
IT security and cybercrime

Sustainability

Galenica ensures that sensitive information and data are protected against unauthorised access and unauthorised changes or loss. IT security is highly relevant to maintaining the confidentiality, integrity and availability of data, avoiding economic losses and minimising risks.


Management of the material topic (GRI 3-3)

With the increasing digitalisation of the healthcare system, the risk of cyberattacks is growing. People are one of the greatest risk factors in connection with cyberattacks, as many cyberattacks target employees, for example by means of fraudulent e-mails (phishing). IT security is of great relevance at Galenica. As a healthcare provider, the company processes sensitive information and data. Galenica ensures that this data is protected against unauthorised access and unauthorised changes or losses in order to safeguard the confidentiality, integrity and availability of data, avoid financial damage and minimise risks. For logistics companies and pharmacies, the protection of IT systems is particularly important in order to ultimately guarantee the security of supply for the population. In addition, IT security contributes to social acceptance and the satisfaction of customers, partners and suppliers, thus strengthening the Swiss healthcare system.

Responsibilities

At Group level, the topic of IT security is coordinated by the Chief Information Security Officer. The responsibilities and organisation of IT security are regularly reviewed and adjusted in line with current requirements. The IT Security Board is responsible for balancing the interests of IT and the individual Business Units and coordinates IT security-relevant topics and measures. These are implemented by the members in their respective areas. The Board is responsible for the IT security strategy and ensures its implementation. The aim of the strategy is to achieve reliable and efficient IT security across the Group. The Board began its work in 2023 and meets quarterly.

Clear guidelines to govern operations

The IT Security Policy defines the objectives relating to information and IT security, the competencies and responsibilities as well as the IT security principles of the Galenica Group. The Policy applies to all companies of the Galenica Group and forms the basis for all written IT security instructions. In addition, the IT Usage Regulations set out the security-related rules of conduct for using IT work equipment, such as the use of private devices, working on the move and working from home. Finally, the IT Security Manual is aimed at employees in the IT departments and lays down the regulations for secure IT operations.

Raising employee awareness

The cooperation of all employees is required to ensure information and IT security. In addition to technical measures, Galenica also promotes awareness of security among employees by means of specific e-learning modules and intranet news. New employees are made aware of the key elements of the IT user regulations on their induction day. Galenica regularly runs e-learning courses on data security and dealing with phishing and cyberattacks. In addition, information on cybercrime is regularly published on the intranet for employees.

Objective IT security

| Goal | Status | Target year | Measurement parameter | 2024 | 2023 |
| --- | --- | --- | --- | --- | --- |
| Several times per year, we make our employees aware of IT security and cybercrime. | | Every year | Number of measures | 11 | 6 |

↗  Realistic
→ Partially delayed/critical
↘  Critical
=  Achieved
×  Not achieved

In the reporting year, various e-learning courses were offered related to IT security and cybercrime. These were supplemented by several phishing campaigns in order to test and sharpen employees’ awareness in a targeted manner. Voluntary training courses are also offered on the training platform to further support the learning initiatives.

Evaluation of the management approach and measures

  • Security audit: The IT Security Policy and its implementation are continually reviewed by internal departments or external specialists to ensure they are up to date and effective.
  • Monitoring: The security monitoring system monitors all IT systems and triggers an alarm in the event of anomalies. This is performed by an external Security Operation Center (SOC).
  • E-learning: E-learning modules on the topics of data and cybersecurity are planned and carried out on a regular basis.
  • Phishing campaigns: We regularly conduct phishing campaigns to raise awareness among employees in a targeted and specific manner.