IT security

Daniel Heck | Andrea Gillhuber

Protecting the vaccine from hackers

Hackers are jeopardizing the storage and logistics of coronavirus vaccine doses, attacking pharmaceutical companies and most recently hacking the European Medicines Agency (EMA). Whether vaccines or industrial products, this is how companies protect their know-how.

Now that the pharmaceutical industry has finally developed a coronavirus vaccine, the next danger is lurking: professional hackers. They are jeopardizing the storage and logistics of the sensitive vaccine doses, attacking pharmaceutical companies to gain access to research data and most recently hacking the European Medicines Agency (EMA). All institutions involved with the vaccine urgently need strong IT security technologies to protect themselves from such attacks.


The joint global effort by pharmaceutical companies in the search for a coronavirus vaccine is unique. These successes were also made possible by the fact that business processes can now be almost completely digitalized. Results from clinical studies, laboratory values or strategy papers can be exchanged and processed with partners, laboratories and suppliers worldwide in fractions of a second. Cloud services such as Microsoft Teams and SharePoint Online make it possible to work on data together - regardless of where the doctors, scientists and laboratory managers involved are working.

Agility harbors risks

However, this agility also harbors new risks. Highly sensitive data from clinical studies or research is stored in the data centers of cloud providers. Technically, the data is often better protected by the large cloud providers than in many self-operated data centers of medium-sized companies. However, there is a threat of access by the cloud providers themselves and - in the case of US providers - by government authorities. This is because the CLOUD Act obliges US cloud providers to grant US authorities access even to data that is not stored in the US - thereby undermining the EU GDPR.

For this reason, the European Court of Justice (ECJ) declared the Privacy Shield data protection agreement concluded with the USA invalid this summer. In principle, German companies are currently not allowed to use cloud offerings from Microsoft, Google or Apple for their business processes without special EU GDPR-compliant protection from a trustworthy provider. However, the pharmaceutical industry is dependent on US services from Microsoft, Amazon or Google if it wants to collaborate globally in the cloud.


Cyber attacks are increasing rapidly

Cloud services such as Microsoft Teams or SharePoint Online have also made working from home possible on a large scale. However, working from home also opens up a whole range of data security risks. Attackers exploit vulnerabilities in insecure VPN tools or collaboration platforms, for example. Working from home has also led to a rapid increase in the number of attacks via phishing emails. Professional hackers send such emails to lure recipients to malware-infected websites. In this way, they try to gain access to companies' IT infrastructure in order to steal sensitive data. There have already been massive attacks on companies involved in the development, approval and distribution of vaccines against Covid-19.

Four central IT security strategies - how to protect your know-how and processes

All parties involved are therefore under increasing pressure to protect themselves better - also in the interests of the common good. At the same time, they must maintain their ability to do business and use tools that increase their agility when working together. In order to reconcile this agility with data protection, four central IT security strategies are necessary:

1. Making the cloud secure

The fact that more and more files are being stored in the cloud is increasingly calling previous security strategies into question. After all, no one can protect their data with the help of firewalls if it is stored on the servers of cloud providers. Companies need innovative technical solutions that give them back control over their data. Microsoft has embarked on this path together with the German IT security company Rohde & Schwarz Cybersecurity. Sensitive user data is decoupled from the cloud and can be stored in encrypted form anywhere - for example in the company network. In this way, no cloud provider, hacker or authority can access the data in the cloud. With a solution like this, globally active companies can also comply with worldwide data protection regulations.

2. Use highly secure VPN connections

A 'Virtual Private Network' (VPN) enables a secure connection from any location to a company network. All that is required is a connection via a WLAN network, mobile network or Ethernet, for example. Special high-security VPN tools are required to ensure that data communication via such a public network or a home network is secure. The problem is that these were previously only available in the form of hardware boxes that worked only with end devices from certain manufacturers. When a large number of employees switch to working from home from one day to the next, such a system quickly reaches its limits. The boxes are completely unsuitable for working on the move - for example at the airport, in the hotel lobby or in a cab - as they require an external power connection.

Only a software-based VPN client makes it possible to quickly switch to remote operation. For it to be truly secure, the VPN client must be 'always-on' - this means that data can only leave the end device via the VPN connection. The client deactivates itself only when it detects a secure network - for example in the office. Such 'friendly network detection' enables the user to work continuously and securely in different network environments. The R&S Trusted VPN Client is the first software-based VPN client that has been approved by the BSI for VS-NfD requirements.

3. Secure the browser

Even before the coronavirus crisis, 70% of hacker attacks came from the internet. The current need for information exacerbates this danger even further. Malware is being smuggled onto computers via fake websites, emails or graphics that appear to come from trustworthy sources. The best protection against attacks from the Internet is a virtual browser, such as the R&S Browser in the Box. If this is used, cyber criminals don't stand a chance.

4. Protect data on the end devices

Organizations with high security requirements in particular - and this includes pharmaceutical companies - should equip their employees' end devices with hard drive encryption. Only authorized users can then access their data and the operating system, using multi-factor authentication. If the device is lost or stolen, it is not possible for third parties to access the data.

Speed not at the expense of safety

Speed is important in the development, approval and distribution of new medicines and vaccines. But it must not come at the expense of data and process security. With the right IT solutions, security and digital agility can be combined.
