Governance, employee, and supply chain practices in Life Sciences companies can make or break IP security
Intellectual property (IP) protection enables Life Sciences companies—including pharmaceutical, biotechnology, medical device, and biomedical—to earn the rewards of innovation and to safely inspire others to build upon their ideas. Life Sciences IP security requires that you find and close the gaps in your governance, employee, and supply chain practices.
That effort requires acknowledging that both the greatest contributors and the greatest threats to security come from people, including competitors, scammers and hackers, employees, and suppliers and partners. Both remote and onsite employees and suppliers lack cybersecurity awareness, with mobile devices being especially vulnerable. Moreover, whenever you allow an outside party to access any details of your manufacturing process, even a trusted supplier, you open a window into intellectual property theft.
You cannot completely shield yourself from interactions with people. But you can assess and rectify the governance, employee, and supply chain practices that provide them with opportunities.
IP security and your governance
A company’s governance policy covers ethical behavior. It aligns the interests of shareholders, the board, management, and employees while building trust with investors, the public, and government. Clearly, protection of intellectual property is an ethical and trust issue with ramifications for all stakeholders. To protect your IP:
- Make sure that those responsible for governance understand IP security. Recent scandals over top secret papers being found in presidential homes underscores two problems: confusion over the exceptions that can be made by those in charge and a proliferation of items that are considered top secret, making compliance difficult even at the highest level.
- Determine whether your company’s plans expose you to IP security risks. Those plans may range from hiring contractors to embarking on mergers and acquisitions. Unsecured information can flow in unexpected directions.
- Plan for the time when you need to react and recover quickly to a breach of IP security or to IP theft. Supposing you find that one of your key suppliers has a security issue. Is your procurement department able to quickly fill the gap and does it have processes in place for vetting new suppliers?
- Know your values. A company must be certain of its values before it can impose them on employees. What is your level of tolerance for errors? Are the same penalties in effect across the entire company? Have you communicated your expectations across your company and supply chain?
- Reinforce the behaviors you want. Collaboration, information exchange, and IP security require constant vigilance. If leaders simply assume that everyone is following the same protocols, sooner or later standards will slip.
IP security and your employees
Disclosure of intellectual property by employees may be accidental or deliberate. Non-disclosure agreements create employee awareness of the seriousness of security breaches and cybersecurity software can set up a wall of protections, but prevention requires several additional steps:
- Build procedures before you need them. Do you know who has access to your IP and where it goes after each access? What happens if someone alerts you to a security breach? Do you know what systems should you be monitoring, who is monitoring them, and how often?
- Make an ORCI analysis. Do you know the owner, responsible, consulted, and informed parties? Unless these roles are clear, you may be limiting or permitting access to the wrong people. For example, it may not be necessary for everyone in the C-suite to have the same level of access to intellectual property.
- Educate your employees. Do your employees know how to make a secure document exchange, and do they have the software necessary to do that? Do they know how your data security works? Does everyone agree on what is meant by “intellectual property,” “sharing proprietary information,” “cybersecurity,” and similar terms?
Your employees need guidance in interacting with everyone along the end-to-end supply chain, including other employees, suppliers, partners, and consultants, to avoid inadvertent sharing of proprietary information and intellectual property.
IP security and your supply chain
Your supply chain may make your IP vulnerable in two ways:
- You establish supplier relations, build warehouses, or set up factories in locations where IP regulations are lax, unenforced, or nonexistent.
- After a supply chain disruption, the protections you had with your old suppliers in the old location are no longer applicable to the new suppliers in the new location.
“Suppliers” refers not only to your immediate raw material and parts suppliers, but to your suppliers’ suppliers. You may also have relationships with logistics and other third-party suppliers, as well as consultants and auditors. Your ability to protect your IP along the entire plan-buy-make-move supply chain depends on whether you:
- Take advantage of optionality. When it comes to protecting intellectual property, geographic optionality goes hand-in-hand with supplier optionality. If one area or one supplier becomes vulnerable to security threats, if a country changes its protections, or if a supplier changes their protocols, you want to be ready to exit or switch.
- Make sure you are speaking the same language. Is your suppliers’ definition of “intellectual property” the same as your own? Do you meet with suppliers regularly to explain your needs and expectations, including those around security?
- Build strong supplier oversight, ranging from the way you vet suppliers to your ongoing evaluations of their performance. Are you clear about who among your suppliers needs to know what information? Is everyone in your procurement department clear about how much information they give each supplier? Do you regularly audit your suppliers?
- Maintain your procurement department at a high level of maturity. Keep supplier decisions and negotiations in their control to ensure consistency in IP protections, sharing, and audits. A mature procurement department knows how to build optionality and oversight.
- Break down silos to allow information flow and keep everyone—especially the C-suite—aware of who is talking to whom and where vulnerabilities may have emerged. Make sure that procurement, operations, and logistics are aware of or participate in supply chain decisions before they are made, as those decision might have an impact on their IP awareness or precautions.
- Create a single source of truth. You need to collect the right data from the right people in a timely manner. Use that data to monitor where and when information is flowing, what protocols have been put in place to protect your IP, and where roadblocks are occurring. A simulation of your supply chain may reveal gaps you weren’t aware of.
For example, one recent SGS Maine Point client was a company carved out from a larger organization. The company had a lot of sole suppliers and custom fabrications that, combined with a new and unprofessional procurement department, left the suppliers as the font of all legacy knowledge for custom fabrications. If they changed suppliers, all that knowledge would disappear.
An SGS Maine Pointe analysis gave the C-suite the information they lacked on who was making each purchase; what business units were being supplied; and where each category of supplies was brought. The company then introduced both optionality and tighter controls. They also considered whether all those custom fabrications were even needed. This effort reduced both costs and the threat to their IP.
When you take your governance, employee, and supply chain practices into account, you may find low-hanging fruit that enables you to tighten IP security without a huge investment in technology. Those changes could range from educating employees, leaders, and suppliers to ensuring that future decisions avoid geographic areas and situations where you put your intellectual property at risk. Closing the gaps in your IP security while also boosting your governance, employee, and supply chain practices is a win-win.