Knowledge is the lifeblood of the pharmaceutical sector. From raw experimental data to complex chemical formulae, from carefully regulated drug trials to patented IP – without information the industry couldn’t survive. It wouldn’t have the robust evidence base it requires to confidently launch safe and effective new medicines, or to meet the increasingly stringent demands of the regulator, or to protect organisations in the sector against legal action.
But the development cycle for new drugs takes years and is growing more expensive. Consequently, any loss, damage or exposure of information that is, inevitably, highly sensitive and confidential could irrevocably damage that process and put the organisation at risk. The understanding and management of information risk is, therefore, vital to the long-term health of Europe’s pharmaceutical sector.
It is worrying that research now suggests that, just at a time when data volumes are exploding and market conditions have never been tougher, Europe’s pharmaceutical sector has not yet committed to taking information risk seriously.
Data breaches are expensive and the estimates reveal that the cost of a breach in more heavily regulated industries such as pharmaceutical and financial services significantly exceeds that of other industry sectors. For example, the average per capita cost of a data breach in the UK’s pharmaceutical sector is £103, compared to £53 for media and £69 for the retail sector. With the average number of data breaches across all sectors now growing at a rate of 50 per cent a year, the cost impact alone should be enough of a wake-up call for the sector. And that’s before you consider the implications a data breach would have on competitive advantage, brand reputation and customer confidence.
Having an effective information risk strategy is a good place to start, but it is not enough on its own. Our joint study with PwC found that while a reassuring 90 per cent of pharmaceutical firms have an information risk strategy in place, only around half (47 per cent) check whether it works or is indeed acted upon.
The report, Beyond Awareness: the Growing Urgency for Data Management in the European Mid-market, reveals that complacency and inconsistency are not unusual when it comes to the management of information risk – a trend also seen in other business sectors. Awareness of the threat to information is often high. In the pharmaceutical sector, three in four firms recognise that a responsible attitude to information is critical to success, close to half (47 per cent) expect the risk of a data breach to increase and over three quarters (77 per cent) believe it would damage the business.
However, this concern is not mirrored at board level: just over half of those surveyed (52 per cent) say the board does not see data security and protection as a big issue. Increasing investment in managing information security is likely to be a challenge for many, with 62 per cent of pharmaceutical firms believing that reducing costs is more important than reducing exposure to risk.
It’s not enough on its own, but having an effective risk strategy is a good start
Some, it would appear, have simply decided that there is nothing they can do anyway. More than half (59 per cent) say that the pace of change in information risk is so staggering that they will never keep up with it.
Most worrying of all is the fact that, while over half (54 per cent) of pharmaceutical firms claim they would refuse to do business with an organisation that had suffered a data breach, more than a third (35 per cent) see data loss in their own company as an inevitable part of daily business.
The threat to information is a business risk that needs to be addressed calmly and strategically now, not in haste tomorrow when proposed new data protection legislation finally becomes law. It needs to be addressed as the highly complex, regulated, knowledge-based pharmaceutical sector prepares to meet the demands and potential of the next decade. If you don’t know what information you have, where it is and who is keeping it safe, then you risk losing it and you may well not realise the impact of the loss until it is too late to act.
- A summary of Beyond Awareness: the Growing Urgency for Data Management in the European Mid-market can be found at www.ironmountain.co.uk/risk-management
