Employee security awareness key component of cybersecurity roadmap for Repligen

Biotech companies like Repligen can be targeted by cybercriminals (perhaps with the high-level sponsorship of certain nation-states) intent on stealing intellectual property or other sensitive data. However, Richard Richison was more concerned about opportunistic attacks than he was about targeted threats.

“Our top priority is to keep threat actors out, so ransomware is the number one thing we protect against. We spend a lot of time protecting end users through security awareness training, because all it takes is one click on a bad link to give a threat actor access.” . in,” Richison said.

This end-user education is an important component of Repligen’s cybersecurity strategy. A ten-minute refresher on cybersecurity awareness once a year is surprisingly common, despite the agreement that it’s ineffective at best, which is not a tactic Repligen recommends.

The company conducts a monthly simulated phishing attack on all end users, most of which are later.

Risk assessment and roadmap

According to Richison, while Repligen has always been very security conscious, a few years ago the security stack was disabled and became ad hoc.

“We had all the tools we needed to have, but we didn’t fully understand the ins and outs of the attack,” he said.

“We have underlying data centers and assets in AWS and Azure. It was difficult to understand the risks in all the hybrid infrastructure pieces. It was also about understanding the scope of Shadow IT. Users install their Dropbox. Did they deploy there? They from corporate endpoints Added to Gmail. Why? It was about understanding what we have, where it is, and what these devices are communicating with.”

Also Read :  Europe’s digital ambitions won’t be realized without cloud – POLITICO

Finally, last year, Repligen hired a third party to evaluate its entire security program. They decided to create a security system consisting of 20 control elements. The third party focused on each of these controls and how Repligen measured against them. A roadmap was then created to set board-level priorities and implement the right tools and automation.

Regulation varies around the world. How does it affect a global organization like Repligen?

“As a global business, we must be GDPR compliant. However, we are not regulated by the FDA, so the only real regulation we are subject to is Sarbanes-Oxley. However, we take GDPR very seriously and are consulting with a law firm to ensure compliance. In the state of California, GDPR has its own version, which we also follow.

Richison also mentioned the federal Cybersecurity and Infrastructure Security Agency (CISA).

Also Read :  You Can Still Get a Free $300 Gift Walmart Card When You Buy an Apple iPhone 14 for AT&T or Verizon for Black Friday

“CISA has done a lot of good things in terms of security awareness. They announced that they will require public companies to nominate a person responsible for financial security to their board of directors. teams had to accommodate Enron. We are already doing this and our board leaders are aware of the security policies and controls we have in place.

Richison’s interesting take on the risks posed by third parties and supply chains is something that features prominently in many security strategy discussions these days. The attack on software vendor Kaseya is a good example of such an attack, as it is a remote control tool that is often used by MSPs and other third parties. The criminal logic of the attack was evident from the large number of companies affected by the breach. However, Repligen managed to avoid the worst.

“Our Kaseya infrastructure is not connected to the Internet. We download and patch manually. One way to reduce risk is to not be completely dependent on third parties. We don’t think they are protected. Everyone is at risk, including them.”

The weakest link

Repligen’s end-user awareness training is a cornerstone of their cybersecurity roadmap. Users are targeted for additional training based on their responses to simulated phishing attacks conducted by the company.

Also Read :  Time to get spooky: An alien experience

“Our security awareness training platform uses AI. It’s based on user behavior over the past months, so we can identify where the risks are and focus on them. We also have special training for finance and customer service staff because they’re big exposed to risks. They receive special training.”

Repligen also conducts mandatory quarterly awareness training for everyone, regardless of their role or behavior. Until they get 100% in this training, they will continue to receive reminders and if the training is ignored, a problem will arise. The company also has digital signage at each global location and safety alerts that run through displays in corporate areas.

Richison strongly believes in maintaining constant communication with board-level executives.

“We recently had a board meeting and were able to list the accomplishments of the past year and what we expect next year. The assessment we did meant we were able to define a maturity number for our cybersecurity model. This number has continued to grow for all 20 different controls. Under our security framework, they are growing each quarter in maturity. can see where it is.”


Leave a Reply

Your email address will not be published.

Related Articles

Back to top button