In recent years we have seen many significant cyber-security breaches and web vulnerabilities, resulting in high-profile and sensational headlines about the lack of security. Not a week goes by without a tale of woe befalling some household name, causing us all to take notice of the state of security in the internet age, even if all we do is change our email and social media passwords.
The nature of the translation business requires that source content be passed around, frequently in some cases, so that the translation task can be properly performed and completed. Even the simple case illustrated below requires at least six transmissions and transfers of source content between the key participants: from Buyer to LSP to Project Manager to Translators to Editors and Proofreaders and back again. In a production environment with this much electronic sharing and transmission, the potential for accidental security breaches and information exposure is significant and real. Deliberate attacks by hackers seeking access to confidential information are an even more formidable challenge, as specific countermeasures are needed to prevent them.
The Translation Eco-System
Looking at this graphic, it is clear that there are many electronic holes through which data can slip out inadvertently, or through which a hacker can break in if deliberate security measures are not in place. Whenever someone asks about information security, it seems you always hear the same answer: we cover that by signing an NDA with our translators. We know, however, that NDAs are normally concluded with all suppliers and that such provisions can be found in nearly all contracts. Nonetheless, breaches of information security by employees, customers and suppliers account for a considerable share of real industrial espionage cases. Evidently, an NDA on its own is not very effective at protecting information.
As we have seen lately, determined hackers can break into both government and corporate networks, and they do so on a regular basis. This graphic and interactive visualization is quite telling on how frequently hackers succeed, and how frequently large sets of supposedly private data are accidentally exposed. In the last week alone, Equifax admitted that “an application vulnerability on one of their websites led to a data breach that exposed about 143 million consumers.” The statement goes on to say that those responsible accessed records containing Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers. The long-term implications for those whose information has been compromised can be quite problematic.
Translation agencies that do not take specific steps to mitigate these risks can count on inadvertent data leakage, and are vulnerable to any skilled hacker who wants their information for industrial espionage or consumer fraud. This means that all client data sent for translation should be tracked from initial request to final delivery, and that informed, secure data-transmission practices should be in place so that data never passes through or rests on third-party servers that are outside the agreed security controls.
The process and technology controls a translation agency implements to mitigate security risks sometimes need to be independently verified by external assessors. One way an agency can prove and document stringent processes and practices for information security is to obtain a certification such as ISO 27001, which gives a buyer certified assurance that the agency has a verifiable information security management system in place. Safeguarding client information from loss or theft and protecting supply chains from bribery and corrupt practices are two of the benefits customers expect from such certification. Other certifications, such as ISO 9001 and ISO 13611:2014, assure a buyer that quality management processes are in place. The two typically go together, as process discipline also makes it easier to establish reliable information security practices.
Information security is not just IT security. It covers both technical and procedural aspects. The goal is to protect information from unauthorized access while still delivering it to the right place at the right time: information that is so well secured that even authorized persons cannot use it is worthless. There are good reasons for using cloud-based services, as long as they conform to the agreed security requirements. With the growing number of cloud services offered in the translation industry, vendors must also offer appropriate security standards and guarantee them to service providers and customers in an understandable and logical way.
However, state-of-the-art translation management systems are only as secure as the environments in which they are deployed. The hardware, security controls and human processes in place within the hosting data center therefore play a crucial role in maintaining data security. Web application firewalls, perimeter networks and denial-of-service detection all help keep valuable information as secure as possible. When the physical security of the data center is combined with a strong information security management system of the kind required by ISO 27001, backed up by regular security audits, language service providers can be confident that they have good control over their own data and, more importantly, the data their clients entrust to them.
PCI Data Security Standard (PCI DSS): High-Level Overview

| Goal | # | Requirement |
|---|---|---|
| Build and Maintain a Secure Network and Systems | 1 | Install and maintain a firewall configuration to protect cardholder data |
| | 2 | Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3 | Protect stored cardholder data |
| | 4 | Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5 | Protect all systems against malware and regularly update anti-virus software or programs |
| | 6 | Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7 | Restrict access to cardholder data by business need to know |
| | 8 | Identify and authenticate access to system components |
| | 9 | Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10 | Track and monitor all access to network resources and cardholder data |
| | 11 | Regularly test security systems and processes |
| Maintain an Information Security Policy | 12 | Maintain a policy that addresses information security for all personnel |

PCI DSS data security practices
Sensitive or confidential information that requires translation can leak in two ways. First, information can be stolen “in transit”, for example by transferring or accessing it over unsecured public Wi-Fi hotspots, or by storing it on unsecured cloud servers. Such risks have been widely publicized, and weak processes and lax oversight are clearly responsible in most of these cases.
Less often considered, however, is what online machine translation providers do with the data users input. This risk was recently publicized by the Norwegian news agency NRK, after employees of the state-run oil giant Statoil “discovered text that had been typed in on [translate.com] could be found by anyone conducting a [Google] search.”
Slator also reported that: “Anyone doing the same simple two-step Google search will concur. A few searches by Slator uncovered an astonishing variety of sensitive information that is freely accessible, ranging from a physician’s email exchange with a global pharmaceutical company on tax matters, late payment notices, a staff performance report of a global investment bank, and termination letters. In all instances, full names, emails, phone numbers, and other highly sensitive data were revealed.”
The terms of service of free online tools make the point explicitly. Google’s terms, for example, state:
“When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”
The definition of Material Nonpublic Information (MNPI) is provided below because it is comprehensive and broad, and many agencies may not be aware of how easily the MNPI requirements can be transgressed.
Definition of Material Nonpublic Information
Material Information. Information is material if there is a substantial likelihood that a reasonable investor would consider it important in deciding whether to buy, hold or sell a security. Therefore, any information that could reasonably be expected to affect the price of the security is material. Common examples of material information are:
- Projections of future earnings or losses or changes in such projections
- Actual changes in financial performance
- A pending or prospective joint venture, merger, acquisition, tender offer or financing
- A significant sale of assets or disposition of a subsidiary
- A gain or loss of a material contract, customer or supplier or material changes in the profitability status of a current contract
- Changes in management, other major personnel changes or labor negotiations
- Significant increases or decreases in dividends or the declaration of a stock split or the offering of additional securities
- Financial liquidity problems
- Actual or threatened major litigation, or the resolution thereof
- Communications with governmental agencies, such as the SEC.
Both positive and negative information can be material. Because trading that receives scrutiny will be evaluated after the fact with the benefit of hindsight, questions concerning the materiality of particular information should be resolved in favor of materiality, and trading should be avoided.
Unfortunately, business practices in the translation industry, which is often characterized by low margins and fast turnaround, can sometimes be compromised. We at MasterWord recently had a translation buyer go to a competitor on the promise of lower pricing. The customer quickly returned after that competitor posted highly confidential medical documents on ProZ while trying to recruit translators who would accept low rates for the job.
RWS Deutschland also reports: “An old press release from 2014 was recently re-published on Uepo. It reported on a female translator who was caught trying to sell confidential design data for a submarine. The background to the story was that she was not paid for her work by her contractor due to quality issues, whether legitimate or used as a pretext. At the same time, she still had to pay the translators she had subcontracted.”
Information security, as we have seen, covers many areas, including:
- Established production processes and controls for access and data security
- The quality and supervision of the supply chain (translators and editors)
- Information technology used to transmit, share and collaborate on customer data
- The vigilance of the IT and project management teams in following secure data practices
- Knowledge of, and compliance with, the legislation and rules governing sensitive customer data, such as HIPAA and the rules on MNPI
- Classification of all projects by security requirements, since not all projects need the same level of vigilance
Customers want to know their information is safe from cyber-crime; they also want assurance that a third party has physical security covered and has measures in place to prevent fraud, bribery and corruption.
MasterWord is committed to quality management and has been certified as conforming to the International Organization for Standardization ISO 9001:2008 and ISO 13611:2014 standards; the technology we use has been certified as conforming to ISO 27001.
We welcome a discussion of our information security practices and hope that this summary provides you with assurance that we are serious and knowledgeable about this subject.
For more information on how we can help you translate your confidential information, please call us at +1 281-589-0810 or +1 866-716-4999 (option 3 for translation) or email us at firstname.lastname@example.org. We are available 24 hours a day, seven days a week.