By Joe Payne, CEO and President, Code42
LinkedIn: Joe Payne
X: @code42
Few industries place as much value on their intellectual property (IP) as the life sciences sector. On average, it takes an estimated $2.3 billion investment and between 10 and 15 years for these organizations to bring a product to market. In 2020, the U.S. biopharmaceutical industry spent $122 billion on R&D.
With billions of dollars at stake and under constant pressure to be first to market with a groundbreaking treatment, it’s no wonder that protecting IP has become a board-level concern for life sciences companies. And when IP is lost, it’s not long before it becomes headline news.
Look no further than the recent experience of the pharmaceutical giant Pfizer. In late 2021, the company brought a high-profile lawsuit against a longtime employee for allegedly stealing “scores” of confidential documents, including some related to its COVID-19 vaccine, as she prepared to jump ship to a competitor. The lawsuit claims the employee breached her confidentiality agreement by uploading over 12,000 proprietary files to her personal accounts and devices from her company-issued laptop.
Such incidents illuminate the glaring vulnerability that life sciences companies face, even those with robust data protection controls in place. While it’s standard practice for most organizations to swiftly revoke network access and mandate the return of official devices upon an employee’s exit, some troubling blind spots remain. A staggering 63% of people admit to taking data when they leave a role, with the intent to use that data at their next organization.
The IP Risk Paradox
The 2023 Life Sciences Data Exposure Report highlights a paradox unique to the life sciences sector. At first glance, the industry seems to be taking strong measures to counteract insider threats, with nearly half (48%) of CISOs stating that they have adequate support from leadership on Insider Risk – a much greater figure than other industries. This shows an industry-wide understanding of the potential dangers posed by insiders and a concerted effort to address them.
However, 70% of those same respondents struggle to identify data loss from insiders consistently. Here, we can see a disconnect between the proactive establishment of Insider Risk programs and their actual efficacy in the real world. This paradox suggests that even with a defined strategy in place, underlying complexities continue to evade security teams. A modern approach with correspondingly new technology is required to address these industry shortcomings.
Consider the evolving nature of work and how modern enterprises leverage new technologies. Cloud storage systems, for instance, were designed to make it dead simple to regularly back up important files. But those systems also make it that much easier for data to be intentionally exfiltrated or accidentally leaked. The same is true of collaboration platforms like Slack or Teams. Sure, you can lock these systems down to safeguard your IP, but then you risk impeding the collaborative spirit that fuels innovation.
This raises the question: How do you protect your most valuable IP without cultivating a workplace culture driven by fear and distrust?
Every successful Insider Risk program – regardless of the industry or the sensitivity of the IP in question – has one thing in common: it both appreciates and accounts for the human element. This is foundational to minimizing Insider Risk. While systems, tools, and protocols play a significant role in an organization’s security framework, it is ultimately people who interact with, manage, and control access to sensitive data. Consider the following four human-centric principles for protecting your most valuable IP assets:
Broaden Your Scope: Traditionally, cybersecurity professionals have focused solely on external threats – think hackers or nation states. Protecting from these threats is critical, but strategies that only account for external threats are missing a vital piece of the puzzle. One in three data breaches involves insiders, and when these employees and contractors take IP they created, they know how to use it. Case in point, insider-driven data exposure, loss, leak, and theft events could cost companies $16 million per incident, on average. Without a holistic view that accounts for the full landscape of risk, both external and internal, security and risk programs miss a crucial vector of vulnerability.
All Data Matters: Many organizations attempt to identify “the data that matters” and only focus on protecting that specific data, but in today’s world, we have learned that all data matters. Every department and every employee has some form of critical information that could be used by competitors to gain advantage. A few years ago, Tesla discovered that its recruiters had taken data with them when they left Tesla to work for a competitor. Many security teams might label recruiters as not having critical IP. But when those recruiters were able to recruit away some key Tesla people because they had all the salary and performance data, they created a competitive advantage for their new organization. Finance people have plans. Salespeople have customer information and pipelines. Developers have source code. Recruiters have payroll data. Everyone has data that matters. An approach that focuses only on some data is flawed.
Don’t Just Train, Educate: While training users on proper data protection protocols is clearly essential, it’s just as important to educate them on what constitutes IP and, ideally, to do so in real time. When employees are presented with specific, targeted content – such as a video – immediately following a particular action they’ve taken, they are significantly more receptive to its message. For instance, upon resigning, an employee might receive a tailored reminder detailing the company’s IP and the associated guidelines. Such a prompt serves as a timely nudge, clarifying what information or data they cannot take with them. This real-time approach not only reinforces the importance of safeguarding IP but also empowers employees to make better decisions.
Investigate with Empathy: When IP is compromised, a rapid and effective investigative response is required. That said, it’s essential to distinguish between the approach we take when investigating insiders and the one we take with external threat actors. Treating insiders with the same suspicion as you would a hacker is both ineffective and counterproductive. Instead, investigations of insiders should strive to take an empathetic approach that fosters trust and offers deeper insights into why a policy was disregarded. By working to truly understand the motivations and challenges faced by employees, security teams are better positioned to give them the support and training they need. Furthermore, this method offers a dual benefit: it reinforces safe practices among employees and simultaneously provides valuable feedback on areas where existing security protocols might need to be recalibrated.
For the life sciences industry, Insider Risk represents both an existential threat to business and an opportunity to refine and strengthen security posture. While it’s impossible to eliminate this risk completely, teams can take steps now to mitigate its impact through proactive strategies that foster a culture of trust and awareness.