How secure is your data?

The security and safe handling of laboratory data and information is a growing cause of concern for the profession in the wake of several recent high profile incidents, as we discovered when we spoke to security consultant Justin Bentley

ACCORDING to a recent IBM survey, 74% of threats to corporate security come from within their own organisations and the laboratory environment is not immune to this. The laboratory can contain many valuable assets in the form of research, data, processes and other information which must be kept secure from the twin risks of accidental loss and deliberate theft at all times.

A typical example of this was the recent case involving a former Duracell employee who pleaded guilty to stealing trade secrets from the US company. The laboratory worker, who had been employed as a cell development technologist at Duracell now faces up to 10 years in prison and a fine of up to $250,000 for sharing confidential corporate documents with external sources when he copied and downloaded research regarding Duracell's AA batteries to his computer during 2006. He then sent the information to two of Duracell's rivals in order to cause economic injury to the company and to provide competitors with an economic advantage. In another recent similar incident, a former DuPont employee left the company to work for a rival organisation having stolen an estimated $400,000,000 worth of proprietary information before leaving.

Although these examples depict large high profile data thefts, any laboratory, big or small is potentially at risk to similar data leakages unless they take appropriate precautions to prevent it happening. One man who is only too well aware of this is security consultant Justin P Bentley, who is also a director of security firm Astley Limited. Astley initially provided security officers predominately for chemical companies, clients over the years included Ciba Specialty Chemicals, Rhodia, Air Products and the cobalt-based chemical company OMG. In 2007 the company merged with a sister health and safety consultancy and now is a provider of consultancy, expert witness work and training in security and health and safety areas.

Justin, who himself has represented the IPSA (the International Professional Security Association) on various BSI committees considers therefore that where laboratories are investing in product development, any loss of data to a competitor could be catastrophic in business terms. “At these early stages, there isn’t the protection of a patent or copyright protection, so a competitor getting information which when combined with their own developments allows them to bring a product to market sooner, this could lead to significant loss of future income. Internet access and small portable storage devices, combined with most data being stored on computer networks gives individuals the opportunity to acquire large amounts of laboratory data. People who in the past would not have risked the danger of bulk photocopying paperwork and the risks of removing it could be taking many times that information simply stored on the memory chip within their mobile phone. Traditional security measures such as searching bags and personal property however is just not geared up towards the technical age.”

The financial consequences of data theft therefore to laboratories should not be underestimated as Justin outlines. “If your laboratory relies on new product development for its income, then a major loss could ruin a business. The larger the laboratory, the more potential data there is to lose. Even if you succeed in identifying loss of data and successfully use legal action to prevent it being used elsewhere, there is still the costs of the legal action, the time and the damage to an organisation’s public appearance to consider.

“Anything which could give another laboratory a commercial advantage should therefore be protected. This is not just chemical formulae and production data, but processes, designs - in fact anything that makes your product unique. As laboratories are moving towards paperless offices most data already exists in digital format, but with scanners provided with some computer and/or printers and digital cameras being common and frequently built into mobile phones, anything not already available in digital format can soon be converted. Whilst theoretically, this information could be removed in any form, the large quantities that can be copied electronically to small devices or transmitted out of a company via the internet or even via short distance WiFi, leaving the original in place, makes this the most likely method of information loss.”

Now that most laboratories employ dedicated IT departments looking after the network and external access, people attempting to gain access from outside tend to be doing this for mischievous or malicious purposes. Justin believes therefore that the loss of specific data is far more likely to happen from somebody with legitimate access within the network. “Employees planning to leave or working their notice will often look at taking data either as a gift for their new employer or to give themselves a personal advantage as they start their new employment. Revenge or grudge as a motive is possible also, but this can be seen as higher risk if traced back.”
 
In his experience with laboratory data theft to date, Justin tends to divide them into two distinct categories. “Physical devices can be memory sticks, portable hard disks, writeable CDs and DVDs. Where somebody is legitimately allowed to take information off site, such as taking a company laptop away to work from home, this transfer can occur off site. Transmission of information is usually via the internet by uploading to a storage server/computer or by e-mail, either in the body text or normally as attachments. E-mails could be either direct to rival companies, to personal e-mail addresses or using internet based e-mail such as Hotmail accounts. Theoretically WiFi can also be used to avoid going through the company internet if a receiving computer is set up in close proximity, this could be a laptop in a car parked outside the laboratory premises.”

Accidental loss of data stored on laptop computers and information stored on CDs lost in the post seems to be a particular problem at the moment as recent news reports have shown, an area Justin believes is a real cause for concern. “This type of scenario can also occur where an employee is specifically targeted for theft of laptop or handheld device, often as they are leaving work. There is also the possibility of a totally random theft, whether by mugging, car or house theft, where information is lost on a stolen device, but hopefully nobody will realise the value of the information and it will be deleted rather than sold on. The best protection against these scenarios is to prevent people removing information off-site in the first instance, but if it does have to be for business purposes then data encryption software should be employed which will hopefully prevent anybody from accessing the information if a device is stolen.”

For laboratories in particular, the possibility of an accidental loss of a database containing many months of important research work could be catastrophic, a disaster which Justin believes can all too easily occur if the correct procedures are not followed. “Accidental loss can be in two forms. One is deletion where files are either deleted by accident or become corrupted. Good back up procedures, housekeeping and archiving off-site are essential for files to prevent this kind of loss. The second is physical loss, where somebody loses the information or has it stolen in a random theft. Again, having a back up will mean that you can recover the files, but in this case you are hoping that the original files are not found by or passed to somebody who can use them against the company, which is why data encryption should be employed at all times. Departing employees pose a particular threat to data loss or theft. Normally persons choosing to change jobs have decided this long before they give their notice. If they are aware that the company has a policy of taking measures against persons working their notice, then they will have had the opportunity to steal the data before handing in their notice anyway. The better policy is to have strict employment terms and signed confidentiality agreements with key laboratory staff from the start and a policy of taking legal measures against anybody breaching those terms. If employees believe that there is a real risk of incurring financial loss rather than financial gain by theft, they will hopefully think twice before taking the information.”

So what cost-effective measures can a laboratory take to protect itself from data loss and theft? Justin believes it is vital for any organisation to work with it’s own IT department as he concludes. “There are software solutions available that will monitor for unusual access of databases and files. If you are not aware that the information has gone until you lose market share or a competitor releases a similar product, then it could already be too late. Also, you can’t beat the human touch. Is a colleague showing unusual behaviour, suddenly working late, or perhaps acting nervously if you glance towards their computer? Watching and caring about what is going on around you, remaining vigilant and being willing to question unusual behaviour could be the simple answer. Finally goodsecurity and loss prevention, is not just about preventing data theft. Consult with experts about how all forms of loss can be minimised in the laboratory environment. Check the bolt on that stable door now!”