Defending against third-party security risks in pharma companies
Even if a pharmaceutical company has a robust cybersecurity posture and a history unmarred by data breaches, it is still vulnerable to security incidents. Every vendor expands a pharmaceutical company’s attack surface, so it is essential to understand the most common third-party risks and how to defend against them.
Pharma companies face third-party breaches
Cybercriminals are increasingly targeting suppliers, partners, and service providers as a way of compromising their actual targets indirectly. Verizon’s 2025 Data Breach Investigations Report found that the share of breaches involving a third party doubled year over year, from 15% to 30%.
Vendors put their clients at risk regardless of their role in drug development, manufacturing, sales, or distribution. Contract research organisations, logistics providers, marketing agencies, IT service providers, packaging suppliers, and pharmaceutical testing laboratories are all potential entry points.
Vendors have been responsible for some of the pharmaceutical industry’s most significant cybersecurity incidents in recent memory. In February 2024, Alexion Pharmaceuticals experienced a third-party breach through Cisiv Ltd, when threat actors accessed a database used to support the pharmaceutical company’s Risk Evaluation and Mitigation Strategy programme, exposing sensitive information.
As a company’s own defences become more robust, cybercriminals look for less obvious ways in. Neglecting this is like fortifying a castle’s main gate while leaving the sewers and walls undefended. A determined attacker will keep looking for a way in, and a vendor with weaker controls is often that way.
Tips for defending against third-party attacks
Pharmaceutical companies can secure themselves against third-party attacks and prevent avoidable damage with these four methods.
1. Use homomorphic encryption and anonymisation
Encryption is not a silver bullet. Data is normally encrypted only in transit and at rest; a vendor decrypts it in order to work with it, and from that moment it is exposed to exfiltration, ransomware, or privilege escalation in the vendor’s environment. Homomorphic encryption lets a third party perform computations on ciphertext without ever seeing the plaintext, so the data stays protected even while it is being processed.
However, homomorphic encryption is computationally expensive and its ciphertexts are many times larger than the plaintext, which limits it to narrow workloads. Anonymisation or pseudonymisation is usually the more practical option: direct identifiers are removed or replaced with tokens the vendor cannot reverse, and quasi-identifiers such as dates of birth and postcodes are coarsened, so that a breach of the vendor’s copy exposes far less. The caveat is that this reduces rather than eliminates risk: tokens derived from an unkeyed hash of a short identifier can be reversed by brute force, and a dataset with enough quasi-identifiers left intact can still be re-identified, so the transformation needs to be designed and reviewed, not just applied.
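The pseudonymisation approach described above, as an added example that is not from the original article or any particular vendor’s tooling. It replaces patient identifiers with an HMAC-SHA256 token under a key that stays with the pharma company, drops names, and coarsens date of birth and postcode before the export is handed to a vendor. It also shows the failure mode the caveat mentions: a plain SHA-256 of a short, structured patient ID is recoverable by enumerating the ID space. The records, field names and identifier format are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample export, of the kind a CRO or testing lab might receive.
# All identifiers and names below are invented for this example.
PATIENT_RECORDS = [
    {"patient_id": "P0001234", "name": "A. Example", "dob": "1974-03-19",
     "postcode": "SW1A 1AA", "adverse_event": "headache"},
    {"patient_id": "P0005678", "name": "B. Example", "dob": "1988-11-02",
     "postcode": "M1 1AE", "adverse_event": "nausea"},
]

# Fields that are dropped entirely rather than transformed (assumed policy).
DIRECT_IDENTIFIERS = ("name",)


def pseudonymise_id(patient_id: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a secret that never leaves the sponsor.

    Deterministic, so the vendor can still join records for the same patient,
    but without the key neither the vendor nor a thief of the vendor's copy
    can map a token back to a patient ID.
    """
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def generalise_record(record: dict, key: bytes) -> dict:
    """Drop direct identifiers, tokenise the ID and coarsen quasi-identifiers."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "patient_id":
            out["pseudonym"] = pseudonymise_id(value, key)
        elif field == "dob":
            out["birth_year"] = value[:4]           # year only
        elif field == "postcode":
            out["postcode_area"] = value.split()[0]  # outward code only
        else:
            out[field] = value
    return out


def prepare_vendor_export(records: Iterable[dict], key: bytes) -> list:
    return [generalise_record(r, key) for r in records]


def reverse_unkeyed_hash(token_hash: str, id_space: Iterable[str]) -> Optional[str]:
    """Failure mode: an unkeyed SHA-256 of a short structured ID is just a
    dictionary lookup over the ID space, so hashing alone does not pseudonymise."""
    for candidate in id_space:
        if hashlib.sha256(candidate.encode()).hexdigest() == token_hash:
            return candidate
    return None


if __name__ == "__main__":
    # The key is generated and held by the data owner, never shipped with the export.
    export_key = secrets.token_bytes(32)
    for row in prepare_vendor_export(PATIENT_RECORDS, export_key):
        print(row)
    naive = hashlib.sha256(b"P0001234").hexdigest()
    print("unkeyed hash reversed to:",
          reverse_unkeyed_hash(naive, (f"P{n:07d}" for n in range(10_000))))
```

The key is the whole point: it turns a reversible hash into a token that is only meaningful to the party holding the secret, and rotating the key per vendor means a token leaked from one vendor’s export cannot be correlated with another’s.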
2. Regularly audit vendors’ cybersecurity posture
Pharma leaders should conduct third-party security assessments, from a review of the vendor’s critical systems and controls up to penetration testing of the systems that handle the company’s data. The contract should grant a right to audit, with scope and rules of engagement agreed in advance, so that a specific assessment can be scheduled at short notice and coordinated with a small trusted contact rather than announced widely. This matters because the vendor’s environment may already be compromised: an attacker who learns a test is coming may go quiet to avoid detection, or accelerate their attack before the test begins.
3. Deploy honeypots and decoys to catch attackers who come in through a vendor
Honeypots and decoys are designed to be found by attackers who have bypassed the organisation’s own perimeter by going through a third party. The attacker may believe they have found an ingenious workaround or simply got lucky. In reality, every interaction with the decoy is logged, and the security team catalogues the tactics, techniques and tools used, feeding them back into the risk management strategy and the organisation’s indicators of compromise. Decoys can also be seeded into the material a vendor actually receives, so that any use of them points directly at which vendor’s copy was compromised.
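One concrete form of this, as an added example that is not from the original article: a decoy service account (a honeytoken) is placed in each vendor’s data package. The account grants nothing and is never used legitimately, so any authentication attempt against it, successful or failed, is an alert that attributes the leak to the vendor it was given to. The detection logic below runs over constructed, syslog-style authentication log lines; the account names, vendor names, log format and IP addresses are all invented for the example.

```python
import re
from collections import Counter

# Constructed: one decoy account per vendor, seeded into that vendor's data package.
# Mapping from decoy account name to the vendor that received it (assumed names).
CANARY_ACCOUNTS = {
    "svc-cro-export": "cro-analytics-ltd",
    "svc-lab-sync": "qc-testing-lab",
}

# Constructed sample authentication log in a simple syslog-like format (assumed).
SAMPLE_AUTH_LOG = """\
2025-05-02T09:14:03Z auth sshd: Accepted publickey for alice from 10.20.3.7
2025-05-02T09:15:41Z auth vpn: Failed password for svc-lab-sync from 185.220.101.4
2025-05-02T09:15:52Z auth vpn: Failed password for svc-lab-sync from 185.220.101.4
2025-05-02T11:02:10Z auth api: Accepted token for svc-cro-export from 203.0.113.25
2025-05-02T11:40:00Z auth sshd: Accepted publickey for bob from 10.20.3.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<service>\w+): "
    r"(?P<outcome>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_canary_use(log_text: str, canaries: dict) -> list:
    """Every authentication attempt against a decoy account is an alert.

    Failed attempts count too: the credential was never valid, so even a failure
    proves someone obtained it from the vendor's copy of the package.
    """
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if not event or event["user"] not in canaries:
            continue
        alerts.append({
            "timestamp": event["ts"],
            "account": event["user"],
            "suspected_source_vendor": canaries[event["user"]],
            "outcome": event["outcome"],
            "service": event["service"],
            "src": event["src"],
        })
    return alerts


def attribute_by_vendor(alerts: list) -> dict:
    """Count hits per vendor to show which vendor's package has leaked."""
    return dict(Counter(a["suspected_source_vendor"] for a in alerts))


if __name__ == "__main__":
    hits = detect_canary_use(SAMPLE_AUTH_LOG, CANARY_ACCOUNTS)
    for hit in hits:
        print(hit)
    print(attribute_by_vendor(hits))
```

Because each vendor receives a different decoy, a hit does not just say “someone has a stolen credential”; it says which vendor relationship to investigate first, which is exactly the gap that third-party breaches otherwise leave open.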
4. Say goodbye to vendors with subpar security
Pharmaceutical companies should move on from third parties with a poor track record on data breaches. In practice, they often don’t: in a SecurityScorecard report, nearly 100% of organisations had an active relationship with at least one vendor that had experienced a breach in the previous two years.
Even if a pharma company tells its customers that the breach happened at a vendor, it is the pharma company’s name that appears in the headlines, with the corresponding impact on sales and reputation.
Strategies for enforcing security mechanisms
Leaders should take third-party attacks more seriously. Proper enforcement mechanisms will help them do so.
Revisit vendor contracts to improve enforcement
Decision-makers should revisit vendor contracts to update the mandatory cybersecurity requirements and the mechanisms for enforcing them. The goal is to require suppliers to maintain cyber liability insurance, comply with relevant industry standards, and follow a clearly defined breach notification timeline, so that accountability is established before an incident and financial losses are contained after one.
The cybersecurity landscape is constantly evolving, so contract terms need regular review to stay current. Contracts should require baseline controls such as the principle of least privilege, strong passwords, and multifactor authentication, and should explicitly prohibit known bad habits such as credential reuse.
Establish third-party risk management programmes
Third-party risk management programmes involve inventorying and categorising vendors based on risk exposure, past history of security incidents, and potential damage if a breach occurs. Risk is not static, so leaders should conduct these evaluations repeatedly – ideally during onboarding and regularly thereafter.
Use evidence to avoid a false sense of security
There is no one-size-fits-all approach, and trying to implement one often results in security gaps. In 2022, nearly half of organisations experienced a cybersecurity incident because of a third party, up 7% year over year. Companies should tailor strategies to specific vendors or roles, prioritising evidence-based evaluation and validation.
This enforcement approach may take more time and effort. However, paying security professionals to handle such things is better than paying millions due to a breach.
Fostering a culture of vigilance-based security
The rise of large, coordinated threat groups signals urgency. Unlike lone hackers looking for a quick payout, cybercriminal organisations will meticulously poke at defences until they find a way in, no matter how much effort it requires. Decision-makers should take action quickly.
Pharmaceutical companies can protect themselves using best practices and robust enforcement mechanisms. Sometimes, improving security will require switching vendors, and a company may have to update its tech stack to do so. Any cybersecurity investment is better than paying to rectify a hacker’s damage.
