17 June, 2014 by Jim King, Senior VP of Technical Support & Infrastructure, MasterControl Inc.
Due to the ever-rising position of information as a valuable commodity, organizations must take steps to protect their data. For pharma and life sciences companies, the question is not if their digital data will be compromised, but when. Here are three common security mistakes made by enterprises and ways to avoid those mistakes by focusing on employee behavior.
Pharmaceutical and life sciences companies have become highly attractive targets of cyber-attacks, due to the high revenues and substantial costs involved in original research and development (R&D). In 2013, pharma companies reported an increase in data loss as a result of security incidents, according to PricewaterhouseCoopers’ (PwC) Global State of Information Security Survey 2014.
However, these companies are threatened not only by outside parties intent on stealing commercially sensitive information – from confidential patient data and intellectual property to financial information and trade secrets – but also by employees who inadvertently create an opening – clicking on links they shouldn’t or sending sensitive files by email to recipients they shouldn’t.
Considering the high stakes of loss, theft or interception of sensitive business data, information security deserves full attention throughout pharma and life sciences companies. Despite the increased vulnerabilities, however, many organizations underestimate the threat and therefore remain passive about bolstering cybersecurity, or at least content with their conventional approach to security, which for many is fast becoming insufficient.
More than half (57 percent) of pharma and life sciences CEOs are not concerned that cyber threats – including lack of data security – could threaten growth in their highly regulated industry, according to a separate PwC study, published earlier this year. Although approximately 79 percent of pharma and life sciences CEOs surveyed believe there’s a need to change strategies in that regard, less than one-quarter (23 percent) have already started.
Especially as information security risks evolve in sophistication and escalate in frequency, the complexity and variety of cybersecurity can be daunting. However, focusing on employee behavior is a relatively cost-efficient way to at least minimize common and costly gaps in enterprise security.
The following are three of the most common security mistakes routinely made by enterprises, as well as ways to avoid those mistakes by focusing on the organization’s people.
Mistake No. 1: Not Educating Staff and Reinforcing Training on Security Measures
In PwC’s findings, most pharma executives and directors of information technology (IT) and security cited insiders – particularly current and former employees – as a source of security incidents. This is why it is crucial for organizations to regularly train new hires in how to avoid exposing the company to infection, and to frequently reinforce that training.
To that end, new and long-standing employees alike should receive an ongoing mix of formal training – fully immersive seminars and workshops on rules for maintaining secure passwords, for example – and informal education – such as weekly emails that keep employees up to date on the latest phishing scams, malware campaigns and other cyber threats.
Ultimately, to minimize security breaches through human error, all workers must understand the business risks of the information assets they touch every day, the value of protecting customer and colleague information, and their role in keeping it safe.
That said, because many employees view mandatory training programs as easily dismissible, it’s a good idea for organizations to put enterprise security in personal terms for employees, as a way to benefit employees in other areas of their lives outside of work. In other words, companies should relate the objective of the training to the needs of both the organization’s cybersecurity and employees’ at-home cybersecurity.
Mistake No. 2: Not Incorporating a Security Policy and Controls throughout the Organization
Life sciences companies must incorporate a security policy and appropriate controls to ensure that the policy is being followed as intended. It’s important to distinguish a policy from controls: a security policy is essentially a document outlining the organization’s strategy for how it will implement company-wide information security principles and technologies; and controls are the appropriate technological mechanisms that stop unwanted access and behavior.
Certainly, companies should audit their technological controls against the applicable security policies, as many security problems are hidden and only revealed through regular auditing of procedures and protocols. Beyond testing tech controls (twice annually), however, companies should also test employee behaviors frequently.
Many managers assume that just because the rules have been documented in a security policy, all employees will suddenly know about them, understand them and adhere to them. While it is crucial that employees are trained to know the security policies expected of them, it is just as important that the organization have mechanisms in place for testing whether employees’ security training is effective.
For instance, vulnerability assessments can help determine whether employees are learning their security lessons and complying with policies. Among simple ways to test behavior-based vulnerabilities: the IT team may look around for Post-it notes with computer passwords lying on workers’ desks; or simulate phishing scams to extract passwords from employees. The insights gleaned from such assessments can then be integrated into evaluations of the organization’s security training moving forward.
Mistake No. 3: Not Holding Users with Privileged Access to the Same Security Standards
The reality is that vulnerabilities are very often created by the very employees who are on the front lines of an enterprise’s security defense, when they should know better. IT and technical teams consist of employees with special access and are therefore more likely to misuse entrusted organizational resources or privileges. This often occurs when policies are not clearly defined and enforced across the board.
That is why users with privileged access, including IT and technical staff, must be held to the same security standards as the rest of the organization’s employees. Just as all new employees should receive IT awareness training as part of their orientation, IT and technical staff should also have the knowledge and tools required to understand how to make good judgments online and within internal networks and systems.
To reinforce all employees’ understanding of their roles and responsibilities in safeguarding sensitive data and protecting company resources, it is important that the organization has a security strategy in place that:
- Cultivates a culture of cyber awareness/security that starts with commitment of top executives and cascades to all employees;
- Adopts a security framework, such as ISO 27001, to wrap procedures and controls around; and
- Proactively addresses security gaps, as many security problems are hidden and only revealed through regular auditing of protocols and procedures.
Incorporating a security policy and controls while enforcing user training throughout the organization can only accomplish so much. More than companies in many other verticals, life sciences companies (pharma, medical devices, etc.) have many more compliance rules around what they do with data, including the U.S. Food and Drug Administration’s 21 CFR 11. That is why a layered, defense-in-depth approach to information security – one that focuses on both employee behavior and automated security solutions – works best.
Jim King is senior vice president of technical support and infrastructure for MasterControl and has more than 18 years of experience in technology, software development and staff management. He has held numerous leadership roles in technology management and has assembled an extensive track record of building successful technology and support teams in the life sciences, retail and service provider fields. Prior to joining MasterControl, King served as CIO/CTO of NexTalk and as CTO of Nelson Laboratories. He is a founding member of the Information Systems Security Association’s (ISSA) Utah chapter, a longstanding member of InfraGard and a member of the Association for Information Management (AIM). King earned a certificate in criminology from the University of Utah and a bachelor’s in business administration with a specialization in IT management from American Military University, and he is a graduate of the FBI Citizens Academy. He may be reached at firstname.lastname@example.org.