One Nucleus Business Resilience Thematic Group - Cyber Security

Tuesday 1 November

Incredible research needs incredible security in a data-driven, cyber-vulnerable era. The aim of this meeting was to start building a community with an interest in sharing ideas, best practices and the latest developments in cyber security, and to bring the subject onto the radar of whole organisations, not just their IT teams. Ultimately, increased confidence in cyber security policies and procedures is essential to support the science being undertaken and to drive value in our sector. Here are some of the key takeaways from the session:

Nature of Cyber Threats

  • Cyber risk is one of the most significant threats to the operational, reputational and financial resilience of Life Science organisations.
  • Cyber-attacks are generally moving away from traditional attacks on the perimeter firewall towards targeting key individuals: those likely to have elevated privileges, access to data or financial systems, or authority within an organisation.
  • Ransomware has been an increasing trend over the last couple of years, and attackers who succeed once can come back for more.
  • Many attacks on the internet are automated; the Cyber Essentials controls remove most of this noise so that attention can be focused on more significant events.

The Importance of Staff Training

  • There are many layers of business security to consider in order to keep your data protected, and end-users are one of the most important.
  • It is important to take an organisation-wide approach to security rather than thinking of it only as an IT matter. Staff training is a really important line of defence.
  • Phishing was the most common security breach reported in a 2022 survey of UK businesses, because the individuals in a business are often the weakest link.

Prevention is Better Than Cure

  • Cyber security should be a 360-degree journey: prevention, then action, then remediation. Getting the first stage right can avoid the need for the second and third.
  • As cyber threats evolve, it is important to try to stay one step ahead and be proactive.
  • The NCSC's 10 Steps to Cyber Security is a useful guide to how organisations can protect themselves and can eliminate up to 90% of the threat.
  • Prevention is better than cure: you can build a cyber resilience plan in 5 stages (Prepare, Identify, Protect, Detect and Assure), and this should be run as a continual cycle rather than a one-off exercise.

Risk Management and Legal Implications

  • Adopting best practices creates resilience and can help reassure external stakeholders, such as potential investors.
  • Cyber insurance can help by providing protection in the event of lawsuits following a data breach and by paying breach costs and expenses.
  • Insurance also acts as a breach response service, helping the organisation recover from a cyber-attack.
  • If you are outsourcing IT, do not assume that the provider is also doing security.
  • There is no single cyber security law in the UK; rather, it is a patchwork of legislation, such as GDPR, national security laws and sector-specific legislation such as the NIS Regulations (NIS Regs). The NIS Regs apply to specific sectors, including health and digital infrastructure, and a range of criteria, including business size, determines whether they apply to a given organisation.
  • In the event of an attack, it is important to understand the chain of responsibility, which starts with notifying the IT team first and foremost. When involving external experts, there should be a specific order, starting with lawyers, so that privilege can be maintained over communications and the response is properly co-ordinated going forward.

With thanks to the following speakers:

Keith Taylor, Systems Team Leader, CCDC
Matthew Clark, Cyber Director, Partners&
David Allan, Managing Director and Chief Technology Officer, CYSIAM
Oliver Kidd, Partner, Penningtons Manches Cooper
Charlotte Hill, Senior Associate, Penningtons Manches Cooper