The Embezzler’s Ghost: Why The Fraud Triangle Is A Gift To Adaptive Threats

Posted on February 4, 2026 by Paul Curwell

Paul Curwell

3–5 minutes

We are trying to catch 21st-century crooks with a framework designed in 1953 for middle-management embezzlers.

In my consulting practice and work with post-grad students, I see this disconnect constantly. We are defending against Organised Adversaries – crime syndicates, nation-states, and sophisticated fraud rings – using logic designed for a completely different era.

Donald Cressey’s “Fraud Triangle” was a breakthrough for its time. It perfectly explained the opportunistic fraudster: the trusted employee who hits a personal crisis and “breaks.”

But today, we aren’t just facing desperate employees. We are facing actors who don’t wait for a crisis to occur – they engineer one.

When we apply “embezzler logic” to a sophisticated criminal operation, we don’t just get it wrong. We create a dangerous blind spot.

Donald Cressy's Fraud Triangle focuses on embezzlers, and was developed in 1953. — The “Fraud Triangle”, Donald Cressey (1953)

The Problem: Looking For Desperation, Not Intent

The Fraud Triangle rests on the pillar of Pressure (specifically, a “non-shareable financial problem”). It is designed to find the person drowning in debt.

Adaptive threats, however, operate out of Strategic Intent.

If you only look for “financial desperation,” you will miss the high-performing, debt-free executive who is acting on ideology or coercion. We need to shift from Occupational Psychology (why good people go bad) to Adversarial Motive (what a sophisticated actor wants).

Understanding Motive As A Target Map

For adaptive threats, bankruptcy is rarely the lead indicator. To find the levers of disruption, we need to use the intelligence community’s MICE framework:

Money: For organised crime, this is about profit maximisation. Your lever: Increase their “cost of business” until the ROI fails.
Ideology: They believe your IP belongs to their nation. Your lever: Total denial of access—you cannot “ethically train” an ideologue.
Coercion: A trusted insider is being blackmailed. Your lever: Culture. A “safe-to-report” environment disrupts the adversary’s leverage.
Ego/Extortion: The desire for revenge or status. Your lever: Behavioural analytics that flag “entitlement patterns.”

The Structural Blindspot: Solo vs. Group Logic

The Fraud Triangle is a one-dimensional psychological analysis. It fails to model the reality of modern, structured threats:

Group Decision-Making: Adaptive threats use hierarchical command structures, not solo impulses.
Long-Term Strategy: These actors have patience. They use multi-stage operations and strategic misdirection (false flags) that a “one-off” fraud framework cannot detect.
Institutional Doctrine: State-sponsored actors follow a professional doctrine, not a psychological rationalisation.

graphical illustration of an adaptive threat network — Sophisticated ‘adaptive threats’ are effectively businesses, with dedicated roles and cross-border reach (JP 3-25)

From Static Opportunities To Manufactured Ones

The Triangle assumes Opportunity is a static weakness – like a door accidentally left unlocked.

Adaptive threats don’t wait for an unlocked door; they build a key.

They use intelligence tradecraft – such as social engineering and long-term grooming – to create access. While the opportunistic embezzler exploits a loophole, the adaptive threat exploits the system itself.

Why Your Current Toolkit Is Failing

If you rely solely on the Fraud Triangle, your mitigation strategy is likely fighting the wrong war:

Bankruptcy Checks: Miss the “clean” operative being paid handsomely by a third party.
Baseline Controls: Easily bypassed by an adversary who has spent months mapping your social and technical dependencies.
Internal Investigations: Often fail because they assume a “lone wolf” perpetrator. As I’ve noted in my previous article, 31% of insiders operate in networks. If your detection doesn’t account for these internal networks, you are missing the campaign behind the individual.

Stop Looking For The “Lone Wolf”: New Research Reveals 31% Of Malicious Insiders Don’t Act Alone

The Shift: Toward Adaptive Detection

We must trust our people to run a business, but we must recognise when that trust is being exploited. We need to shift our surveillance and detection focus:

From Financial Monitoring to Relationship Mapping and Behaviour Analytics.
From Control Weaknesses to Access Pattern Analysis (UEBA).
From Individual Psychology to Organisational Loyalty and Network Cohesion.

The Takeaway

The opportunistic embezzler and the organised adversary are fundamentally different risks.

You cannot stop a professional spy or a state-backed fraud ring with a framework designed to catch a desperate clerk.

If your defence doesn’t evolve, you aren’t managing risk – you’re just waiting to be a headline.

The 90/10 Problem: Why We Are Blind To The Insider Risks That Matter Most

Posted on January 28, 2026 by Paul Curwell

Paul Curwell

3–4 minutes

We have built a massive machine to stop data theft.

If an employee tries to download 5,000 sensitive files to a USB drive, we catch them (increasingly). We have User Entity Behaviour Analytics (UEBA), Data Loss Prevention (DLP) agents, protocols, and budgets dedicated to this single problem. It is a success story.

But this success has created a dangerous strategic blind spot.

By becoming experts at detecting Information Theft, we have inadvertently convinced ourselves that we are managing all insider risk. We aren’t. We are aggressively managing the one domain that generates the most logs, while the other seven remain largely unmonitored.

The Insider Risk Blind Spot (Curwell, 2026)

Here is why our focus is skewed, and why the risks of the next decade require a completely different approach.

The Taxonomy of Neglect

Practitioners generally recognise 8 distinct insider risks. Look at this list and ask yourself where your budget goes:

Information Theft (The industry focus)
Sabotage (Physical, Data, and IT/OT)
Workplace Violence
Terrorism (religious and issue-motivated)
Physical Theft, Diversion & Supply Chain Compromise
Foreign Interference
Espionage
Internal Control Compromise

I suspect 90% of your resources are dedicated to #1 (and maybe a bit to #8), leaving the other seven exposed.

The Evidence of the Gap

These “neglected” domains are no longer theoretical anomalies. For example:

#6 Foreign Interference (The “Imposter”) Increasingly, the most pervasive threat isn’t a spy stealing blueprints; it’s foreign interference like the 2024-2025 “North Korean IT Worker” fraud scheme.

The Blind Spot: These trusted insiders don’t trigger DLP alerts because they aren’t trying to steal data—they are trying to keep their jobs.
The Risk: They represent a pre-positioned sabotage force with “commit access.”

#2 Sabotage (The Kinetic Insider) In 2022, saboteurs cut the fiber-optic cables for the German Rail network in two separate locations.

The Blind Spot: The precision of the cuts implied “insider knowledge.” No firewall or UEBA could stop the physical attack enabled by inside info.

The High Cost of “Silent” Risks

We focus on Information Theft because it is “Noisy” (spikes in logs). But the “Silent”, Low Probability High Impact (LHPI) risks often cost more.

Consider Société Générale. The rogue trader (Jérôme Kerviel) didn’t steal money directly; he compromised Internal Controls (Domain 8).

The Fine: €4 MILLION (Poor compliance).
The Loss: €4.9 BILLION (Control failure).

We spend millions optimising for the fine, while ignoring the bankruptcy-level risk.

3 Steps to Monitor the Other Seven Domains

We don’t need to throw away DLP, but we must pivot:

1. Re-tune UEBA for Context: Ingest Physical Access (PACS), HR, and OT data. A threat isn’t just “downloading files”—it’s an angry employee entering the facility at 3 AM.

2. Validate Identity, Not Just Activity: To catch the “Imposter,” move beyond background checks to biometric validation.

3. Monitor “Integrity,” Not Just “Confidentiality”: Detect changes to business logic (e.g., “Why was this sensor threshold changed?”), not just the movement of files.

The Takeaway

We have solved the “easy” problem of data leakage.

The “hard” problems—sabotage, fraud, and foreign interference—are still waiting for us.

It’s time to turn the lights on in the other seven rooms of the house.

Exploring Microsoft’s 2025 Updates: Impact on Insider Risk Management and Information Protection

Posted on October 7, 2025 by Paul Curwell

Paul Curwell

8–11 minutes

3 Key Takeaways

In Australia, a cyber incident hits a small business every six minutes, with an average cost of around AUD $49,600 (ACSC, 2024). Some analysts estimate that 50–60% of SMBs never fully recover after a serious breach — a stark reminder that security, including Microsoft Insider Risk Management, is a matter of business survival.
Insider threats remain an underappreciated risk for many SMBs.
The good news: if you already have Microsoft 365 E5, you own tools like Purview IRM, Sentinel, and Defender to protect your trade secrets and IP. Microsoft’s 2025 updates strengthen insider risk detection — but remember, technology alone won’t replace a complete insider risk management program.

Managing insider risk protects your business and your investors

According to the Australian Cyber Security Centre (ACSC, 2024), a cyber incident hits a small business roughly every six minutes, with an average cost of AUD $49,600 per incident. Even worse, some commentators suggest that 50–60% of SMBs never fully recover after a serious cyber attack. That’s not just IT drama — that’s business survival at stake.

If your business is R&D-intensive — biotech, advanced manufacturing, materials science — then your currency is intellectual property. You breathe it, you sweat it, and let’s be honest, you probably worry constantly that someone will steal it. And the reality? That threat isn’t always knocking from outside your firewall. Often, the biggest risk comes from inside your own walls: departing scientists, disgruntled engineers, or even well-meaning employees who don’t realize that “just sharing” can leak your crown jewels.

Biotech and MedTech Investors Are Demanding Security and Resilience: Are You Ready?

When it comes to insider threats, most large companies, let alone SMBs, are still playing catch-up. In this article I will explain how you the tools you’re probably already paying for through your Microsoft licensing can help. But first, a short case study:

Case Study: The GSK Scientist

In a high-profile U.S. DOJ case, a GlaxoSmithKline scientist emailed proprietary drug formulas to a company in China, causing over $500 million in lost R&D and IP value.

Now imagine this scenario under Microsoft Purview + Sentinel in 2025:

The formulas live in SharePoint, Teams, or OneDrive and are labeled with sensitivity (e.g., “Confidential – R&D”).
Purview ties labels to protection rules: “cannot be emailed externally — or must require justification.”
Attempting to email triggers Insider Risk Management (IRM) alerts or blocks the action.
Sentinel’s UEBA detects abnormal behavior — unusually large downloads, off-hours activity, or new endpoints.
Alerts are combined across Purview, Defender XDR, and Sentinel, giving analysts a clear, high-priority case.
Purview’s data risk graph visualises 30 days of activity, helping triage faster.

With early detection and response by configuring tools you already have, this sort of damage to IP, commercialisation timelines, and investor confidence could be significantly reduced — maybe even avoided entirely.

If you already have Microsoft 365 E5, you own more of the solution than you think. And now, the latest 2025 updates to Purview and Sentinel have added serious muscle to detect and prevent insider threats — but only if you integrate them into a proper insider risk program and fill in the process gaps.

How Purview + Sentinel Fit Into Your Insider Risk Program

Here’s how Purview + Sentinel support the implementation of your Insider Risk Program:

Program Component	What Purview / Sentinel Provide (2025)	What Program Managers Must Do	Gaps / Limitations
Asset Identification & Classification	Sensitivity labeling and Unified Data Catalogue classify documents, Teams content, and metadata.	Maintain your IP inventory, map critical projects, and align labels to business value.	Doesn’t cover physical lab notebooks, test rigs, or bespoke machinery metadata.
Policy Definition & Risk Indicators	Configure policies in Purview IRM (e.g., “sharing of Confidential documents”) and integrate generative AI risk indicators.	Decide which policies matter, define thresholds, and engage legal/HR.	Microsoft provides generic templates—not biotech-specific models like gene sequences.
Behavioral Analytics & Detection	Sentinel UEBA builds baselines, flags deviations, and correlates with IRM alerts.	Tune models regularly, review false positives, and interpret alerts in domain context (e.g., why a scientist downloaded 10 GB after hours).	Entity profiles may miss domain nuances like lab equipment logs or custom LIMS.
Continuous Monitoring & Log Retention	Sentinel Data Lake allows long-term retention and unified analytics; Purview data risk graphs visualize user activity over time.	Decide which logs to ingest (QMS, LIMS, endpoints) and maintain connectors.	Doesn’t automatically capture lab instrument logs or IoT devices without custom integration.
Access Control & Offboarding	IRM ties into DLP and Entra conditional access; alerts feed into Defender XDR & Sentinel for unified incident management.	Enforce least privilege, automate offboarding, and review permissions periodically.	No direct control over physical access systems or lab network zones outside Microsoft domain.
Training & Culture	Insights highlight risky behavior trends and feed training content.	Run tailored awareness programs, embed reporting culture, and address willful breaches.	Tools don’t provide morale incentives or human trust programs—that’s still on you.
Incident Response & Investigation	Alerts integrate across IRM and UEBA; workflows allow escalation.	Define incident playbooks, coordinate with HR/legal, and conduct root cause analyses.	Doesn’t integrate into lab SOPs, physical forensics, or external partner investigations.

The takeaway? The tools assist, but they don’t replace your program. Success comes from aligning process, domain knowledge, and tool tuning.

Benefits and Limitations of the Lastest Update

Most SMBs already have Microsoft 365 E5, which as of 2025 includes:

Microsoft Purview Insider Risk Management & Information Protection – label sensitive data, prevent unauthorized sharing, and configure insider risk policies.
Microsoft Sentinel – aggregate alerts, correlate user/device/system events, and analyze anomalous behavior with UEBA.
Defender for Cloud Apps – monitor shadow IT, risky data exfiltration, and suspicious external sharing.

These tools are powerful — but they work best when embedded in a full insider risk program that combines technology, policies, monitoring, and response.

The benefits of UEBA illustrated with a simple example:
Meet Dr. Lee, your molecular biologist: Normally, Dr. Lee downloads 2 GB from SharePoint each evening. UEBA quietly learns that pattern. One night, Dr. Lee downloads 20 GB and tries to email a zip labeled “Confidential – Patent2027” externally. Purview IRM immediately flags it. UEBA notices the 10× spike and unusual context — after hours, from a new endpoint — correlates it with the IRM alert, and surfaces a high-priority anomaly. Analysts see it in Sentinel, triage the alert, and kick off the response. The key point here is that UEBA doesn’t monitor every email or attachment. That’s IRM/DLP territory. Instead, UEBA focuses on patterns, deviations, and context, giving you the early warning signs before any damage is done.

When it comes to using this practically, however, there are some limitations that you’ll need to keep in mind:

QMS/LIMS logs: These systems store formulas, protocols, and test data. Purview and Sentinel don’t automatically ingest them — you’ll need APIs, Syslog, or custom connectors to detect anomalies in your crown-jewel IP.
Physical security systems: Badge access logs (e.g., Gallagher Command Centre) can feed into Sentinel UEBA via REST APIs, correlating physical and digital access.
Policy alignment: Insider Risk Management policies must coordinate IT, compliance, and R&D to cover all sensitive assets effectively.

Integrating Security into Quality Management Systems

Total Cost of Ownership (TCO)

Let’s talk dollars — because even the best plan is irrelevant if it’s financially out of reach.

Access via E5: Your Hidden Advantage

If you already have Microsoft 365 E5, many Purview insider risk features — IRM, sensitivity labeling, and analytics — are already included. You don’t need to pay more; you just need to turn them on and configure them thoughtfully.

Sentinel Pricing Model

Sentinel charges per GB of data ingested, plus extra for long-term retention.
The new Sentinel Data Lake GA reduces the cost of historic logs (1–2 years).
High-volume sources like IoT devices or lab instrument logs can push ingestion costs up, so start with high-value systems first.

Implementation & Ongoing Management Costs

Consulting to deploy, tune, and integrate Sentinel + Purview usually starts around USD ~$25,000 for modest scopes. Costs typically cover:

Policy workshops — which trade secrets need which protections
Connecting QMS/LIMS/instrument logs via custom middleware
Alert tuning, user onboarding, and training
Ongoing maintenance — reviewing false positives, adjusting thresholds, rotating policies

You’ll also need a security analyst or compliance lead (or a good consultant) to monitor alerts, triage cases, and evolve the models.

So what does this mean for you? The cost of doing nothing is far higher: lost investor confidence, competitive leakage, and compromised commercialization. Even a single IP breach that trims your valuation by 5% in a funding round could outweigh all of these tool and service costs combined.

Crafting Security Business Cases for Executive Buy-in

Putting It All Together: 6 Steps to Roll Out an Insider Risk Program

Here’s a practical roadmap you can follow:

Audit Your E5 Entitlements
Check which Purview insider risk features you already have. Chances are, you own more than you think — just waiting to be switched on.
Pick Your Initial Policy Domain
Keep it simple. Start with protecting R&D documents, blocking external sharing of “Confidential” files, and monitoring abnormal downloads.
Connect Critical Systems Gradually
Ingest data from SharePoint, Teams, QMS/LIMS, and instrument logs. Use the Insider Risk Indicators import path where possible. Start with your crown-jewel systems; you can expand later.
Enable UEBA in Sentinel
Turn on UEBA and let it build behavioral baselines over 30–90 days. This is where the tool learns what “normal” looks like for your team.
Tune, Triage, Repeat
Review alerts, adjust thresholds, suppress noise, and track metrics like alert volume, conversion rates, and response times. Insider risk management is iterative — not a set-and-forget exercise.
Embed Process, Training & Governance
Align IT, HR, legal, and management. Implement offboarding, access reviews, insider threat training, and domain-specific workflows. Tools alone aren’t enough; people and processes make the difference.

Call to Action: Pick a Small Use Case & Make It Real

Insider threats aren’t theoretical — they directly put your trade secrets, research, and commercialisation efforts at risk. Your Microsoft 365 E5 licence already gives you powerful tools, but only if deployed strategically within a formal insider risk program.

Start small: pick a critical system or high-value dataset, configure your policies, turn on UEBA, and watch how the alerts and patterns help you detect anomalous activity early. Over time, scale your coverage. Don’t let leaks or fraud cripple your business.

How to Enhance Detection with Comparative Case Analysis

Posted on September 30, 2025 by Paul Curwell

Paul Curwell

5–7 minutes

3 Key Takeaways

Comparative Case Analysis (CCA) isn’t just theory — it’s a practical method to connect the dots between trade secrets theft, fraud, insider threats, and supply chain abuse.
You don’t need a huge internal dataset — competitor incidents and cross-industry cases provide the patterns and behaviours you need to build robust typologies.
CCA creates tangible business value — done properly, it turns messy case data into insights that protect revenue, IP, and operational continuity, making you look good to management and investors.

What is Comparative Case Analysis?

Most companies already have clues sitting in plain sight — case files, legal documents, media reports, competitor incidents, industry analyses. But they rarely connect the dots. If you don’t connect the dots, you can’t detect threats early, which means losses escalate, your IP gets compromised, and supply chain integrity suffers before anyone even notices.

Comparative Case Analysis (CCA) fixes this. It might not show up in glamorous keynote speeches, but it gives you practical leverage: more accurate detection, fewer false alarms, and stronger business protection. If revenue protection, IP protection, and supply chain integrity matter to you (spoiler: they should), then this is your toolkit.

Comparative Case Analysis means taking several instances of risk events (fraud, IP theft, insider threat, etc.), comparing them systematically, extracting patterns, signatures, and behaviours, then using those insights to write typologies which are used to build detection mechanisms. It’s the bridge between one-off incidents and repeatable defence.

Even if your organisation is small, you can pull from competitors or other industries — because threats are surprisingly consistent.

Why Comparative Case Analysis Matters for Business

When you get CCA right, two big things happen:

Earlier detection – You start recognizing threats before they inflict material damage.
Higher accuracy & efficiency – You reduce false positives and false negatives, which means fewer wasted resources and more trust in your detection systems.

That opens the door to greater automation and AI usage. If you understand which threats matter and how they appear in your data, you can lean more on rules engines, models, or anomaly detection — meaning you don’t need huge analyst teams fire‑fighting all day.

The business value isn’t theoretical: avoided losses, protected IP, preserved revenue, fewer disruptions in your supply chain. Plus, when management or investors ask, you’ll have solid proof you’re not just “winging it.”

We often overlook criminology when combating insider threats, fraud and sabotage

The Comparative Case Analysis Value Chain

Here’s the refined flow I use (and teach):

Threats → Risk Events (cases) → CCA (comparison) → Typologies (including patterns, signatures, behaviours) → Detection = Business Value

If any link is weak, the value drops. If all are strong, you build a resilient, measurable defence.

How to Actually Do It (Step‑by‑Step)

Here’s the practical method I use. If you follow this, CCA becomes repeatable, grounded, and useful:

Define your scope
Decide which type(s) of threats matter most to you: IP theft, insider risk, supply chain fraud, etc. Also decide down to the industry, product, or technology level.
Collect cases
Pull from internal cases (incidents, near misses), competitor incidents, public legal filings, academia, and media. If you don’t have five useful internal examples, don’t worry — competitor- or cross‑industry cases are totally valid.
Standardise the data
For each case, capture things like: who, what, when, how, impact, what failed controls, what signatures/behaviours were present.
Compare systematically
Lay out your cases side by side. Look for recurring behaviours, misused access, insider‑outsider collusion, process failures. Don’t assume everything is causal — test what appears consistently.
Extract typologies
From those recurring behaviours/patterns, build your typologies: the defined set of patterns, signatures and behaviours that will become your detection requirements.
Validate & test
Apply typologies to fresh data or unseen cases. Measure whether you catch real threats and don’t swamp people with false positives. Refine aggressively.
Monitor performance
Track detection speed, false positives/negatives, cost of investigation vs. savings, and measurable risk reduction. If you’re not seeing clear value, revisit your typologies.
Peer review
Get someone not involved in your collection or initial comparison to critique: did you miss patterns? Are your assumptions reasonable?
Evaluate reliability
Are your detection rules trustworthy enough to rely on with minimal oversight? If not, iterate.
Refresh regularly
Threats evolve. You should revisit your typologies and the chain every year (or more often in fast‑moving tech sectors) to stay relevant.

“Typologies” Sound Boring – But They Could Save Your Business Millions

Real Case Examples to Learn From

Comparative Case Analysis might not win design awards, but it wins business protection. It turns messy case files into sharp detection requirements. Do it right, and you get fewer losses, protected IP, stable revenue, and less headache from the security/fraud team. For example:

Trade Secret Theft in Medtech: A departing engineer at a medical device company copied proprietary 3D printing designs for a new implant. The designs appeared at a competitor two months later. Compare the methods used to extract the IP, the timing, and which controls failed — then ask yourself: could this happen in your organisation?
Supply Chain Fraud in Electronics: Danish authorities recently discovered unlisted components in circuit boards purchased from overseas, intended for use in green energy infrastructure. The parts could have been exploited to sabotage operations in the future. Compare the tactics and controls in place — quality checks, supplier audits, component verification — and assess whether your supply chain could be similarly vulnerable.
Insider Threat in Critical Infrastructure: A disgruntled employee at a water utility sabotaged Operational Technology at pumping stations so they would fail five days after he left the business. Compare the patterns and tactics used, as well as which controls worked or failed. Then use this to assess your own business: could this happen to you?

These examples demonstrate that threats are not isolated incidents but part of broader patterns that can be identified and mitigated through CCA.

Call to Action

If you’re a risk or compliance leader whose business is exposed to these sorts of threats, you need to ask whether your team is conducting Comparative Case Analysis as part of continuous improvement. Are you systematically comparing incidents to identify patterns? Are you using these insights to write typologies that inform your detection mechanisms? If not, it’s time to start.

Ransomware Attacks on R&D Companies Explained

Posted on September 2, 2025 by Paul Curwell

Paul Curwell

5–8 minutes

3 Key Takeaways:

Ransomware has professionalised: today’s gangs follow an 8-step targeting cycle that looks more like a military operation than a cybercrime.
R&D-intensive companies are prime targets because weak data governance creates exploitable security gaps — and attackers know your research is the fastest route to a big payday.
The financial impact goes far beyond ransom payments — share prices fall, investors back away, and patents can be undermined.

The impact on your business

Ransomware is the digital version of kidnapping. Attackers break into your systems, lock up your data, and demand payment for its release. But unlike old-school kidnappers, they don’t just keep the hostage — they copy it too. For R&D-heavy companies, that hostage is your research pipeline: your trade secrets, trial data, and commercialisation plans.

And here’s the part too many boards miss: the ransom is only the start of the damage.

Share price impact: Public disclosures of ransomware routinely knock 3–5% off market cap. One company’s 2023 breach wiped millions in value overnight.
Investor attraction: If you can’t prove your research data is safe, investors won’t touch you. Due diligence now treats ransomware resilience like another line in your balance sheet.
Time-to-market delays: Every month of R&D delay costs millions in burn and kills first-mover advantage. In pharma, a six-month delay can add $3–6M to costs.
Commercialisation risk: Stolen formulas and trial data can create “prior art” that undermines your patents. Translation: your billion-dollar IP is now legally copyable.

Ransomware isn’t just an IT outage — it’s a strategic risk to valuation, market entry, and investor confidence.

49% of Private Equity deals fail because of undisclosed data breaches

Why R&D-intensive companies are vulnerable

Think of your R&D program as a fragile supply chain. Every stage — discovery, trials, data integrity, and commercialisation — depends on governance and control. When ransomware strikes, the weak links show.

Here’s an uncomfortable truth: in R&D intensive businesses, many ransomware vulnerabilities come not from exotic zero-day cyber exploits but from poor data governance, which flows through to your information security posture. Data governance is not a “tech” term — it’s a board-level responsibility. When governance fails, attackers thrive:

Unclear ownership and access: If no one owns the data, no one protects it. Attackers love overexposed research folders and outdated VPN access.
Failed backups: Governance blind spots mean backups aren’t tested — so the first time you discover they don’t work is during an attack.
Misapplied controls: Without proper data classification, security teams guard low-value data while leaving crown jewels exposed.
Regulatory exposure: Weak governance makes GDPR, HIPAA, or ISO non-compliance almost inevitable — and regulators don’t accept “we were hacked” as an excuse.
Slow detection: Without adequate security monitoring, attackers can sit inside your network for weeks undetected, rehearsing their attack.

Poor governance contributes to a perfect operating environment for ransomware groups. And in R&D-heavy sectors, that means your valuation is basically gift-wrapped for attackers.

governance is key to protecting your data, data integrity, and implementing fit for purpose security protocols to guard against ransomware.

The professionalisation of ransomware in 2025: the 8-step targeting cycle

Forget the old “spray and pray” model where attackers blasted out phishing emails and hoped someone clicked. That was cybercrime’s stone age, and focused on everyone and everything rather than being highly sophisticated, targeted, and selective.

Today’s ransomware gangs are professionals. They behave like organised crime syndicates, following a structured 8-step targeting cycle designed to maximise pressure and payouts:

Target Selection – Industries where data equals enterprise value, such as pharma, biotech, semiconductors, medtech, and advanced manufacturing.
Initial Surveillance – Public sources, leaked credentials, and open servers help attackers map your weak spots.
Final Target Selection – They zoom in on firms with high-value IP, fragile governance, and patchy defences.
Pre-attack Surveillance – Once inside, they quietly watch. Mapping networks, spotting backup systems, and studying user behaviours.
Planning – With insider-level intel, attackers script their playbook for maximum damage and leverage.
Rehearsal – Yes, they practice. In test environments, they run through encryption and data theft to ensure nothing goes wrong on game day.
Execution – Systems are locked, IP is exfiltrated, ransom notes drop. Victims are blindsided; attackers are already two steps ahead.
Escape & Evasion – Logs are wiped, trails covered, backdoors left behind for future profit.

Paul Curwell's 8-step targeting cycle for organised crime

This is not opportunistic crime conducted by pimply teenagers. It’s deliberate, researched, and ruthlessly commercial — closer to an IPO roadshow than a smash-and-grab.

Case studies: when ransomware hit the labs

Perhaps your one of the many people I talk to at industry events who’s sick of hearing about security. Well, if you need further convincing on the importance of this topic here are 5 real-world examples that show how professionalised ransomware plays out:

Company	Attacker Group	Success Factors	Business Impact	IP/Patent Risk
Company A (India, 2023)	ALPHV / BlackCat	Compromised VPNs & stolen credentials, extensive pre-attack surveillance.	17TB of data stolen, 3–5% share price drop, $50–62M revenue hit, $3M+ recovery costs.	Risk of patent invalidation if leaked as prior art.
Company B (Japan, 2023)	Unnamed (likely RaaS affiliate)	Supply chain intrusion, privileged access exploitation.	Multi-week disruption of R&D and manufacturing, investor concern.	Possible exposure of neuroscience research.
Company C (India, 2020)	Unnamed criminal ransomware group	Phishing & credential theft during COVID-19 trials.	4% share price drop, 2-week trial delays, $150k–$250k added burn per project.	Trial data exposure undermines exclusivity.
Company D (Germany, 2023)	Unnamed RaaS affiliates with APT links	Exploited enterprise / cloud vulnerabilities, targeted R&D repositories.	Attack contained quickly, limiting share price impact.	Potential R&D data exposure, though managed.
Company E (UK, 2024/25)	Qilin	VPN / firewall exploits (CVE-2024-21762), targeted NHS-critical systems.	£32.7M loss (~$41M), weeks of disruption, ransom ~$50M.	Diagnostic IP exposed, R&D collaborations disrupted.

The costs of an IP breach

Conclusion: the strategic picture

The uncomfortable truth: ransomware groups have professionalised faster than most boardrooms have adapted. They’re running playbooks that look like government intelligence operations, and they’re aiming squarely at industries where research is the business to make sure you’re highly incentivised to pay up.

If you’re in an R&D-intensive sector, you’re not just another target — you’re the main course. Weak governance, patchy security, and misplaced confidence in cyber insurance won’t save you.

So, next time someone in the boardroom calls ransomware an “IT problem,” remind them it’s actually a governance problem. Because in 2025, the attackers aren’t amateurs anymore — and if your business wants to survive your response can’t be either.

Why Your Brightest Minds Are Clicking on Deepfakes: The Hidden Business Cost of Phishing in Science & Tech SMBs

Posted on July 22, 2025 by Paul Curwell

Paul Curwell

7–10 minutes

Key Points

Phishing is smarter now—AI-generated, multi-channel, phishing and social engineering schemes are targeting your most trusted staff.
If you don’t own your cloud security, someone else will—probably a criminal.
Breach costs in biotech, medtech, and high-tech are among the fastest-growing, averaging $4.9M.

“We Thought We Were Too Small to Be Targeted”

If I had a dollar for every science or tech founder who told me their company was “too small to be on anyone’s radar,” I’d have my own R&D fund.

Let me be clear: attackers don’t care about your size—they care about your value. IYou’re holding proprietary data, research, or trade secrets, so you’re a target. Most science and technology businesses rely on cloud services and don’t have a full-time security team, making you vulnerable.

The methods used to breach billion-dollar multinationals are now faster, cheaper, and powered by AI. This article outlines the threat and provide tips on how to stop your business from being compromised with one fake Slack message, QR code, or deepfake video call.

The Phishing Shift: Multi-Channel, Deepfake, and Voice Fraud Are the New Norm

Phishing has evolved. It’s no longer about shady emails from fake banks. Today’s attacks are:

AI-enhanced: Customised lures generated instantly using your public data.
Multi-channel: 41% of phishing attacks now include SMS, WhatsApp, Teams, Slack, or LinkedIn, not just email. [[Verizon DBIR 2025]]
Visual and audio deepfakes: CEO voice clones. Fake investor video calls. Deepfake “compliance officers” asking for document uploads.
QR code phishing (quishing): Seen a QR code on a conference booth or flyer? It could trigger malware or credential theft. These attacks have jumped 2,000% since 2023. [Proofpoint]

This means your smartest, most senior, and most trusted employees—research leads, engineers, finance managers—are now your most likely targets.

And when they click? The attackers don’t just steal credentials—they steal access to your intellectual property, your commercialisation roadmap, your partner data.

Business Email Compromise – persistent threat or consistently mismanaged?

What’s Really at Risk? IP, Trust, and your Entire Business Model

According to the IBM Cost of a Data Breach Report (2024), the average breach in the biotech and medical devices sectors now costs $4.9M, driven by:

Lost IP and R&D delays
Regulatory investigation
Supply chain fallout
Loss of investor confidence

And let’s be blunt: in your world, IP is the value. If that gets leaked, copied, or ransomed, your growth narrative evaporates. Here’s how the damage cascades across your business:

Function	Impact
Strategy	Stolen trade secrets = lost first-mover advantage
Investment	Investors now screen for cloud security and IP protection readiness
Finance	Costs spike with downtime, legal, incident response, and insurance gaps
Operations	Phishing often leads to ransomware disrupting production or trials
Marketing	A leak of your roadmap = blown launch, brand damage, loss of trust

AI for Deeptech Startups: Balancing Speed and Security

Real Example: The Deepfake COO That Killed a Fundraise

A medtech startup was gearing up for their Series B. One of their engineers received a message on Slack from “their COO” requesting trial data to be uploaded to a new shared folder for investor review. It was convincing—same profile picture, same tone, same urgency.

Except it wasn’t their COO.

The link was spoofed. The data was stolen. Within weeks, unpublished clinical research appeared online. The raise was postponed. A competitor filed a patent within six months.

This was not a technical failure—it was a business failure rooted in poor security awareness and access control.

The Cloud Trap: “We Use Microsoft/AWS, So We’re Covered” (No, You’re Not)

There’s a dangerous myth in science and tech startups:

“We’re on Azure or AWS, so we’re secure.”
Wrong.

Cloud providers like Microsoft and Amazon only protect the infrastructure. Everything else—your apps, identities, access controls, data classification, and monitoring—is your responsibility.

Who Secures What in the Cloud?

You Secure	Provider Secures
IP, data, applications	Physical data centres
User identities, MFA	Infrastructure uptime
SaaS app permissions	Network hardware
Monitoring & alerts	Hypervisor patching
Segmentation, backups	Base platform security

Cloud platforms call this the Shared Responsibility Model, and it’s not optional. If you’re not configuring and monitoring your cloud assets regularly, you’re driving blind.

Security Awareness Training: The Key to Protecting Life Sciences from IP Threats

So What Do You Actually Do? Here’s a Business-Ready Plan

You don’t need a CISO or a 10-person security team. But you do need a plan that works for a cloud-first, IP-heavy business. Here’s mine.

1. Use the Cloud Security Tools You Already Own

You’re probably already paying for enterprise-grade security features. Turn them on.

On Microsoft Azure:

Defender for Cloud: Detect misconfigurations, malware, and risky settings.
Sentinel: Security analytics and threat detection.
DLP & Microsoft Purview: Prevent IP and research leaks across Teams, SharePoint, and email.
Defender for Cloud Apps: Track SaaS sprawl and OAuth risks.

On AWS:

GuardDuty: Real-time threat detection and alerts.
Security Hub: Centralised risk view across AWS services.
IAM + KMS: Fine-grained access control and encryption key management.
Connected App Reviews: Audit OAuth and API app integrations.

Set alerts. Monitor changes. Review configurations monthly.

2. Lock Down Identity, Access, and Data

MFA Everywhere: No exceptions, no delays.
Least Privilege: Don’t give admin rights unless absolutely necessary.
Credential Hygiene: Rotate secrets; store them in Key Vault (Azure) or Secrets Manager (AWS).
Segment R&D Environments: Separate IP-heavy workloads from finance, HR, and business ops.
Encrypt Everything: In transit and at rest. Use customer-managed keys for sensitive data.

3. Train for the Threats of 2025

Phishing isn’t just email anymore. Your staff need to be trained for:

Quishing: Fake QR codes that install malware or lead to credential harvesters.
Vishing: Calls from deepfaked executives or suppliers.
Fake video calls: Deepfakes of board members or partners requesting documents.
Business email compromise: Fake invoices, altered payment instructions.

Simulate these scenarios monthly. Keep it realistic. And build a no-blame reporting culture—you want incidents surfaced fast.

**4. Prepare for the Breach—Because It Will Happen**

Automate Cross-Region Backups: Especially for research data and regulatory submissions.
Test Disaster Recovery Quarterly: Restoring is not plug-and-play. Practice like it’s game day.
Keep R&D Snapshots Offline: Isolated storage can prevent ransomware spread and data loss.

Your IP is irreplaceable. Treat it like crown jewels, not just another folder.

5. Audit Your SaaS and Supply Chain Access

Third-party apps and vendors are often your weakest link.

Review OAuth and app permissions quarterly
On Azure, use Defender for Cloud Apps to flag unused or risky apps.
On AWS, use the Connected App list to track what’s talking to your data.
Add security clauses into vendor contracts: include breach notifications, minimum controls, and audit rights.

And always ask: Do they need access to that data? If not, revoke it.

6. Give the C-Suite Metrics That Matter

Executives focus on risk, cost, and reputation. Produce a monthly cloud security dashboard to track business-relevant metrics and identify where you need to improve:

% of staff with MFA enabled
DLP events involving research/IP
Number of connected third-party apps
Training completion rates
Number of critical misconfigurations or policy violations

Tie these to business outcomes: funding readiness, compliance status, and operational continuity.

Biotech and MedTech Investors Are Demanding Security and Resilience: Are You Ready?

Final Thoughts: Security Is Commercialisation

If you’re in science and tech, your ability to protect your research and data is part of your business model.

This isn’t paranoia, it’s about staying competitive. You are competitive when you secure your IP, prove control over your cloud environment, and train your team to spot social engineering, you don’t just reduce risk—you build credibility with investors, partners, and customers.

So let’s recap. Here are 6 actions you can take now to avoid becoming a victim of the next phishing or social engineering scheme:

Enable MFA on every account—human and machine.
Audit your Azure or AWS environment with Security Hub or Defender.
Run a phishing simulation that includes voice, SMS, and video threats.
Review all third-party apps and OAuth permissions.
Test your disaster recovery plan.
Start tracking metrics for the boardroom.

If you need help setting this up—or just want a quick review—I’ve worked with enough S&T startups and growth-stage firms to know what’s worth your time.

You don’t need to be unbreakable. You just need to be prepared.

And in a world of AI-enhanced fraud, that’s your real competitive edge.

Biotech and MedTech Investors Are Demanding Security and Resilience: Are You Ready?

Posted on July 15, 2025 by Paul Curwell

Paul Curwell

7–10 minutes

3 Key Takeaways

Your IP is your goldmine – For most biotech and medtech companies, intellectual property (IP) is the primary asset—often making up most of the enterprise value. Competitors, cybercriminals, and nation-state actors are targeting these assets, even in early stages.
The “security later” myth is costing you deals – Investors are increasingly seeing weak security as a deal-breaker during due diligence. Regulatory failures can cost millions to remediate.
Resilience now rivals innovation – Investors increasingly allocate capital to companies that can demonstrate not just breakthrough science, but also the security, integrity, and resilience to protect it.

Security Is a Business Decision—Not a Technical One

Security decisions often get framed as technical, complex, or something to worry about later. That mindset is dangerous—especially in life sciences, where what you don’t protect can cost you your next round, your IP rights, or your company’s future.

In reality, early-stage biotechs and medtechs face three unavoidable truths:

Your intellectual property is the business — and likely the only real asset you own.
You’re already a target — from competitors, cybercriminals, and even foreign intelligence services.
Investors are watching — and asking questions you must be ready to answer.

The risk environment has shifted. Today’s adversaries aren’t just hackers in basements. They include:

Ransomware gangs targeting IP-rich companies for extortion
Foreign actors stealing trade secrets to boost their own biotech industries through espionage and foreign interference
Contract partners and employees who, as insider risks, might mishandle, steal, or deliberately leak sensitive information

You may not stop every threat—but you can become a harder target. And that makes you a safer bet for investors.

Security Creates Value—and Investors Know It

Here’s what most founders miss: Security doesn’t just protect value. It creates it.

Early-stage companies that build in basic controls gain:

Faster fundraising – Clear controls speed due diligence.
Smoother partnerships – Big pharma won’t risk IP leaks from weak links.
Fewer regulatory delays – Secure-by-design systems reduce audit findings.

It’s not about locking everything down—it’s about stage-appropriate controls that prove you can grow responsibly.

Surveys show over 70% of life science investors now flag data integrity and IP protection as top decision factors. That’s because the risk is real: trade secret theft costs the global economy more than $1 trillion annually, and life sciences firms are prime targets.

Nation-state actors, insider risks, and ransomware gangs are no longer fringe concerns—they’re active threats. This isn’t hypothetical. It’s a competitive filter—and investors are paying attention.

The 3 SMB Risk Management frameworks you need to protect your business

When IP Protection Becomes a Business Valuation Driver

From my experience helping companies navigate security challenges, there are four critical stages where security transforms from “nice to have” to “deal or no deal.”

A. Discovery Stage:

Many founders assume they’re “too early” for security. In reality, premature public disclosure or leaks can destroy patent eligibility and future value.

Case Study: A European gene therapy startup lost patent protection after a postdoc shared results at a conference before filing. The resulting “prior art” invalidated their core IP, forcing an 18-month delay and a complete pivot.

Whilst many medtechs and biotechs fail at this conceptual hurdle, they still have valuable information and data assets with some residual value. A resonable investor might ask “How do you prevent premature disclosure of trade secrets? What’s your invention disclosure process?”

5 Tips to manage information security risks during discovery:

Enable conditional access controls and sensitivity labels for IP documents using existing tools.
Implement NDAs for everyone, including advisors and part-time collaborators.
Create invention disclosure workflows to track who invented what, when.
Run brief security inductions focused on IP protection basics.
Most early-stage companies already pay for Microsoft 365 tools like Purview through their E5 subscription (or AWS, Google equivalents). These tools are designed to manage these risks, but they’re never turned on!

Microsoft Purview Information Protection – an overview

B. Prototyping Phase:

Outsourcing and collaboration introduce new risks. Without strong IP protection clauses and access controls, your designs and data can walk out the door. Here are two examples:

Case Study 1: A Boston medtech company discovered a manufacturer had shared CAD files with competitors. Weak contracts and lack of controls cost them millions in lost advantage.

Case Study 2: A European medtech startup outsourced prototyping to an overseas partner. Within months, a similar device appeared in local patent filings. Weak contracts and open file sharing enabled the leak. Surveys indicate that over half of life science firms have experienced IP leakage during collaboration or outsourcing.

If your business is at this stage in the lifecycle, I think its perfectly reasonable that a potential investor might ask: “What IP protection clauses are in your supply chain contracts? How do you audit third-party access to sensitive data?”.

Tips to manage risks in outsourcing and prototyping

Here’s five simple actions you can do to manage your prototyping risk:

Upgrade vendor contracts with IP protection, confidentiality, and audit clauses.
Implement data loss prevention policies to prevent sensitive IP sharing via email or chat.
Use secure collaboration portals with controlled access.
Conduct regular access reviews for sensitive information.
Use a secure, timestamped invention disclosure log—this can be as simple as storing cryptographic hashes of documents with trusted timestamps to prove originality and timing.

Protecting Your R&D When Outsourcing Rapid Prototyping

C. Clinical Validation:

Data integrity and regulatory compliance become paramount. According to FDA enforcement summaries, a significant portion of warning letters cite documentation and data integrity deficiencies.

Case Study: One oncology trial faced a clinical hold after inspectors found inadequate data controls, costing $1.8 million in remediation and a 14-month delay.

As life science companies progress to clinical validation, regulatory scrutiny really steps up. Investors start asking tough questions like “Do you have FDA compliant data management systems? Can you demonstrate audit trail capabilities for trial data?”.

If you can’t satisfy a regulator, your commercialisation timeline might be set back by one to two years, and your additional cash burn could send you under.

Don’t wait until the last minute to factor in security – there’s a reason why the FDA and TGA adopted ‘secure by design’ principles.

Tips to manage security and integrity risks at the Clinical Stage:

Encrypt all clinical trial data using built-in cloud platform features.
Develop data integrity SOPs aligned with regulatory expectations.
Assess CRO security practices before signing contracts.
Prepare incident response plans for data breaches or integrity issues.

D. Scaling Phase:

At this stage, due diligence intensifies. Investors want proof you can scale—securely, not just scientifically.”

That means showing your approach to information security, data integrity, and resilience to recover from disruption or compromise is well thought out and consistently applied.

Case Study: A US-based biotech lost millions in valuation after a researcher emailed unpublished gene-editing data to a competitor before patent filings. The company lacked basic NDAs and data loss prevention controls. Industry studies suggest that premature disclosure or insider risks resulting in inadvertant publication are a leading cause of patent novelty disputes.

Potential investor questions:

“How do you manage privileged access to trade secrets and sensitive clinical data?”
“What happens if someone in your supply chain is compromised?”
“Can you detect and respond to insider threats before they damage your valuation?”

Scaling Stage Actions:

Formalize your security program with written policies and governance.
Implement privileged access management for sensitive IP and trial data.
Establish vendor risk assessment processes.
Provide regular employee security awareness training.

Actions Life Science SMBs Can Take to Reduce The High Cost of Licensing Fraud

What Investors Now Ask (And What You Need to Answer)

Today’s investors aren’t just evaluating your science—they’re evaluating your ability to protect it. Here’s what they want to know:

Are your information security controls appropriate for your risks?
Can you demonstrate good data integrity?
How do you protect global operations? What controls are in place for international CROs and suppliers?
Are you compliant with export controls?
How do you manage insider risk?
How do you protect your data and IP with contract manufacturers and research partners?

49% of Private Equity deals fail because of undisclosed data breaches

The Bottom Line: Security as a Strategic Advantage

In 2025, security isn’t just about prevention—it’s about acceleration. When you can show your IP is protected, your data integrity is sound, and your partners are secure, you’re demonstrating the kind of operational maturity that makes you investable.

Companies that invest in security early don’t just avoid disasters—they grow faster:

Faster fundraising: Mature security speeds up due diligence.
Higher valuations: Strong IP protection earns investor premiums.
Partnership acceleration: Pharma and CROs want secure collaborators.
Regulatory efficiency: Better data integrity, fewer delays.
Competitive edge: While others scramble to patch gaps, you’re moving forward.

In a world where cybercriminals, competitors, and foreign governments all want your IP, the question isn’t whether you can afford to invest in security—it’s whether you can afford not to.

References:

Deloitte, “2024 Global Life Sciences Outlook”
PwC, “Biotech and Pharma Investor Survey 2023”
FDA Warning Letters Database
World Intellectual Property Organization (WIPO) Reports
Office of the Director of National Intelligence, “Annual Threat Assessment 2024”
Ponemon Institute, “Cost of a Data Breach Report 2024”
Various industry case studies and market analyses

Operational Technology and Insider Threat Detection: What You Need to Know

Posted on July 1, 2025 by Paul Curwell

Paul Curwell

8–12 minutes

3 Key Takeaways

Insider threats in operational technology (OT) environments can tank production, cause safety and quality incidents, and cripple your commercialisation pathway—often without leaving a digital trace.
Most insider threat programs are built for IT, not for OT environments with legacy equipment, safety risks, and fragmented data across OT and physical systems.
A smart detection approach—still emerging and adopted by only a few leading organisations—combines behavioural, scenario-based, and contextual signals across IT, OT, and physical domains to reduce risk without disrupting operations.

Insider Threats easily go unnoticed in Operational Technology (OT) environments

A few days ago, hackers opened the valve at Lake Risevatnet dam in Norway and no-one noticed for 4 hours (Security News Weekly). If a technician sabotaged your production line or quietly walked out with sensitive process data from your R&D facility, would you know? Would your systems flag it?

In my experience advising critical infrastructure and research-intensive companies, the answer is usually no. The maturity of cybersecurity in OT environments is backed up by a recent global study commissioned by Forescout (Takepoint Research). Insider threats are one of the most under-recognised risks in OT-heavy businesses. Unlike external hacks, insider incidents are often slow, subtle, and devastating. And they don’t just compromise data—they can damage physical assets, halt operations, and put lives at risk.

Unfortunately, most businesses are still using insider threat models built for IT environments. But OT (operational technology), where physical processes are controlled and monitored, is an entirely different beast. If your business depends on production, engineering, or commercialising proprietary research, it’s time to rethink how you detect insider threats—before it’s too late.

What Is an Insider Threat Program (and why OT gets left behind)

An insider threat program is a coordinated set of processes, technologies, and cultural practices to prevent, detect, and respond to harmful actions from trusted individuals—employees, contractors, vendors, or partners.

These programs typically include:

Policy and governance
Risk and asset identification
Monitoring and detection
Incident response and recovery
Training and culture

Problem is, most insider threat programs focus on IT environments. They monitor email, file transfers, login patterns, and endpoint activity. That’s all great, but in OT settings, insider threats play by a different rulebook.

In an OT-heavy business, critical systems might be unpatchable, unmonitored, or physically exposed. A contractor could swap out a device, reprogram a controller, or sabotage a process, and you wouldn’t see it in your SIEM or Quality Management System (QMS).

Worse, many companies treat OT, IT, and physical security as separate silos. That means no one has the full picture—and malicious insiders know it.

The 3 SMB Risk Management frameworks you need to protect your business

Insider Threat Risks in OT Environments

It’s not just OT environments that are different, the trusted insider risks are different too. Here’s some examples of what plays out in real incidents:

Risk Category	Real-World Example
Sabotage	A maintenance worker disables sensors on a production line, causing costly downtime.
Data compromise	A disgruntled engineer uses a USB drive or other removable media to copy sensitive R&D data, which is subsequently leaked. In OT, USB devices are often used for legitimate tasks—making them a real risk for both data theft and malware introduction.
Theft (equipment / data)	A contractor walks off-site with control modules or exports trade secrets via USB.
Espionage	An insider working for a foreign entity records processes and measures over weeks – the ‘know how’ you build into your processes is often a Trade Secrets which you haven’t patented, so you’re exposed.
Accidental / negligent	A misconfigured PLC leads to an emissions breach and regulatory fines.
Credential compromise	A phishing victim gives attackers access to production systems. Phishing is not just an IT problem—it’s a leading cause of credential compromise in OT-heavy industries, providing a foothold for attackers into production systems.
Process disruption	A technician delays batch runs, quietly costing millions in lost output.
Physical safety risks	A bypassed safety interlock leads to a serious injury on the shop floor. Integrating physical security data (badge logs, CCTV, visitor management) is crucial for correlating physical actions with digital events.

If you’re commercialising a new technology or scaling research into production, these aren’t just operational hiccups. They’re existential threats. They compromise intellectual property (IP), slow down time-to-market, and damage investor confidence.

Mitigating risks from workplace sabotage

OT detection is hard

Think of a real-world example. An power station detects a technician repeatedly accessing a substation after hours. Alone, it looked like overtime. But cross-referenced with badge logs, config changes, and HR notes? It could match a potential workplace sabotage scenario.

Unfortunately, OT environments like this example aren’t designed for visibility. Here are the 6 main detection challenges I see:

OT Detection Challenge	Description
Legacy Systems	Many OT assets run on unsupported platforms that can’t be patched, monitored, or logged. They might also run proprietary protocols or custom integrations. Trying to install endpoint detection software? Good luck.
Mixed Connectivity	Some devices are air-gapped. Others connect via Wi-Fi or cloud APIs. You might not even know how many assets are online.
Fragmented Data	Access logs live in one system, telemetry in another, badge swipes in a third—with no correlation between them. To see the big picture, you need HR, physical security / facilities, IT and OT data in one place
Physical Access Gaps	Unlike IT assets, OT systems are often in physical spaces where people can tamper with hardware or override processes without leaving a digital trace. Many devices have no logging or remote monitoring. Integrating physical security data (badge logs, CCTV) is crucial for correlating physical actions with digital events.
Insider Familiarity	Insiders know your systems. They know the blind spots. They know when no one’s watching. If you’re only monitoring digital access or looking at corporate IT logs, you’re missing half the story. Don’t forget vendors and contractors, who often have privileged access.
Poor documentation	Most orgs can’t trace how an alarm triggers a shutdown, and documentation for legacy systems might have been lost or poorly written. You might even find there’s no-one alive who can code in that language anymore!

This complexity means malicious insiders can chain actions together: badge in, disable a sensor, reboot a system, send a USB payload, walk away. If you want to understand how an insider could compromise your operation? You need to map attack paths across IT, OT, and physical layers.

So what can you do about it? Let’s start with detection.

Insider Threat detection that fits OT

There are 3 main approaches to detection in mixed IT / OT / physical environments. Whether you can use one or all of them depends on your capability maturity, available data, and technology stack on the one hand, and your inherent risk on the other.

Basic: Pattern-of-Life / Anomaly Detection

Many businesses start here. They look for simple red flags of what shouldn’t be happening, or what looks unusual. It’s a good starting point, and it’s where many corporate insider threat detection solutions start by looking at indicators out of the box, without being configured for your business

How it works: Builds a baseline of what “normal” looks like across users and devices. Flags deviations.
Good for: Stable operations with predictable activity.
Watch out for: False positives. No context. Easy to overwhelm your team.

Intermediate Advanced: Scenario-Based and Multi-Step Detection

In my experience there’s a big step up between basic and intermediate. This requires not only tools and data, but also people with different skillsets, such as intelligence analysis and data science. Achieving this successfully is much harder than it sounds.

How it works: Looks for sequences of actions that match known attack paths (e.g., badge-in → PLC access → config change).
Good for: Catching subtle or sophisticated attacks. Lower false positives.
Watch out for: Requires upfront work. Needs good integration.

This work goes by many names, but I use the term ‘typologies’ which is what we refer to in fraud and financial crime to detect a range of complex threats in a dataset. The global financial services industry invests millions each year in this capability to avoid huge fines.

“Typologies” Sound Boring – But They Could Save Your Business Millions

Advanced: AI and Hybrid Models

Last is where AI takes us. I still see organisations using a mix of rule-based detection and AI. Also, there are some applications where you simply can’t use AI yet, such as to identify unknown unknowns or truly ‘novel’ threats. You still need a ‘human in the loop’ here:

How it works: Combines behavioural detection with scenario logic. Surfaces unknown patterns.
Good for: Dynamic environments with lots of data.
Watch out for: Over-alerting. Needs good context and tuning.

It’s worth noting many organisations are only at the start of the insider threat detection journey, so intermediate and advanced detection capabilities are still the exception, not the norm. However, a handful of advanced organisations are combining behavioural, scenario-based, and contextual analysis across IT, OT, HR and physical domains. They’re leading the way—helping develop the tools and methods to implement this at scale.

Alert management and insider risk continuous monitoring systems

Detection-Driven Best Practices

Now you understand the problem we’re trying to solve, let’s talk action. Here’s what I recommend to every business trying to catch insider threats in OT:

Map critical assets and who has access – You can’t protect what you don’t know. Prioritise systems with trade secrets, safety impact, or production value.
Integrate cross-domain data – HR, IT, physical security, OT telemetry. Break down the silos.
Use blended detection methods – Pair anomaly detection with scenario logic to balance breadth and depth.
Segment networks and enforce least privilege – Don’t let operators access systems they don’t need. Limit shared credentials.
Build OT into your incident response playbooks – Include safety, environmental, and operational contingencies.
Train staff beyond cyber basics – Teach operators, engineers, and third parties how insider threats work—and how to report them.
Continuously refine – Systems change. People change. Threats evolve. So should your models.

Continuous Control Monitoring: Your SMB Security Game Changer

Final Word: You Can’t Protect What You Don’t Watch

If your business depends on operational tech, research, or manufacturing IP, you can’t afford to run blind.

Insider threats are rising. According to Ponemon, the average insider incident costs US$15.4M per year, but OT remains a blindspot for many organisations.

So here’s the question I always ask my clients: If someone inside your business tampered with a key process, would you know? Would your systems tell you? Would your people speak up?

If you can’t confidently say yes, it’s time to rethink your detection game.

AI for Deeptech Startups: Balancing Speed and Security

Posted on June 24, 2025 by Paul Curwell

Paul Curwell

7–10 minutes

Key Takeaways

AI is already deeply embedded in how R&D startups operate—handling analysis, reporting, quality monitoring, and workflows.
But every tool and integration you use—especially if ungoverned—can expose your intellectual property (IP) or sensitive data.
Protection doesn’t mean overengineering—startups can use lean frameworks and smart defaults to stay secure without losing momentum.

You’re already using AI—but are you protecting what matters?

If you’re leading a biotech, medtech, advanced manufacturing, or deeptech startup, AI is probably already hard at work in your business. Whether you’re using your LIMS to track experimental data, automating lab tasks with tools like Zapier or N8N, or generating regulatory reports with ChatGPT, you’re benefiting from AI’s ability to deliver speed, insight, and productivity.

And it’s working. You’re innovating faster, making better decisions, and doing more with fewer resources. That’s exactly what investors and partners want to see from early-stage companies. In 2025, you don’t need a 500-person team—you need smart systems.

But the same technologies accelerating your work can also quietly undermine it. If you’re not actively managing how AI interacts with your intellectual property (IP) and sensitive data, you’re leaving the door wide open for mistakes, leaks, or compliance failures that can stall your growth—or sink your business entirely.

Protecting Your R&D When Outsourcing Rapid Prototyping

How AI Is supercharging R&D-intensive startups in 4 use cases

AI isn’t just hype for small innovators—it’s a practical tool delivering real business outcomes. And unlike larger enterprises that spend millions and deploy large teams integrating AI into legacy systems, deeptech SMBs are cloud-native and agile. That gives you a major edge.

Here’s how I see most small, research-driven teams using AI right now:

1. Data Collection and Analysis

Your scientific and engineering teams are automating the aggregation of experimental results, integrating data from sensors, lab systems, and external research. AI helps clean, normalize, and interpret it all—so decisions can be made in days, not months.

You’re also leveraging AI for literature mining and competitive analysis, giving your team a clearer picture of where to focus and how to differentiate.

2. Continuous Control and Quality Monitoring

Whether you’re a medtech firm tracking calibration drift or a materials science startup checking for outliers, AI is helping detect inconsistencies early. This kind of real-time feedback loop improves reproducibility and protects your reputation with regulators and partners.

3. Reporting and Documentation

Grant milestones, regulatory submissions, investor updates—these all take time. AI-generated summaries, charts, and reports help your team stay compliant and communicative without pulling attention away from the actual science.

4. Workflow and Service Management

Your operations are already automated. Zapier, N8N, and Power Automate are running the back office: scheduling lab time, flagging inventory shortages, tracking project milestones. AI helps orchestrate and optimize these workflows so your team stays productive.

This all adds up to serious efficiency gains. But—and it’s a big but—each of these systems and integrations touches sensitive data or protected IP. And that’s where the real risk creeps in.

Protecting Innovation: The Spectre of Trade Secrets Theft in Biotech

Four AI risks most science and tech startups overlook

These are excellent use cases, but like everything, there are pros and cons. Deeptech’s need to understand how AI tools and use cases can generate downside risk for your business:

1. Trade Secrets Floating in the Open

AI models are great at summarising documents and drafting content. But paste your prototype results or lab logs into an unsecured LLM, and you might be training someone else’s model with your trade secrets.

This isn’t a fringe issue. In 2023, employees of one global tech company accidentally leaked sensitive source code through ChatGPT. They were trying to be efficient—but exposed high-value IP instead.

Case Study 1: Global tech’s ChatGPT Blunder: IP Exposure Through Misunderstanding

In 2023, engineers pasted sensitive source code and internal meeting notes into ChatGPT while trying to solve coding problems. They didn’t realise that public AI tools could store and retain this input.

The result? Confidential trade secrets exposed. The company responded by banning the use of generative AI internally. But the damage was done.

Lesson: If your staff don’t understand how AI tools process and retain information, they may accidentally train someone else’s model with your crown jewels.

Practical actions:

Identify what qualifies as a trade secret in your business. Write it down.
Turn off chat histories in AI tools or use private models.
Avoid pasting raw R&D data or code into consumer AI platforms.

2. Data Leaks Through Automation Tools

Automation platforms like Zapier, Make, and N8N are amazing for productivity—but they’re often invisible to risk and compliance teams. If data is moving between systems without encryption or logging, that’s a blind spot.

One startup had lab results automatically emailed to a shared inbox via Zapier. Harmless? Until one of those emails ends up forwarded to the wrong contact triggering a data breach incident.

Case Study 2: Global tech company’s AI Team Accidentally Exposes 38TB of Data

In another 2023 case, another big tech’s own AI research team uploaded a GitHub repo with an incorrectly configured Azure SAS token. This gave public access to 38TB of internal data—including private research, credentials, and backups.

This wasn’t a cyberattack. It was a configuration error—just one line of code—and it put an entire research group’s IP at risk.

Lesson: Even world-class AI teams can slip up if access controls and cloud permissions aren’t managed carefully.

Practical actions:

Audit your integrations quarterly. Know where data is flowing.
Limit the exposure of sensitive data in workflows.
Apply the same scrutiny to no-code tools as you do cloud providers.

The Rising Threat of Cyber-Enabled Economic Espionage: What Business Leaders Need to Know

3. Misconfigured Cloud Environments

Being cloud-native doesn’t mean being secure. Startups often move quickly, spinning up instances, sharing buckets, and adding users without much structure. The result? Sensitive IP and research data sitting in misconfigured storage with public access enabled.

Case Study 3: Biotech’s AI Feature Abused to Extract Genetic Data

Attackers didn’t hack the biotech’s core systems. They reused leaked credentials to log into user accounts and exploited the company’s DNA Relatives feature—powered by AI—to harvest massive amounts of genealogical and genetic data.

The breach wasn’t about a flaw in the AI—it was about poor monitoring and a lack of foresight into how AI-powered features could be abused at scale.

Lesson: AI features can scale risk just as fast as they scale value. You need visibility and governance to keep both in check.

Practical actions:

Use native controls like IAM, DLP, and logging in AWS, GCP, or Azure.
Review access privileges regularly—especially after staff or contractor changes.
Don’t assume your default setup is safe—check it.

4. Regulatory Risk and Data Sovereignty

If you’re collecting personal or regulated data—think clinical trial results, biospecimens, or identifiable research participant data—you’re accountable under privacy laws. And regulators won’t accept “we’re a startup” as an excuse.

Practical actions:

Store regulated data in compliance with local data laws.
Map where your data lives and who can access it.
Delete data you no longer need—less data, less risk.

You Don’t Need an Army—You Just Need a Plan

Information security and data protection doesn’t have to be expensive or complicated. You just need to know what matters most—and build guardrails that suit your size and stage.

That’s why frameworks like SMB1001 exist. Designed for small, R&D-heavy businesses, it gives you a clear path to understanding what’s critical, setting sensible access controls, and documenting how you manage risk—all in a way that supports growth, not bureaucracy.

You don’t need ISO 27001 on day one. But you do need to show investors and partners that your IP and data aren’t flying blind through a tangle of automations and unvetted tools.

The 3 SMB Risk Management frameworks you need to protect your business

Final Thoughts: AI Is Fuel for Growth—If You Protect the Engine

AI is your multiplier. It helps small teams outperform larger competitors, serve customers faster, and bring complex products to market on a startup budget.

But if your trade secrets leak or research data ends up in the wrong hands, that advantage disappears overnight. Worse, you might not even know it’s happened until it costs you a deal, a grant, or a key staff member.

So if you’re using AI—and I know you are—take these three steps now:

Map where your IP and sensitive data live.
Review how they flow through AI and automation tools.
Use a framework like SMB1001 to set practical controls that grow with you.

The best part? Once you’ve got this in place, you’re not just secure—you’re investable, credible, and ready to scale.

Integrating Security into Quality Management Systems

Posted on June 10, 2025 by Paul Curwell

Paul Curwell

5–8 minutes

My 3 Key Takeaways

If you’re in deeptech or manufacturing, your Quality Management System (QMS) can do way more than keep auditors happy—it can protect your IP, prevent fraud, catch compliance failures, and reduce insider threat risk.
Integrating your security and compliance processes into a QMS lets you achieve more with less: fewer tools, fewer people, fewer mistakes.
Most deeptech SMBs already have the infrastructure—they just haven’t connected it all yet. That’s the opportunity.

Let’s Talk About the Boring Stuff That Could Kill Your Business – Quality & Security

Let’s be honest—QMS, fraud controls, insider threat detection… not exactly stuff that gets founders leaping out of bed. But you know what’s worse than a dry compliance meeting?

Watching your research walk out the door with a departing employee.
Getting sued because someone emailed a product claim to a customer before the regulator signed off.
Losing a major sales deal because your QMS and security systems don’t talk to each other.

If you’re in a knowledge-intensive industry and chasing investor capital or enterprise contracts, these aren’t just compliance risks. They’re existential threats. Thankfully, you probably already have everything you need to prevent them!

Read on to find out how.

Your QMS Doesn’t Have to Just Cover Compliance—It’s Commercial Defence

Sure, you’ve got ISO 9001, ISO 13485, or FDA 21 CFR 820 in place. You have to. But compliance is the floor, not the ceiling. Today, quality is about more than audits. It’s about trust—with regulators, buyers, and investors. And increasingly, quality failures stem from security failures.

This means your risk and compliance programs can’t live in silos – let me show you what I mean:

Security Failure	Business & Compliance Impact
Employee sends IP to Gmail pre-exit	Trade secrets lost, investor trust damaged
Supplier compromise injects code	Product recall, brand hit
Staff emails HCPs with unapproved claims	Regulatory violation, potential litigation
Ransomware halts diagnostics	Delayed care, reputational damage
Research data shared publicly	IP protection compromised

As you can see from this table, these aren’t just cybersecurity issues. They’re business continuity, liability, and commercialisation risks as well, which are exactly what a well-integrated QMS should be catching.

The 3 SMB Risk Management frameworks you need to protect your business

Integrate Quality and Security to Create Your Advantage

Most deeptechs are SMBs which run lean. No in-house CISO. No army of compliance officers. But—you do have a quality team and a QMS. That’s your edge. If you can embed security, IP protection, and insider threat controls into your QMS, you gain:

Operational efficiency—fewer tools and frameworks, less duplication
Investor readiness—clean audit trails, documented controls and processes that work
Market trust—quality and compliance proof baked in to win and retain customers

The good news is your business can run lean and stay secure.

You don’t need a CISO to lead on risk—just smart, integrated processes. — Photo by Andrea Piacquadio on Pexels.com

So enough talk, what’s the fix? Here’s how you do it

Step 1: Identify Overlapping Risks

Bring together your Quality, IT, Compliance, and Security folks—yes, even if that’s just two people with five jobs—and map out shared risk areas:

Trade secret risks: Who has access to research, models, or source code—and what happens when they resign?
Outbound comms risks: Can someone email a healthcare provider or investor with an unapproved claim?
Supplier risks: Are third-party vendors accessing your R&D environment or pushing code into your stack?
Data risks: Are IP files, calibration logs, or clinical datasets being handled securely?

Spoiler alert: the same systems and workflows touch all of these. The only thing that changes is who’s watching and why. We can leverage this!

Step 2: Build Integrated, Actionable Processes

Expand your existing QMS workflows—incident logs, CAPA, document control—to cover your information security and fraud risks, such as:

Departing employee sends IP to Gmail? Log it as a deviation. Raise a CAPA. Trigger access review. Investigate. Retrain.
Email flagged with unauthorised claim to an HCP? Route through the same CAPA process as any product defect.
Security incident in supplier data flow? Link it to your QMS audit trail and generate a risk-rated action plan.

If your business runs on the cloud, you probably already have systems to manage these, even if you’re paying for them but they’re not configured. Let’s make them work harder.

Unlocking New Uses for your SIEM: Beyond Cybersecurity

Step 3: Align Your Systems to Real Business Needs

Think like an SMB: use what you already have. Forget vendor feature lists. Start with those core requirements your business actually needs:

Secure document management
Workflow orchestration (escalations, approvals, logging)
Audit trails that regulators and enterprise buyers can follow
Real-time alerting for policy violations or unusual activity
Case management for incidents and corrective actions
Dashboards and management analytics across all domains

Here are some use cases to demonstrate how all this might work in practice:

Microsoft Purview + Sentinel: Classify sensitive research data, enforce retention policies, and monitor emails to detect regulatory violations and IP risks.
GCP Chronicle + Workflows: Detect insider threats, trigger automated reviews, sync results with your QMS and HR systems.
AWS GuardDuty + Step Functions: Scan S3 buckets for unclassified IP, auto-trigger CAPAs in your QMS.
Digital QMS platforms: These must integrate with your SIEM, cloud, ERP, HR, and research platforms. No integration = no scale.

The result? One process. One system. Many benefits.

Step 4: Monitor, Automate, and Expand

Use your existing monitoring stack—not just for cyber, but for compliance, fraud, and regulatory use cases:

Microsoft Purview: Classify IP, research data, or regulated content and flag outbound emails that contain unapproved medical claims.
Splunk or Elastic: Detect download spikes, file movements, or unusual access patterns.
SIEM + QMS: Auto-trigger a CAPA or risk log entry when a critical security alert is detected.

Now you’re using the same stack to:

Prevent insider threats
Catch regulatory breaches, possibly before they happen
Monitor fraud risk
Strengthen IP protection
Prepare for inspections, audits and regulatory approvals

This is where the ROI multiplies.

The Final Word – Strength and Opportunity

SMBs always run lean. But lean doesn’t mean exposed.
You already have:

A QMS
Cloud, email, and monitoring tools
Data and IP worth protecting

All you need is to connect the dots.
Not with more tools. Not with more people.
With smarter, integrated processes that do more with less.

This isn’t about adding compliance for compliance’s sake. It’s about:

Avoiding lawsuits and insider breaches
Scaling your business without scaling your risk
Impressing investors and enterprise buyers with how secure—and smart—you operate

That’s how you build a credible, defensible, and investment-ready business—without losing your edge.

The Problem: Looking For Desperation, Not Intent

Understanding Motive As A Target Map

The Structural Blindspot: Solo vs. Group Logic

From Static Opportunities To Manufactured Ones

Why Your Current Toolkit Is Failing

The Shift: Toward Adaptive Detection

The Takeaway

Further Reading:

We have built a massive machine to stop data theft.

The Taxonomy of Neglect

The Evidence of the Gap

The High Cost of “Silent” Risks

3 Steps to Monitor the Other Seven Domains

The Takeaway

Further Reading

3 Key Takeaways

Managing insider risk protects your business and your investors

Case Study: The GSK Scientist

How Purview + Sentinel Fit Into Your Insider Risk Program

Benefits and Limitations of the Lastest Update

Total Cost of Ownership (TCO)

Access via E5: Your Hidden Advantage

Sentinel Pricing Model

Implementation & Ongoing Management Costs

Putting It All Together: 6 Steps to Roll Out an Insider Risk Program

Call to Action: Pick a Small Use Case & Make It Real

Further Reading

3 Key Takeaways

What is Comparative Case Analysis?

Why Comparative Case Analysis Matters for Business

The Comparative Case Analysis Value Chain

How to Actually Do It (Step‑by‑Step)

Real Case Examples to Learn From

Call to Action

Further Reading

The impact on your business

Why R&D-intensive companies are vulnerable

The professionalisation of ransomware in 2025: the 8-step targeting cycle

Case studies: when ransomware hit the labs

Conclusion: the strategic picture

Further Reading

Key Points

“We Thought We Were Too Small to Be Targeted”

The Phishing Shift: Multi-Channel, Deepfake, and Voice Fraud Are the New Norm

What’s Really at Risk? IP, Trust, and your Entire Business Model

Real Example: The Deepfake COO That Killed a Fundraise

The Cloud Trap: “We Use Microsoft/AWS, So We’re Covered” (No, You’re Not)

Who Secures What in the Cloud?

So What Do You Actually Do? Here’s a Business-Ready Plan

1. Use the Cloud Security Tools You Already Own

2. Lock Down Identity, Access, and Data

3. Train for the Threats of 2025

4. Prepare for the Breach—Because It Will Happen

5. Audit Your SaaS and Supply Chain Access

6. Give the C-Suite Metrics That Matter

Final Thoughts: Security Is Commercialisation

Further Reading

3 Key Takeaways

Security Is a Business Decision—Not a Technical One

Security Creates Value—and Investors Know It

When IP Protection Becomes a Business Valuation Driver

A. Discovery Stage:

B. Prototyping Phase:

C. Clinical Validation:

D. Scaling Phase:

Scaling Stage Actions:

What Investors Now Ask (And What You Need to Answer)

The Bottom Line: Security as a Strategic Advantage

3 Key Takeaways

Insider Threats easily go unnoticed in Operational Technology (OT) environments

What Is an Insider Threat Program (and why OT gets left behind)

Insider Threat Risks in OT Environments

OT detection is hard

Insider Threat detection that fits OT

Basic: Pattern-of-Life / Anomaly Detection

Intermediate Advanced: Scenario-Based and Multi-Step Detection

Advanced: AI and Hybrid Models

Detection-Driven Best Practices

Final Word: You Can’t Protect What You Don’t Watch

Further Reading

**4. Prepare for the Breach—Because It Will Happen**