Localisation security: the top ten issues to look out for
In today’s connected world, our most valuable assets cannot simply be guarded under lock and key. So how do we ensure that the localisation process meets the security challenges of the digital age?
Open for business?
Why is localisation security so important? Because, put simply, security breaches can compromise intellectual property, confidential data and system functionality to potentially devastating effect. In May 2017, for example, the WannaCry ransomware attack infected more than 230,000 computers in 150 countries in less than 24 hours. The effects were unprecedented, temporarily crippling networks of huge organisations such as the UK’s National Health Service, Spanish telecoms giant Telefónica and German rail company Deutsche Bahn.
With the stakes so high, it’s critical that security is an integral part of every business process – including localisation. But what are the key aspects to look for when assessing the security credentials of a potential localisation provider? We’ve compiled a list of the top ten security issues to consider before contracting any localisation provider.
- Physical security
First things first: even in the digital era, physical security is still important. Any localisation provider needs to ensure that areas in which sensitive information is handled can only be accessed by personnel with appropriate identification. Any visits by other parties to such areas should be made by prior arrangement only. In these cases, authorised employees should accompany visitors at all times and should have clear guidelines on their supervision. Physical security of course needs to be ensured even when the location is unmanned – camera and alarm-based protection (potentially backed up by private security) is important for 24/7 protection.
On particularly sensitive projects, enhanced physical security measures may be required. For example, in certain facilities, windows are darkened to protect against the threat of external spying via telephoto photography or even drones. In some cases, employees are required to leave their mobile devices in a secure storage facility outside the working area in order to prevent any unauthorised photography or data transfer.
- Systems security
Systems security should be comprehensively addressed as part of any assessment of a localisation provider’s overall security credentials. As part of this, access to confidential information should be carefully regulated by the use of unique user IDs and passwords. A role-based permission system ensures that individuals only have access to work on areas of relevance to their assigned tasks.
As with any networked system, the use of firewalls, anti-virus software and secure back-up systems should be carefully designed according to project needs. Particular attention should be paid to how information is stored – are servers securely located and who has access to them? Very often, games and IT developers demand a siloed approach, whereby on-site servers are kept in locked rooms accessible only to the absolute minimum number of authorised personnel.
Translation management systems can also play an important role in enhancing levels of localisation security. Managing content on secured shared platforms can negate the need for less secure file-transfer processes. Some systems offer features such as “copy-and-paste lockdown”, which can reduce the threat of unauthorised duplication of sensitive information. Translation management systems can also help establish a clear audit trail with regards to information access, providing a level of transparency and accountability that reduces security risks.
- Remote access
Related to the issue of systems security, particular attention should be paid to remote access to a localisation provider’s network either by employees or third-party contractors. A clearly defined remote access policy should address key elements of risk relating to off-premises access such as acceptable use, password policy, wireless systems and the use of virtual private networks. This includes restricting access to machines used for remote working and keeping them up to date with the latest anti-virus and firewall systems.
- Managing human resources
Ensuring that employees do not share confidential information is fundamental to the management of localisation security. Non-disclosure agreements (NDAs) are an essential safeguard against the threat of such security breaches. These should be carefully drafted by specialist legal advisors and tailored to meet specific project requirements where necessary.
However, attention should also be paid to internal development processes. Do employees receive ongoing training on security issues and related threats such as copyright protection, corruption and bribery? These are important in creating a security culture in which employees have the tools and awareness to spot and manage potential risk from internal or external sources.
Processes should also be in place to combat the threat of departing employees taking information with them. All passwords for email and network access should be changed, entry tags should be returned, and any relevant files should be removed from their personal computers. As part of the exit procedure, employees should be reminded of the terms of their NDAs and other employee contracts with regards to knowledge sharing and confidentiality issues.
- Asset lifecycle
Both in physical and digital format, assets need not only to be stored securely but also to be disposed of in the appropriate manner. For physical assets, secure shredding is essential. For digital assets, it’s important to ensure that sensitive data is deleted in ways which prevent subsequent retrieval.
Transparency in security means that a localisation provider’s controls and processes are open to inspection throughout the project upon request. In this way, clients can be reassured that protocols are being upheld and that all relevant issues are being addressed in accordance with pre-agreed terms and conditions.
- Incident reporting and contingency planning
As part of a comprehensive approach to security management, clear protocols should be in place for the reporting of any security-related incident for internal investigation. These should also determine precisely what kinds of security breach require immediate communication to the client.
Of course, deliberate breaches are not the only threat to localisation security. System failures or physical incidents such as fire or flooding can also compromise security; it is therefore vital that business continuity and disaster recovery plans are in place and fully actionable should circumstances require them.
Accreditation to an internationally recognised security standard can help to ensure that processes are designed, managed and maintained according to industry best practice. Many of the suggestions on this list, for example, are stipulated as necessary for ISO 27001/2, two much-used standards for information security. Accreditation to such standards verifies that these processes have been independently audited by a third party.
In the localisation industry, the use of subcontractors is a commonplace way of working, especially with regards to the hiring of specialist freelance translators who can bring valuable industry-specific expertise to particular projects.
Of course, a chain is only as strong as its weakest link, so it’s essential that external subcontractors comply with the same security standards applied internally. NDAs should be completed and logged before the start of any work, and tailored to the specific project as necessary. It may also be necessary to check subcontractors’ security processes according to a range of key criteria (such as those outlined in this article) and to require completion of relevant security training before any work is undertaken.
- Patch management
Ensuring that all software systems are updated with relevant patches is essential to mitigate the threat of security breaches and virus attacks. To this end, a patch management policy helps to provide a system whereby new patches are identified, tested, installed and verified within specified timescales subsequent to their release.
Staying one step ahead
As with any other critical business process, security in localisation is all about assessing risk, developing appropriate solutions, and ensuring these are executed consistently. Maintaining clearly defined standards should be an integral part of the localisation workflow of any service provider, regardless of project size, type or location. Of course, new security challenges evolve over time as technology changes. Nevertheless, the approach should remain the same: diligence, vigilance and attention to detail underpin any successful security strategy.