Cyber Security and data privacy
We take our cyber security and data protection responsibilities seriously. Our cyber security preparedness continues to evolve to address the changing risk landscape as well as ensuring we comply with the relevant jurisdictional regulations and data protection legislation.
Cyber security is the practice of defending computers, services, mobile devices, electronic systems, networks and data from malicious attacks. Increased connectivity, remote working, reliance on technology, and automation increases the risk of attack. Furthermore changes in ways of working driven by the pandemic have created more opportunities for cybercriminals. RWS understands that our cyber security preparedness must continue to evolve to address the changing risk.
The strategic security posture for RWS is set by the Information Security Steering Committee (ISSC), chaired by the CIO who is the executive sponsor for security. This group includes stakeholders from all divisions and selected business units to collaborate on the continual improvement of the Information Security Management System (ISMS) which also helps drive our integration programme, increases awareness and supports a consistent risk-based approach to information security. Furthermore, the ISSC provides oversight and governance of information security risks.
RWS continues to expand its Information Security Management System (ISMS) which is the framework that underpins the globally recognised ISO 27001:2013 certification. We hold this for our hosted product solutions, Regulated Industries division, IP Services division and their supporting services, people, processes and technology.
RWS also holds SOC2 certificates for its Cloud Operations and Language Services functions. The ISMS provides a robust baseline which gives RWS the agility to develop further the controls necessary to meet a variety of sector specific information security compliance requirements if identified as being in the business interest. Our ongoing work to improve and expand the scope of our certified ISMS ensures the implementation and external validation of internationally recognised information security controls which benefit both RWS and our clients.
Acknowledging that security risks will always exist, our organisation adheres to a suite of information security policies which will provide high level security guidance to all RWS functions in a number of areas including, but not limited to: risk management; physical security; privacy, and incident management. They set out our approach to supporting business aims and objectives whilst ensuring a consistent approach to the management of risk.
The analysis of security risks in accordance with approved policies and processes identifies threats, considers the likelihood of the threat materialising and assesses any potential impact on business objectives. This structured approach informs decision makers and allows them to identify whether mitigation is appropriate and if so, what form it should take. This could, for example, be to stop an activity, to implement technical controls or update processes which reduce the risk to an acceptable level. Selection of appropriate mitigating measures or controls are informed by advice and guidance from the security team but is the responsibility of the asset/risk owner. If the owner of an asset is unable to address the risk satisfactorily, it can be escalated to the next level in the management chain. Security risks are captured and managed through our risk management process which is the responsibility of our CFO, and shared with the Board annually.
RWS employs ‘defence in depth’ in its security posture and understands that regular testing of its security controls is important. As such we routinely conduct vulnerability scanning of our internal and external infrastructure and, at the request of some of our clients, elements of our public facing infrastructure are subject to periodic penetration testing. This allows the identification of weaknesses which are analysed to determine the most appropriate mitigation to be applied.
The UK’s Cyber Security Breaches Survey identified that 83% of businesses reported phishing attacks in the last 12 months, making it the most prevalent type of attack. RWS has also been regularly subjected to such attacks and whilst our technical controls block most spam and malicious messages, it is inevitable that some phishing emails get through. Because we realise this is likely to be the weakest link, we maintain and continually improve our security awareness regime to provide collegues with the information necessary to identify such threats thereby reducing the risks. In addition to regular messaging and security awareness delivered through our learning management system, MyLX, RWS uses external providers to deliver security training, knowledge assessments, and testing, allowing us to identify where additional training may be needed, track its delivery and participation and test its effectiveness.
Our security roadmap takes a cost effective and balanced approach to its continual improvement to provide appropriate protection so that our defences are sufficient to meet known threats, but not excessive. As an example, RWS has completed the implementation of multi-factor authentication (MFA) to access our virtual private network and is expanding this to require MFA to access all web based business applications going forward. Furthermore, we understand that not all cyber attacks can be prevented and have engaged an external partner to provide a 24/7 detection and response capability to enable incidents to be addressed as soon as possible to minimise any business impact.
RWS ensures it complies with the relevant jurisdictional data protection legislation. Headquartered in the UK, RWS has adopted the EU GDPR and UK Data Protection Act 2018 as its benchmark for data protection. We have a comprehensive set of policies which reflect the applicable privacy legislation and identify processes, procedures and practices focused on the protection of confidential business information (CBI) and personally identifiable information (PII).
RWS, being cognisant of the requirement for privacy by design, provides functionality within RWS software to enable clients to comply with their obligations under data protection law.
RWS processes personal data on behalf of clients when providing localisation services or when licensing our software via SaaS. Our clients collect the data and transfer it to RWS to process. Client data is translated, transmitted and stored within the RWS environment and on completion is deleted in accordance with internal deletion policies or as specified by the client. Similarly, when RWS licenses web content management software, the client determines the parameters of data collection and retention. RWS processes client data in accordance with instructions agreed with clients in non-disclosure agreements, contracts and data processing agreements. We only retain personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements.
RWS does not undertake detailed profiling of consumer clients on behalf of clients. Data provided by clients is never sold or rented. As required to perform the services, RWS will disclose data between affiliate companies and approved third party subcontractors; appropriate data processing agreements are in place to govern these transfers.
In FY22 there have been no disclosures or unauthorised movement of sensitive information including CBI and PII.