RWS — ESG Report 2022, page 62
Governance (continued)
CYBER SECURITY
Cyber security is the practice of defending computers, services, mobile devices, electronic systems, networks and data from malicious attacks. Increased connectivity, remote working, reliance on technology, and automation increase the risk of attack. Furthermore, changes in ways of working driven by the pandemic have created more opportunities for cybercriminals. RWS understands that our cyber security preparedness must continue to evolve to address the changing risk.
The strategic security posture for RWS is set by the Information Security Steering Committee (ISSC), chaired by the CIO, who is the executive sponsor for security. This group includes stakeholders from all divisions and selected business units to collaborate on the continual improvement of the Information Security Management System (ISMS), which also helps drive our integration programme, increases awareness and supports a consistent risk-based approach to information security. Furthermore, the ISSC provides oversight and governance of information security risks.
RWS continues to expand its Information Security Management System (ISMS), which is the framework that underpins the globally recognised ISO 27001:2013 certification. We hold this for our hosted product solutions, Regulated Industries division, IP Services division and their supporting services, people, processes and technology.
RWS also holds SOC2 certificates for its Cloud Operations and Language Services functions. The ISMS provides a robust baseline which gives RWS the agility to develop further the controls necessary to meet a variety of sector-specific information security compliance requirements if identified as being in the business interest. Our ongoing work to improve and expand the scope of our certified ISMS ensures the implementation and external validation of internationally recognised information security controls which benefit both RWS and our clients.
Acknowledging that security risks will always exist, our organisation adheres to a suite of information security policies which provide high-level security guidance to all RWS functions in a number of areas including, but not limited to: risk management; physical security; privacy; and incident management. They set out our approach to supporting business aims and objectives whilst ensuring a consistent approach to the management of risk.
The analysis of security risks in accordance with approved policies and processes identifies threats, considers the likelihood of the threat materialising and assesses any potential impact on business objectives. This structured approach informs decision makers and allows them to identify whether mitigation is appropriate and, if so, what form it should take. This could, for example, be to stop an activity, to implement technical controls or to update processes which reduce the risk to an acceptable level. Selection of appropriate mitigating measures or controls is informed by advice and guidance from the security team but is the responsibility of the asset/risk owner. If the owner of an asset is unable to address the risk satisfactorily, it can be escalated to the next level in the management chain. Security risks are captured and managed through our risk management process, which is the responsibility of our CFO, and shared with the Board annually.
RWS employs ‘defence in depth’ in its security posture and understands that regular testing of its security controls is important. As such, we routinely conduct vulnerability scanning of our internal and external infrastructure and, at the request of some of our clients, elements of our public-facing infrastructure are subject to periodic penetration testing. This allows the identification of weaknesses, which are analysed to determine the most appropriate mitigation to be applied.
The UK’s Cyber Security Breaches Survey identified that 83% of businesses reported phishing attacks in the last 12 months, making it the most prevalent type of attack. RWS has also been regularly subjected to such attacks and, whilst our technical controls block most spam and malicious messages, it is inevitable that some phishing emails get through. Because we realise this is likely to be the weakest link, we maintain and continually improve our security awareness regime to provide colleagues with the information necessary to identify such threats, thereby reducing the risks. In addition to regular messaging and security awareness delivered through our learning management system, MyLX, RWS uses external providers to deliver security training, knowledge assessments, and testing, allowing us to identify where additional training may be needed, track its delivery and participation and test its effectiveness.
Our security roadmap takes a cost-effective and balanced approach to its continual improvement to provide appropriate protection, so that our defences are sufficient to meet known threats but not excessive. As an example, RWS has completed the implementation of multi-factor authentication (MFA) to access our virtual private network and is expanding this to require MFA to access all web-based business applications going forward. Furthermore, we understand that not all cyber attacks can be prevented and have engaged an external partner to provide a 24/7 detection and response capability to enable incidents to be addressed as soon as possible to minimise any business impact.