Magazine Article | August 30, 2013

Stealing Competitive Secrets From Pharma Companies

Source: Life Science Leader

By Jonathan Snyder, CGC, CHS, president and CEO, Argus International Risk Services, Inc.

Pharma companies, looking to capitalize on the global demand for their products, pour billions into R&D hoping to develop the key ingredients needed to solve, or at least reduce, mass population killers. The demand is enormous, the rewards are enormous, and as a result, this market is fertile ground for the theft of trade secrets.

As a leader in your industry, your primary goal is to find cures to some of the world’s most menacing medical issues; however, a close second goal is to drive revenue. As an intelligence and espionage professional, whether you are my target or the “nest” I am trying to protect, my goal is to penetrate your corporate risk management and security infrastructure to either steal or “test penetrate” your protected data or personnel. How would I accomplish my goal? There are many common methods to steal your competitive secrets.

The first and foremost method in this rapidly evolving digital age is the penetration of your technology. At a recent security seminar presented by Nova Southeastern University and the FBI Miami Division, the chief information officer for one of the world’s renowned IT security leaders, RSA, stated, “The new focus of technology security professionals is to quickly identify and mitigate network intrusions — not prevent intrusions.”

Today we know that even the most robust IT security devices cannot prevent all the sophisticated and overwhelming data-intrusion attempts. The goal is to identify the electronic thieves quickly, eliminate their presence, assess the damage, and attempt to harden the penetration points. A scary fact is that the average electronic spy has spent 34 days inside a network before the penetration is even detected. Putting this statistic in context, imagine a criminal being inside of your home for a month monitoring everything you are doing while going undetected!

Several other ways to steal your secrets traverse various areas of the organized crime realm. A highly simplistic yet powerful tool is the phenomenon known as “dumpster diving.” Most organizations literally dump their proprietary secrets into their corporate trash bins without regard to who is waiting to score big on a critical formula, investment report, or interoffice memo that will identify who is critical to the research. All of this info provides key insights for spies to develop an attack plan to acquire secrets.

A parallel thought to the dumpster dive concept is the identification of key employees and their home residences. Monitoring their homes, where most people put their guard down, is another step in the process of stealing secrets. The average person becomes complacent with corporate security initiatives while working at home. In fact, company security policies are difficult, if not impossible, to impose on an employee’s home turf. As an example, most homes have wireless routers installed, all of which include built-in security, but most people only know to password protect the actual wireless broadcast. What they fail to password protect is the manufacturer’s standard “admin” login to the router itself. This gives espionage agents the ability to bypass the wireless security protocols and gain access to all home computer systems. Other examples relate to the trash homeowners put out in their regular bins; they would never think of someone purposely looking for their company secrets in their home trash.

The Security Risks Of Clinical Trial Meetings
Another successful way to penetrate an organization’s proprietary info is to track its numerous clinical trial meetings and the panelists involved in those meetings. As someone who has provided security and counter-intelligence services to many organizations globally, including pharma, I have witnessed scientific leaders who were very nonchalant about protecting data secrets. Simply stated, foreign soil is a hotbed for data theft. Penetration of hotel rooms, listening devices planted in meeting rooms, and the infamous “honey trap” (i.e., using sexual exploitation to get what you want) are all methods of espionage that seem to work with endless success. The adversary who has targeted your organization thrives on organizational and vendor tendencies to be complacent and naïve. The goal of espionage agents is to remain undetected, which results in their best work. The more complacent or arrogant the target, the better the chances of a successful theft.

A simple example of an environment at risk for a security breach is a hotel meeting room with the window curtains wide open. Such places provide corporate spies an opportunity to steal your secrets with the proper surveillance equipment. Simply closing the meeting room curtains can usually prevent laser surveillance equipment from picking up the conversations of the proprietary clinical study findings. Basically, if the curtains absorb the sound waves, spies cannot collect the sound bites.

If I were trying to gather intelligence on your company, it would be my goal to track your data and people. But sometimes it is challenging and exciting to, as we say in the industry, physically “work the room.” For example, most hotel uniforms for food and beverage personnel are generic and easily bought at a local uniform supply. I have been able to penetrate many meeting rooms with covert listening devices and pin-hole photographic equipment to “take out the trash,” or plant electronic bugs inside the room while the meeting is in progress. An even better opportunity is when the participants break for lunch and leave the room dirty. If I time it right, and I usually do, I can be in and out before the regular staff knows I was even there. Even if a hotel employee or participant seems curious as to whether I belong in the area, 99.9 percent of the time the curiosity never manifests into action on their part. My presence usually goes without further investigation.

Meeting planners are usually the easiest to penetrate, as they are spending the better part of their time appeasing the scientific attendees by catering to their every whim, rather than paying attention to who may be entering the room to clean up. Frequently, I run into laptops that are left on with critical data, and are easily stolen if the data seems to be a “big hit” worth the potential of being caught. As well, charts and graphs with formulas and attendee names and organizations are easily purged from the environment and go unnoticed.

Foreign Manufacturing Sites Are Vulnerable
If we haven’t discussed enough means and methods, there are definitely more to address. Depending on the resources I have at my disposal, foreign manufacturing environments are great places to steal secrets. They say in Kazakhstan, you can buy a fully automatic AK-47 rifle from a 10-year-old child for a pack of cigarettes. Fortunately for spies, the value of integrity and loyalty in most foreign environments is a commodity that is traded easily.

Penetrating foreign workforces to build a pipeline of information is easier than trying to raise an American teenager in the Twitter era. While foreign manufacturing has its benefits, most secrets are stolen from sources derived from developing-country environments. There is no level of security that can be put in place that can fully stop the collection efforts by espionage professionals working within foreign territories.

A creative alternative to directly stealing is to allow targets to self-implicate through their personal integrity choices. For example, considering that most conventions are attended by professional executive types, it is quite clear that an unspoken world of illegal sex trade has probably infiltrated some of your organizational personnel, prospective employees, or vendors — the statistics simply do not lie! You may ask, “How does the sex trade affect our secrets?” Probably the oldest trick in the tradecraft book is to compromise a target through the “honey trap.” The potential for enormous damage to both professional and personal life is usually enough for most targets to secretly cooperate to reveal secrets. The benefits of this typically yield a long-term “asset” (insider threat) to assist in stealing more secrets when needed.

At its darkest point, espionage has led to severe cases of kidnapping, torture, and even sometimes the murder of critical participants. The FBI says, “On average, 3 percent of all U.S. domestic terrorist events involves the assassination of executives.” The data is not particularly reflective of the pharmaceutical industry; however, the information does cause concern that such tragic incidents are possible — especially in such an aggressive world of economic crisis and prowess.

One thing is for sure, there is absolutely no way to fully remove the possibility of theft of your corporate secrets. Utilizing the same Secret Service methodology for protecting the president of the United States of America, the goal is to “harden” the target as much as feasibly possible and become unpredictable to your adversaries — all for the goal of discouraging most from engaging in a targeted campaign of espionage-laden activities.