Safe email practices are essential to protecting property and privacy.
By Adi Ruppin
January 20, 2010 | Expert Commentary | Intellectual property is the single most important asset in the biopharma industry, with billions of dollars spent on R&D each year. Sensitive research data, new drugs, new proteins and other sensitive information must not fall into the wrong hands, otherwise irreparable damage may be caused. That said, one cannot simply block the ability to send out such sensitive data; business demands dictate a need to share such information frequently with employees, research partners, contractors, potential customers and the FDA. This begs the question: how are you sharing your data, and who else might be reading it?
If you are sending sensitive information via email, a third party could eavesdrop and intercept these messages. This can be quite easy when emails are not encrypted—passwords can be sniffed going over the Internet or even the message body. To keep costs down, most email hosts do not even provide SSL support, so if you are using a Web-based or hosted email service, chances are you are sending your credentials and messages in plaintext.
There are many other ways documents can leak out. Eighty-nine percent of PCs have “Trojan Horse” software installed on them, often without their owners’ knowledge, according to Webroot software research. Such programs can be activated remotely and extract information from your PC. Again, the result is the same—your information can get into the wrong hands.
Additionally, Google has caused some public debacles in which information was accessible by the wrong users. The most well-known incident involves sensitive Twitter documents that were stolen and published, as well as a case in which random users were exposed to other users’ information. Keep that in mind before you upload your most sensitive documents or information.
You may have sent an email to a person you feel is authorized to view it, such as a colleague or a friend. However, you have no control over whether this person can forward your email on to other people without your consent. This problem is not solved by any of the traditional encryption methods, as it doesn’t matter whether your emails and documents were encrypted in transit—in fact, after they reached their destination and were decrypted, they are no longer under your control. Such a breach does not have to be malicious—it could happen by accidentally clicking “forward” or “reply all.” Worse yet, once your emails are forwarded, you don’t have any knowledge that this has happened.
Almost everyone at some point has inadvertently sent an email to the wrong person, which can be acutely embarrassing. According to a survey by Sophos, 50 percent of employees surveyed admitted to accidentally sending a sensitive or embarrassing email to the wrong recipient. Microsoft Outlook, Gmail and other popular email applications or sites complete the recipient’s name automatically, which can be dangerous. Once a message has been sent, trying to revoke it seldom works.
According to a study by the FBI/CSI Computer Crime and Security Survey, employee inside abuses (accidental or intentional) accounted for 50 percent of all security breaches. A Ponemon Institute survey revealed that 69 percent of all serious data leaks occur as a result of employee activities; those leaks cost $6.3 million on average. Out of these leaks, 39 percent involved confidential business information, 27 percent involved personal customer information and 14 percent involved the company’s intellectual property.
A recent Network World article described a 15-day audit conducted at a mid-sized pharmaceutical firm. Much to the surprise of the company’s IT department, 11,000 leaks were detected, including clinical studies data, patient data and financial information going out in un-encrypted emails and documents.
Email is a very convenient tool, but it was not built for transmitting sensitive documents or information that you have to verify has reached its destination. Your email provider, a hacker, unauthorized persons, possibly your competitors, could get their hands on it. If you absolutely need to share such information, do it over the phone or install additional security measures beyond plain email. Keep in mind these measures need to control your information throughout its life cycle, from creation, through sending, to arrival and beyond.
Adi Ruppin is vice president of marketing for Confidela.
This article also appeared in the January-February 2010 issue of Bio-IT World Magazine.
Subscriptions are free for qualifying individuals. Apply today.