Saturday, February 16, 2019

Secure Translations - Employee Training - Phishing - Part 8 of Many

Security Drills like Ethical Phishing Attacks are a must-do to keep digital assets secure.

This immediately poses the question: Are you and your service providers training users on cybersecurity? We need employees to master security, not just to be aware of it. The employee awareness programs that most auditors are after are a good start, but they are not enough to make sure that your employees act as a trusted line of defense. Trust but verify! With successful Business Email Compromise (BEC) scams on the rise, paranoia is the only effective defense.

This is the 8th post in my Secure Translations series, and this time I am discussing the lack of strong employee security training.

As usual, let us use our simple yet effective quantitative risk management framework to analyze this threat.
  • Threat: Companies are tempted just to check the box when it comes to employee training as part of regulatory compliance. Unfortunately, just caring about compliance is not the same as caring about security.
  • Asset: All digital assets are at risk when employees are not highly trained on security issues.
  • Vulnerability: Users with access to confidential information do not truly know how to combat security dangers like phishing.
  • Risk: The impact of any single employee not knowing how to actively fight threats like phishing is the highest security risk companies face today. The likelihood of this happening is extremely high, with attacks getting so sophisticated that even information technology professionals fall for phishing scams nowadays.
  • Safeguard: Actively craft your own internal ethical attacks, collect statistics like the percentage of employees failing to identify threats over time, share the statistics openly, and personally help those employees that are having trouble recognizing threats. Make sure not a single user is left behind. Work with the staff, vendors and even contacts for mastery, not for punishment. Do not just ask for audit reports and certifications from your service providers; in addition, ask them for their specific employee training program and proof that such continuous training is happening. Furthermore, demand proof that ethical hacking drills are performed internally. A service provider like a language service provider cannot provide secure services like secure translations unless they have a highly qualified cybersecurity program in place. If a single employee or vendor falls for a phishing attack, for example, such a provider cannot provide secure services. If such providers do not have an ethical hacking drill program in place, they cannot keep your information safe.
The reason why my series is about secure translations is that the processes used today to translate documentation for international corporations are in the hands of users that are most likely not well trained. If your organization has trusted translations to Language Service Providers (LSP) that do not have strong continuous employee mastery-training programs, then your risk of data loss is high, no matter what such providers promise. If your LSP is not training users for security mastery, then that Language Service Provider cannot offer secure translations. They might sell themselves as secure translation providers, but the devil is in the details. You are ultimately in charge of requesting proof that your content is handled by employees and vendors that master the art of fighting cybercriminals, of being cautious, of being knowledgeable. This requires constant training and testing. This is a serious cybersecurity matter.

You can follow the "Secure Language Translations" series in this blog, on LinkedIn, Twitter or Google+. My objective is to educate executives and managers, but also to help engineers reduce the organization's risk through sound security measures.

Tuesday, February 12, 2019

Smart Marketing - Understand the Hollywood Principle

Growth hacking has taught Marketing the importance of Applied Software Engineering. Growth Marketing practitioners should understand how consumers think. Consumers apply the Hollywood Principle: "Don't call us, we'll call you". The Consumer should be calling the Producer instead of the reverse. This inversion of control mechanism would, in my opinion, benefit the marketing mix: Products will deliver exactly what customers are demanding. Price will be transparent and commensurate with the offered value. Placement of the product will be dictated by buyer interest and profitable customer retention analysis, rather than by artificially and temporarily apparent customer demand. Promotion of the product will be achieved by free subscription to relevant material rather than expensive ads, and more educated clients will look into comparison matrices that emerge from a community rather than paid, artificially generated benchmarks.

The Hollywood Principle brings to software development two important benefits: Decoupling, which is needed to make sure code can be tested in isolation; and Cohesion, which is needed to make sure software is packaged together to work towards a very specific goal.

This principle also brings the customer two important benefits: Decoupling, which is needed to avoid locking into sub-par services, as the priority becomes a match on prioritized needed features rather than on existing relationships; and Cohesion, which is needed to make sure consumed services offer highly specialized value rather than a one-size-fits-all offering.

Traditional marketing is still predominant: pushy follow-ups on cold email campaigns, pushy follow-ups on consumption of published content, pushy ads that do not let you navigate through clean content, pushy commercials that disrupt your productivity ...

We all want our services to be bought, but pushing at the wrong time has an adverse effect. Pulling is safer. Instead of overwhelming potential future customers with unnecessary calls, emails and ads, marketers should keep doing the good job of publishing meaningful content that educates and lets the customer ultimately decide what is best.

Marketing should be modernized and respect the modern knowledge user. Do not call the customer; let the customer call you later, when your service is of interest. Offer your potential and existing customers a valuable newsletter/podcast/videocast with no fluff, just stuff; make your website rich in content that educates on the possibilities of your services; showcase previous successful client engagements; make all content short and educational. Everybody wants a free lunch, which we know does not exist, but we should know when the right time to charge for it is.

Here is a simple recipe:
  1. Create relevant content in different media (some prefer video, others audio, others written information)
  2. Allow to subscribe to such content and explain clearly who and how to reach out for further questions and suggestions
  3. Listen to feedback, measure impact and segment the audience to determine what relevant content should be created next
Here are examples of pushy marketing that has not worked for me and probably is not working for most people, because it does not respect the Hollywood Principle:

Friday, February 08, 2019

Stop phishing - Use the "Presumption of Guilt" principle

Have you been phished? Watch this video so that you start thinking twice before you end up clicking even once on a dangerous link.

But let us write it down as well:
  1. All emails, phone calls, regular mail, external links from a website and in general any form of interactive communication, without exception, are guilty of illegally trying to invade your privacy and security until you demonstrate the contrary.
  2. It is your responsibility not to click, take a call, place a call, and in general to avoid responding to any communication unless you have demonstrated that such communication is not an illegal attempt to invade your privacy and security.
  3. If by mistake you click, speak, or in general interact through any channel, you are responsible for not providing any information after that action. Stop the communication immediately and instead initiate the communication yourself by visiting a well-known website (instead of clicking, type its URL!), calling a well-known phone number, or asking your IT department for help!
  4. Be curious. Do your homework, as you should do with any news you receive. Right-click and copy the link, paste it somewhere so that you can read it and determine where it would take you if you clicked it. Google keywords from the email, the link, the sender. Look up the phone number calling you. Search for complaints about the suspicious domain or email. Find out if the email or the email domain of the person contacting you has been reported as part of criminal activities before. We live in a world full of scams, false news and hoaxes. Learn, which always means looking at the problem from more than one perspective.
Apply the "presumption of guilt" principle. In particular for emails, please learn (do not just read):
  1. Look at the details of the sender. The "from" in an email tells you if the person that sent it is known to you, not because of a name but because of the address. The address has an id (the identifier for the sender), an "at" sign (@) and a domain (usually the official website of an organization or person).
  2. An email id that is not as clear as "john.doe", "jdoe" or "johnd" is suspicious. Do not trust any stranger up front.
  3. The email domain part is separated by dots (.). For example, "evil.com" in jdoe@evil.com. You should ask yourself what that domain looks like. Is "evil.com" a place you know and trust? Go to a browser and type that domain; do not copy and paste it. Consider for example the letters "P/p", which in Cyrillic look exactly the same as in Latin script but are different characters, and therefore https://www.philosophy.com/ is not the same as https://www.рhilosoрhy.com. The second URL is built with the Cyrillic "р". What you see is not actually what you get.
  4. If you trust the user id and the domain, then ask yourself if you are expecting that email. The fact that you have seen a similar email before does not mean this one is legitimate as well. If you do not expect that email, assume it is evil. If in doubt, send a separate email to that user, writing the address from scratch or taking it from your contact list.
  5. If something is not expected, immediately mark that email as spam; do not engage.
  6. Do look carefully at the URLs you navigate to, and compare them letter by letter with those you know are correct using tools like https://www.diffchecker.com/diff. That is how you see that "https://facebook.com" and "https://facebооk.com" are two very different URLs. The first is the one you use, while the second uses Cyrillic characters. The list of confusable Unicode characters is huge. The possibilities to get phished are literally infinite.
  7. Beware of popups, and especially check that their URLs are real and not a simulation. Do look into the address bar of any popup. The URL should be visible in the address bar and should be editable by you. All modern browsers ensure that this URL is visible, and this is why you are supposed to use a safe browser. And yet, as mentioned above, double-check that it is actually the URL you are supposed to be visiting. This could make the last phishing exploit linked at the beginning of this blog post even smarter and harder to combat.
  8. Needless to say, you should keep all your devices updated. Do not leave that patch for later. Apply it ASAP (do not procrastinate on protecting yourself).
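The letter-by-letter comparison in points 3 and 6 can be automated. The following script is an added example, not part of the original post: it takes a URL, flags any hostname label that mixes scripts (for instance Latin and Cyrillic), lists every non-Latin letter by its Unicode name, and shows the punycode (xn--) form that the browser actually resolves. The two sample URLs are the post's own examples, constructed here with escape sequences so the Cyrillic letters are visible in the source.

```python
import unicodedata
from urllib.parse import urlsplit


def char_script(ch: str) -> str:
    """Coarse script of one character, taken from the first word of its Unicode
    name (e.g. "LATIN", "CYRILLIC"). Digits, dots, hyphens and underscores are
    treated as COMMON so they never count as a second script."""
    if ch.isdigit() or ch in ".-_":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyze_url(url: str) -> dict:
    """Inspect the host part of a URL for homoglyph tricks."""
    host = urlsplit(url).hostname or ""
    mixed_labels = []
    for label in host.split("."):
        scripts = {char_script(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:  # e.g. LATIN and CYRILLIC inside one label
            mixed_labels.append(label)
    # Every letter that is not plain Latin, with its official Unicode name,
    # so a reader can see "CYRILLIC SMALL LETTER ER" instead of a look-alike "p".
    non_latin = [(c, unicodedata.name(c, "?")) for c in host
                 if char_script(c) not in ("LATIN", "COMMON")]
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:  # label too long or otherwise not encodable
        ascii_host = None
    return {
        "host": host,
        "ascii_host": ascii_host,          # what the resolver really sees
        "mixed_script_labels": mixed_labels,
        "non_latin_chars": non_latin,
        "suspicious": bool(mixed_labels),
    }


# Constructed samples: "\u0440" is CYRILLIC SMALL LETTER ER (looks like "p"),
# "\u043e" is CYRILLIC SMALL LETTER O (looks like "o").
SAMPLES = {
    "real": "https://www.philosophy.com/",
    "fake": "https://www.\u0440hiloso\u0440hy.com/",
    "fake_fb": "https://faceb\u043e\u043ek.com/",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        r = analyze_url(url)
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{name}: {r['host']} -> {r['ascii_host']} [{verdict}]")
        for ch, uname in r["non_latin_chars"]:
            print(f"    {ch!r} is {uname}")
```

A legitimate domain written entirely in one non-Latin script will not be flagged as mixed, but its xn-- form will still differ from what is displayed, which is the value to compare against the address you know.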

Monday, February 04, 2019

Cyber Threat Intelligence (CTI) Program

Do your organization and all your service providers have a Cyber Threat Intelligence (CTI) Program?
In other words, what is the ability of your organization and your service providers to prevent cyber attacks?

Despite the little typo, the CTI program representation in the picture from the 2018 ENISA Threat Landscape Report is a starting point to consider reading the rest of that document, which covers current threats and safeguards that you should consider when going through quantitative risk management.

While we want security first and then compliance, both are equally important. To achieve a high security maturity level we need to look at the strategy (compliance), tactics (ways to compile intelligence), operations (tooling), and technology (secure DevOps and SDLC practices).

My series about secure translations is actually applicable to any kind of service provider, but naturally, based on my current role, I am concerned about the impact of globalization on security and privacy. I am particularly concerned about the practices currently being used by multiple top Language Service Providers (LSP).

It is worrisome to see claims about security on LSP corporate websites that tend to deceive customers, for example the claim that they hold security reports and certifications, when those actually belong to the hosting providers they use. Let us make this clear: security is not reached because you ride on a mature hosting provider. Instead, security is a journey that an organization decides to make, and it must cover internal strategic, tactical, operational and ultimately technical/logical areas.

If you are an international organization executive, you should be aware that the biggest cyber-risk faced by your organization lies in the fact that your LSP of choice cannot deliver secure translation services. All efforts around internationalization, localization, trans-creation and therefore globalization might actually be compromising your bottom line.

Saturday, February 02, 2019

No person left behind - Anybody can master any subject matter

Salman Khan puts it way better than anybody could:
"Learn math the way you'd learn anything, like riding a bicycle. Stay on that bicycle. Fall off that bicycle. Do it as long as necessary, until you have mastery. The traditional model, it penalizes you for experimentation and failure, but it does not expect mastery. We encourage you to experiment. We encourage you to fail. But we do expect mastery."
If you think there are smart and dumb people, you are simply wrong. All of us, human beings, are smart, period. In fact, we are all equally smart, period. What makes some of you look smarter than others is just the way we as a society evaluate and measure intelligence. As it stands, society is plain wrong when it comes to measuring intelligence.

This is an argument that I have had so many times that I decided to write it down so that I can share it for the years to come, instead of repeating myself. We can all be prepared for the Fourth Industrial Revolution and for the industrial revolutions yet to come. We just need to stop teaching the way we teach. The learning pace of each individual is sacred and must be respected and applauded, because the ones that are ahead could be behind soon. It all comes down to determination for mastery. That determination is affected by the society we live in, which rewards the fast learner instead of mastery. The so-called "gifted" are just fast learners. To master a subject you just need determination, whether you were ever called "gifted" or not.
