Companies spend huge amounts of time and money protecting their data from prying eyes – installing anti-virus software, implementing firewalls and using the latest encryption standards to send documents to each other internally. But as soon as they have to deal with external suppliers, the secure processes and systems in place are abandoned.
Translation services represent one particular area of vulnerability because, more often than not, company information is by necessity shared with a third party.
This is well known but not many are aware of the inherent risks they face when using cheap translation agencies or online machine translation tools.
Specific security threats
There are three activities that raise particular security concerns:
- Using unsecured online automated translation services
- Transferring and storing data insecurely, such as using unsecured public Wi-Fi and/or insecure email
- Lack of third-party security when using translation service suppliers
Why machine translation could be a security risk
Google reports that over 200 million people use its free machine translation service, Google Translate, every year. It’s tempting to use these free services for business purposes to reduce costs but this is a surefire way to expose your data to unacceptable risks.
Using a free online translation service caused one Japanese bank considerable embarrassment, not to mention legal exposure. When bank staff used machine translation for company emails, the emails unexpectedly became publicly accessible online.
The company had no way of getting the information taken down from the site, or any means of contacting the Webmaster. It’s troubling that these sites exercise the right to use your company data in ways your company may not have intended.
Google states that use of its own machine translation tool gives Google the right to “communicate, publish, publicly perform, publicly display and distribute such content.” That suggests using this tool could potentially leave your material unacceptably exposed. It’s certainly extremely unwise to use free online services to translate content that contains any confidential information whatsoever.
Mitigate threats by removing sensitive information
One way to mitigate this threat is to remove any identifying information from content before using online translation services. In the case of the Japanese bank, this might have included removing the company name, personal names, and any account information from the emails before using the service.
Unfortunately, it is difficult to police staff use of these automated services when they are freely available online, and enforcing corporate policies is an ongoing challenge for compliance teams.
There’s software available to replace sensitive information – such as names and locations – with cyphers. This software works alongside a company’s firewall to encrypt all outgoing data as it is dispatched to a third-party translation service. Sensitive information is then converted back to the real values when the translated text comes back to your side of the firewall.
It’s also possible to tailor the security settings to your needs. A recipe wouldn’t usually be considered highly confidential information, but if (for instance) Coke decided to translate their closely guarded recipe, this could be protected by encrypting the names of ingredients. Software such as this, which uses machine intelligence to encrypt and decode content, isn’t likely to be error-free and human input will be required to unravel any issues. However, these systems are not ideal, since identifying and eradicating errors places an unnecessary burden on staff and IT departments.
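The replace-and-restore approach described above, sketched as an added example that is not from the original article or from any particular product: listed terms are swapped for random tokens before text leaves the network and swapped back afterwards, and any token the translation dropped or altered is flagged for the human review the article mentions. The class name, token format and sample email are assumptions made for illustration.

```python
import re
import secrets

TOKEN_RE = re.compile(r"\[\[T[0-9a-f]{8}\]\]")  # hypothetical token format

# Constructed sample: the terms and the email text are invented.
TERMS = ["Acme Bank", "Hiro Tanaka", "4417-0093"]
EMAIL = "Hiro Tanaka of Acme Bank confirmed account 4417-0093. Acme Bank will call."


class Pseudonymizer:
    """Swaps listed sensitive terms for random tokens; one instance per document."""

    def __init__(self, sensitive_terms):
        if not sensitive_terms:
            raise ValueError("at least one sensitive term is required")
        # Longest first, so a longer term wins over a shorter one it contains.
        terms = sorted(set(sensitive_terms), key=len, reverse=True)
        self._pattern = re.compile("|".join(re.escape(t) for t in terms))
        self._term_to_token = {}
        self._token_to_term = {}
        self._sent = {}  # token -> number of times it was sent out

    def redact(self, text):
        def swap(match):
            term = match.group(0)
            token = self._term_to_token.get(term)
            if token is None:
                # Random token: reveals nothing about the term it stands for.
                token = "[[T" + secrets.token_hex(4) + "]]"
                self._term_to_token[term] = token
                self._token_to_term[token] = term
            self._sent[token] = self._sent.get(token, 0) + 1
            return token
        return self._pattern.sub(swap, text)

    def restore(self, translated):
        """Return (text, problems); a non-empty problems list needs a reviewer."""
        problems = []
        found = TOKEN_RE.findall(translated)
        for token, count in self._sent.items():
            if found.count(token) != count:
                problems.append("count mismatch for " + self._token_to_term[token])
        for token in sorted(set(found) - set(self._token_to_term)):
            problems.append("unknown token " + token)
        text = TOKEN_RE.sub(
            lambda m: self._token_to_term.get(m.group(0), m.group(0)), translated)
        return text, problems
```

The token-to-term mapping never leaves the sender's side, so the external service only ever sees the tokens.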
Avoid unsecured public Wi-Fi and cloud services
The risks associated with using unsecured public Wi-Fi hotspots and cloud services are mostly well known. Information can be intercepted during transfer or storage and is vulnerable when stored on public cloud servers.
It’s also wise to avoid using public Wi-Fi to transfer any data, so avoid emailing your translation agency with confidential documents whilst sitting in Starbucks or McDonald’s.
Remember also that any security your company has in place, such as the encryption software previously described, is ineffective if your employees are working from home – unless they are using a VPN.
Choose your third party suppliers carefully
Brands and agencies need to select their translation partners carefully since many of these companies don’t follow security protocols themselves and often share documents with their translators via email and online bulletin boards.
Recently, a translation agency under contract with the Nuclear Regulation Authority leaked an internal, classified document online from the nuclear watchdog. The document contained information on how spent nuclear fuel is reprocessed, regulations on reprocessing, and details about nuclear power plants.
For these reasons, when choosing a translation agency, it’s important to select a supplier with strong security practices and policies. You need to look out for a provider with robust terms and conditions in place, which should include adequate clauses regarding data security and privacy. It’s also important to make sure non-disclosure agreements are signed and kept up to date.
You also need to ensure your translation agency has strong infrastructure and processes in place, and that there are controls and audit trails on all the data you share. Proper security measures cover both the employees and their working practices and the physical infrastructure of the IT system.
Basic infrastructure requirements include things such as power backup and secure data storage and transfer. Using a translation provider with robust practices in place is far more secure than entrusting your information to an automated machine translation service online.
To really keep your data secure, you need to consider the entire process from start to finish. That includes looking at how your data is stored, transmitted, handled by a third party, and returned to you.
Your IT team or an external security consultant should be able to review any weaknesses in the process to identify any areas of concern. There’s no point having intense security practices for data kept within your company systems but no control over third parties who handle it – remember your data security is only as strong as its weakest link.
Avoid the temptation to use workarounds
It’s worth remembering that security practices will only work if they are practical and easy to use. Don’t make your systems so complex that people are tempted to avoid them when under time pressure.
Using automated processes, such as secure encryption, is one way to ensure security processes cannot be skipped to save time. One common error made by companies is making it so hard to transfer data securely that staff find workarounds, such as using cloud-based file transfer services, just in order to meet deadlines.
Your company’s security practices have to be well-matched to the tasks your team is required to do, or you can expect canny team members to find workarounds that are less secure but get the job done faster.