Mark Shriner is the founder of the Secure Talk Cybersecurity Podcast. He has also worked in several leadership roles in the localization industry including CEO Asia Pacific for CLS Communication. He now works as the Strategic Sales Director for memoQ, leading the company’s business development efforts in regulated industries.
Language service providers and buyers of localization services are especially vulnerable to cybersecurity risks. This is partially related to the distributed work model, one that often relies upon freelancers, remote linguists, work from home project managers, and others spread across several countries. When you factor in the sheer volume of content and related metadata processed by numerous apps and devices — think content management systems, translation management systems, and more — it’s easy to see the explosive potential for a cybersecurity meltdown.
In the first part of this article (see MultiLingual September/October 2021), we took a high-level look at the different types of cyber risk and discussed how organizations can reduce exposure by creating awareness, assigning responsibility, and developing a cybersecurity policy. Now, we will drill down on some of the specific tools and practices the localization industry can use to reduce their exposure to cyber risk.
One of the most important steps in reducing cyber risk is to conduct an assessment of your organization’s IT infrastructure. There are various types of assessments including detailed questionnaires, network scans, and penetration (commonly shortened to “pen”) tests. Oftentimes, it may be prudent to use more than one type of assessment.
Questionnaires are great for understanding your organization’s relationship to data. They can clarify the data types you manage, your policies for protecting data and for updating software and hardware, and your compliance with specific regulations such as GDPR or HIPAA. They also delineate specific cybersecurity duties and responsibilities among staff.
Unfortunately, questionnaires can be time-consuming and typically involve several stakeholders. As the responses may reveal sensitive information about an organization’s security posture and compliance readiness, many may be reluctant to share their information with an external consultant. Therefore, internal resources may be needed to complete, analyze, and act upon the results of the assessment.
A network scan breaks down the active and inactive users on your network, where they are located, and whether your infrastructure is up to date and optimized to reduce costs and enhance security. Completed within days or weeks, scans monitor network traffic and identify various users, traffic patterns, resource demands, and the type and number of devices — including servers — being used. A scan can also flag out-of-service hardware, apps that may need patching, and inactive credentials that should be deleted.
Need to uncover weaknesses with an organization’s IT infrastructure, apps, and websites? Hire a team of “ethical hackers.” They pen test an organization by launching an approved attack on one part of an organization’s IT infrastructure. Some regulatory standards such as the Payment Card Industry Data Security Standard require regular pen testing.
Your organization most likely already has access to some automated security assessment tools. For example, organizations using Windows 10 and O365 can use Microsoft’s free automated security assessment, Secure Score. This tool assesses the settings of an organization’s O365 tenant and makes recommendations customizable to your security posture and user experience. For example, if turning on a data protection feature will prevent the sending of unencrypted data, but will have no effect on the user’s experience, it would be given a greater priority. Secure Score also shows how your organization compares with peer companies in your industry.
While technically not an assessment, Microsoft also provides a free Compliance Manager tool that helps organizations view their compliance posture against all major regulatory bodies, flag and assign tasks, and send alerts for follow up.
Figure 1: The Microsoft 365 security center detects users at risk and issues a security score.
The weakest links in almost every organization’s IT system are the actual users. Whether it’s from poor password hygiene, the use of unsecured WiFi, or phishing email and malware mistakes, employees are by far the largest cyberattack vector.
Awareness training is the most effective counter to these threats. Solid training should demonstrate what a phishing or malware attack looks like, show you what to do when you receive a suspicious email or document, and teach best practices around password hygiene and remote work. Simulated phishing attacks, for instance, send emails that, if opened, alert the recipient and hone their threat detection skills.
Treat emails that ask you to enter your credentials for any work or personal account with great suspicion. Also, beware of unusual requests for money transfers, gift cards or other items. Often these are sent from “spoofed” or faked email addresses from a senior person, and the sender is hoping to create a sense of urgency. When in doubt, slow down and either call the person or forward the request to the correct email address for confirmation.
Since we all use multiple apps, sites, and devices, it’s challenging to create, remember, and secure passwords for every single scenario. A surprising number of people use generic passwords such as “password2021” or “summer2021,” which are vulnerable to automated attacks.
The simple solution? A password manager. Keeper, LastPass, and Dashlane are apps that allow users to generate, store, retrieve, and even share their passwords in a securely encrypted manner. This way, one can avoid creating a vulnerable password simply because it’s easy to remember (and therefore hack).
Single sign-on (SSO) is another solution. SSO allows users to sign on to several apps using a single set of credentials. This is important because it reduces the time, effort, and potential security issues connected to passwords. Localization buyers and sellers alike should try SSO-enabled tools.
Another important practice when using third-party apps or tools is to ensure they are compliant with any relevant regulatory standards and bodies such as ISO 27001, GDPR, HIPAA, PCI, and more. It is also recommended that you conduct half-yearly or annual audits to guarantee these tools are maintaining their compliance.
Figure 2: A sample of the Microsoft Secure Score board.
Multi-Factor Authentication (MFA)
Apps and devices that only require a single factor such as username and password to authenticate are easier to access. They’re also more easily compromised. At least one additional authentication factor makes all the difference for any app or device containing sensitive information or an entry point into other systems.
Additional authentication factors might include something you have (security token, a key, USB stick), something you know (a PIN), or a biometric (voice or iris scan, typing speed analysis). The two most commonly used extra authentication options are a code that is sent to the user’s mobile phone or an authentication app. By using these extra factors you can be sure that even if your username and password have been compromised, bad actors still won’t have access to your apps, data, or devices.
The need for second authentication every time you log in can be annoying. And depending on the location of the user, the systems they are trying to access, and their level of access, it may not make much sense. But for individuals who are logging in from an unrecognized or unusual location, those who are using a non-company-owned device, or for those requesting extra administrative rights, MFA should be considered to secure your data.
For example, a standard practice is to have all global administrators use MFA to authenticate, since their credentials provide access across all IT assets. Furthermore, you may want to employ policies such as just-in-time permissions and just-enough permissions. These policies allow for elevated access rights only to the level absolutely needed and only for the time needed. By limiting access rights and requiring MFA for elevated credentials, you prevent a hacker from gaining elevated admin rights even if they have compromised an individual’s credentials.
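The MFA and just-in-time/just-enough rules described above, expressed as a small policy engine. This is an added example and not code from the article or from any identity product; the sign-in fields, role names, the 60-minute ceiling on elevation, and the sample users are all assumptions made for illustration.

```python
"""Added example (not from the article): decide when a sign-in must present a
second factor, and grant elevated rights only just-in-time and just-enough,
with an automatic expiry. Roles, fields and sample sign-ins are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class SignIn:
    user: str
    roles: set
    location: str
    known_locations: set      # locations the user has signed in from before
    company_device: bool
    requests_admin: bool = False


@dataclass
class Decision:
    require_mfa: bool
    reasons: list = field(default_factory=list)


def mfa_decision(s: SignIn) -> Decision:
    """Apply the article's rules: global admins, unrecognised locations,
    non-company devices and elevation requests all trigger a second factor;
    a routine sign-in from a known place on a company device does not."""
    reasons = []
    if "global_admin" in s.roles:
        reasons.append("global administrator role")
    if s.location not in s.known_locations:
        reasons.append(f"unrecognised location {s.location}")
    if not s.company_device:
        reasons.append("non-company-owned device")
    if s.requests_admin:
        reasons.append("requests elevated administrative rights")
    return Decision(require_mfa=bool(reasons), reasons=reasons)


class JitGrants:
    """Just-in-time / just-enough elevation: one permission at a time, issued
    only after MFA succeeded, capped at max_minutes and expiring on its own."""

    def __init__(self, max_minutes: int = 60):   # 60-minute cap is an assumption
        self.max_minutes = max_minutes
        self._grants = {}  # (user, permission) -> expiry datetime

    def elevate(self, user, permission, mfa_passed, now, minutes=30):
        if not mfa_passed:
            raise PermissionError("MFA required before elevation")
        minutes = min(minutes, self.max_minutes)   # "just enough" time
        expiry = now + timedelta(minutes=minutes)
        self._grants[(user, permission)] = expiry
        return expiry

    def has(self, user, permission, now) -> bool:
        """True only for the specific permission granted and only until expiry."""
        expiry = self._grants.get((user, permission))
        if expiry is None:
            return False
        if now >= expiry:
            del self._grants[(user, permission)]   # lazily drop expired grants
            return False
        return True


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    trip = SignIn("pm.alice", {"project_manager"}, "Lima", {"Budapest"}, True)
    print(mfa_decision(trip))
    grants = JitGrants()
    print(grants.elevate("pm.alice", "reset_password", True, now, minutes=120))
```

The decision function returns the reasons alongside the verdict so the sign-in log records why a second factor was demanded; the grant store keys on (user, permission) rather than on the user alone, which is what keeps an elevation "just enough" instead of a blanket admin role.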
Data Loss Prevention (DLP)
Have you ever worried about emailing personally identifiable information such as social security numbers or payment information like credit card numbers? DLP can help. DLP is used to detect and classify the type of data in a computer file and then, based upon the policies configured for that data type, recommend or force a specific protective action.
For example, if you were emailing a file that contained credit card numbers, the DLP tool would be able to detect that and either suggest or force encryption depending on your organization’s policy. More good news is that Microsoft Office 365 has DLP tools built in, so you may already have access to it.
Mobile Device Management
As data volume and the number of apps and devices increase, it can be challenging for an organization to manage employee access, especially on personal hardware. Your organization should have a tool such as Microsoft Intune or VMware’s AirWatch that allows an admin to monitor device activity. In the case of a lost device or a departing employee, the admin can either remotely wipe or block access to all company apps and data on the device.
Figure 3: Compliance managers can help you hone in on potential cyber security risks.
Not all IT security relies on high-tech tools. One of the most basic forms of IT security is physical security. Can your organization monitor and control physical access to your office and essential systems, apps, and data? Access keycards and PIN pads with fingerprint scans are effective ways to secure your organization. Likewise, CCTV systems can be used to monitor and record activities in all parts of a facility. Many regulatory bodies and security standards require documented physical access policies and practices in order to maintain compliance.
Many security-related tools rely on anomaly detection to flag potentially risky behaviors. Imagine a person who has never downloaded files from an organization’s financial reporting tool attempts to download or email financial data. An anomaly detection tool could flag that activity for review by your IT security team.
Another example is an “impossible travel” scenario in which a user logs in from one location and then minutes later logs in from a completely different city or country. A good security tool would flag this for review, as it most likely indicates that the person’s credentials are being used by a hacker to access the company network.
Back-ups & Patches
Backing up important data and systems is critical to prevent extended business shutdowns from either systems failures or ransomware attacks. Back-ups should be automated to limit risk of interruption after an outage.
Patches are fixes to bugs and newly discovered security issues. App developers and device manufacturers send patches to customers, which should be installed as soon as possible. Microsoft, Adobe, and Oracle release patches regularly on Patch Tuesday. But patches for newly discovered malware are often sent out as soon as they are ready, outside that schedule.
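The detect-classify-act loop described in the Data Loss Prevention section above, as an added example. This is not code from the article and not how Office 365’s built-in DLP works; the regular expressions, the Luhn filter, the two data types, the sample policy and the sample documents are all constructed for illustration.

```python
"""Added example (not from the article, not a vendor's DLP engine): scan the
text of a file for credit card numbers and US social security numbers and map
what is found to the protective action configured in a policy."""
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in 123-45-6789 form; area 000/666/9xx and all-zero groups are never issued.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; stops random digit runs (order ids, timestamps) from
    being flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str) -> dict:
    """Return the sensitive data types present in the text and a count of each."""
    labels = {}
    cards = find_card_numbers(text)
    if cards:
        labels["credit_card"] = len(cards)
    ssns = SSN.findall(text)
    if ssns:
        labels["ssn"] = len(ssns)
    return labels


# Constructed policy: per data type, what the tool does when the file is emailed.
# "suggest" shows the sender a policy tip; "force" applies the control or blocks the send.
POLICY = {
    "credit_card": {"action": "force", "control": "encrypt"},
    "ssn": {"action": "suggest", "control": "encrypt"},
}


def decide(text: str, policy=POLICY) -> dict:
    """Classify the file and pick the strictest action among the types found."""
    labels = classify(text)
    if not labels:
        return {"labels": {}, "action": "allow", "control": None}
    actions = [policy[label] for label in labels if label in policy]
    forced = [a for a in actions if a["action"] == "force"]
    chosen = forced[0] if forced else actions[0]
    return {"labels": labels, "action": chosen["action"], "control": chosen["control"]}


if __name__ == "__main__":
    # Constructed sample; 4111 1111 1111 1111 is a well-known test card number.
    sample = "Invoice: card 4111 1111 1111 1111, contact SSN 123-45-6789."
    print(decide(sample))
```

Two points a real deployment inherits from this shape: the classifier and the policy are separate, so the same detection can be set to "suggest" in one business unit and "force" in another, and the checksum step is what keeps the tool from nagging users about every 16-digit order number.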
Figure 4: Risk assessment is key to understanding your cyber vulnerabilities.
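The “impossible travel” check from the anomaly detection paragraphs above, as an added example of the logic such a tool runs. It is not code from the article or from any security product; the sign-in log format, city coordinates, the 900 km/h threshold and the users in it are constructed for illustration.

```python
"""Added example (not from the article or a vendor product): walk each
user's sign-ins in time order and flag any consecutive pair whose implied
ground speed is beyond what an airliner could manage."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in log: UTC timestamp, user, city, latitude, longitude
SAMPLE_LOG = """\
2021-11-01T08:02:11Z alice.pm Budapest 47.4979 19.0402
2021-11-01T08:14:40Z alice.pm Lagos 6.5244 3.3792
2021-11-01T09:30:00Z bob.lx Vienna 48.2082 16.3738
2021-11-01T13:45:00Z bob.lx Berlin 52.5200 13.4050
2021-11-02T07:00:00Z alice.pm Budapest 47.4979 19.0402
"""

MAX_KMH = 900.0  # assumed threshold: faster than this between sign-ins is "impossible"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on the Earth."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def parse_events(log_text):
    """Parse the constructed whitespace-separated log into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, city, lat, lon = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"when": when, "user": user, "city": city,
                       "lat": float(lat), "lon": float(lon)})
    return events


def impossible_travel(events, max_kmh=MAX_KMH):
    """Return one alert per consecutive same-user pair that exceeds max_kmh."""
    alerts = []
    last_seen = {}  # user -> previous event
    for e in sorted(events, key=lambda ev: ev["when"]):
        prev = last_seen.get(e["user"])
        last_seen[e["user"]] = e
        if prev is None:
            continue
        seconds = (e["when"] - prev["when"]).total_seconds()
        km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
        hours = max(seconds, 1.0) / 3600.0   # clamp so a same-second pair cannot divide by zero
        speed = km / hours
        if speed > max_kmh:
            alerts.append({"user": e["user"], "from": prev["city"], "to": e["city"],
                           "km": round(km), "minutes": round(seconds / 60),
                           "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample log only the Budapest-to-Lagos pair twelve minutes apart is flagged; the Vienna-to-Berlin pair over four hours and the next-day return to Budapest are well under the threshold. A production tool would add the caveats the article implies: VPN egress points and mobile carrier geolocation can make a legitimate user appear to jump, so the alert goes to the security team for review rather than locking the account outright.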
Website and Homepage Security
One of the first things you can do to protect your company assets and website visitors is make sure you are using HTTPS. When you visit a site that uses HTTPS you can see the lock icon, which signifies that all information downloaded from and sent to the site is encrypted. This prevents an attacker on the network path from injecting malicious code into the pages your site serves and using it to collect customer data.
Public Wi-Fi is an increasingly common attack vector. It’s easy for a hacker to launch a “man in the middle” attack, where they impersonate the public Wi-Fi provider. When that happens, all unencrypted communications can be intercepted and copied. If possible, use a hotspot from your cellular network. However, if you must use public Wi-Fi, be sure not to access or send sensitive information and encrypt all communications.
When working remotely, it’s always a good idea to use a virtual private network (VPN). A VPN creates a private network over a public network and can be a good way to protect communications. Whenever appropriate, use a VPN with encryption to secure your communications.