International Clinical Trials
The high value of new formulations and breakthroughs makes research data
incredibly valuable both to other organisations and the global black
market, leaving it under constant threat from thieves. In the digital
age, the phrase ‘data theft’ usually prompts an image of anonymous
hackers breaking into the company remotely; but in reality, firms should
be looking for threats closer to home.
Internal Danger
While external hackers will continue to be a threat – especially as
international gangs continue to adopt the latest technology – it is
opportunist thieves within the organisation itself that are much more
difficult to identify or prevent.

This is best illustrated by a recent incident in which a group of five
people, including two insiders,
were indicted in Philadelphia for attempting to steal trade secrets
from leading British pharma company GlaxoSmithKline. The group – which
included a senior researcher – managed to steal information on drugs for
cancer and other serious diseases, which was estimated to be worth
millions of dollars if resold to rival companies. It was also found that
they had established a new business that could have been fuelled by
those secrets.

The involvement of a senior researcher in the plot is particularly
telling, as it highlights a growing trend in data theft. Recent research
from PricewaterhouseCoopers revealed that half of all instances of
company fraud were committed by staff aged over 40, and the proportion
committed by staff aged over 50 went up from only 6% to 18% in just two
years. Senior staff usually have unrestricted access to their
organisation’s entire network, enabling them to copy top-secret
information with impunity. The value of intellectual property (IP),
along with other data such as financials or customer information,
represents a huge temptation for unscrupulous employees.

Almost every industry is vulnerable to this threat – for instance,
insider data theft cost the Bank of America more than $10 million in
2011, after an employee passed on customer records to a fraud ring. The
gang used the data to commit identity theft against hundreds of people,
costing one victim as much as $20,000.

However, the enormous value of pharmaceutical research and other IP
means that sector is one of the
most vulnerable to this kind of activity. A recent report from the UK
government also highlighted IP theft as the most damaging aspect of
cybercrime for UK businesses, causing losses of more than £9.2 billion
every year.
Who are the Rogues?
The reasons for employees to go rogue and steal IP from their own
organisation are many and varied. It may be a case of corporate
espionage in collusion with a
rival, or an opportunistic attempt to go it alone or get rich quickly,
as seems to have been the case with the GlaxoSmithKline group. Criminal
gangs are also increasingly approaching employees directly, for example
using extortion or blackmail to force them to steal data for them. It
was also recently alleged that thieves were approaching Apple employees
with upwards of $23,000 in exchange for their login information.

With both external and internal forces ranged against them, companies may
feel they are facing a losing battle to protect their IP. However, the
risk of theft can be drastically reduced with a few effective security
measures in how data is managed and accessed.
Financial Penalties
If the potentially ruinous cost of a major data theft incident is not
enough motivation, firms are also facing much tougher sanctions from the
EU. The upcoming EU General Data Protection Regulation (GDPR) has been
created to implement stronger, more unified rules for how companies are
expected to protect data. The legislation is especially focused on
protecting the rights and privacy of individuals whose personal details
are held by organisations. While not as vulnerable as sectors such as
finance and retail, which hold larger customer databases, companies that
undertake clinical trials could fall foul of the new regulations if
research sets containing personal data are stolen.

The GDPR currently plans to punish businesses that have been found not
to have done enough to prevent data breaches, with fines of up to €20
million – or as much as 4% of global turnover. The size of these fines
means that any company which handles personal data in its clinical
trials must be able to account for its safety, no matter how slight the
chance of theft may seem.
Restricting Access
To begin with, the best practice should always be for users to only
access as much information
as they need for their job – the fewer people that can access sensitive
data, the less likely it is to be accidentally leaked.

Surprisingly, even large organisations break this golden rule and tend
to give users full admin access by default, because the process of
selecting specific access areas can be time-consuming. This is
exacerbated by the way the native Windows Active Directory System
operates. This ungainly system turns assigning access rights for each
new user into a slow chore, and also makes it difficult to gain an
overview of the existing access rights that each employee has.

This means many companies have little idea about what information their
staff can access, and rarely
rescind access once granted – even when someone has left. This problem
is greatly increased when large numbers of staff join at once, either
full-time as the result of a project or merger, or as temps. Indeed,
temp workers that require network access are a risk that few companies
fully consider. Just as with full-time workers, temps are often granted
access to the entire network by default, including potentially sensitive
information like payroll or IP. In fact, research by Avecto and Curve
IT found that 72% of temporary workers are given full administrative
rights.
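
The review this section says is rarely done, sketched as an added example that is not part of the original article: it flags leavers whose accounts are still enabled and temps holding admin or sensitive groups. The export format, column names, user names and group names are all constructed assumptions.

```python
import csv
import io

# Constructed sample export (hypothetical column names); a real one would
# be assembled from the directory service and the HR system.
ACCOUNTS_CSV = """user,employment,hr_status,enabled,groups
a.jones,permanent,active,yes,Research-Oncology;Staff
b.patel,temp,active,yes,Domain Admins;Staff
c.meyer,permanent,left,yes,Research-Oncology;Payroll
d.okoro,temp,active,yes,Staff
e.silva,permanent,left,no,Staff
"""

ADMIN_GROUPS = {"Domain Admins"}                     # assumed admin-level groups
SENSITIVE_GROUPS = {"Research-Oncology", "Payroll"}  # assumed IP / payroll access

def review_access(csv_text):
    """Return a sorted list of (user, finding) pairs for accounts needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups = {g.strip() for g in row["groups"].split(";") if g.strip()}
        if row["enabled"].strip().lower() != "yes":
            continue  # a disabled account cannot be used to read data
        if row["hr_status"] == "left":
            # Access was never rescinded after the person left.
            findings.append((row["user"], "leaver account still enabled"))
            for g in sorted(groups & SENSITIVE_GROUPS):
                findings.append((row["user"], f"leaver retains access to {g}"))
        if row["employment"] == "temp":
            # Temps should not hold admin rights or sensitive data by default.
            for g in sorted(groups & (ADMIN_GROUPS | SENSITIVE_GROUPS)):
                findings.append((row["user"], f"temp holds {g}"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS_CSV):
        print(f"{user}: {finding}")
```
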
Keeping Tabs
Hacking incidents that see large amounts of consumer data stolen are one
of the most publicly
embarrassing and damaging data breaches a company can suffer, but the
theft of IP tends to be much more low-key, and may not be discovered for
years. Indeed, if a worker is abusing their position to steal secrets
and there are no measures in place to detect them, they may get away
with their crime completely undetected.

For the most valuable and important data, organisations can go beyond
controlling access
rights and install systems to alert them whenever certain data is
requested under any circumstance, or sound the alarm when the files are
accessed at odd times or locations.
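
The alerting described above, as an added example that is not from the original article: it raises an alert for any request of a watch-listed file and for sensitive files opened at odd times or from an unusual location. The log format, paths, user names, working hours and site names are constructed assumptions.

```python
from datetime import datetime

# Constructed file-access audit records: timestamp, user, site, path.
LOG_LINES = """\
2016-03-01T10:15:00 a.jones HQ /research/oncology/assay-results.xlsx
2016-03-01T23:42:00 c.meyer HQ /research/oncology/compound-42.pdf
2016-03-02T14:05:00 c.meyer remote-vpn /research/oncology/compound-42.pdf
2016-03-02T09:30:00 d.okoro HQ /shared/canteen-menu.docx
2016-03-05T11:00:00 a.jones HQ /research/oncology/assay-results.xlsx
""".splitlines()

SENSITIVE_PREFIX = "/research/"                          # assumed location of IP
ALWAYS_ALERT = {"/research/oncology/compound-42.pdf"}    # alert on every request
WORK_HOURS = range(7, 19)                                # assumed 07:00-18:59
USUAL_SITES = {"a.jones": {"HQ"}, "c.meyer": {"HQ"}, "d.okoro": {"HQ"}}

def alerts_for(lines):
    """Return (timestamp, user, path, reasons) for each access worth reviewing."""
    alerts = []
    for line in lines:
        # maxsplit keeps paths that contain spaces in one piece.
        ts_text, user, site, path = line.split(maxsplit=3)
        if not path.startswith(SENSITIVE_PREFIX):
            continue
        ts = datetime.fromisoformat(ts_text)
        reasons = []
        if path in ALWAYS_ALERT:
            reasons.append("watch-listed file")
        if ts.hour not in WORK_HOURS or ts.weekday() >= 5:  # 5, 6 = weekend
            reasons.append("odd time")
        if site not in USUAL_SITES.get(user, set()):
            reasons.append("odd location")
        if reasons:
            alerts.append((ts_text, user, path, reasons))
    return alerts

if __name__ == "__main__":
    for ts_text, user, path, reasons in alerts_for(LOG_LINES):
        print(f"{ts_text} {user} {path}: {', '.join(reasons)}")
```
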

While it may feel uncomfortable to be mistrustful of employees, the fact
that one of those charged with the GlaxoSmithKline conspiracy is a
senior researcher trusted with access to top secret research
demonstrates that organisations cannot be too cautious, even with their
most senior staff.

Alongside internal technology and policy, companies should go
the extra mile when it comes to vetting staff, and should continually
keep an eye out for signs that something may be amiss. In the
GlaxoSmithKline case, three of the accused had set up a company in China
with the apparent intent to use it to sell on the stolen data –
something that could have been picked up earlier.
Make or Break
Although such strict access control and staff monitoring may seem
draconian, engaging with employees on their importance will prevent them
from feeling alienated or mistrusted. Implementing new technology and
policy, as well as running effective employee education, can make an
airtight data protection strategy a large undertaking – but this is a
small price to pay for the prevention of the theft of research data that
could make or break a company.