The enemy within

Sam Olsen warns that the greatest threat to Pharmaceutical and Biotech corporate Intellectual Property (IP) security comes from within. He says that that companies should not just consider if their IP will be stolen but when and how?

The media earlier this year were also full of ominous warnings about the dangers of cyber hacking. However, while government-sponsored hacking wins the battle of the headlines, it represents just the tip of the iceberg when it comes to the most prevalent threat to a pharmaceutical or biotech company’s intellectual property (IP) – that from the corporate insider.  In fact, the 2012/13 Kroll Fraud Report shows that 67% of all fraud cases are committed by insiders, up from 60% last year and 55% in 2010.

Insider fraud is on the rise

Why is insider fraud and IP theft growing at such a pace?  While there is no simple answer, it is certain that it is, at least, partially a reflection of our growing information-based economy.  With so much business these days being conducted online, a company’s IP tends to reside on computers and servers in the form of digital data. As a result, insiders have access to a far greater range of valuable assets – and can acquire them with greater ease – than ever before.


“Why is insider fraud and IP theft growing at such a pace?”


In addition, Asian economies such as China are fast moving away from low-end production to becoming global Research & Development (R&D) hubs for the pharmaceutical and biotech industries.  Under its latest Five Year Plan (2011-15), China expects to spend upwards of US$300 billion on science and technology, much of it earmarked for biopharmacy, bioengineering, bioagriculture and biomanufacturing . While China provides an attractive R&D opportunity for foreign companies, they need to understand the local risks.  The growing competition in China causes some firms to use questionable methods to ‘short-cut’ the R&D process.

Data to make you wince

IP theft and loss of trade secrets can cost a company millions of dollars in lost revenue or market share, and sometimes damage its competitive advantage.  

Here are a couple of alarming figures:

• Misappropriation of trade secrets in China cost the U.S. IP intensive economy US$1.1 billion in 2009 (International Trade Commission)

• US$362,269 is the average cost incurred by companies per incident in which a supply chain or  business partner exploits its access to data (Forrester Consulting)

Pharmaceutical and biotech companies, by their very nature, invest heavily in R&D, and are concerned about moving their trade secrets to emerging markets, where theft of information can be more widespread.  For example, last year, a scientist sold two compounds while they were being tested in China on behalf of a U.S. pharmaceutical giant.  Another Chinese scientist stole trade secrets on a USB memory stick while working for U.S. biotech firms between 2003 and 2009.

In another case in Asia, a sales and marketing manager granted potential customers full access tours of a new biotech plant. The tour route took customers past machinery with particular configurations and settings that constituted a trade secret. Most of the customers had strong networks with local companies in the country where the new biotech plant was located. The client eventually heard rumours that a copy-cat process had been set up in a local competitor’s plant, despite the fact that the local competitor had been generations behind them in terms of technology.


“…insiders have access to a far greater range of valuable assets – and can acquire them with greater ease – than ever before.”


This is why over the last few years we have seen a significant increase in the number of pharmaceutical and biotech companies asking us to advise them on how to protect their IP from internal and external threats.

What can you do to stop internal IP theft?

Taking steps to prevent such incidents from occurring early on is vital: it is far cheaper and more effective to prevent the theft and compromise of a company’s IP than trying to resolve the issue after it has happened.

Pharmaceutical and biotech companies should look at two critical areas of vulnerability: their operations and IT environment.  Both these risks impact one another and should not be looked at in isolation.

Under operational risks, companies should consider their security and technical systems such as CCTV, alarm monitoring and electronic access control. In addition it’s important to look at the potential loss or misuse of IP via individuals who are given access to secure areas and materials within a facility. Companies should review their HR, compliance and vendor hiring policies and screening procedures, and interview relevant staff to identify potential areas of weakness. As for the IT environment, IT systems and information security processes must be protected from not only external threats but also internal vulnerabilities.


“The growing competition in China causes some firms to use questionable methods to ‘short-cut’ the R&D process.”


Prevention is better than cure

Despite the growing pressure by Governments on espionage, companies simply cannot depend on legal recourse to recover lost IP or the ensuing financial loss.  Legal protection of trade secrets is limited in Asia and, as our clients, have experienced, NDAs, non-compete clauses in contracts cannot be solely relied upon.  When talking to clients, we always tell them the first step is not to consider if your IP will be stolen but when and how?

No-one likes to think badly of their co-workers, but companies need to consider the very real threat of insider IP theft.  It is critical that they take steps to protect their trade secrets now, rather than incur significant financial loss in the future.  This is most definitely a case of prevention is better than cure, and the best prevention is to have an IP protection system that brings together all the disparate operational and cyber elements.




About the author:

Sam Olsen is a Managing Director for Kroll Advisory Solutions, the global leader in risk mitigation and response.  Sam is responsible for providing security services, which includes IP protection, operational threat, risk and vulnerability assessments to a wide variety of local and multinational companies throughout Asia.  With over 13 years’ experience working within the security and consulting industries, Sam has worked on a wide variety of security consulting projects across several sectors.

Tel: +852 2884 7706



Why is insider fraud and IP theft growing at such a fast pace?