Speaking from experience, Evotec shares solutions to cyberattacks
Evotec tells its story of cyberattack and calls for industry cooperation to make the whole ecosystem safer
Evotec has recovered from a cyberattack it suffered this spring and is raising awareness of strategies other companies can take — alone and together — to fortify the biotech ecosystem against future attacks, and make cleanup after an attack as smooth as possible.
Matthias Evers, chief business officer at Evotec SE (Xetra:EVT; NASDAQ:EVO), told BioCentury that the April 6 cyberattack, which came via a “very sophisticated phishing email,” was successful despite the company having a cybersecurity officer and team who actively monitor threats and train employees.
“Obviously, you have to invest in security practices,” he said. “But the ISSO [information system security officer] guidelines are just not enough. You have these large, targeting phishing campaigns and modern malware. You always have the chance that something breaks through. One broke through.”
“If you're working with a company on a protein degradation topic, why not also collaborate with them on computer security?”
Malware entered Evotec’s network in March and almost immediately started moving through it. The company took affected machines offline when this movement was detected, but the malware was nonetheless able to deploy and activate ransomware “on several systems” on April 6.
Evers said Evotec’s management team decided to immediately shut down all the company’s computer systems to protect its data.
That left 5,000 employees unable to communicate by email or instant message with each other or the outside world. “That part of the crisis playbook is not so clear,” said Evers. “We literally started writing down telephone numbers. Everybody got on a WhatsApp list.”
Evers said the company’s recovery efforts included three simultaneous work streams. The first involved gradually moving its employees over to a new corporate internet domain to enable safe communication both within the company and with partners.
The second entailed bringing back access to the company’s science. Evotec decided that patching servers was too risky and instead isolated all of them from the internet prior to scanning, cleaning and sometimes reformatting them one at a time.
“That was a ton of work for many people across the organization,” said Evers, adding that an external cybersecurity forensics team eventually confirmed none of Evotec’s scientific data was affected by the attack.
The third was making its operations even safer and more efficient. “We’re back to working,” Evers said, “but what we’re still doing is taking these servers into a new IT environment” and consolidating old ones that it no longer uses. The company expects to finish moving its operations by year-end.
In the meantime, Evers said Evotec is sharing what it learned.
Four avenues for improved security
First, Evers recommends companies use Evotec’s story and any other first-hand accounts companies are willing to share to breathe new urgency into their cybersecurity training.
“Rather than the random e-mail saying, ‘Hey, be careful about phishing!’, I think now we can share stories and what can happen,” he said. “Stories make the training more real.”
Second, he believes companies could recognize threats earlier if they shared their internet traffic monitoring indicators. “If you're working with a company on a protein degradation topic, why not also collaborate with them on cybersecurity?”
“There are bit sequences that point to certain threats,” Evers said. “What signals are relevant to act on? If we as an industry share more of these indicators, I think we can do even better in recognizing threats earlier.”
Third, he said company IT systems should be designed to resist malware, which typically proliferates in a network days or weeks before targeting human resources and payroll data with ransomware attacks. A company’s scientific data is less likely to be targeted.
Companies should therefore segregate the IT systems used for operations and research, he said. They should also back up their data frequently, scan the backups to avoid inclusion of malware, and protect the backups from infection by disconnecting them from the internet — a practice known as “air gapping.”
“The question is how far do you go,” said Evers. “It's always a trade-off of risk and investment. In a world where you make high-frequency backups of everything and backups are stored in an air gapped way, you could rebuild your company in no time.” But, he said, “I don’t think it’s feasible to do the entire company in that way.”
Companies should therefore consider what their most essential software is and prioritize backups accordingly.
“There are definitely some areas where I want to push us to do something like that,” he said.
Finally, Evers emphasized the importance of a unified organizational response. Comprehensive efforts to build a cyber-resilient organization reach far beyond IT into all departments and should include external cybersecurity specialists as well. “It really takes the proverbial village,” Evers said.
Evotec’s experiences make a strong case for more collaboration in an area that is too often treated as an isolated field. “IT security is not something you can bolt on to your corporate culture. You want to create an atmosphere where people ask questions openly and flag any issues immediately — and for this, you need to remove all stigma from the discussion. When people start helping each other out like that, cybersecurity can be a truly inspiring part of who you are as a company.”
In that sense, he said, cybersecurity can be viewed similarly to sustainability — as a core attribute of a business. “If you bring it to that level, it's not boring.”