Biotechnology companies such as Repligen are likely to be a target for cybercriminals (possibly with some high-level sponsorship from certain nation-states) bent on stealing intellectual property or other confidential data. However, Richard Richeson was as concerned about opportunistic attacks as he was about more targeted threats.
“Our biggest focus is on keeping threat actors out, so ransomware is a key thing we have to protect against. We spend a lot of time protecting end users with security awareness training because all it takes is one click on a link to let a threat actor in,” Richeson said.
End user training is a critical component of Repligen’s cybersecurity strategy. The ten-minute, once-a-year refresher on cybersecurity awareness, which remains surprisingly widespread despite broad agreement that it is, at best, ineffective, is not a tactic Repligen recommends.
The company performs phishing attack simulations monthly on all end users – more on that later.
Risk assessment and roadmap
According to Richeson, while Repligen has always taken great care of its security, the security stack was isolated and ad hoc until a couple of years ago.
“We had all the tools we were supposed to have, but we didn’t fully understand the surface of our attack,” he said.
“We have data centers and assets on premises, in AWS and in Azure. Just being able to understand the threats within all of these pieces of a hybrid infrastructure was a challenge. It was also about being able to understand the extent of shadow IT. Users were setting up their Dropbox; what were they putting there? They were connecting to Gmail from corporate endpoints. Why? It was about understanding what we had, where it was and what devices were connecting to it.”
Eventually, last year, Repligen hired a third party to fully evaluate its security posture. They decided to adopt a security framework consisting of 20 controls. The third party assessed each of these controls and how Repligen measured against them. A roadmap was then created to give the board a complete view of the priorities, so that the appropriate tools and automation could be selected and put in place.
Regulation varies around the world. How is a global organization like Repligen affected?
“As a global company, we have to be GDPR compliant. However, we are not regulated by the FDA, so the only real regulation we are subject to is Sarbanes-Oxley. However, we do deal with We take GDPR very seriously and we are consulting with a legal firm in order to ensure compliance. California has its own version of the GDPR which we also follow.”
Richeson also mentioned the Cybersecurity and Infrastructure Security Agency (CISA).
“CISA did a lot of good things in terms of keeping security awareness in mind. They announced that they would require public companies to have someone responsible for security present it to the board on that same funding teams had to deploy Enron. We’ve already done that, and the directors and executives on the board are aware of the security policies and controls that we apply.”
Richeson had an interesting insight into the risks posed by third parties and supply chains, something that figures prominently in many discussions of security strategy today. The attack on the software vendor Kaseya is a good example of this type of attack, as its product is a remote management tool often used by MSPs and other parties. The criminal rationale for the attack was clearly demonstrated by the sheer number of businesses affected by the breach. However, Repligen managed to avoid the worst.
“Our Kaseya infrastructure is offline. We download and patch manually. One way to mitigate risk is to not rely entirely on third parties. We don’t assume it’s protected. Everyone is at risk, including them.”
End user awareness training for Repligen is one of the cornerstones of their cyber security roadmap. Users are targeted for additional training based on their responses to the company’s simulated phishing attacks.
“Our security awareness training platform uses artificial intelligence. It is based on user behavior over the previous months so we can identify where the risks are and focus on them. We also have special training for our finance and customer service staff because they are exposed to higher risks. They get their own training.”
Repligen also conducts quarterly awareness training that is mandatory for all, regardless of their role or behaviour. Until they get 100% on that training they keep getting reminders and the problem is escalated if the training is ignored. The company also has digital signage in every global location and security reminders that scroll across displays in company areas.
Richeson is a strong believer in regular communication with executives at the board level.
“We had a board meeting recently and can list the achievements of the past year and what we expect in the next year. Our assessment meant that we could set a maturity number for the cyber security model. And that number has continued to increase for all 20 different controls within the security framework. We have it so they can see the level of maturity grow every quarter.”