Tackling Cybersecurity Threats in the Biotechnology Industry
With significant investments being made into biotechnology and research and development (R&D), life science organizations are becoming increasingly profitable targets for cybercriminals. Tremendous strides are being made in scientific discovery, and companies must keep pace by managing security risks and protecting scientific data.
One cybersecurity report found that ransomware attacks, in which malware locks users out of their devices or files until a ransom is paid, increased by 485% in 2020 compared to 2019, likely influenced by the COVID-19 pandemic. Additionally, another report found that the average total cost of a data breach in the pharmaceutical industry was $5.06 million.
In light of these rising cybersecurity risks and the threats they pose, Technology Networks spoke to Zach Powers, chief information security officer at Benchling, an R&D cloud platform for the biotechnology industry. We discuss why the biotechnology industry is being targeted by cybercriminals, the importance of data security and how the industry can mitigate these threats.
Sarah Whelan (SW): Can you explain what the Benchling R&D Cloud is, and how it is designed to advance scientific research and development? How can this benefit small academic laboratories through to large-scale biotechnology companies?
Zach Powers (ZP): Benchling was started with a vision of making research and development what it’s meant to be — a collaborative process to turn ideas into scientific progress. In the past few years with the pandemic, this vision has felt more urgent and important than ever. Now, more than 200,000 scientists use Benchling’s R&D Cloud as a central source of truth for biotech R&D to centralize data, improve collaboration and access insights, ultimately accelerating the path to discovery.
Looking to examples of how our R&D Cloud facilitates progress in the scientific community – we helped Syngenta go from data silos to data as an advantage, now with a data infrastructure that serves 90 locations across different languages, regulations and time zones in their mission to build crops that require fewer inputs while producing great outputs. Using Benchling, Syngenta reported a 72% improvement in sharing data across geos and a large team.
SW: What considerations need to be made in terms of data security for these types of cloud-based platforms?
ZP: Biotech organizations generate revenue based on intellectual property, and if compromised, a great deal of revenue stands to be lost. These organizations are also highly regulated due to the potential human impact of their products and complying with regulations can make or break the organization’s ability to compete.
Both of these factors mean that for a cloud-based platform like Benchling, maintaining industry-leading security, privacy and compliance standards for biotech customers is paramount. Enterprise software as a service (SaaS) companies have a responsibility to develop cloud software and infrastructure securely. To do this, they use automated vulnerability management, routine penetration testing, asset management, configuration management, threat detection and response engineering, etc. The end result is that many cloud software products undergo more security scrutiny, on a more frequent basis, than on-premises technologies do. Not all cloud products are the same when it comes to security, but it is becoming increasingly common for enterprise SaaS companies to approach security in this way. When evaluating cloud platforms, customers should evaluate how much an enterprise SaaS company invests in security on an ongoing basis; is there an economy of scale on security that the customer can benefit from?
SW: How important is data security and governance to the industry, and how has this changed over the years as new discoveries are made and biotechnology becomes a more lucrative target for cybercriminals?
ZP: In recent years, threat actors have become more advanced and are highly funded, educated and organized businesses. What’s more, the most dangerous threat actors are being employed by adversaries of the USA and European Union. These organizations are in business to make profits, and many even have revenue targets. They aim to gain illegal access to some of the world’s most sensitive intellectual property for financial gain.
Pharmaceutical companies are now routinely targeted and attacked by these advanced threat actors, and in 2021 almost all (98%) of pharmaceutical companies experienced at least one security intrusion. In fact, over 20% of businesses have lost business-critical data or intellectual property in the last year alone.
It is clear that robust data security and governance are more important than ever, especially as the biotechnology industry continues to increase in value with the influx of valuable data it generates.
SW: What lessons do you think life sciences and biotechnology institutions can take from other industries regarding managing security risks?
ZP: Managing security risks appropriately today requires engineering, automation, real-time analytics, threat intelligence, significant tooling, etc. It also takes a strategy of applying security throughout an organization, with multiple layers of defense, points of detection and built-in response options. This level of investment can seem daunting, but against adversaries who are well funded and are singularly focused on their targets, doing less only makes it easier for a threat actor to accomplish their goals. In the security industry, we often talk about the “cost to the attacker” and how appropriately investing in security can raise the cost sufficiently to either deter an attacker or slow down their attacks sufficiently for detection mechanisms to trigger and response plans to be executed. Threat actors consider the cost to carry out an attack; it is a business after all. Biotech institutions have the ability to influence that cost model.
When evaluating whether to invest in security at this level, many life sciences and biotech institutions have sticker shock — as the cost of security is rising rapidly year over year. The advice I give biotech institutions is to look at how many other industries have taken advantage of the economies of scale that mature cloud computing companies can offer on security, resiliency, disaster response and more. If a biotech institution is not ready to invest materially in security themselves, building out the type of world-class security program and capabilities necessary to protect data today, then they can still get secure outcomes by moving their data and workflows into cloud platforms that have invested materially in security. More times than not, mature cloud platforms have invested orders of magnitude more in security than their customers do and continue to on an ongoing basis. No security strategy is perfect, but a strategy that takes advantage of the economies of scale on security that mature cloud platforms provide tends to fare far better than not.
There is another fundamental benefit to approaching security in this way. The adoption of a cloud-first strategy can significantly increase a biotech institution’s data liquidity. Cloud architectures excel at enabling data to be found, to be accessed by those who need it, be interoperable between disparate systems and to be reusable. These are known as the FAIR data principles. It is a key focus for biotech institutions today, which have struggled with data residing in disparate, on-premises silos for years.
We can again draw lessons from many other industries, looking at how they evolved and profited from greater data liquidity. For example, enterprise SaaS, banking and healthcare each came to view cloud computing and more modern security as keys to unlocking data liquidity, supporting rapid growth and unparalleled innovation. If data liquidity is the destination, then the easiest road to take is via cloud computing and data platforms. Cloud computing and data platforms bring consistency in data modeling, easily allow for programmatic interfaces, allow for easier governance and security assurance and allow people to find, access and use data readily.
SW: What changes do you think are needed in the future to ensure data security as science advances? What are the biggest challenges that need to be addressed?
ZP: One of the biggest challenges I see is a distrust in cloud technology, which is, unfortunately, a more common sentiment in biotech, particularly in Europe. A lot of biotech institutions are still adhering to a security strategy from the late 1990s, using on-premises technology and essentially using firewalls as the first and only line of defense. More times than not, maintaining an on-premises strategy exposes you to more risk because 100% of the security responsibility and resourcing is on you. Most companies that distrust cloud computing are actually less secure than the cloud providers they distrust.
There are many myths about whether or not cloud computing is secure and it’s important to separate fact from fiction. When we look at breach statistics, nothing in the data says that on-premises technologies are more secure. But beyond taking a data-driven approach to making security decisions, the most important lens I can offer to change attitudes around the security of cloud computing is that of economies of scale. Companies that adopt cloud and enterprise SaaS take advantage of economies of scale on security that modern software companies provide. Enterprise SaaS companies have a responsibility for security, and they have security capabilities and teams beyond what most companies can afford.
It’s the same with Benchling: security is an integral part of the product we’re offering to our customers. To this aim, we invest far more in security than most customers can afford to, and we have an abundance of expertise. Benchling embeds security engineering into our software development lifecycle and cloud infrastructure operations. Vulnerability testing happens daily, all code checked into production undergoes security testing and any security issues found are fixed within industry-leading service level agreements.
Biotech institutions can get a more secure outcome by taking advantage of cloud software and platforms. We take care of the hard stuff in security so that our customers can focus on advancing science and delivering humanity-impacting products.
Zach Powers was speaking to Sarah Whelan, Science Writer for Technology Networks.