CFOs and executives of life science companies are more at risk of security breaches than they may have previously thought. On December 1st, 2014, The New York Times revealed that over 100 companies, most of them publicly traded life science companies, had been successfully hacked. Unlike the credit card thefts from Target, Home Depot, and others, these thieves specifically targeted the email accounts of company executives to gain advance information regarding mergers and acquisitions, significant discoveries, and future plans that could be monetized on the financial markets.
What makes this kind of information theft different from generalized identity theft?
Four distinct facts surrounding these attacks made this type of threat unique among other security breaches:
- Company executives were specifically targeted.
- The thieves were sophisticated programmers from western countries.
- The thieves could monetize advance information into gains on the stock market.
- They also successfully targeted trusted consulting partners like investment bankers and law firms.
Why does this matter?
Three aspects of these revelations should give CFOs and executives of life science companies pause:
- The thieves did not need network access to secrets. They only needed to acquire access to the email accounts of company executives.
- Information that life science companies think is secure with their lawyers and investment bankers needs to be reconsidered. These partners are as much of a target and liability as the company itself.
- Life science companies are a particularly good target because the volatility in their fortunes often depends on discoveries, approvals, partnerships, and merger and acquisition activity.
Increasingly, CFOs and executives should realize that if the information they hold can be monetized, they should assume it will be attacked. Therefore, taking a proactive approach to preventing security breaches is necessary to protect company IP and proprietary data.
What steps can you take to protect your company?
The list of suggested security measures is usually a mile long, costly, and incredibly time-consuming for most companies. What are the least costly and most effective actions a company can implement quickly to protect its information? Here’s our list:
- Require two-factor authentication for all email accounts. Stealing usernames and passwords is the #1 method of gaining unauthorized access into a company. Google offers the service for free. If someone steals a username and password, two-factor authentication will require them to enter a text code or some other code typically sent to the real user’s phone, thus thwarting an external hacker.
- Corporate documents, anything with a signature on it, and trade secrets should be locked in a virtual data room or secure corporate repository. Companies commonly use solutions like Box and Dropbox to store critical information. These services are made for anytime, anywhere access and for editing of documents. They are not purpose-built to protect critical company documentation. A virtual data room is built like a digital vault, where only one copy of any document exists with strict permission-based access applied to it, thereby limiting your security perimeter.
- Law firms and investment banks may not be as secure as you think and are also desirable targets for thieves. In 2012, Mandiant estimated that 80 major U.S. law firms were successfully hacked. That same year, the FBI convened a special session with 200 major law firms in New York due to concerns around the frequency of successful hacking attacks. Since law firms are necessary to the success of life science companies, company executives should consider taking control of how they share documents with legal counsel. Never send documents via email and, once again, choose a solution with two-factor authentication and strict permissioning. In addition to law firms and investment bankers, consider using the same safeguards for work with clinical research organizations.
Online theft is no longer the province of overgrown adolescents showing off their computer skills. Increasingly, hackers are sophisticated business thieves looking for ways to monetize their skills. Identity theft has made most of the headlines, but life science companies, with their valuable trade secrets and inherent volatility due to mergers and new discoveries, make an attractive target for those who know how to use private information to gain an advantage on the public financial markets.
Basic security measures like two-factor authentication for email are free, and investing in a secure corporate repository for critical company documentation is well worth it given the potential financial consequences of compromised company access.