
Employee security awareness key part of cybersecurity roadmap for Repligen

Biotech companies like Repligen are likely to be a target for cybercriminals (possibly with some high-level sponsorship from certain nation states) intent on stealing intellectual property or other confidential data. However, Richard Richison was as concerned about opportunist attacks as he was about more targeted threats.

“Our biggest focus is keeping threat actors out, so ransomware is a key thing we have to protect against. We spend a lot of time protecting end users via security awareness training because all it takes is one click on a bad link to let a threat actor in,” Richison said.

That end user training is an essential component of Repligen’s cybersecurity strategy. The annual, ten-minute refresher on cybersecurity awareness, which is still surprisingly common despite agreement that it is, at best, ineffective, isn’t a tactic Repligen endorse.

The company conducts a monthly simulated phishing attack on all end users – more of which later.

Risk Assessment & Roadmap

According to Richison, while Repligen has always been extremely security conscious, until a few years ago the security stack was siloed and ad hoc.

“We had all the tools we were supposed to have but we didn’t fully understand our attack surface,” he said.

“We have on-premise datacentres and assets in AWS and Azure. Just being able to understand threats within all these hybrid infrastructure pieces was challenging. It was also about being able to understand the extent of Shadow IT. Users set up their own Dropbox. What were they putting there? They were connecting into Gmail from corporate endpoints. Why? It was about understanding what we had, where it was and what those devices were talking with.”
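The kind of check that surfaces the shadow IT Richison describes is a pass over web proxy logs that flags traffic to unsanctioned cloud storage and webmail per user, weighted by how much data is going out. The script below is an added illustration, not Repligen’s tooling or anything described in the article: the log format (timestamp, user, method, URL, status, bytes out), the sanctioned-domain list and the SaaS category table are all assumptions for this example, and the sample log lines are constructed.

```python
"""Flag unsanctioned SaaS use (shadow IT) in web proxy logs.

Added illustration, not Repligen's tooling. The log format, the
sanctioned-domain list and the category table are assumptions for
this example; the sample log lines below are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed categories of SaaS that commonly show up as shadow IT.
# A host matches on the registrable domain or any subdomain of it.
SAAS_CATEGORIES = {
    "dropbox.com": "cloud storage",
    "dropboxusercontent.com": "cloud storage",
    "mail.google.com": "personal webmail",
    "drive.google.com": "cloud storage",
    "wetransfer.com": "file transfer",
    "mega.nz": "cloud storage",
}

# Assumed corporate-sanctioned domains; traffic to these is ignored.
SANCTIONED = {"sharepoint.com", "office.com", "repligen.example"}


def domain_matches(host, candidate):
    """True if host equals candidate or is a subdomain of it.

    A suffix check on the bare string would also match
    'notdropbox.com'; requiring the leading dot avoids that.
    """
    return host == candidate or host.endswith("." + candidate)


def categorize(host):
    """Return the shadow-IT category for host, or None if sanctioned or unknown."""
    if any(domain_matches(host, d) for d in SANCTIONED):
        return None
    for dom, category in SAAS_CATEGORIES.items():
        if domain_matches(host, dom):
            return category
    return None


def parse_line(line):
    """Parse one assumed proxy log line: ts user method url status bytes_out."""
    ts, user, method, url, status, bytes_out = line.split()
    host = urlsplit(url).hostname or ""
    return {"ts": ts, "user": user, "method": method, "host": host.lower(),
            "status": int(status), "bytes_out": int(bytes_out)}


def find_shadow_it(lines):
    """Aggregate unsanctioned SaaS use per (user, host): request count and bytes uploaded."""
    findings = defaultdict(lambda: {"category": "", "requests": 0, "bytes_out": 0})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        category = categorize(rec["host"])
        if category is None:
            continue
        f = findings[(rec["user"], rec["host"])]
        f["category"] = category
        f["requests"] += 1
        # Only count request bodies on uploads; GETs carry negligible egress.
        if rec["method"] in ("POST", "PUT"):
            f["bytes_out"] += rec["bytes_out"]
    return dict(findings)


# Constructed sample: one sanctioned user (carol), three shadow-IT users.
SAMPLE_LOG = """\
2023-05-02T09:01:12Z alice GET https://contoso.sharepoint.com/sites/rd 200 512
2023-05-02T09:03:40Z alice POST https://www.dropbox.com/upload 200 10485760
2023-05-02T09:04:02Z alice POST https://content.dropboxusercontent.com/ 200 5242880
2023-05-02T09:10:55Z bob GET https://mail.google.com/mail/u/0/ 200 0
2023-05-02T09:11:30Z bob POST https://mail.google.com/mail/u/0/?act=send 200 204800
2023-05-02T09:15:00Z carol GET https://www.office.com/ 200 256
2023-05-02T09:20:17Z dave PUT https://upload.wetransfer.com/api/v4/files 201 734003200
"""

if __name__ == "__main__":
    for (user, host), f in sorted(find_shadow_it(SAMPLE_LOG.splitlines()).items()):
        print(f"{user:6} {host:32} {f['category']:16} "
              f"{f['requests']:3} req {f['bytes_out'] / 1048576:8.1f} MiB out")
```

Run as-is it reports alice, bob and dave; carol, who only touched sanctioned services, does not appear. The bytes-out column is what turns a list of domains into a priority: a 700 MiB PUT to a file transfer site is a different conversation from a webmail login.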

Eventually, last year, Repligen hired a third party to assess their entire security program. They chose a security framework which consists of 20 controls. The third party addressed every one of these controls and how Repligen measured against them. A roadmap was then created for presentation at board level so that priorities could be chosen and the right tools and automation put in place.

Regulation differs around the world. How is a global organisation like Repligen affected?

“As a global business we have to be GDPR compliant. However, we aren’t FDA regulated so the only real regulation we’re subject to is Sarbanes-Oxley. We do however take the GDPR very seriously and consult with a legal firm to ensure compliance. The state of California has its own version of GDPR which we follow too.”

Richison also mentioned the federal Cybersecurity & Infrastructure Security Agency (CISA).

“CISA have done a lot of good things in terms of keeping security awareness top of mind. They’ve announced they will be requiring public companies to have a person responsible for security to present to the board of directors in the same way that finance teams have had to post Enron. We already do that and board executives are aware of the security policies and controls we have in place.”

Richison had an interesting take on the risks posed by third parties and supply chains – something that is featuring prominently in many security strategy discussions at present. The attack on software vendor Kaseya is a good example of this kind of attack, as it is a remote management tool, often used by MSPs and other third parties. The criminal logic of attacking it was made demonstrably clear by the sheer number of companies affected by the breach. However, Repligen managed to avoid the worst.

“Our Kaseya infrastructure isn’t connected to the internet. We manually download and patch. One way we mitigate against risk is to not be completely dependent on third parties. We don’t assume they’re safe. Everybody is at risk, including them.”

The weakest link

Repligen’s end user awareness training is a fundamental plank of their cybersecurity roadmap. Users are targeted for additional training based on their responses to the simulated phishing attacks that the company conduct.

“Our security awareness training platform uses AI. It’s based on user behaviour over previous months so we can identify where risks are and address that. We also have specific training for finance and customer service staff because they’re exposed to greater risks. They get their own specific training.”

Repligen also conduct mandatory quarterly awareness training for everyone regardless of their role or behaviour. Until they get 100% in that training, they continue to get reminders and the issue is escalated if the training is ignored. The company also has digital signage at each global location and security reminders that cycle through displays in corporate areas.

Richison strongly believes in regular communication with board level executives.

“We had a board meeting recently and could list the accomplishments of last year and what we expect in the coming year. The assessment we carried out meant that we could identify a cyber security model maturity number. That number continued to increase for all 20 different controls under our security framework, so they can see that maturity level grow every quarter.”
