New Research: Life Sciences Organizations are Ahead of the Curve, but Vulnerabilities Persist
Blog Article Published: 07/21/2023
Originally published by Code42.
Written by Clea Ostendorf.
From HIPAA regulations, to lost business opportunities, to stolen IP and trade secrets, organizations in the Life Sciences sector stand to lose a great deal to Insider Risk. Though all sectors are faced with the threat of data loss from insiders, those in the Life Sciences – medical device manufacturers, biotech, and pharma companies – are tasked with protecting massive amounts of both proprietary and sensitive data.
Without the proper resources, training, or overall structure in place, those in the Life Sciences leave themselves vulnerable to a potentially devastating extent of data loss. Take it from companies like AstraZeneca partner FibroGen, who filed a lawsuit against two former employees who allegedly used proprietary information to kickstart their own biotech company, or from Johnson & Johnson, whose ex-employees stole trade secrets and gave them to their new employer – a direct competitor. A lack of planning and investment in Insider Risk can be costly.
Annual Data Exposure Report 2023: Life Sciences Sector
The results of this year’s Annual Data Exposure Report offered compelling revelations about the state of Insider Risk Management (IRM) for the Life Sciences sector, which includes biotech, biopharma, biomedical engineering, and the pharmaceutical industry. Particularly, the report offers insight into the barriers faced by these organizations in establishing and fostering strong IRM programs – a crucial effort given the need for these organizations to protect their valuable IP.
Of chief interest, results show that while this industry is already ahead of the curve in protecting against Insider Risk, gaps in security remain: though 78% of Life Sciences CISOs state that they have a program dedicated to Insider Risk or threats, 70% of respondents say that it is difficult to detect data loss from insiders within their company.
The information organizations are working so hard to protect? Life Sciences industry respondents mark their top three most valuable data types as research data (69%), product roadmaps (60%), and source code (52%). Source code particularly poses a challenge, as 87% of respondents say they need more visibility over source code sent to repositories.
Why does this sector experience fewer insider incidents?
In short, organizations in biotech, biopharma, and biomedical engineering have more support from leadership. 24-28% of those in industries like energy, oil and gas, and business and professional services report adequate leadership support for Insider Risk Management, compared to almost half of those in the Life Sciences (48%). Further, for those respondents who do not yet have a program dedicated to IRM, 80% say that their company plans to implement an IRM program within the next 12 months.
Even though we’re seeing positive traction for the Life Sciences, it’s important to note that being ahead of the curve doesn’t mean full protection. Though these organizations report about 28-47% fewer insider-driven incidents per month than other industries, at 20 events per month, that’s still almost an incident a day – a number that’s far too high when it comes to the decades of research, investment, and proprietary information that stand to be lost by the bioengineering vertical.
Thinking beyond tech
How can companies in this industry close the gaps in their IRM strategy? With all of the resources often dedicated to finding the perfect tech – or the perfect combination of tech tools – the issue of people and culture is often overlooked. The large majority (86%) of respondents in the Life Sciences feel that improvements are needed in data security training at their company. Fostering a culture of transparency and security awareness distributes the burden of Insider Risk from overworked security teams to every employee. Empowered with just-in-time training that’s empathetic and personalized, employees are able to meaningfully join security leaders in protecting vital information.
What organizations can do right now
The issue with a cultural solution is that it doesn’t happen overnight. Contrary to the finite progress of deploying a new technology, building a security-aware culture takes time and is always evolving. Given that, there are steps that organizations in the Life Sciences can take immediately to improve their security posture. These include protecting trial data from leaking to competitors who could go to market first; getting to market quickly and securely; and staying compliant while maintaining full visibility into where they are most exposed.
See all the insights from the 2023 Data Exposure Report: Life Sciences Sector
This is only a glimpse of the full findings from this year’s report tailored to the Life Sciences. While this sector stands tall above others in terms of IRM strategy, vulnerabilities remain that could easily cripple the progress of these organizations. Take a look at the full report to gain further insight into how Life Sciences businesses can partner culture with tech to close the gaps within their IRM programs.
About the Author
Clea Ostendorf, CISSP, has been in the IT space for the last 10 years holding roles from IT recruiting to product manager. At Code42, Clea helps organizations develop Insider Risk programs through workshops, technical deployment, and strategic dialogs. Clea believes you should never stop learning and find ways to approach problems from the human element.