Despite all the advances in cybersecurity in recent years — iron-clad antivirus, impenetrable encryption, spookily effective spam filters — hackers are still breaking into even the most secure organizations by taking advantage of their weakest position: the human element.
According to some estimates, up to 91 percent of data security attacks begin with a false email intended to dupe the receiver into giving up login credentials or installing malicious software. This technique, a favorite of hackers worldwide, is called phishing.
How Phishing Works
There are a few important subcategories of phishing, which we’ll cover in upcoming articles. But here are the broad strokes:
- Step 1: A hacker sends an email to a person or group of people. The email is designed to appear as if it was sent from a trustworthy source: a bank, a delivery company, a social media network, or even the CEO. In its more targeted form, hackers customize phishing emails according to what they know about their intended victim or their business.
- Step 2: The email recipient is enticed or tricked to click on a link. This will often lead them to a false website — again designed to look trustworthy — where the recipient gives up sensitive personal information. Or, the email includes a download of a seemingly harmless file (a bank statement or an e-ticket, for example) that is actually malware, designed to spy on the recipient’s computer or network.
- Step 3: The hackers use their easily acquired access to steal secrets, commit identity theft, blackmail, and otherwise harm the recipient’s organization.
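As an added illustration of what a mail filter can check for in Steps 1 and 2 (this is example code, not part of the original article or any product it mentions), the script below parses a constructed sample message and flags two of the tell-tale signs described above: a sender domain that merely looks like a trusted partner's, and a link whose visible text names one site while the actual destination is another. The trusted-domain list and the sample message are assumptions made for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the article): a look-alike sender domain
# ("examp1e" with a digit one) and a link whose text names one site while its
# href points somewhere else entirely.
SAMPLE = b"""From: "Example Bank Support" <alerts@examp1e-bank.com>
To: researcher@biotech.example
Subject: Action required: confirm your account
Content-Type: text/html; charset=utf-8

<p>Please <a href="http://login-verify.example.net/x">log in at https://www.example-bank.com</a></p>
"""

TRUSTED_DOMAINS = {"example-bank.com"}  # hypothetical allow-list of known partner domains


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def normalize(domain):
    """Undo common digit-for-letter swaps (0->o, 1->l) so look-alikes map onto the real name."""
    return domain.lower().translate(str.maketrans("01", "ol"))


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    findings = []
    # Step 1 check: sender is not a trusted domain but normalizes to one.
    if sender_domain not in TRUSTED_DOMAINS and normalize(sender_domain) in TRUSTED_DOMAINS:
        findings.append(f"look-alike sender domain: {sender_domain}")
    # Step 2 check: link text advertises one host, href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown = re.search(r"https?://([^\s/]+)", text)
            if shown and urlparse(href).hostname != shown.group(1).lower():
                findings.append(f"link text shows {shown.group(1)} but goes to {urlparse(href).hostname}")
    return findings
```

Running `analyze(SAMPLE)` on the constructed message yields both findings; a real deployment would feed it messages after the spam filter, as an additional signal rather than a verdict on its own.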
2 Ways Phishing Puts Biotechs at Risk
When hackers gain access to your data or company information through phishing attacks, they can wreak havoc on your company, stealing the experimental data you worked so hard to compile, exposing the patents you tried so hard to protect, hurting your reputation with investors, and costing you thousands or millions in potential profitability.
1. Phishing Can Damage Your Company’s Value
In late 2014, a security firm announced it had uncovered a ring of hackers using phishing attacks against more than 100 biotech and pharmaceutical companies. The hackers’ carefully targeted emails used the language of the investment industry to infiltrate their victims’ email systems and steal their corporate secrets.
The criminals sought to “gain a market edge in the pharmaceutical industry, where news of clinical trials, regulatory decisions or safety or legal issues can significantly affect a company’s stock price,” the New York Times reported.
2. Phishing Can Cost You in HIPAA Fines
If your biotech firm works with protected health information (PHI), it’s subject to the data security rules of the U.S. Health Insurance Portability and Accountability Act (HIPAA). Fines for allowing PHI to get into the hands of unauthorized individuals can pile up; they run from $100 to $50,000 per violation, depending on the severity of your negligence.
How to Prevent Phishing
A good, enterprise-level email filter is your biotech’s first defense against phishing. (I wrote about this earlier this year.) Your spam filter should be configured to fit your company’s needs. If you can’t do this yourself, a trusted IT partner can do it for you.
But as phishing techniques get more sophisticated, hackers are finding ways around spam filters. That’s why your best defense is education.
- Teach your users to be skeptical of email links and attachments, even if (especially if) they’re from a trusted source.
- Instruct them to err on the side of caution. If they’re not sure about a link or an attachment, they should get a second opinion.
- And they should never, ever, enter personal information into a website to which they’re directed by an unsolicited email.
A trusted IT provider can be your partner here, too, helping you plan education initiatives and communication strategies to create a vigilant, phishing-resistant workforce.
Tell Your Phishing Stories
Have you or your employees been targeted by phishing? Share your experiences in the comments section below.
Learn more about important IT considerations early-stage biotech and life science companies should be aware of in our free guide – After the Seed: Planning IT Investment for Early-Stage Biotech Companies.