International Clinical Trials, Spring 2016

Under Wraps

The high value of new formulations and breakthroughs makes research data incredibly valuable both to other organisations and the global black market, leaving it under constant threat from thieves. In the digital age, the phrase ‘data theft’ usually prompts an image of anonymous hackers breaking into the company remotely; but in reality, firms should be looking for threats closer to home.

Internal Danger


While external hackers will continue to be a threat – especially as international gangs continue to adopt the latest technology – it is opportunist thieves within the organisation itself that are much more difficult to identify or prevent.

This is best illustrated by a recent incident in which a group of five people, including two insiders, were indicted in Philadelphia for attempting to steal trade secrets from leading British pharma company GlaxoSmithKline. The group – which included a senior researcher – managed to steal information on drugs for cancer and other serious diseases, which was estimated to be worth millions of dollars if resold to rival companies. It was also found that they had established a new business that could have been fuelled by those secrets.

The involvement of a senior researcher in the plot is particularly telling, as it highlights a growing trend in data theft. Recent research from PricewaterhouseCoopers revealed that half of all instances of company fraud were committed by staff aged over 40, and the proportion committed by staff aged over 50 went up from only 6% to 18% in just two years. Senior staff usually have unrestricted access to their organisation’s entire network, enabling them to copy top-secret information with impunity. The value of intellectual property (IP), along with other data such as financials or customer information, represents a huge temptation for unscrupulous employees.

Almost every industry is vulnerable to this threat – for instance, insider data theft cost the Bank of America more than $10 million in 2011, after an employee passed on customer records to a fraud ring. The gang used the data to commit identity theft against hundreds of people, costing one victim as much as $20,000.

However, the enormous value of pharmaceutical research and other IP means that sector is one of the most vulnerable to this kind of activity. A recent report from the UK government also highlighted IP theft as the most damaging aspect of cybercrime for UK businesses, causing losses of more than £9.2 billion every year.

Who are the Rogues?

The reasons for employees to go rogue and steal IP from their own organisation are many – and varied. It may be a case of corporate espionage in collusion with a rival, or an opportunistic attempt to go it alone or get rich quickly, as seems to have been the case with the GlaxoSmithKline group. Criminal gangs are also increasingly approaching employees directly, for example using extortion or blackmail to force them to steal data for them. It was also recently alleged that thieves were approaching Apple employees with upwards of $23,000 in exchange for their login information.

With both external and internal forces ranged against them, companies may feel they are facing a losing battle to protect their IP. However, the risk of theft can be drastically reduced with a few effective security measures in how data is managed and accessed.

Financial Penalties

If the potentially ruinous cost of a major data theft incident is not enough motivation, firms are also facing much tougher sanctions from the EU. The upcoming EU General Data Protection Regulation (GDPR) has been created to implement stronger, more unified rules for how companies are expected to protect data. The legislation is especially focused on protecting the rights and privacy of individuals whose personal details are held by organisations. While not as vulnerable as sectors such as finance and retail, which hold larger customer databases, companies that undertake clinical trials could fall foul of the new regulations if research sets containing personal data are stolen.

The GDPR currently plans to punish businesses that are found not to have done enough to prevent data breaches, with fines of up to €20 million – or as much as 4% of global turnover. The size of these fines means that any company which handles personal data in its clinical trials must be able to account for its safety, no matter how slight the chance of theft may seem.

Restricting Access

To begin with, the best practice should always be for users to only access as much information as they need for their job – the fewer people that can access sensitive data, the less likely it is to be accidentally leaked.

Surprisingly, even large organisations break this golden rule and tend to give users full admin access by default, because the process of selecting specific access areas can be time-consuming. This is exacerbated by the way the native Windows Active Directory System operates. This ungainly system turns assigning access rights for each new user into a slow chore, and also makes it difficult to gain an overview of the existing access rights that each employee has.

This means many companies have little idea about what information their staff can access, and rarely rescind access once granted – even when someone has left. This problem is greatly increased when large numbers of staff join at once, either full-time as the result of a project or merger, or as temps. Indeed, temp workers that require network access are a risk that few companies fully consider. Just as with full-time workers, temps are often granted access to the entire network by default, including potentially sensitive information like payroll or IP. In fact, research by Avecto and Curve IT found that 72% of temporary workers are given full administrative rights.
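The kind of overview described above can be produced by comparing an export of access grants against the HR roster. The following is an added example, not part of the original article; the account names, resources and role policy are constructed for illustration.

```python
from datetime import date

# Constructed sample data: HR roster and an export of access grants.
ROSTER = {
    "asmith": {"type": "employee", "role": "researcher", "left": None},
    "bjones": {"type": "employee", "role": "researcher", "left": date(2016, 1, 15)},
    "temp07": {"type": "temp", "role": "data-entry", "left": None},
    "cwhite": {"type": "employee", "role": "finance", "left": None},
}
GRANTS = [  # (account, resource, right)
    ("asmith", "research-share", "modify"),
    ("bjones", "research-share", "modify"),
    ("temp07", "trial-forms-share", "modify"),
    ("temp07", "Domain Admins", "member"),
    ("cwhite", "payroll-share", "read"),
    ("cwhite", "research-share", "read"),
    ("ghost1", "payroll-share", "read"),
]
# Assumed policy: the resources each role needs to do its job.
ROLE_NEEDS = {
    "researcher": {"research-share"},
    "data-entry": {"trial-forms-share"},
    "finance": {"payroll-share"},
}

def review(roster, grants, role_needs, today):
    """Return (account, resource, reason) for every grant that should be rescinded."""
    findings = []
    for account, resource, _right in grants:
        person = roster.get(account)
        if person is None:
            # Account exists on the network but nobody in HR owns it.
            findings.append((account, resource, "no owner in HR roster"))
        elif person["left"] is not None and person["left"] <= today:
            # Access was never rescinded after the person left.
            findings.append((account, resource, "owner has left"))
        elif resource not in role_needs.get(person["role"], set()):
            # Grant exceeds what the role needs; call out temps separately.
            reason = ("temp with excess rights" if person["type"] == "temp"
                      else "not needed for role")
            findings.append((account, resource, reason))
    return findings

if __name__ == "__main__":
    for finding in review(ROSTER, GRANTS, ROLE_NEEDS, date(2016, 3, 1)):
        print(finding)
```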

Keeping Tabs

Hacking incidents that see large amounts of consumer data stolen are among the most publicly embarrassing and damaging data breaches a company can suffer, but the theft of IP tends to be much more low-key, and may not be discovered for years. Indeed, if a worker is abusing their position to steal secrets and there are no measures in place to detect them, they may get away with their crime completely undetected.

For the most valuable and important data, organisations can go beyond controlling access rights and install systems to alert them whenever certain data is requested under any circumstance, or sound the alarm when the files are accessed at odd times or locations.
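The alerting described above can be expressed as a small rule set run over file-access events. This is an added example, not part of the original article; the events, paths, working hours and usual locations are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events: (timestamp, user, source location, file path).
EVENTS = [
    ("2016-03-01T10:12:00", "asmith", "London", "/research/oncology/assay-results.xlsx"),
    ("2016-03-01T23:47:00", "asmith", "London", "/research/oncology/assay-results.xlsx"),
    ("2016-03-02T11:05:00", "asmith", "Unknown-VPN", "/research/oncology/protocol.docx"),
    ("2016-03-02T14:30:00", "cwhite", "London", "/finance/q1-forecast.xlsx"),
    ("2016-03-03T09:40:00", "asmith", "London", "/research/oncology/compound-formula.pdf"),
]
# Assumed policy values, chosen for illustration.
SENSITIVE_PREFIXES = ("/research/",)                        # monitored for odd time/place
ALWAYS_ALERT = {"/research/oncology/compound-formula.pdf"}  # alert on any request
USUAL_LOCATIONS = {"asmith": {"London"}, "cwhite": {"London"}}
WORK_HOURS = range(7, 20)                                   # 07:00 to 19:59, Mon to Fri

def detect(events):
    """Return (timestamp, user, path, reasons) for each event that should alert."""
    alerts = []
    for stamp, user, location, path in events:
        when = datetime.fromisoformat(stamp)
        reasons = []
        if path in ALWAYS_ALERT:
            reasons.append("watch-listed file")
        if path.startswith(SENSITIVE_PREFIXES):
            if when.hour not in WORK_HOURS or when.weekday() >= 5:
                reasons.append("odd time")
            if location not in USUAL_LOCATIONS.get(user, set()):
                reasons.append("unusual location")
        if reasons:
            alerts.append((stamp, user, path, reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```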

While it may feel uncomfortable to be mistrustful of employees, the fact that one of those charged with the GlaxoSmithKline conspiracy is a senior researcher trusted with access to top-secret research demonstrates that organisations cannot be too cautious, even with their most senior staff.

Alongside internal technology and policy, companies should go the extra mile when it comes to vetting staff, and should continually keep an eye out for signs that something may be amiss. In the GlaxoSmithKline case, three of the accused had set up a company in China with the apparent intent to use it to sell on the stolen data – something that could have been picked up earlier.

Make or Break

Although such strict access control and staff monitoring may seem draconian, engaging with employees on their importance will prevent them from feeling alienated or mistrusted. Implementing new technology and policy, as well as running an effective employee education programme, can make an airtight data protection strategy a large undertaking – but this is a small price to pay for the prevention of the theft of research data that could make or break a company.

Jens Puhle is the UK Managing Director for 8MAN – a provider of access rights management technology designed to protect company data from unauthorised access, with offices in London, UK, and Berlin, Germany. He specialises in access rights management security, cyber security, aggressive business development and public speaking. Since joining 8MAN as Global Head of Sales in 2014 in Berlin, Jens has successfully built up the international business with a licence revenue increase of 35%.
©2000-2011 Samedan Ltd.