY 2017/18 budget recently approved by the Board, we budgeted for these and other improvements. We believe we owe this to our member companies and to the industry at large. If you have questions about the tools or software we’ve used and our experience with them, please contact Sherri Halloran.
We’ve asked BlueStone Analytics to help us put on a series of webinars in the fall focused on cybersecurity for startup and scale-up bioscience companies, and access to the webinars will be made available to members free of charge. We will invite you to join the webinars, become aware of the risks and learn about steps you can take to significantly reduce the risk, so watch for an invitation in the coming weeks.