By Josh Gould, Chief Commercial Officer
Security and compliance – what does it mean?
Go back a decade – before a time when technology was so intertwined with our business activities, buying habits and everyday lives – and, for most organisations, ‘Security and Compliance’ meant little more than completing a tick box exercise. At most they were an afterthought, bolted on to the end of other processes.
Today, it is regarded as not just important, but absolutely vital. It can also be a key asset – and the difference between winning and losing contracts.
As technology evolves, so does the increased need for information security. Applying funding towards security supports the business objective of maintaining appropriate security controls. And, as such, these efforts should correspond with levels of risk and data sensitivity.
What do we mean by ‘Security and Compliance’?
Security and compliance can be difficult to define, because it means different things to people and organizations.
For example, one organization’s policies may focus on protecting consumer data, while another would focus on ensuring the right staff have the necessary (and secure) access to the data they need.
Clearly, this can create complications for organizations providing services to other companies. Language Service Providers (LSPs) can be particularly exposed here as – by definition of the services they provide – they handle content (data) of their clients; and, in some cases, of their clients’ clients.
The key to security and compliance – and this applies to many aspects of business – is identifying and understanding the expectations of all parties involved. It may sound obvious, but do you really understand your client’s needs? Or at least understand what extra steps you need to put in place to meet them? Do you have the capabilities to meet their needs?
And do your own suppliers understand your needs, so that you can meet your client’s needs?
There’s a risk that organizations think they understand security and compliance but, actually, when a client starts probing a little deeper, their knowledge, capability and experience start to unravel.
You’re not too big to be hacked – nor too small
Data security breaches occur every day, across the world.
Some of these make international headline news, not just because they happen to involve a massive corporation, but often because they also affect people’s privacy and data. This may ultimately become an individual’s problem but its source is lack of data security by the holder of business-critical information.
You would think that huge multinational corporations with their impressive IT infrastructure and multi-million investment in the most up-to-date IT security technology and in-house experts could be immune to cyber-attacks. But you’d be wrong, as some very high profile cases have told us. 2013, in particular, was a bumper year in terms of huge organizations suffering major security breaches.
According to a summary report from threat intelligence consultancy firm Risk Based Security (RBS), in 2164 separate incidents, more than 822 million records were exposed, nearly doubling the previous highest year on record (2011). Four of those breaches made the all-time top ten.
In its most recent report on Information Security breaches, the Department for Business Innovation and Skills highlights the threat to small businesses, which are unlikely to have the dedicated resources and experience enjoyed by big companies. The rise in security breaches has increased significantly for small firms which are now experiencing incident levels previously only seen in larger organizations. As a result, 81% of large organisations had a security breach in 2014, as did 60% of small businesses. The average costs of the breach to a large company is £600,000 to £1.15m and for a small firm, £65,000-£115,000. Either way, this is a business crisis.
Although staff, deliberately or inadvertently, cause on average 40% of security breaches, attacks by unauthorized outsiders are surprisingly high: 55% for big companies and 33% for small. Infection by viruses or malicious software has increased significantly to 73%, up from 59% in the previous year.
73 percent increase in infections by viruses or malicious software
Companies are working hard to address the physical and digital attacks on their information, but there are surprising loopholes that can potentially lead to business-critical loss of intelligence, financial information or product plans, and one of those is translation.
Translation is often managed by some department other than IT; perhaps Marketing or Sales or Finance. A translation company is appointed and highly confidential information sent to them without question of what happens next. Typically, that company will make the information available to any of 12,000 working freelance translators. They in turn will download it to their own PC’s hard drive.
This is where a bell rings for the security-savvy business. This is not to question the linguists’ integrity but once housed on an individual’s PC in their home, information security is incredibly lax. Their children might use the PC. It could be stolen. It could break down and go to a repairer. The data might be inadvertently forwarded on. The possibilities for a release of company confidential information are enormous.
This is where thebigword Highly Secure Translation Editor (HSTE) comes in. The HSTE provides:
- The highest level of security and encryption deployed to keep your content safe.
- All content is individually encrypted.
- The ability to disable functionality such as ‘copy’ and ‘paste’ based upon content sensitivity.
- Secure integration of your Translation Memory, terminology and reference materials.
- Support of the secure translation of documents, transcriptions, audio and scanned documents.
- No trace of your content saved on local computers, secure at all times.
The HSTE achieves this by a completely new, industry-leading process:
- Your content is transferred automatically to thebigword Translation Management System (TMS).
- The content is held securely within thebigword TMS, which notifies the linguist that content is waiting to be translated.
- The linguist logs into thebigword TMS, accepts the job and logs into HSTE. They work on the content within HSTE and submit the content having never downloaded it.
- The translated content is returned securely to you.
1.Your content is sent to the Language Service Provider (LSP)
2.Your content is held by the LSP for review before sending to a linguist for translation.
3.The file is downloaded by the linguist to their own computer to begin the translation.
4.The completed translation is returned to the LSP. A copy of the files will still be present on the linguist’s computer.
5.The LSP will return the translated content to you.
thebigword Highly Secure Translation Editor
1.Your content is sent to thebigword Translation Management System. This can be automatically transferred from your own content storage system or directly uploaded to thebigword TMS. Both methods are secure.
2.Your content is reviewed by thebigword TMS. A linguist is notified of the project.
3.The linguist will sign into thebigword TMS, accept the job and follow the secure link to open the HSTE. The linguist is required to login to HSTE.
4.Your files are transferred to the linguist by an encrypted connection. Once the linguist has completed the translation a secure deletion process removes any trace of the content from the linguist’s machine. The encrypted file transfer connection returns it to thebigword TMS. You are notified by thebigword TMS that your files are ready to collect or be securely transferred back to your content storage system.
thebigword is compliant with ISO 27001 for Information Security Management Systems and were the first in the Language Services industry to attain the Award.
ISO 27001 is a very prescriptive standard with specific requirements covering the handling and security of information and is regarded as a ‘milestone’ certification to achieve.
ISO 27001 is about how you handle any piece of information in the business, whether it is written, electronic, spoken, emailed or written on a scrap of paper. It’s about how you manage, secure and identify that information, categorize it and deal with security breaches.
The fact that ISO 27001 is an international standard means that organizations working in global markets have a means of demonstrating to international partners that they have a high level of IT security management. The standard shows that an organization has the credibility to operate to the same IT security standards as its partners. This credibility is often a deciding factor, giving the certified organization a competitive advantage.
ISO 27001-compliant implemented organizations across the globe can work together in a common language, lowering cross-cultural barriers and increasing trust.
ISO 27001 certification offers guidelines or best practices in regards to information security.
Working in accordance with these best practices has been shown to:
- Drastically lower the amount of incidents within a company
- Processes are pre-defined and easily repeated
- Distribution of responsibility will be clearly defined
- Implementing ISO 27001 and keeping it up to date gives you an overview of the overall status of the information security management system (ISMS)
- Provides motivation towards continuous improvement
Implementing ISO 27001 takes a lot of hard work and investment, with regular audits every six months to a set framework to ensure that your business is upholding the standard and remains compliant. These checks could cover anything from e-mail tracking to risk analysis,and any staff member can be interviewed about the firm’s security policy.
Once an organization becomes ISO 27001 certified, though, the benefits quickly outweigh initial challenges. In the end, the ISO 27001 certification process has a positive return on investment and a better, more secure future.
You may well be ISO 27001-compliant, and your supplier may be, too – but what about their supplier? And the supplier’s supplier? Everywhere you look, there’s the risk of a leak in data security.
It’s important that the chain is not broken and that any partners – international or not – are either ISO 27001-compliant or are working towards being so in order that IT security breaches do not occur.
The ISO 27001 Standard ensures that businesses meet the rigorous requirements of multinational customers in terms of protecting their data and information.
It covers ten major areas, including:
- Business continuity planning
- Physical and environmental security
- Personnel security
- Asset control
- Security policy
The ‘Darwinian’ nature of IT security
The point is that IT security has almost become Darwinian in its nature, with hackers – the predators – becoming ever more sophisticated in their efforts to track down their prey: secure data and information.
But as they evolve, so do the defense mechanisms designed to resist them.
Everyone on board
With this in mind, how do you go about ensuring that you are doing everything you can do to avoid or minimize a cyber attack? Have you communicated your security and compliance guidelines across your organization in a way that is detailed and easy-to-follow? If you’re a multinational organization, have you translated and localized these guidelines for your multilingual workforce?
It is worth ensuring that all staff can see how the business is meeting its compliance goals, while understanding the importance of why it’s being done. Providing training to client account managers ensures content safety. Companies are all too aware that a security breach, no matter where it occurs in the production chain, can have catastrophic results for them. So they are becoming increasingly savvy in securing data, as well being more technical.
It is now commonplace for clients to ask detailed technical questions around data storage and data security, even down to what brand and version of encrypted hard disks are in place. Recently, one of thebigword clients inquired what version of firmware it was using on its various firewalls.
It is clear that maintaining the integrity of valuable data is becoming progressively important on an almost daily basis. Hardly a week goes by where there isn’t a major news story around a severe data or compliance breach.
You may believe you are Secure and Compliant today: but unless you maintain the significant investment, internal awareness, and training to keep up with the ever changing environment, you may not be Secure and Compliant tomorrow.
thebigword ensures that security and compliance is not an afterthought. It is the very foundation on which everything is built upon and weaved into every aspect of the process. It is the standard our clients and prospective clients – many of them huge multinational corporations or even government and military bodies – expect of us; and which we expect of our own suppliers