Pharma manufacturers are especially reliant on intellectual property (IP). The formulas behind their products are closely guarded because any leakage can result in a loss of competitive advantage or, worse yet, the rise of counterfeits. Unfortunately, this IP is worth a lot of money, which is why the industry is exceptionally exposed to bad actors — both external and internal. Ultimately, threat actors are after one thing — money.
When monitoring for one of our pharma clients, we observed access to the client’s IP — in this case, formulas — being sold on the dark web. Upon further investigation into the matter, we determined that the threat actor had engaged multiple potential buyers, so there was no guarantee that even if the client successfully negotiated a deal, the threat actor would not sell access to someone else.
This is one of the reasons why a professional threat negotiator can help — threat actors should not be trusted. Just because they say “I’ll give access to the highest bidder” does not mean they will. After further investigation, we determined that the threat actor was actually an employee at the client organization.
Compounding the problem is the fact that there are currently a variety of 'do it yourself' cyberfraud kits for sale that lower the bar for committing a cybercrime, including insider threats. This means that virtually anyone, including insiders, can become a threat actor, increasing the probability of cyberfraud.
How IP can be compromised
In the case noted above, we notified the client that access to their formulas was for sale on the dark web. From there, a further investigation could ensue, and the insider could be stopped before he or she caused irreparable damage. The lesson from this is that the sooner a company can learn its IP is for sale, the sooner it can act and mitigate the financial, competitive and brand damage caused by having its IP made available through unlawful means.
While this is one example of how IP can be compromised, there are several ways in which threat actors can target pharmaceutical IP. They can steal IP through ransomware attacks and associated data breaches, tgain access to networks and sell 'initial access, or simply approach an insider and offer them money to take IP. One factor cuts across any approach — money.
Threat actors target pharma manufacturers’ IP because it is so lucrative. They can sell it back to the company they stole it from, or they can sell it to counterfeiters or even competitors. Or they can do all of the above. They will potentially lie, cheat and steal, and will do whatever they can to make money. Just because they say they’re not marketing your IP to other parties, does not mean they aren’t, or won’t still.
Steps to protecting IP
So, what can pharma manufacturers do to protect their IP? They need to be cognizant of the risks to their cybersecurity infrastructure and the IP it protects. Specifically, here are some points to think about when protecting IP:
- Prevention: To say an ounce of prevention is worth a pound of cure is an understatement when it comes to IP. A key aspect to prevention is understanding the vulnerabilities attackers are likely to exploit. This obviously includes knowing about vulnerabilities in your own infrastructure and patching them accordingly. It also includes understanding the intent of attackers — are the groups attacking similar organizations to yours, or are they focused exclusively on yours? This can all be discovered through cyber intelligence.
Unfortunately, many vendors have overused this term and may not be able to provide this information. In contrast to 'dark web monitoring' services, high-fidelity cyber intelligence services not only locate stolen IP, but also interact with the actor to understand that the threat and payment offer are legitimate. This type of cyber intelligence also generally helps clients understand less visible weaknesses in their own security infrastructure, as well as the groups that are most likely to target them. Most of all, true cyber intelligence should be immediately actionable to make your organization more secure.
- Early detection: In many cases, such as the insider threat above, the first sign of a breach is when stolen data, inappropriate access, or even actual substances — like raw material — is made available for sale on the dark web or other channels. The earlier this information can be identified, the less damage it is likely to do.
The first step is to identify stolen IP (whether it’s a formula, data or an actual substance) and understand who the threat actor is. Is it an insider, or a group with a track record of similar attacks, a group with a history of not living up to its promises, or a 'lone wolf' who has a limited track record and is just looking to make some quick cash?
It’s important to engage these actors appropriately, so they can be properly vetted and guided toward an appropriate resolution. There is real danger in not engaging with threat actors appropriately, because not interacting, or improper interactions, may do more harm than good. - Resolution: Many organizations do not take the proper steps to understand how an IP breach occurred and how to remediate it. This is why so many organizations are plagued by multiple breaches — unless the vulnerability is addressed, other attackers can use the same approach to execute a breach. Even worse is when the same group 'goes back to the well' to penetrate a victim again. Every breach should include an action plan for ensuring it does not happen again.
Pharma manufacturer's IP will always be a 'holy grail' for attackers because it is worth a lot of money, and victims are likely to pay to get it back. By taking the steps outlined above, companies can improve their ability to protect IP and minimize the damage to their company when things go wrong.
