It is imperative to “keep current with technical and non-technical trends as part of your periodic review and sustainment efforts” for your data protection controls, according to the May 2020 report Health Industry Cybersecurity Protection of Innovation Capital (HIC-PIC). Because of the nature of innovation capital in the pharma and health sectors, these sectors are currently prime targets for cybercrime of all types. Pharma is especially vulnerable to malicious insiders, while healthcare in general sees the highest percentage of accidental insider threats. While this 80-page report focuses on the healthcare sector, its guidelines will help a broad range of industries.
The sharing of expertise across multiple disciplines can proactively reduce risk and can limit negative outcomes by establishing clear remediation guidelines. Your organization's success in protecting its innovation capital depends on three types of experts who rarely cross paths in a typical business day. Leaders need to encourage communication between their security leaders and their legal and HR teams.
This triad needs formalized communication, a continuous review of security policy that reprioritizes what data the organization needs to protect, and an assessment process against which to measure progress. Protection strategies must be approached from several dimensions, including legal, employee privacy and operations.
Talk to a Lawyer
As a review of civil cases regarding IP theft shows, most settle out of court, but there is definitely an opportunity to reduce the burden of revealing sensitive information during a public trial. All indicators point to the benefits of information security professionals choosing to “spend time with their legal colleagues when establishing and evaluating data protection programs.” The guidance that legal professionals provide will help establish the prerequisites to support legal procedures if required. Collecting the right information, in the right way, can ensure that the company is protected and that it can take appropriate action against individuals who have compromised company information.
The report outlines in detail the nature of trade secrets in the eyes of the law and how keeping innovation capital secret for as long as possible plays a role in recovering the full economic value of the innovation. An understanding of local, federal and international law will influence the data protection strategy.
The innovative nature and high value of pharma data is what makes the legal process especially complex, and international law will probably come into play as well. In pharma there are more incentives to stay secretive about research: typically, no one wants to go public too soon, so protecting research with legal procedures is more complicated than it might be for other industries. Yet these are all important considerations that every entity needs to evaluate, making sure that security and legal are in sync on how to investigate and collect evidence so that it has the highest impact in the eyes of the law.
Talk to HR
The communication and enforcement of a security policy rely on support from the HR team. The organization must culturally embrace security. Security education and training needs to be more than watching a boring video once a year; implementing continuous reinforcement of security policy is a key to success. With HR you can celebrate security and introduce games and contests, rather than just the “we tricked you” shaming of an internal phishing exercise. People are motivated to learn new skills when they are recognized and rewarded for learning. One ideal scenario is just-in-time learning that is relevant to the tasks and processes employees perform daily, so they can relate security best practices and policies to their own job.
Above all, everyone in the company needs to be vigilant. HR knows who got a raise and who didn’t, and therefore knows who might be considering changing jobs. Tracking access to popular job sites is probably the best way to gauge employee satisfaction. If this can be monitored routinely with IT or security tools, HR may be able to intervene with strategies to re-engage employees. Employees who have given notice need to be monitored, and not just during their notice period. Ideally, the security team would periodically review the past 30-60 days of an employee's interactions with data, which would reveal whether the user had taken any sensitive data. This gives the company leverage in negotiating terms with the employee regarding intellectual property, and a basis for requesting help from the legal team if necessary.
Across all industries, employees are stressed. “According to a new report conducted by Headspace, 70% of Americans fear they will lose their job in the next six months as the economic fallout from the coronavirus pandemic widens.” This stress, as reported in Yahoo Finance, leads to irrational employee behavior: like a squirrel stockpiling nuts, employees start to collect files for projects and activities they have contributed to. Unfortunately, some go too far and try to export company files to their personal email accounts, personal cloud storage, or a USB drive.
In healthcare, the percentage of accidental breaches is higher than in other industries, at 30% in the latest 2020 Verizon Data Breach report. Given the number of patients and the complex claims process, it is not surprising that mistakes are the number one cause of breaches. One of the two main categories is the “oops” of sending sensitive information to the wrong email address(es). There is new hope: data tracing capabilities such as Cyberhaven’s Data Behavior Analytics (DaBA) can help identify these scenarios and establish simple rules to prevent them.
Since healthcare ranked the highest for internal bad actors in the Verizon report, real-time monitoring of health employees is absolutely necessary. An effort must be made to catch as many of these mistakes as possible and correct them in real time. Again, this is where partnering with Human Resources teams can evolve training and other programs to help maintain productivity while sensitizing employees to these types of errors. The right level of monitoring focuses on the data and puts the right type of tools in place. Monitoring must not be intrusive or violate employee privacy, but it should recognize that everyone can and does make mistakes.
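As an added example (not from the report or from Cyberhaven's product), the two reviews described above, the 30-60 day lookback on data movement by employees who have given notice and the "oops" of sensitive email sent to a mistyped recipient domain, as simple rules over constructed DLP-style event records. The event format, labels, domains and notice dates are all assumptions made up for the example.

```python
from datetime import date, timedelta

# Constructed sample data (not from the report): DLP-style data-movement events and HR notice dates.
APPROVED_DOMAINS = {"example-pharma.test", "partner-clinic.test"}
NOTICE_GIVEN = {"alice": date(2020, 6, 1), "bob": date(2020, 6, 1)}
EVENTS = [
    {"user": "alice", "day": date(2020, 5, 4), "label": "trade-secret", "dest": "usb:removable"},
    {"user": "alice", "day": date(2020, 5, 20), "label": "public", "dest": "email:bob@example-pharma.test"},
    {"user": "bob", "day": date(2020, 3, 1), "label": "trade-secret", "dest": "cloud:personal-drive"},
    {"user": "carol", "day": date(2020, 5, 28), "label": "phi", "dest": "email:billing@partner-clinc.test"},
    {"user": "dave", "day": date(2020, 5, 25), "label": "trade-secret", "dest": "email:dave@webmail.test"},
]

def leaves_the_org(dest):
    """True for USB, personal cloud, or e-mail to a domain outside the approved set."""
    domain = dest.partition("@")[2]  # empty for non-e-mail destinations
    return domain not in APPROVED_DOMAINS if domain else dest.startswith(("usb:", "cloud:"))

def departing_user_review(events, notice_given, lookback_days=60):
    """Sensitive data a departing user moved off-org in the window before giving notice."""
    flagged = {}
    for ev in events:
        notice = notice_given.get(ev["user"])
        if notice is None or ev["label"] == "public" or not leaves_the_org(ev["dest"]):
            continue
        if notice - timedelta(days=lookback_days) <= ev["day"] <= notice:
            flagged.setdefault(ev["user"], []).append(ev["dest"])
    return flagged

def edit_distance(a, b):
    """Levenshtein distance, used to spot a mistyped recipient domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def misdirected_email_review(events, max_typo_distance=2):
    """Sensitive e-mail to a domain that looks like a typo of an approved one (the 'oops')."""
    suspects = []
    for ev in events:
        domain = ev["dest"].partition("@")[2]
        if not domain or ev["label"] == "public" or domain in APPROVED_DOMAINS:
            continue
        near = [d for d in APPROVED_DOMAINS if edit_distance(domain, d) <= max_typo_distance]
        if near:
            suspects.append((ev["user"], domain, near[0]))
    return suspects
```

Bob's upload falls outside the 60-day window and only surfaces when the lookback is widened; Dave's mail to an unrelated domain is not a typo and would be a case for the departing-user or broader exfiltration rules instead.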
Talk to the techies
Continuous learning is needed for users and for the technical experts alike. Try new technology. Seek new approaches. Your business is unique, and security is not a one-size-fits-all solution. Keeping current is hard: technology evolves quickly, but it is unrealistic for organizations to adopt new technology at that pace. Although the HIC-PIC research was conducted with the unique necessities of the health and pharma sector in mind, the best practices apply to multiple industries. Healthcare in the US struggles to attract top security talent because salaries tend to be lower, since the budget typically goes to the top priority, which is saving lives. It is therefore even more important that the healthcare sector reach out to its peers across industries and learn from their best practices.
So please don’t hesitate to speak to an expert, even if you don’t have a budget and even if you have no current project. Set a schedule to periodically check out what is out there and learn how new technology can improve the security posture of your company. What if we were all still writing letters on typewriters? Try to speak to a vendor you have never heard of once a month or once a quarter.
Book a meeting to watch a demo and invite your friends from legal and HR.