Project

Global Information Security & Compliance Project in the Life Science industry

Challenges

A global pharmaceutical company needed to significantly increase its data protection. After a series of incidents, and recognizing that further attacks were to be expected, the company decided not only to massively increase the technical measures protecting its intellectual property and data, but also to raise its employees' level of knowledge and improve their behavior with regard to information security and compliance.

  • A joint project of the business, compliance and IT in a culture that is used to working in silos

Our Approach

The existing information security organization comprised responsible experts in the majority of the more than 80 countries. As the main internal stakeholders, we identified the local responsible IT managers, the local and global information security officers, the Global Comms, Internal Comms and User Comms units subordinate to them, division heads, and contacts in Compliance and Risk and Legal at corporate level.

  • Analyzing employee behavior worldwide and identifying significant irregularities. Several workshops with the company's information security experts to assess the information security risks and develop appropriate countermeasures
  • Internal campaign on information security (on- and offline at all major locations worldwide) including a worldwide information security day as well as a gamification approach with a specially developed app
  • Development, setup, and operation of an intranet presence with extensive material, workshops, and trainings on the most urgent problems (train the trainer)
  • Integration of information security aspects into training, all current projects and as an essential part of all new projects
  • Regular performance of overt and covert tests (e.g. simulated attacks), combined with training

Results

  • Excellent feedback for project communication globally. All stakeholders feel well informed and integrated in the project
  • Employee behavior measurably improved toward greater information security
  • Awareness of information security significantly improved at local and global level
  • Information security established as an obligatory component of the onboarding and annual compliance education

Lessons learned

  • Strong promoters and competent contact persons are needed on site
  • The combination of different elements of information transfer by means of different media reaches almost all employees with a high degree of reliability
  • Communication and change management proved to be key to keeping all stakeholders (SteerCo, MD level, country and information security heads and employees, project staff, different consultancies) on board
  • Regular reminders at high frequency and in various ways are needed to achieve a lasting change in behavior
  • Employees must be personally involved and not just experience the topic as spectators