Biotech companies like Repligen are likely targets for cybercriminals (possibly with high-level backing from certain nation-states) aiming to steal intellectual property or other sensitive data. However, Richard Richison was just as concerned about opportunistic attacks as he was about more targeted threats.
“Our primary focus is keeping threat actors out, so ransomware is a key element we need to protect against. We spend a lot of time protecting end users through security awareness training because clicking on a bad link is all it takes to let a threat actor in,” Richison said.
This end-user training is a critical component of Repligen’s cybersecurity strategy. The once-a-year, ten-minute awareness refresher is still surprisingly common, even though it is widely agreed to be ineffective at best; it is not a tactic Repligen relies on.
The company runs a simulated phishing attack on all end users monthly – more on that later.
Risk Assessment & Roadmap
According to Richison, while Repligen has always been extremely security conscious, until a few years ago its security stack was siloed and ad hoc.
“We had all the tools we should have, but we didn’t fully understand our attack surface,” he said.
“We have on-premises data centers and assets in AWS and Azure. Just understanding the threats within all of these hybrid pieces of infrastructure was a challenge. It was also about understanding the extent of shadow IT. Users set up their own Dropbox, what did they put there? You’ve connected to Gmail from enterprise endpoints. Why? It was about understanding what we had, where it was and what those devices were communicating with.”
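The shadow-IT discovery Richison describes (which endpoints talk to Dropbox, Gmail and similar services, and how much they upload) is the kind of question that can be answered from existing web-proxy logs. The script below is an added example and not Repligen's tooling: the log lines, the sanctioned and unsanctioned domain lists and the upload threshold are all constructed for illustration. It classifies each destination host by domain suffix, tallies unsanctioned-service traffic per user, flags users whose uploads to an unsanctioned service exceed a threshold, and lists hosts that match neither list so they can be reviewed and added to one of them.

```python
"""Shadow-IT discovery from web-proxy logs.

Added example, not Repligen's own tooling. Log lines, domain lists and the
upload threshold are constructed assumptions for illustration.
"""
from collections import defaultdict
from typing import NamedTuple, Optional, Tuple


class Record(NamedTuple):
    ts: str
    user: str
    src_ip: str
    method: str
    host: str
    bytes_out: int


# Constructed sample in a generic "ts user src_ip method host bytes_out" layout.
SAMPLE_LOG = """\
2023-05-02T09:14:03Z jdoe 10.20.1.15 POST content.dropboxapi.com 52428800
2023-05-02T09:15:11Z jdoe 10.20.1.15 GET www.dropbox.com 2048
2023-05-02T09:20:45Z asmith 10.20.1.22 GET mail.google.com 1200
2023-05-02T09:21:02Z asmith 10.20.1.22 POST mail.google.com 3145728
2023-05-02T09:30:00Z bnguyen 10.20.1.40 PUT example-tenant.sharepoint.com 104857600
2023-05-02T09:31:17Z cwu 10.20.1.51 GET api.github.com 512
2023-05-02T09:40:09Z jdoe 10.20.1.15 POST upload.wetransfer.com 209715200
"""

# Assumed policy lists (illustrative, not a real allow-list).
SANCTIONED = {"sharepoint.com", "office365.com", "microsoftonline.com"}
UNSANCTIONED = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "mail.google.com": "Gmail",   # deliberately narrower than google.com
    "wetransfer.com": "WeTransfer",
}
UPLOAD_METHODS = {"POST", "PUT"}


def parse_line(line: str) -> Record:
    ts, user, src_ip, method, host, bytes_out = line.split()
    return Record(ts, user, src_ip, method.upper(), host.lower(), int(bytes_out))


def _matches(host: str, domain: str) -> bool:
    # Exact or subdomain match only: "notdropbox.com" must not match "dropbox.com".
    return host == domain or host.endswith("." + domain)


def classify(host: str) -> Tuple[str, Optional[str]]:
    """Return ("sanctioned" | "unsanctioned" | "unclassified", service-or-None)."""
    for domain in SANCTIONED:
        if _matches(host, domain):
            return "sanctioned", domain
    for domain, service in UNSANCTIONED.items():
        if _matches(host, domain):
            return "unsanctioned", service
    return "unclassified", None


def analyze(log_text: str, upload_threshold: int = 10 * 1024 * 1024) -> dict:
    """Summarise unsanctioned-service use per user and flag large uploads."""
    traffic = defaultdict(lambda: defaultdict(int))   # user -> service -> all bytes
    uploads = defaultdict(lambda: defaultdict(int))   # user -> service -> upload bytes
    unclassified = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        category, service = classify(rec.host)
        if category == "sanctioned":
            continue
        if category == "unclassified":
            unclassified.add(rec.host)   # needs a human decision, not silence
            continue
        traffic[rec.user][service] += rec.bytes_out
        if rec.method in UPLOAD_METHODS:
            uploads[rec.user][service] += rec.bytes_out
    findings = sorted(
        ((user, svc, b) for user, svcs in uploads.items()
         for svc, b in svcs.items() if b > upload_threshold),
        key=lambda f: f[2], reverse=True,
    )
    return {
        "by_user": {u: dict(s) for u, s in traffic.items()},
        "findings": findings,
        "unclassified": sorted(unclassified),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for user, svc, nbytes in report["findings"]:
        print(f"{user}: {nbytes / 2**20:.0f} MiB uploaded to {svc}")
    print("review these hosts:", report["unclassified"])
```

The suffix match is the part worth getting right: a naive `"dropbox.com" in host` would also match a lookalike registered by an attacker, and matching `google.com` wholesale would bury Gmail use under legitimate Google traffic. The unclassified bucket is deliberately surfaced rather than dropped, because an allow-list is only useful if someone keeps deciding what goes on it.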
Finally, last year, Repligen hired a third party to assess its entire security program. They opted for a security framework consisting of 20 controls; the third party assessed each control and how Repligen measured against it. A roadmap, presented at board level, was then created to prioritize the gaps and put the right tools and automations in place.
Regulation varies around the world. How is a global organization like Repligen affected?
“As a global company, we need to be GDPR compliant. However, we are not regulated by the FDA, so the only real regulation we are subject to is Sarbanes-Oxley. However, we take GDPR very seriously and are engaging a law firm to ensure compliance. The state of California has its own version of the GDPR, which we also follow.”
Richison also mentioned the US Cybersecurity and Infrastructure Security Agency (CISA).
“CISA has done many good things to keep security awareness in mind. They have announced that they will require publicly traded companies to have a person responsible for security to submit to the board the same funding teams had to post to Enron. We already do, and the board members are aware of the security policies and controls that we have in place.”
Richison had an interesting take on the risks posed by third parties and supply chains, something that currently features prominently in many security strategy discussions. The attack on the software vendor Kaseya is a good example of this type of attack, since its product is a remote management tool commonly used by MSPs and other third parties. The attackers’ logic was clear from the sheer number of companies affected: compromise one widely used management tool and you reach every organization that depends on it. Repligen, however, managed to avoid the worst.
“Our Kaseya infrastructure is not connected to the internet. We download and patch manually. One way to mitigate risk is not to be totally dependent on third parties. We do not assume that they are protected. Everyone is at risk, including you.”
The weakest link
Repligen’s end-user awareness training is a fundamental part of its cybersecurity roadmap. Users are selected for additional training based on their responses to the monthly simulated phishing attacks the company runs.
“Our security awareness training platform uses AI. It is based on user behavior over the past few months, allowing us to identify risks and focus on them. We also have specific training for finance and customer service staff as they are at greater risk. They get their own special training.”
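Selecting users for extra training from their behaviour over recent months, with higher weight for high-risk roles, is easy to reason about once it is written down. The script below is an added example, not Repligen's platform or its vendor's scoring: the campaign results, the outcome scores, the role multipliers, the month-over-month decay and the selection threshold are all constructed assumptions. It weights each month's simulation result by recency, gives credit for reporting a lure rather than just not clicking, clamps at zero so a consistently good user is not penalised, applies a role multiplier, and returns the users who should get targeted training this cycle.

```python
"""Phishing-simulation risk scoring: who gets extra training this cycle.

Added example, not Repligen's platform. Results, roles, scores, decay and
threshold are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Result:
    month: str      # "YYYY-MM" of the monthly simulation
    user: str
    outcome: str    # "reported" | "ignored" | "clicked" | "credentials"


# Assumed outcome scores: higher is riskier; reporting the lure earns credit.
OUTCOME_SCORE = {"reported": -1.0, "ignored": 0.0, "clicked": 3.0, "credentials": 5.0}
# Assumed role multipliers: the roles the interview singles out as higher-risk.
ROLE_WEIGHT = {"finance": 1.5, "customer_service": 1.3}
# Each older month counts half as much as the next-newer one (assumed).
RECENCY_DECAY = 0.5

# Constructed three-month history for four users.
SAMPLE_RESULTS = [
    Result("2023-01", "jdoe", "clicked"),
    Result("2023-02", "jdoe", "reported"),
    Result("2023-03", "jdoe", "clicked"),
    Result("2023-01", "asmith", "reported"),
    Result("2023-02", "asmith", "reported"),
    Result("2023-03", "asmith", "reported"),
    Result("2023-01", "bnguyen", "ignored"),
    Result("2023-02", "bnguyen", "clicked"),
    Result("2023-03", "bnguyen", "credentials"),
    Result("2023-01", "cwu", "credentials"),
    Result("2023-02", "cwu", "ignored"),
    Result("2023-03", "cwu", "reported"),
]
SAMPLE_ROLES = {"jdoe": "finance", "asmith": "engineering",
                "bnguyen": "customer_service", "cwu": "engineering"}


def risk_scores(results: Iterable[Result], roles: Dict[str, str],
                months: int = 6) -> Dict[str, float]:
    """Recency-weighted, role-adjusted risk score per user over the last `months`."""
    results = list(results)
    window = sorted({r.month for r in results})[-months:]
    # newest month weight 1.0, then decay going backwards
    weight = {m: RECENCY_DECAY ** (len(window) - 1 - i) for i, m in enumerate(window)}
    raw = defaultdict(float)
    for r in results:
        if r.month in weight:
            raw[r.user] += OUTCOME_SCORE[r.outcome] * weight[r.month]
    # Clamp before the role multiplier so good behaviour is not turned into
    # a larger negative for high-risk roles.
    return {u: max(s, 0.0) * ROLE_WEIGHT.get(roles.get(u, ""), 1.0)
            for u, s in raw.items()}


def select_for_training(scores: Dict[str, float], threshold: float = 3.0) -> List[str]:
    """Users at or above the threshold, riskiest first."""
    return sorted((u for u, s in scores.items() if s >= threshold),
                  key=lambda u: (-scores[u], u))


if __name__ == "__main__":
    scores = risk_scores(SAMPLE_RESULTS, SAMPLE_ROLES)
    for user in select_for_training(scores):
        print(f"{user}: {scores[user]:.2f} -> targeted training")
```

Two choices matter more than the exact constants. Clamping at zero before applying the role multiplier means a finance user who reports every lure ends up at zero, not at a large negative that masks a later click. And because the window is derived from the data, a user with only one month of history is scored on that month alone rather than silently diluted by months that do not exist.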
Repligen also conducts mandatory quarterly awareness training for everyone, regardless of role or behavior. Until a user completes the training in full, the reminders continue, and the matter is escalated if the training is ignored. The company also runs security reminders on digital signage at each of its global locations.
Richison is a strong believer in regular communication with executives at board level.
“We recently had a board meeting and were able to review the achievements of the past year and our expectations for the year ahead. The assessment we performed meant that we were able to identify a number for the maturity of the cybersecurity model. This number continued to increase for all 20 different controls under our security framework so you can see this maturity level growing each quarter.”