The pharmaceutical industry is one of the most vulnerable targets for cyber attacks, and it depends heavily on technology to conduct its business on a daily basis (Laudon & Laudon 2016). These companies produce billions of dollars in sales annually, and they also generate very sensitive, private and confidential information such as research data, medical records, employee information and financial data (Maruyama & Matsuo 2014). The industry has a huge responsibility to its patients, employees, stakeholders and customers worldwide to ensure that this information is secure (Galliers & Leidner 2014). It is therefore critical that pharmaceutical companies invest adequate resources to ensure that information security management is effective, because a lack of it could have devastating effects on the company. In this paper, we use the case study of Napco Pharma in Glasgow, United Kingdom, to identify the sources of the security breach, undertake a risk assessment and develop mitigation measures.
Possible Sources of Cyber Security Breach
Contracted companies: some of the biggest security threats to a pharmaceutical company come not from hackers but from individuals within the organization, for instance employees or contractors (Peppard & Ward 2016). In the case of Napco Pharma, the company shows very little concern for its information because it has entrusted it to an offsite firm. This makes the company very vulnerable. Considering that the company is developing a diabetes medication that will revolutionize treatment, it is easy for someone from the contracted company to leak information to another firm which is interested in such research and could use it to develop the drug before Napco does.
Hackers: an outsider, or any other unauthorized person such as staff who do not work in the department, can gain access to the company's systems and leak company data, for instance by introducing malware that makes the existing system vulnerable (Maruyama & Matsuo 2014).
Internal attacks: another source of a security breach could be an R&D employee who is interested in making a fortune through the sale of the intellectual property arising from the research (Peppard & Ward 2016). From the case, we have established that the R&D department has no security protocol and any employee in the department can access the sensitive data. It is therefore easy for an employee in the department to leak the information to another firm. In addition, a security breach can also occur if an employee is vengeful and becomes determined to sabotage sensitive company data with the help of a third party inside the organization (Maruyama & Matsuo 2014).
Accidental breach: a security breach can also occur when an employee accidentally leaks information, makes mistakes when accessing the system, or unintentionally introduces malware through hardware connected to the system such as hard drives or flash disks (Maruyama & Matsuo 2014).
Security Assessment for Napco Pharma
As part of establishing the likely cause of the security breach and developing mitigation measures, it is crucial that the company undertakes a security assessment. This consists of risk identification, vulnerability identification, likelihood rating, risk impact and a risk assessment matrix that summarizes the findings.
Risk identification: this identifies the potential sources of a security breach in the company (Feng, Wang & Li 2014). It includes analysis of all systems in the organization, including those of the service provider.
Threat source | Threat statement
Organizational | Individuals, groups or organizations can breach system data for financial gain or out of vengeance.
Organizational | Individuals, groups or organizations may seek to exploit system information in order to curb competition.
Privileged user | A user may accidentally leak system information as a result of not following system procedures.
Privileged user | A user can accidentally introduce malware into the system while undertaking day-to-day activities.
Software | Failure can result from failure of equipment or of established controls due to resource depletion, aging system software, lack of updates, among others.
Infrastructural failure | Infrastructural failure can occur and may be beyond the control of the organization.
Vulnerability identification: this combines the attractiveness of a given facility as a target with the level of defense provided by the countermeasures (Haimes 2015). Target attractiveness is a measure of the asset's value in the eyes of the perpetrator of the crime, and it is often influenced by the facility's influence, function and importance (Schwalbe 2015).
Vulnerability level | Vulnerability statement
Very High | The target is a very high profile facility, as in the case of Napco Pharma, and hence a very attractive target for potential adversaries. The threat source is highly motivated and sufficiently capable of carrying out the attack, and the existing controls for preventing the vulnerability are not exercised.
High | The target is a high profile facility, either regional or national, and hence an attractive target. The threat source is motivated and capable of attacking the system, but system controls are not exercised sufficiently.
Moderate | The facility is of moderate profile and hence provides a potential target for attacks. The existing defense measures are marginally adequate.
Low | The target is not a high profile facility and hence provides only a possible target for attacks, and the existing defense measures are adequate.
Likelihood rating: this determines how likely a given threat is to occur to a given organization. The rating is highly dependent on the attractiveness of the organization and the control measures already in place (Willcocks 2013).
Likelihood | Definition
Low | The threat is not likely to happen; the organization is relatively attractive, but existing control measures are sufficient.
Medium | The organization is attractive, and the existing control measures are not very sufficient.
High | The organization is attractive and lacks control measures.
Risk impact: this outlines the effects of a given threat on the organization if it occurs. It reflects the effectiveness of the existing measures in the organization and the overall readiness of the organization to handle threats (Li 2014).
Risk impact | Impact definition
High | In the case of Napco Pharma, a high impact results in major loss of resources such as finances and intellectual property rights; it can violate, harm or even impede the organization's mission, interests and reputation, and can result in severe legal action.
Medium | It can cause costly loss of organizational resources and can interfere with the interests and reputation of the organization. Legal action may or may not be taken against the company.
Low | Some of the tangible resources of the organization may be lost, which may negatively affect the reputation and interests of the organization.
Risk assessment matrix
The risk score in each cell is the likelihood weight multiplied by the impact weight, and the resulting score is graded as Low (below 10), Moderate (10 to below 50) or High (50 and above).
Likelihood \ Impact | Low (10) | Moderate (50) | High (100)
Low (0.1) | 1 (Low impact) | 5 (Low impact) | 10 (Moderate impact)
Medium (0.5) | 5 (Low impact) | 25 (Moderate impact) | 50 (High impact)
High (1.0) | 10 (Moderate impact) | 50 (High impact) | 100 (High impact)
Adapted from Haimes (2015)
Based on this assessment matrix, the following measures can be undertaken by Napco Pharma:
High impact: the company should identify new system controls and not proceed with any activity in the R&D department until the risks are reduced to a low or medium level.
Moderate impact: the organization can continue with its processes, but practical controls should be developed and implemented to reduce the impacts, and the controls should be monitored regularly.
Low impact: the company should review the existing controls, and monitoring should be undertaken to ensure that they remain effective.
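As an added illustration that is not part of the essay, the scoring behind the matrix (likelihood weight multiplied by impact weight, graded into the three response levels above) applied to the threat sources from the risk identification table; the ratings assigned to each threat are constructed assumptions, not findings from the Napco case.

```python
"""Risk register scoring for the Napco Pharma matrix (likelihood x impact)."""
from dataclasses import dataclass

# Weights exactly as in the essay's matrix (adapted from Haimes 2015).
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Moderate": 50, "High": 100}

# Responses taken from the three impact levels listed after the matrix.
ACTIONS = {
    "High": "identify new system controls; halt R&D activity until risk is low or medium",
    "Moderate": "continue operations; implement practical controls and monitor them regularly",
    "Low": "review existing controls and keep monitoring them",
}


@dataclass
class Threat:
    source: str
    statement: str
    likelihood: str  # key of LIKELIHOOD
    impact: str      # key of IMPACT


def risk_score(likelihood: str, impact: str) -> float:
    """Matrix cell value: likelihood weight times impact weight."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Grade a score the way the matrix cells are labelled: 1,5 Low; 10,25 Moderate; 50,100 High."""
    if score >= 50:
        return "High"
    if score >= 10:
        return "Moderate"
    return "Low"


def assess(threats):
    """Return the register sorted by score, highest first, with the response for each level."""
    rows = []
    for t in threats:
        score = risk_score(t.likelihood, t.impact)
        level = risk_level(score)
        rows.append({"source": t.source, "statement": t.statement,
                     "score": score, "level": level, "action": ACTIONS[level]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed ratings (assumed for illustration) for the essay's threat sources.
NAPCO_THREATS = [
    Threat("Organizational", "contractor or competitor leaks trial data for gain", "High", "High"),
    Threat("Privileged user", "R&D staff leak data; no access protocol on the server", "High", "High"),
    Threat("Privileged user", "accidental malware via removable media", "Medium", "Moderate"),
    Threat("Software", "aging, unpatched system software fails", "Medium", "High"),
    Threat("Infrastructure", "failure outside the organization's control", "Low", "Moderate"),
]

if __name__ == "__main__":
    for r in assess(NAPCO_THREATS):
        print(f"{r['score']:>5} {r['level']:<8} {r['source']:<16} {r['action']}")
```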
Mitigation Policy for the Company
Based on the theft of the clinical results and the diabetes medication, it is clear that the impact on Napco Pharma is high; it is therefore critical that effective mitigation measures and policies be developed.
First, the company should transfer control of its systems from the offsite office of the system provider to an onsite office within the organization (Peppard & Ward 2016). This way, the company, through its information personnel, can regularly monitor and check system data and information, thus ensuring that the information is protected (Roberts 2014).
The company should ensure that the server in the R&D department is encrypted and accessible only to a designated individual who is responsible for keeping the system data (Laudon & Laudon 2016). This will ensure that the system data is secure even from malicious employees in the department. The company should also set up protocols that prevent undesignated individuals from accessing system data, by ensuring that strict system controls are installed (Roberts 2014). In addition, the company should hire information technology personnel as point persons to the contracted company (Hu, Dinev, Hart, & Cooke 2012). That way it becomes easy to manage and track any malicious activity by the contracted company.
The company can also implement training for all R&D personnel and staff on system security and data handling (Hu et al. 2012). The contracted company should also be asked to provide regular audits of the system to ensure that existing loopholes are sealed. Information systems are very delicate, and a company cannot afford to be careless about how it handles its information (Galliers & Leidner 2014). Napco Pharma should make it its sole responsibility that all company data is secure, regardless of the fact that it has contracted an external provider. A strict privacy policy should also be developed to ensure that attacks such as this one do not happen in the company again (Roberts 2014).
References
Feng, N., Wang, H.J. and Li, M., 2014. A Security Risk Analysis Model for Information Systems: Causal Relationships of Risk Factors and Vulnerability Propagation Analysis. Information Sciences, 256, pp.57-73.
Galliers, R.D., and Leidner, D.E. eds., 2014. Strategic Information Management: Challenges and Strategies In Managing Information Systems. Routledge.
Haimes, Y.Y., 2015. Risk Modeling, Assessment, and Management. John Wiley & Sons.
Hu, Q., Dinev, T., Hart, P. and Cooke, D., 2012. Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture. Decision Sciences, 43(4), pp.615-660.
Laudon, K.C., and Laudon, J.P., 2016. Management Information System. Pearson Education India.
Li, W., 2014. Risk Assessment of Power Systems: Models, Methods, and Applications. John Wiley & Sons.
Maruyama, M. and Matsuo, J. 2014. Cyber & Insider Risk at a Glance: The Pharmaceutical Industry. [ebook] Deloitte, pp.1-10. Available at: https://www2.deloitte.com/content/dam/Deloitte/jp/Documents/life-sciences-health-care/ls/jp-ls-cyber-insider-risk-en.pdf [Accessed 13 Nov. 2017].
Peppard, J. and Ward, J., 2016. The Strategic Management of Information Systems: Building A Digital Strategy. John Wiley & Sons.
Roberts, S.J., 2014. The Necessity of Information Security In The Vulnerable Pharmaceutical Industry. Journal of Information Security, 5(04), p.147.
Schwalbe, K., 2015. Information Technology Project Management. Cengage Learning.
Willcocks, L., 2013. Information Management: The Evaluation of Information Systems Investments. Springer.