Did you know that a whopping two-thirds of pharmaceutical companies have suffered serious data breaches? And, based on industry projections, that number may be on the rise. A stolen trade secret can be a valuable commodity for any savvy hacker.
As the 2016 IBM X-Force Cyber Security Intelligence Index reports, health care companies received more cyberattacks than any other industry in 2015, during which time there was also an alarming uptick in cyber incidents aimed at manufacturing firms, including pharmaceutical companies.
While data security may seem like the realm of your colleagues in IT, as a corporate communications leader, you have more skin in the game than you might think. After all, should a breach occur, your team will be on the front lines managing the crisis and working to mitigate any damage. Highlighting the positive aspects of your company that you and your team want to focus on is much easier when you're not busy putting out other fires.
Biopharma and biotech are hot targets
Perhaps these trends aren't so surprising. In the pharmaceutical sector, highly sought-after intellectual property and R&D (research and development) data abounds, and most of it is sensitive and valuable. According to a PricewaterhouseCoopers report, a single stolen trade secret could result in billions of dollars of losses for a company, not to mention the impact on a company's reputation, stock value and employee morale.
Meanwhile, sensitive and proprietary information is more vulnerable than ever since most of it is shared electronically. This is particularly true within many life sciences companies where IT infrastructure is often outdated, leaving organizations wide open to cyberattacks.
It also doesn't help that hackers appear to be getting more resourceful. In 2014, security firm FireEye identified a highly sophisticated cyber group that was targeting publicly traded health care and pharmaceutical companies using advanced social engineering tactics and deep subject-matter knowledge. It is thought that the perpetrators intended to use the retrieved data to gain an edge in the stock market.
So get ahead of the hackers before they get ahead of you. Here's how your team can effectively partner with IT to help reduce your company's risk and develop an effective crisis management plan so you're ready if a cyberattack occurs.
As the saying goes, an ounce of prevention is worth a pound of cure. To help prevent your company from joining the ranks of those that have suffered a data breach, you will need a multi-faceted strategic approach that includes preparation, education and strong vendor relationships.
1. Keep in touch
Knowing your company's IT program is the first step to understanding the types of problems that could pop up. You don't have to be able to explain the intricacies of your company's IT vulnerabilities; the point of keeping in close communication with your IT team is to understand the context of how things work on their end. This way, when a fire breaks out, you're not starting from scratch to explain your company's complex technology capabilities (and the vulnerabilities that come along with that). By keeping in touch with your partners in IT, you already have the groundwork laid for how to react fast.
2. Form a security communications team
Make sure you have a team in place that is equipped to respond quickly should a data breach occur. Your team should include an executive sponsor in addition to representatives from your IT, legal and HR teams. Assemble members who have the subject-matter expertise and temperament to act in a crisis; while you will need some leadership representation, the best security crisis team members may not always be the highest ranking employees. Your team should meet regularly and schedule drills that test your crisis management plan. Additionally, the crisis team should work with the IT department to set data security guidelines and policies for the entire organization.
3. Educate your employees
As PRNewswire reports, it is widely believed that employee errors cause the majority of successful data breaches. It is, therefore, critical that you educate your employees — from your C-suite to your temporary workers — on the importance of data security.
"Training that's only occasional, or that tries to beat in the message with threats, doesn't work," attorney and author James Pooley says in The Digital Guardian. "Staff training should be careful, continuous, upbeat and professional." As expert communicators, this is where you and your team can play a crucial role. Work with your partners in IT to develop engaging mandatory trainings and educational materials that clearly explain what's at stake and how every employee can do their part to keep the company safe.
4. Choose your partners carefully
Mark Weatherford, former head of cybercrime at the U.S. Department of Homeland Security, notes that vendor indifference to data security can be a huge liability for pharmaceutical companies, as in-Pharma reports. If you decide to outsource any of your communications functions to an external partner, always make sure that they offer enterprise-level infrastructure, up-to-date software, state-of-the-art cybersecurity and robust, 24/7 support.
Preparing for a breach
When a crisis hits, a swift response can be particularly crucial. However, health care and drug companies reportedly take longer to respond to and deal with security threats than companies in other industries, according to the Financial Times. Make sure you're ready to move efficiently should the worst happen by working with your security crisis team to carry out the following tasks:
- Take an inventory of your data assets and likely targets.
- Anticipate why you might be hacked. This might include trade secrets, proprietary processes or operational information.
- Thoroughly understand the regulatory requirements with which your company must comply should you face a data breach.
- Create a comprehensive crisis communication plan, and ensure that all team members have clearly defined roles and responsibilities.
- Identify your strongest advocates, both within your company and externally. Should a data breach occur, you want as many influencers as possible in your court.