Biotech companies like Repligen are likely targets for cybercriminals (possibly with high-level sponsorship from some nation states) intent on stealing intellectual property or other confidential data. However, Richard Richison was as concerned about opportunistic attacks as he was about more targeted threats.
“Our primary goal is to keep threat actors out, so ransomware is a key thing we need to protect against. We spend a lot of time protecting end users through security awareness training because it only takes one click on a bad link to allow a threat actor inside,” Richison said.
End-user education is a critical component of Repligen’s cybersecurity strategy. The once-a-year, 10-minute cybersecurity awareness update, still surprisingly prevalent despite the consensus that it is at best ineffective, is not a tactic Repligen recommends.
The company conducts a simulated phishing attack on all end users on a monthly basis, with more to follow.
Risk assessment and roadmap
According to Richison, while Repligen has always been extremely security conscious, until a couple of years ago the security stack was isolated and ad hoc.
“We had all the tools we should have, but we didn’t fully understand our attack surface,” he said.
“We have on-premises data centers and assets in AWS and Azure. Just being able to understand the threats within all those hybrid infrastructure pieces was a challenge. It was also about being able to understand the extension of shadow IT. Users set up their Dropbox; what did they put in it? Did they connect to Gmail from corporate endpoints? Why? It was about understanding what we had, where it was and what those devices communicated with.”
Finally, last year, Repligen hired a third party to evaluate the entire security program. They settled on a security framework consisting of 20 controls. The third party assessed each of these controls and how Repligen dealt with them. A roadmap was then created and presented at board level to prioritize and put the right tools and automation in place.
Regulation differs around the world. How is a global organization like Repligen affected?
“As a global company, we need to be GDPR compliant. However, we are not regulated by the FDA, so the only real regulation we are subject to is Sarbanes-Oxley. However, we take GDPR very seriously and consult with a law firm to ensure compliance. The state of California has its own version of the GDPR that we also follow.”
Richison also mentioned the federal Cybersecurity and Infrastructure Security Agency (CISA).
“CISA has done a lot of good things in terms of keeping security awareness first. They have announced that they will require public companies to have a person responsible for security present to the board of directors, in the same way that finance teams have had to post-Enron. We already do this, and board leaders are aware of the security policies and controls we have in place.”
Richison had an interesting take on the risks posed by third parties and supply chains, something that is at the forefront of many security strategy discussions right now. The attack on software vendor Kaseya is a good example of this type of attack: its product is a remote management tool, often used by MSPs and other third parties. The criminals’ rationale was made starkly clear by the sheer number of companies affected by the breach. However, Repligen managed to avoid the worst.
“Our Kaseya infrastructure is not connected to the internet. We download and patch manually. One way to mitigate risk is not to be completely dependent on third parties. We don’t assume they are protected. Everyone is at risk, including them.”
The weakest link
Repligen’s end-user awareness training is a cornerstone of its cybersecurity roadmap. Users receive additional training based on their responses to the simulated phishing attacks the company conducts.
“Our security awareness training platform uses artificial intelligence. It is based on user behavior in previous months, so we can identify where the risks are and focus on that. We also have specific training for finance and customer service because they are at greater risk. They get their own special training.”
Repligen also conducts mandatory quarterly awareness training for everyone, regardless of their role or behavior. Until they score 100% in that training, they keep getting reminders, and the problem is escalated if the training is ignored. The company also has digital signage in each global location, with security reminders scrolling across displays in corporate areas.
Richison is a strong believer in regular communication with executives at the board level.
“We recently held a board meeting and were able to list last year’s achievements and what we expect for next year. The assessment we conducted allowed us to identify a cybersecurity maturity model number. That number has continued to increase for all 20 different controls under our security framework, so they can see that maturity level grow every quarter.”