Secure localization management

The year 2014 was branded by some as the “year of the hack,” when some significant breaches of cyber security and web vulnerabilities resulted in high profile international headlines. Not a week went by without a tale of woe befalling some household name, causing us all to sit up and take notice of the state of security in this internet age — even if it was only to change our social media passwords. Which got me thinking: as guardians of customer data, in the form of translation content, reference materials, translation memories and the like, how effective is the language industry when it comes to cyber security? How well do we serve our customers’ security needs?

It is fair to say that the general public is aware of only a fraction of the cyber attacks against organizations that occur almost every hour of every day; attacks perpetrated by a range of different parties, from casual hobby-hackers and hacktivists to more organized data theft on a grand scale. If this is of no concern to you then perhaps it should be, since most of the governments of G20 countries cite cyber security and the associated risk of data protection and system hacking as a Tier 1 threat, alongside international terrorism and military conflict. But it’s not just governments that need to take the threat seriously; we all need to assess our security profiles and maintain effective controls against unauthorized cyber activity, which is no mean feat given that the internet is so tightly woven into the fabric of our businesses and society in general. Although slightly left-field, the ever-increasing proliferation of internet-connected devices — things that until recently we all considered to be passive, everyday objects — merely adds to the challenge of keeping data secure. True, your IT systems are unlikely to be infiltrated through your toaster, but the recent story of wireless webcams being compromised by the simplest of tweaks (with resulting images being posted for all to see on the internet) serves as a timely reminder that we all need to take steps to protect our data. Also, and more importantly, to protect the data belonging to our customers.


How to protect our data

Most of us associate data protection with firewalls, which have been a mainstay of IT security for many years. Indeed, over the millennia, the humble wall has been the method of choice for many who have sought to secure their assets, defending them from external attack. From Beijing to Rome, cities became fortresses as seemingly impenetrable barriers were constructed in an effort to keep out would-be invaders. In the majority of cases, however, such fortifications alone were not enough to save civilizations from their eventual downfall, as those within their confines were lulled into a false sense of security. Feeling safe inside their domains, inhabitants became complacent, forgetting what might happen if their defenses were breached, which inevitably they were. Breaches generally came in two forms: the first was catastrophic failure, whereby once the mighty wall was scaled no other protection was in place to prevent invasion. The other was more insidious; over time, strategies of engagement with the outside world gave way to carelessness about who and what was coming through the gates.

If you are beginning to draw parallels with how the world approaches data security today, then you’d be right to do so. However, how much have we actually learned from history? The answer depends on the kind of organization you ask and the importance it attaches to information security, which generally comes down to how much its livelihood depends on being secure. Those companies that act as data controllers or high-volume data processors generally have a very good understanding of what secure means, supported by mature, audit-driven policies and procedures. Arguably, one of the most effective information security regimes, which can serve as a benchmark for us all, is the Payment Card Industry Data Security Standard (PCI DSS) as seen in Table 1, which helps safeguard the details of approximately 95% of credit cards on the planet. Its implementation goes a long way toward ensuring adequate protection against security breaches, by combining the need for physical defenses with compliance-driven processes. Table 1 is a summary of the PCI standard that has been generalized to refer only to data. Interestingly, the control objectives and their corresponding requirements still hold true, despite the broadening of the scope. Indeed, any rational person reading this article would expect all of their data (not just credit card details) to be handled according to the standards described.

Security in the localization industry

Thus far, we have highlighted the need for solid information security controls and identified a good standard that we (probably) all agree should be adopted in one form or another. How is it then that the localization industry lags so far behind in espousing appropriate security controls for the data that it processes? After all, with an estimated worldwide turnover of $33 billion, this is hardly a cottage industry. Or is it? With the vast majority of language service providers being self-employed linguists working out of their homes, it actually fits one definition of a cottage industry very well. But as we all know, above this talented global network of linguists are the language service companies selling the localization dream and managing its delivery at local, national and international levels.

So who’s to blame for the industry lagging behind in terms of its security credentials and capability? Answer: we all are. From individual linguists to language services providers to software manufacturers, we all have to take some responsibility for the situation, and are all going to be involved in fixing it before it’s too late. We can either proactively manage how our industry responds to the threats posed by cyber crime or we can bury our heads in the sand and pretend the problem doesn’t exist. The trouble with the latter approach is that by the time we come up for air, the landscape will have changed and we could be facing an uphill battle to regain customer trust. And if you are a buyer of language services, you have to play your part as well. Only through your insistence that information security is given the importance it deserves will the industry really start to change. You have the ability to demand change, the industry has the ability to deliver it.

So how savvy are customers when it comes to security in the localization industry? One would imagine that risk-aware organizations will know exactly what happens to their data when they send it to their language service provider. But detailed risk management isn’t the norm. What is the norm still revolves around transmitting content by insecure email or on unencrypted USB sticks. Without wishing to overgeneralize, customers often appear content to simply sign a nondisclosure agreement with their language service provider, agree to the standard terms and conditions and then (somewhat naïvely) assume that their data is secure and well-protected. However, when there are so many third parties involved in the localization supply chain, how can they be sure that this is the case? How can they know where their data is being sent, who is viewing it, how it is being stored, whether it is being securely deleted post-project and, most importantly, whether their content is vulnerable? The maxim of caveat emptor appears to be stretched beyond its practical limits when it comes to the procurement of localization services.

To this end, the industry needs some sort of security charter: a set of guiding principles that everyone can adhere to and that affords some peace of mind to the unwary buyer. It should be the responsibility of all language service providers to ensure that all parties within their supply chain are security compliant. Translators, proofreaders, DTP suppliers, AV specialists, interpreters, transcribers and language testers all need to understand the importance of information security and take appropriate steps to conform to documented (and better still, contracted) standards. Similarly, language service providers should ensure that their own staff work to a set of robust information security standards, backed up by regular training and awareness sessions on subjects such as data protection, anti-bribery, fraud awareness and the like.


Technology to the rescue

Thankfully, the past few years have seen a new breed of translation management systems come to market that have been designed to address many of the security concerns described above. Their basic premise, made possible by near-ubiquitous internet access, is to remove the need for file transfers to linguists, meaning that source documents and linguistic assets (translation memories, style guides, glossaries and other supporting material) remain under the control of the language service provider, typically on its own servers. The products in this space also tend to ensure that linguists only have access to the content they are responsible for and that is relevant to their work, and the more advanced solutions offer additional controls, such as nonproliferation and copy/paste lockdown. Role-based permissions also ensure that project managers have restricted system rights, so that customer-specific data is only accessible to those who are authorized to work with it. Lastly, in the very best products, all activity is logged as part of a detailed audit trail. This enables language service providers and their clients to remain safe in the knowledge that they know who is accessing their information, and when.
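One way to express the per-job access restriction and audit trail described above in code. This is an added illustration, not code from any translation management product the article refers to; the role names, the action list and the rule that a job-scoped grant does not cover customer-wide assets such as a translation memory are assumptions chosen for the example, and the scenario in `demo()` is constructed:

```python
"""Deny-by-default, job-scoped access control with an audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Grant:
    role: str                   # "linguist", "pm" or "admin" (names assumed for the example)
    customer: str               # customer account the grant is scoped to
    job: Optional[str] = None   # None = every job of that customer (pm/admin only)


@dataclass(frozen=True)
class Asset:
    asset_id: str
    customer: str
    job: Optional[str]          # None for customer-wide assets such as a translation memory
    kind: str                   # "source", "tm", "glossary", ...


@dataclass(frozen=True)
class AuditEvent:
    when: str
    user: str
    action: str
    asset_id: str
    decision: str
    reason: str


# Actions each role may perform at all; anything not listed here is denied.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "linguist": {"read", "write_target"},
    "pm": {"read", "write_target", "assign", "export"},
    "admin": {"read", "write_target", "assign", "export", "delete"},
}


class AccessPolicy:
    def __init__(self) -> None:
        self.grants: Dict[str, List[Grant]] = {}
        self.audit: List[AuditEvent] = []

    def grant(self, user: str, g: Grant) -> None:
        self.grants.setdefault(user, []).append(g)

    def _matching_grant(self, user: str, asset: Asset) -> Optional[Grant]:
        for g in self.grants.get(user, []):
            if g.customer != asset.customer:
                continue
            # A customer-wide grant covers everything of that customer. A job-scoped
            # grant covers only that job's assets, so a linguist on job J1 cannot pull
            # the customer's whole translation memory (assumption: leverage is applied
            # server-side rather than by handing the TM file out).
            if g.job is None or g.job == asset.job:
                return g
        return None

    def check(self, user: str, action: str, asset: Asset) -> bool:
        g = self._matching_grant(user, asset)
        if g is None:
            allowed, reason = False, "no grant covering this customer/job"
        elif action not in ROLE_ACTIONS.get(g.role, set()):
            allowed, reason = False, f"role {g.role} may not {action}"
        else:
            allowed, reason = True, f"{g.role} grant on {g.customer}/{g.job or '*'}"
        # Record allows and denies alike: the denied attempts are what an
        # investigation needs, and the entry is written before the caller sees the result.
        self.audit.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=user, action=action, asset_id=asset.asset_id,
            decision="allow" if allowed else "deny", reason=reason))
        return allowed


def demo() -> Dict[str, bool]:
    """Constructed scenario: one customer, two jobs, one linguist and one PM."""
    policy = AccessPolicy()
    policy.grant("anna", Grant("linguist", "acme", job="J1"))
    policy.grant("bob", Grant("pm", "acme"))

    j1_doc = Asset("doc-1", "acme", "J1", "source")
    j2_doc = Asset("doc-2", "acme", "J2", "source")
    acme_tm = Asset("tm-acme", "acme", None, "tm")

    results = {
        "anna_reads_own_job": policy.check("anna", "read", j1_doc),
        "anna_reads_other_job": policy.check("anna", "read", j2_doc),
        "anna_exports_tm": policy.check("anna", "export", acme_tm),
        "bob_exports_tm": policy.check("bob", "export", acme_tm),
        "bob_deletes_doc": policy.check("bob", "delete", j1_doc),
    }
    results["every_check_audited"] = len(policy.audit) == len(results)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allow' if ok else 'deny'}")
```

The design point is that the check is evaluated per asset, not per login: a linguist assigned to one job is denied the neighbouring job's document and the customer-wide translation memory even though all three belong to the same customer, and every decision, denied ones included, lands in the audit trail the article asks for.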

However, state-of-the-art translation management systems are only as secure as the environments in which they are deployed. To this end, the hardware, security controls and human processes in place within the hosting data center play a crucial role in maintaining data security. The use of sophisticated web-application firewalls, perimeter networks and advanced denial-of-service detection algorithms all keep valuable information and content as secure as possible. When the physical security elements within the data center are combined with a strong information security management system of the kind imposed by ISO 27001, and backed up by regular security audits, language service providers can be sure that they have good control over their data and (more importantly) the data they are trusted with by their clients.


Rise of the machine

No article on information security would be complete without a mention of free machine translation (the bête noire of professional linguists) and the perceived dangers that accompany it. Among risk-averse, highly regulated, international industries there is a growing unease around the use of free machine translation sites by staff wishing to get the gist of content not in their mother tongue. The trend is for such sites to be blocked and replaced by private, bespoke machine translation solutions, thus ensuring that the risk of confidential data loss is minimized, at least through that particular avenue. Those with the deepest pockets (and possibly the highest levels of suspicion) opt for in-house solutions, while others satisfy themselves that a trustworthy machine translation supplier with the right security credentials can offer them the kind of assurance they need. Irrespective of the operating model, the scene is set for significant growth in this area of language services as cyber security rises up the boardroom agenda.

The language industry needs to wake up to the issues around cyber security and start putting in the controls and procedures that will help safeguard customer data. While more regulated industries have embraced change and gotten their cyber house in order, only a few key language service providers appear to have made inroads in this area, offering the kinds of assurance that an increasing number of customers now demand. 2015 needs to be the year that our industry starts to deliver on security promises.