Key Strategies for Data Protection in the Pharmaceutical Sector
January 24, 2024. Defending Knowledge: Key Strategies for Data Protection in the Pharmaceutical Sector.
Empower your pharmaceutical defense with insights on data protection strategies.
The pharmaceutical sector has proven to be crucial during and after the COVID-19 pandemic, marking a turning point in the industry’s significance for global public health. The swift response in vaccine and treatment development showcased not only the innovative capacity of the sector but also its challenges in terms of global distribution and accessibility. This period has underscored the need to strengthen supply chains, encourage international collaboration, and promote ongoing research and development to address future health crises.
For companies in the pharmaceutical sector, the primary risks posed by cyberattacks are the loss of intellectual property and operational disruption. The loss of intellectual property and patented information (pharmaceutical product or technology) negatively impacts their competitive advantage, as innovations and business secrets are stolen. Meanwhile, operational disruption at any stage of the value chain hampers business processes and, ultimately, revenue.
According to data from the European Patent Office, the pharmaceutical industry was the leading industrial sector in Spain in 2021 for the fourth consecutive year in terms of patent applications (189 patents), followed by the energy and healthcare technology sectors. It is important to note that drug research involves average periods of over ten years and costs approximately €2.5 billion.
Cybersecurity compromises and incidents always damage a company’s reputation and, in many cases, expose it to the risk of litigation for not implementing appropriate defense measures. Furthermore, recent regulations punish the exposure of personal data more severely, so organizations handling sensitive personal health data, such as those conducting clinical trials, must be aware of these risks.
Because of the sensitive nature of the research, intellectual property, and personal data they handle, pharmaceutical companies can employ several practices to defend effectively against information theft.
It is important to define and lay the groundwork to protect the information, starting with:
1. Identifying the data’s location: the first step in creating a strategy is to discover where the data is located and the main storage locations to gain an overview of the data.
2. Classifying the data: data classification is the most important and complex step. It is important to have tools that automate this process and use an intuitive labeling taxonomy that aligns better with industry standards.
3. Identifying and addressing old data: before implementing new tools, there might be old data that needs to be reviewed and resolved. When reviewing this data, it is important to consider its age and whether anyone is still using it. Additionally, priorities should be established and rules created to save, delete, and protect the data.
4. Protecting the data: finally, data should be protected according to its classification. Protecting personal and customer information is the core of what we aim to safeguard. Building customer trust and protecting their information are the keys to an information protection program.
If your organization is starting to create an information protection program, it is important to follow these three steps. At myCloudDoor, we offer a layer of specialized services that cover these three steps and turn them into a successful project.
1. Governance, Risk, and Compliance: consulting services for defining the types of information that need defending, always focusing on customer data and sensitive information.
2. Deployment of tools: services for deploying and managing tools for information protection and user rights management. At myCloudDoor, we offer the deployment and use of the Microsoft Purview application layer, focused on protecting the organization’s information.
- Microsoft Purview Information Protection
  * Discover and classify data at scale through automation and machine learning.
  * Integrated labeling and protection.
  * The platform extends protection experience to users and the organization.
  * Integrated encryption in Microsoft 365 at rest, in transit, and in use.
- Microsoft Purview Data Loss Prevention (DLP)
  * Automatically apply compliance with regulations and internal policies in the cloud and on-premises.
  * Extend the DLP policy to Microsoft and other manufacturers’ endpoints, local file shares, user applications, browsers, and services.
  * Apply flexible policy management to balance user productivity.
- Microsoft Purview Data Lifecycle Management
  * Retain or delete data and manage records that users collaborate on to manage risk and avoid productivity loss.
  * Demonstrate compliance with label analysis insights, defensible deletion, and enriched audit trails.
  * Manage the import of data external to Microsoft with predefined data connectors.
- Microsoft Purview Compliance Manager
  * Manage compliance from start to finish, from simple onboarding to control implementation.
  * Configure ready-to-use assessments to meet your requirements across all assets.
  * Simplify compliance with continuous assessments, automated control assignment, and a compliance score.
Creating an information protection program is not a one-size-fits-all exercise, but the program is more likely to succeed if the classification terms chosen are easy to understand and apply, users are proactively educated, and information protection is integrated into existing processes to minimize impact.
Miguel Monedero
Security Director at myCloudDoor