2015 ETUG 2015 – Information Security for Translation Services

Information Security for Translation Services



RWS Group - www.rws-group.de


Companies are pitted against each other in international competition, and competitive pressure is growing steadily.

Competitors are attempting to:

• Bring similar products to the market at a lower price

• Bring newer products to the market quicker

• Produce products cheaper

• Outbid competitors in calls for tenders

To this end, information about the market and the competition is very helpful.

Not every company feels morally bound to legal practices when it comes to acquiring information.

Although it is difficult to provide precise figures, a current study (2014) sponsored by Corporate Trust (www.corporate-trust.de) does provide some insight:

• In 2014, nearly 30 % of all companies in Germany and Austria reported a specific case of industrial espionage.

• 27 % of the companies in Germany and 20 % in Austria reported at least one suspected case.

• The financial damage caused by industrial espionage amounts to at least € 11.8 billion.

One result of industrial espionage is, for example, illegal copies.

• According to the OECD, damages caused by illegal copies in 2008 came to $ 650 billion. In 2015, this amount could grow to over $ 1.7 trillion.

Even though we currently read and hear about espionage carried out by and against state organisations, industrial espionage is also a subject that companies cannot afford to ignore if they wish to protect their competitiveness.

Medium-size businesses in particular have become an attractive target for industrial espionage.


Prime targets are wherever one expects to find valuable information or wherever information appears easy to obtain.

Thus it comes as no surprise that the areas of research, development, and IT administration are being targeted by attackers.

Nearly 20 % of the attacks are directed against sales activities; the area of mergers and acquisitions is apparently also a worthwhile target for attackers.


The gamut of potentially interesting information is wide. Of course, this includes anything that is new or particularly good.

However, quality issues at a company could be exploited by a competitor as a way to start one's own sales activities.

Information obtained from current calls for tender or ongoing negotiations can help to optimise one's own strategy versus the company that is calling for tenders.

Information about employees can help prepare a targeted solicitation or help find employees whose solicitation would be particularly rewarding.

Analyses of purchase prices or process costs can help to identify one's own deficiencies so that remedial action can be taken to become more competitive.


The majority of attacks are carried out by hackers. In Germany, this accounts for more than 40 %, and in Austria it is still more than 30 %.

Whereas in Germany customers and suppliers make up the second largest group with over 25 %, 30 % of the attacks in Austria are carried out by the companies' own employees.

There are three main ways of obtaining information:

• Electronic attacks on corporate IT systems.

• Monitoring and interception of electronic communication.

• Social engineering or the more or less intentional distribution of information.


Although it no longer applies to the majority of attacks, there is still a viable market for acquiring information.

Especially in eastern countries, you can find numerous hackers or hacker groups that offer their services to those willing to pay for them.

This could be specific information or simply login credentials to the desired systems.

Another option is to sound out persons who have the desired information. The many options offered by social networks are helpful, as are direct contacts at trade fairs and conferences. Know-how can, of course, also be obtained by soliciting people in the know.

This is done not only with the victim's employees but also with the customer's and supplier's employees.

This is also conceivable the other way around. By infiltrating employees, you even have the added advantage that the victim also pays the spy. Depending on the type of information sought and the standards in place at the victim's site, it may suffice to infiltrate interns. Seen against this backdrop, the new German minimum wage law can be viewed as a step to improve information security.

In many companies it's very easy, however. One goes to the company, loiters in front of the stairwell and converses with the smokers there and then enters the building with them. All you have to do then is look for an empty office, connect your notebook to the company LAN and quietly fill your hard drive.


Bearing that in mind, it comes as no surprise that legislation is currently under way in Germany that would require companies to do more for their security.

Even though this would apply only to companies of special importance, for example those involved in infrastructural industries critical for the economy, it appears that such a law will have deeper economic repercussions.


Confidential information must be available at several locations; otherwise it is of no use to anyone.

In growing internationally networked processes, this means that such information must also be translated.

At the same time, a large percentage of translations is no longer produced by internal company departments.

Translation providers also frequently avail themselves of external freelance translators.

Consequently, information is frequently transferred, stored at different locations and passes through several hands.

The translators often live in the respective target countries. This is all the more true, the lower the living expenses are there.

Translators have come to use the Internet as their primary reference source for finding terminology and definitions.

The use of cloud-based technologies is gaining in popularity for translation work.


Companies and translation service providers often try to recruit freelance translators from the many translation portals available. When a translator receives an enquiry, it often already contains the documents to be translated.

If you play your cards right, you can even make both sides pay for your espionage.

Alternatively, I can try to contact the right translators and then attempt to buy the information I need from them.

An old press release from 2014 was recently re-published on Uepo. It reported on a female translator who was caught trying to sell confidential design data for a submarine. The background to the story was that she was not paid for her work by her contractor due to quality issues, whether legitimate or used as a pretext. At the same time, she still had to pay the translators she had subcontracted. Apparently, this is a not too uncommon practice among freelance translators.

Many translation service providers do not have the resources to handle their IT tasks. This is why they must turn to external consultants or service providers.

In an industry subject to high pricing pressure, I can easily imagine making a translation office an incredibly low offer as a means of gaining access to its IT resources.

An Internet portal for translation services may be all one needs. All you have to do is analyse the data sent there.

Searching waste paper can also be a worthwhile endeavour. Wherever documents are translated, large quantities of paper are printed.


Whenever someone asks questions about information security, it seems you always hear the same answer:

We cover that by signing an NDA with our translators!

One should bear in mind, however, that NDAs are normally concluded with all suppliers and that such provisions can usually be found in nearly all contracts. As far as the relationship with customers goes, NDAs are nothing out of the ordinary.

Despite all this, violations of information security by employees, customers and suppliers account for a considerable share of the real industrial espionage cases. Apparently, NDAs are not very effective when it comes to protecting information.


Information security is not only complex because IT systems are becoming more elaborate but also because of increasing connectivity.

This is why information security needs a comprehensive concept that outlines the risks and processes involved.

It must be possible to adapt any information security concept to the ever-changing circumstances at hand.

One's own processes and requirements will change as will the risks brought about by changes made in IT.

This also includes the growing number of sophisticated tools and methods employed by attackers.


Information security is not just IT security. Information security refers to both technical aspects and to procedural ones. The goal is to protect information from unauthorised access as well as to provide information to the right place at the right time. Information that is so well secured that even authorised persons cannot use it is worthless.

As far as information security is concerned, we can define several perspectives:

1. Data security

2. Protection against spying eyes

3. Access control

4. Data transfer

In the following section, we will focus our attention on a number of aspects that are highly relevant for translation processes and language service providers.


To implement a concept for information security, various aspects must be taken into consideration.

On the one hand, there is a series of technological measures to implement. Among these are separating the network, installing sophisticated firewalls or encrypting data drives and communication channels. As a rule, you should assume that the protection level must be increased to match the confidentiality requirements of the information. Practically speaking, this is primarily a financial challenge for companies. The technological requirements correspond in large part to those of other companies.

Likewise, steps need to be taken in reference to structural changes. You must ensure that secured areas are equipped with access control devices. Appropriate visual protection screens must also be added to prevent spying. Information security also requires proper anti-burglary and fire-protection equipment. Here too, the requirements for a translation service provider are comparable to those in other industries.

Just as critical as these physical measures are awareness programmes and employee training. A large part of the successful attacks is carried by employees, whether through phishing for passwords and login credentials or through trojans installed by carelessly clicking links to infected websites. You should not overlook the fact that this is an ongoing job; people's attention to detail wanes over time. Customers also have their own responsibilities in this regard. If contact partners start ignoring agreed standards in day-to-day business dealings, it will be difficult for language service provider employees to accept the significance of measures they feel to be at least in part annoying.

The biggest hurdle for language service providers is, however, the translation process itself. You must generally assume that a large share of the translations will be completed by freelance translators. They often work outside of the access zone provided by the language service provider. This means that the documents given to the translators also leave the controlled area at the language service provider. We will take a closer look at this problem in the following section of the presentation.

All in all, the ability to control the technological and personal aspects of the translation process has become the most demanding challenge.


If you want to start with information security, you have to classify your information.

From the classification you can derive all the security requirements for each document.

The classification should be reflected in:

• Physical situation of rooms and access restrictions

• Network separation

• Security measures


Language service providers usually work together with freelance translators who can live and work anywhere around the globe.

In terms of the translation process, this means that a confidential or secret document is initially sent by the customer to the language service provider.

There, the document is prepared for translation. Until then, both customer and language service provider still control access to the document. The document is sent encrypted, all systems implement a high security standard, and the employees have been trained and made aware of the possible risks.

Now a translator must finally receive the document, so he or she may start translating it. When selecting a translator, a series of requirements must be fulfilled:

The translator must be qualified according to the international standard ISO 17100. This means that translators not only need to be qualified in their respective language combinations but must also be knowledgeable about the contents of what they are translating. In addition to the translator, we also need a proofreader with comparable skills.

You generally cannot assume that it is economically feasible to have all the required translators for a large number of languages and large number of subject areas available at the language service provider.


Therefore, the following options are left:

1. The translators needed are flown in.

Due to the expenses and the time involved, this is hardly a realistic option.

2. The translators fulfil the same requirements as the language service provider.

This is indeed possible but can incur high costs for individual translators. Compliance with the requirements would still have to be checked by the language service provider. From a practical standpoint, this would be expecting far too much of all the participants.

3. What is needed is a hybrid solution.


Translators work from their offices over protected VPN connections to special work areas that have been set up on the systems located at the language service provider.

This procedure ensures that the technological requirements regarding the storage of documents remain under the control of the language service provider.

The translators must also be trained and made aware of the specifics of working with the confidential documents at hand. This means that confidential documents must not be processed in public rooms or on unsecured networks. Working in an airplane, a train, in an Internet café or on the beach is not an option. Moreover, printouts or screenshots are not allowed. The rules in place for using Internet-based translation tools must be strictly observed. Here is where the support provided by the designated translation tools is helpful. It would be helpful if the project manager could disable cloud-based MT for particular projects in SDL Studio.

When selecting the translators for a particular job, great care should be exercised. Agreements concerning information security must be made with the translators that extend beyond those of a normal NDA. It is recommended that you verify the translator's compliance with the agreement.

For the language service provider, this procedure means being able to increase the potential pool of translators. Nevertheless, this method also requires a lead time of a few weeks before the translator can start work. In addition, one should note that special licensing requirements for the terminal services to be used must be met. These include licences for the operating systems and office programs.


In our view, the procedure presented here is suitable for processing documents that are confidential or strictly confidential. For the time being, documents classified as secret can only be processed with sufficient security if this is done internally.


Another aspect that I would like to touch upon is that of cloud-based services, which are gaining in popularity.

There are good reasons for using cloud-based services. One should not categorically claim that cloud services are non-secure.

The problem with cloud services for language service providers lies in ensuring that the cloud services used conform to the agreed security requirements.

For the increasing number of cloud services being offered in the translation industry, the vendors must also offer the appropriate security standards and guarantee them to service providers and customers in an understandable, logical way. This means that in SDL Studio, for example, project managers should have the option of limiting the use of cloud services.

At any rate, it should be possible to tell if a translator has used cloud-based machine translation in his or her project.

Practice has shown that at least for now it is better to use cloud-based services for translations in secured areas. This can only work if the language service provider has wide control of the technologies in use at the translation workplace.


Thank you for your attention.
