Cyber Security and data privacy
Cyber security is the practice of defending computers, services, mobile devices, electronic systems, networks and data from unauthorised access, disruption and malicious attack. Cyber incidents have risen in recent years, driven by increased connectivity, remote working, reliance on technology and automation. RWS understands that its cyber security preparedness must continue to evolve to address this changing risk.
The strategic security posture for RWS is set by the Information Security Steering Committee (ISSC), chaired by the CIO. The group includes stakeholders from all relevant business units, who collaborate on continually improving security awareness and on maintaining a consistent, risk-based approach to information security. The ISSC also provides oversight and governance of information security risks.
The Information Security Management System (ISMS) is the framework that underpins our globally recognised ISO 27001:2013 certification. We hold this certification for our hosted product solutions, our Regulated Industries division, our IP Services division and their supporting services, people, processes and technology. RWS also holds SOC 2 attestation for its Cloud Operations function. The ISMS provides a robust baseline that gives RWS the agility to develop the further controls needed to meet sector-specific information security compliance requirements where these are identified as being in the business interest. Our ongoing work to improve and expand the scope of the certified ISMS ensures the implementation, and the external validation, of internationally recognised information security controls that benefit both RWS and our clients.
Acknowledging that security risks will always exist, our organisation adheres to a suite of information security policies that provide high-level security guidance to all RWS functions in areas including, but not limited to, risk management, physical security, privacy and incident management. They set out our approach to supporting business aims and objectives while ensuring a consistent approach to the management of risk.
The analysis of security risks in accordance with these approved policies and processes identifies threats, considers the likelihood of each threat materialising, and assesses its potential impact on business objectives. This structured approach informs decision makers and allows them to decide whether mitigation is appropriate and, if so, what form it should take: for example, implementing technical controls or updating processes to reduce the risk to an acceptable level, or stopping an activity altogether. The selection of mitigating measures or controls is informed by advice and guidance from the security team, but responsibility for it rests with the asset or risk owner. If the owner of an asset is unable to address a risk satisfactorily, it can be escalated to the next level in the management chain. Security risks are captured and managed through our security risk management process, which is the responsibility of our CIO, and are shared with the Board annually.
RWS employs ‘defence in depth’ in its security posture and understands that regular testing of its security controls is important. As such, we routinely conduct vulnerability scanning of our internal and external infrastructure and, at the request of some of our clients, elements of our public-facing infrastructure are subject to periodic penetration testing. Weaknesses identified in this way are analysed to determine the most appropriate mitigation to apply.
The UK’s Cyber Security Breaches Survey found that 83% of businesses that identified a cyber attack in the previous 12 months reported phishing, making it the most prevalent type of attack. Like other businesses, RWS is regularly subjected to such attacks and, while our technical controls block most spam and malicious messages, it is inevitable that some phishing emails get through. Because we understand that employees are likely to be our weakest link, we continually aim to improve our annual security awareness training so that colleagues have the information needed to identify such threats, thereby reducing the risk. In addition to regular messaging and security awareness delivered through our learning management system, MyLX, RWS uses external providers to deliver security training, knowledge assessments and simulated phishing tests, allowing us to identify where additional training may be needed, track its delivery and participation, and measure its effectiveness.
Our security roadmap takes a cost-effective and balanced approach to providing appropriate protection, prioritised in response to market threats and in the areas that our clients tell us are important. Examples include the implementation of multi-factor authentication across the RWS Group and the M365 estate, the deployment of VDI environments, and the roll-out of 24/7 monitoring and detection capability so that incidents can be addressed as soon as possible to minimise any business impact.
RWS ensures it complies with the relevant jurisdictional data protection legislation. Headquartered in the UK, RWS has adopted the EU GDPR and UK Data Protection Act 2018 as its benchmark for data protection. We have a comprehensive set of policies which reflect the applicable privacy legislation and identify processes, procedures and practices focused on the protection of personally identifiable information (PII).
Compliance with data privacy law is one crucial aspect of responsible business practice. We understand that personal, demographic and financial details are just some of the information that may be disclosed to us, and we take appropriate measures to safeguard our clients' data. This includes complying with relevant data protection laws, regularly reviewing our data privacy policies and practices, and investing in technologies and tools to protect our clients' data. We believe that by upholding high standards of data privacy we not only build trust with our clients but also contribute to the wider goal of a safer and more secure digital environment for everyone.
RWS, being cognisant of the requirement for privacy by design, provides functionality within RWS software to enable clients to comply with their obligations under data protection law.
RWS processes personal data on behalf of clients when providing localisation services or when licensing our software as SaaS. Our clients collect the data and transfer it to RWS for processing. Client data is translated, transmitted and stored within the RWS environment and, on completion, is deleted in accordance with our internal deletion policies or as specified by the client. Similarly, when RWS licenses web content management software, the client determines the parameters of data collection and retention. RWS processes client data in accordance with the instructions agreed with clients in non-disclosure agreements, contracts and data processing agreements. We retain personal data only for as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements.
RWS does not undertake detailed profiling of consumers on behalf of clients. Data provided by clients is never sold or rented. Where required to perform the services, RWS discloses data to affiliate companies and approved third-party subcontractors; appropriate data processing agreements are in place to govern these transfers.