Fraud, cyber, and security risks continue to reach high levels in the healthcare, pharmaceuticals and biotechnology sector, according to new report
Fraud, cyber, and security risks continue to reach high levels in the healthcare, pharmaceuticals and biotechnology sector, according to a worldwide survey for the 2017/18 Kroll Annual Global Fraud & Risk Report.
Seventy-seven per cent of respondents said their company had experienced a cyber incident or information theft, loss, or attack over the past 12 months. Just under seven in 10 respondents (67%) reported the occurrence of at least one security incident during the past year.
The report reveals that respondents in the healthcare, pharmaceuticals and biotechnology sector are experiencing a heightened sense of vulnerability to fraud, cyber, and security risks, with information-related risks now being the area of greatest concern. As criminals and other threat actors continue to find new ways to monetize confidential data, including personal data, data assets are becoming increasingly valuable and attractive targets.
Confidential information subject to increasing threats
IP theft, piracy or counterfeiting was one of the most prevalent types of fraud experienced in the healthcare, pharmaceuticals and biotechnology sector, cited by 29% of respondents, up 10 percentage points from the previous year. Misappropriation of company funds and theft of physical assets and stock were also cited as the most common types of fraud by 29% of respondents in the sector.
In the year when major viruses such as WannaCry and Petya hit across the world, nearly four in 10 (38%) executives surveyed said their companies had been impacted by a virus or worm attack. A third (33%) said they had lost equipment with sensitive data and 31% suffered an email-based phishing attack.
Physical theft or loss of intellectual property (IP) was by far the most prevalent type of security incident. Of those executives in the healthcare, pharmaceuticals and biotechnology sector whose company experienced a security incident this past year, 40% said their organizations fell victim to IP theft or loss.
Top three types of incidents reported by survey respondents (by category)

| Rank | Fraud | Cyber | Security |
|---|---|---|---|
| 1. | IP theft, piracy or counterfeiting (29%) | Virus/worm attack (38%) | Physical theft or loss of intellectual property (40%) |
| 2. | Misappropriation of company funds (29%) | Lost equipment with sensitive data (33%) | Workplace violence (35%) |
| 3. | Theft of physical assets or stock (29%) | Email-based phishing attack (31%) | Environmental risk (including damage caused by natural disasters such as hurricanes, tornadoes, floods, earthquakes, etc.) (35%) |
Costly and wide-ranging repercussions
In addition to reporting extremely high incidence levels, respondents from the healthcare, pharmaceuticals and biotechnology sector indicated that the repercussions of fraud, cyber, and security events were costly and wide-ranging, affecting employees and customers, as well as the organization’s reputation and bottom line.
Employee privacy, safety, or morale was negatively affected by incidents according to 85% of respondents whose companies had experienced fraud, 83% of those that reported a cyber incident, and 80% of executives whose companies endured a security event.
An overwhelming majority of respondents stated that customers had been negatively impacted by all three risk factors – 92% by a fraud incident, 92% by a cyber incident, and 80% by a security incident. A similar proportion said that the impacted company’s reputation had suffered due to a fraud (90%), cyber (75%), or security (74%) incident.
Businesses suffered significant economic damage from fraud, with one in five respondents (20%) reporting losses of 7% or more of company revenues. No respondents from the healthcare, pharmaceuticals and biotechnology sector reported this magnitude of financial impact in last year’s survey.
Executives feeling increasingly vulnerable to risks
The report further reveals mounting concerns among surveyed executives about their companies’ potential exposure to fraud, cyber, and security risks. In particular, information-related risks overwhelmingly represent the top worries for respondents across all three risk categories.
Seven in 10 (70%) respondents from the healthcare, pharmaceuticals and biotechnology sector believe their companies are highly or somewhat vulnerable to information theft, loss, or attack, 13 percentage points higher than the global average.
With reported cyber incidents at an all-time high and perpetrators seeming to develop new methods of attack virtually every day, at least half of all executives surveyed are apprehensive about every type of cyber incident identified in the survey – with 82% especially wary of data deletion.
The proportion of respondents from the sector who said they feel highly or somewhat vulnerable to physical security threats was also substantial. More than three quarters (79%) of respondents stated their companies could be particularly prone to physical theft or loss of IP, the greatest single concern.
Culprits inside and outside
Insiders and ex-employees continue to pose the greatest fraud threat to companies in the healthcare, pharmaceuticals and biotechnology sector. Respondents revealed that fraud incidents are often inside jobs perpetrated by one or more of the following: junior employees (56%), agents and/or intermediaries (41%), and ex-employees (38%).
Competitors were the main culprits of cyber incidents (42%) and ex-employees were responsible for 54% of security incidents experienced by executives in the healthcare, pharmaceuticals and biotechnology sector.
Imperative to mitigate risks
Nearly all anti-fraud measures mentioned in the survey were widely adopted by over 70% of respondents in the healthcare, pharmaceuticals and biotechnology sector, with staff background screening the most widely implemented anti-fraud measure at 85%.
Cyber security is rapidly becoming a board governance mandate as the anticipated likelihood of an incident grows, compounded by increasing regulatory pressures and the costly reputational risks associated with data privacy and data loss events. 66% of respondents currently involve the board of directors in the formulation of cyber security policies and procedures, and another 28% plan to do so in the next 12 months.
A large proportion of respondents have adopted security risk mitigation measures, but given the high incidence and feelings of vulnerability around theft/loss of IP, it was surprising to see that only 77% of respondents have a plan for securing intellectual property. However, a fifth (20%) of respondents plan to implement these measures over the next 12 months.