Managing Cyber Risk

Mark Shriner is the founder of the Secure Talk Cybersecurity Podcast. He has also worked in several leadership roles in the localization industry including CEO Asia Pacific for CLS Communication. He now works as the Strategic Sales Director for memoQ, leading the company’s business development efforts in regulated industries.


Language service providers (LSPs) and their enterprise customers are becoming increasingly concerned with cybersecurity, privacy, and compliance with various regulatory frameworks including General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). In fact, most requests for proposals (RFPs) for both services and tools in the localization industry now include questions related to IT security, location of hosting services, data handling and protection, and relevant certifications attained such as ISO 27001, ISO 9001, and SOC2.

This two-part article will introduce some of the best practices related to developing a cyber risk management plan that addresses concerns related to cybersecurity, as well as some specific tools, policies, and actions that teams and individuals can use to improve their cybersecurity posture and protect data.

Cyber risk can be defined as the potential damage, loss, or business interruption caused by some type of cyber threat. A cyber threat is anything that can cause damage or loss to an organization by exploiting a vulnerability in its IT systems, its processes, or its people. Examples include phishing attacks that capture a person's login credentials, ransomware attacks that encrypt an organization's data, or malware that renders every infected device unusable.

Many organizations view cyber risk solely as a risk to their IT assets and data. However, it is becoming increasingly common to take a broader view of cyber risk and view it as an overall business risk. This is important because when cyber risk is viewed as an IT risk, the responsibility for protecting digital and IT assets is often siloed with the IT team. However, the most effective way to reduce cyber risk is to treat it as a risk to the entire enterprise and to foster a corporate culture that prioritizes cybersecurity.

Three types of cyber risk

All organizations, regardless of their industry, face three types of risk related to cybersecurity: operational risk, legal and compliance risk, and reputational risk. 

For most companies, not being able to operate due to a hacked website, ecommerce platform, or internal software system is their biggest cybersecurity-related concern. This would be considered an operational risk and is typically the focus of most IT security teams.

Fines and sanctions levied by regulatory bodies under laws such as GDPR and HIPAA for the improper handling of customer data are becoming an increasingly important concern. This would be classified as a legal and compliance risk and is usually the responsibility of a compliance officer, the chief information security officer (CISO), or company legal counsel.

Examples of real-world compliance risk include the €50,000,000 fine that Google was assessed on January 21, 2019, by France's data protection authority (CNIL) under the GDPR, and the announcement by the U.K.'s Information Commissioner's Office (ICO) of its intention to fine British Airways €204,600,000 under the GDPR for inadvertently allowing its website to divert visitors to a bogus site set up by attackers to steal customer data.

No company wants to see its name in the news as the victim of a hack and then suffer reputational damage and the loss of customer, employee, and shareholder trust and goodwill because it has inadvertently compromised customer or employee data. That is why reducing reputational risk is also critical.

For example, a consumer poll conducted by BrandIndex showed that the retail giant Target suffered a 54.6% drop in consumer perception during the 12 months following its 2013 breach, which resulted in the loss of payment card information for roughly 41 million customers. What that equated to in lost sales is hard to quantify, but it was surely substantial.

Create awareness

Some cyber risk can be reduced by adopting better cybersecurity practices and training, and the negative effects of a cyber incident can be mitigated through proper planning and products such as cyber insurance. However, the best first step to reducing your organization's cyber risk is to create organization-wide awareness of the problem in the specific context of your organization's operational risk, legal and compliance risk, and reputational risk.

To start with, you should identify your critical business systems and data and ensure that you have proper policies in place to give them the appropriate level of security, redundancy, and backups. Backups should be tested by actually restoring from them, and at least one copy should be kept where an attacker who compromises your production systems cannot reach it; otherwise a ransomware attack that encrypts the backups along with the data leaves you with nothing to recover. The simple act of identifying critical assets tells an organization how to prioritize its protection and risk reduction efforts.

For an LSP, critical systems could include the translation management system (TMS), the financial record-keeping platform, and the CRM tool. Sensitive data could include HR records, credit card and bank information, tax records, customer contacts, and company, contractor, or customer data that contains personally identifiable information (PII). 

You should also consider the vectors through which your systems or data could be attacked. For example, are your remote workers using secure WiFi and a VPN? Do you have a defined offboarding process that promptly revokes the accounts, keys, and shared-drive access of departing employees and contractors, so that a disgruntled former colleague cannot simply log back in? Could one of your colleagues open a malware-infected file attached to an email? Once you have identified potential attack vectors, you can work to eliminate or minimize them.

For legal and compliance risk you need to know what regulatory bodies have jurisdiction over your organization. And if you are processing a customer’s data, as regularly happens in the translation industry, you need to know what regulations apply to both your organization and to your customer’s data. 

For example, you might be a US-based LSP with no offices or employees in Europe. However, if you have a database of European freelance linguists or you are translating information that relates to identifiable European residents, you would be expected to adhere to the GDPR. Likewise, if you are translating patient-reported outcomes (PROs) in the US, you would be expected to follow HIPAA requirements related to data protection and deidentification; an LSP that handles protected health information on behalf of a hospital or pharmaceutical customer is typically a HIPAA "business associate" and will be asked to sign a business associate agreement committing it to those safeguards. Failure to do so could expose your organization to fines and sanctions, and possibly to reputational risk.

Assign responsibility

In many organizations the IT team inherits all responsibility related to cybersecurity by default. This can be problematic because there is an inherent tension between business needs and security needs. If security becomes too restrictive, the usability of your tools and your productivity will suffer. However, if security is too lax, your data could easily be compromised. Additionally, cybersecurity is most effective in organizations where it is considered part of everyone's job.

A common solution to this dilemma is the appointment of a CISO who reports directly to the CEO. It is the responsibility of the CISO to ensure that the appropriate security practices are being followed and that the organization is in compliance with the relevant regulations. A CISO will also work with stakeholders across the company to ensure that both their business and their security needs are being met. If you don't have the budget for a full-time position, you may want to consider a fractional or virtual CISO.

It's also important for the people in these roles and all senior executives to make sure that everyone in your organization, from contractors and part-time interns up through the CEO, is aware that cybersecurity is an enterprise-wide shared responsibility. It doesn't do any good to spend a great deal of money on the latest intrusion detection system or antivirus software if the people in your organization haven't adopted cybersecurity best practices and aren't doing their part to reduce cyber risk.

Create a cybersecurity policy document

Just as every organization should have a policy related to hiring, promotions, business travel, equality, etc., your organization should have a cybersecurity policy. By creating a cybersecurity policy you can gain visibility on mission-critical assets, establish a plan for protecting them, assign responsibility for specific items such as patch hygiene, and also make it clear at the most basic level that everyone in your organization is responsible for cybersecurity.

The cybersecurity policy document should also name a CISO and possibly create a cybersecurity committee or a cybersecurity emergency response team (CSERT, more commonly called a computer security incident response team, or CSIRT) that meets periodically and reports issues and concerns to the board. The document should also include an incident response plan with detailed steps for detecting and containing an incident, preserving evidence, recovering compromised assets, and communicating with employees, shareholders, customers, regulators, and the general public. The plan should spell out who decides whether an incident is reportable and by when, because some regulations set deadlines: the GDPR, for example, requires a data controller to notify the supervisory authority of a reportable personal data breach within 72 hours of becoming aware of it.

Every organization should state its commitment to training in the cybersecurity policy document. Regular general security awareness and best-practices training should be required for everyone. More in-depth and focused training should be provided to individuals who have access to sensitive information and to those in IT and cybersecurity-related roles.

Anyone responsible for managing translation projects should have a good understanding of what constitutes sensitive data, the relevance of metadata (a document's author, revision history, and tracked changes can themselves reveal PII), and best practices related to encryption and deidentification. Companies that are subject to GDPR, HIPAA, or other regulatory guidelines should have at least one in-house subject matter expert who can identify potential issues and alert senior management.

It’s an enterprise-wide effort

In summary, the best way to reduce the operational, legal and compliance, and reputational risk related to cybersecurity is to create enterprise-wide awareness of these risks, of which systems and data need to be protected, and of cybersecurity best practices. Lastly, it is critically important to foster a culture of shared responsibility for cybersecurity and for reducing cyber risk.

In part two of this article, we will look at some of the specific tools and techniques organizations can use to assess and improve their cybersecurity posture and reduce cyber risk.


THE ROLE OF CYBER INSURANCE

Insurance policies that cover cyber risk, or "cyber policies," can be an important tool for managing all three types of cyber risk. A policy does not make a breach less likely; what it does is transfer part of the financial impact. In the case of a system breach, a good policy can provide balance sheet protection for an organization by paying for breach response assistance, legal and forensic services, customer notifications, and even credit monitoring services in the case of a loss of customer data.

Some insurers will leverage an already established network of subject matter experts and help coordinate all breach response activities including IT, legal, PR, and customer notification services. 

Some cyber policies will pay ransomware payments to recover data, and fines related to a breach that are levied by regulatory bodies, although whether regulatory fines are insurable at all varies by jurisdiction. Insurers will generally refuse to pay if the insured organization has not followed the security practices it attested to when the policy was written, so be prepared to document controls such as multi-factor authentication and offline backups, and expect them to be a condition of coverage. Also, cyber policies typically don't cover audits by regulatory agencies that are triggered by a breach.

Just like regular business insurance, a good cyber policy can be a great tool for reducing a company's financial exposure to operational risk. However, not all policies are created equal, and it's very important that you check with your broker to gain a clear understanding of what is and isn't covered, including any exclusions and sub-limits.