Penetration Testing and Social Engineering for a Pharmaceutical Company
A team of cybersecurity experts helped a global pharmaceutical company handle a security breach with swift, effective actions. The team carried out black-box penetration testing and social engineering to check system security and, in addition, helped the client with ISO 27001 and GxP compliance.
The client was a multinational pharmaceutical company. With headquarters in Europe and over 50 branches all around the world, the company produces vital medicines that are sold globally. With human lives at stake, the pharmaceutical industry is one of the most heavily regulated. Any threat to the client’s data integrity could endanger the lives of patients, so this industry demands the utmost in security.
The client reached out to us after the incident for help with the security breach. In addition to incident response measures and investigation, they required an overall check-up of their ERP system and assistance with GxP and ISO 27001 compliance. The company also wanted to evaluate security awareness among their employees.
Social Engineering & Compliance
To check if the human factor was involved in the breach, our team used methods of social engineering. A phishing email campaign was sent across all 50 branches of the company to identify employees who use weak password protection and lack cybersecurity awareness. All information was gathered into a detailed report, which also contained instructions on how best to educate employees on cybersecurity.
In order to help the company comply with standards and regulations such as GxP and ISO 27001, we performed a two-stage security audit. It was a custom IP and infrastructure checkup tailored to this particular client, their industry requirements, internal systems, and business needs.
A team of cybersecurity specialists started with external black-box penetration testing to identify potential access points and take immediate measures to protect the system from a repeat breach.
Next, our team of cybersecurity engineers began internal penetration testing. Having access to the office and Wi-Fi, we were able to reach the company’s core systems: ERP software, management team email boxes, and the servers. The vulnerabilities we discovered were serious enough to threaten the very existence of the company: an attacker exploiting any of them could have undermined the company’s ability to control its budget and logistics, verify various operations, and protect crucial sensitive information.
Our cybersecurity team provided the client with a list of potential weak spots and vulnerabilities along with a set of recommendations on how to eliminate the risks. These were later implemented by the client’s in-house IT team. We recommended the client introduce additional security measures and, with our guidance, their developers were able to strengthen the systems and pass the necessary security certifications.