Today: Microsoft shores up its AI strategy heading into a pivotal year, Meta is getting into the AI SaaS business with the former leader of Salesforce's AI division, and the latest enterprise funding.
Today: OpenAI would rather ChatGPT users spend more time using its tool than other "copilots," HPE rolls out a new supercomputer design, and the quote of the week.
Today: Why enterprise open-source contributors might be the secret weapon against patent trolls, AI models are starting to run into scaling problems, and the latest enterprise moves.
How even the best cybersecurity practices can get lost in translation
Global teams across an enterprise are likely to speak different languages, of course, but also might be using different keyboard layouts with different characters. Those differences can lead to confusion about password requirements that could hinder collaboration and even compromise security.
Cybersecurity is a global issue, and multinational businesses that haven’t developed security policies and tech-support practices that take differences in languages, characters, and keyboards into account are at a disadvantage.
Global teams across an enterprise are likely to speak different languages, of course, but even those who all speak the same language might be using different keyboard layouts with different characters. Those differences, combined with subtle linguistic variations in meaning across American versus British English, can lead to miscommunication and confusion about password requirements that could hinder collaboration and even compromise security.
To maintain security and prevent frustrating user experiences, cybersecurity experts recommend adopting a multifaceted approach that combines reinforcing awareness and taking advantage of AI-powered solutions that don’t put corporate data at risk. This process can be a challenge, but those who have dealt with these problems promise it's worth the effort.
“This topic is incredibly relevant as attackers are taking advantage of organizations expanding to a new global footprint and entering new territories,” according to Avi Pichette, product manager at CyberArk, an identity security company that specializes in privileged access management (PAM) technology. “Global security vendors are now fine-tuning their reporting capabilities to understand other regions better to meet compliance standards and also be able to understand anomalous behavior that state attackers take advantage of.”
The Tower of Babel effect
The biblical account of the Tower of Babel describes an ambitious building project that failed due to miscommunication. It was planned at a time when everyone spoke the same language, however, work ground to a halt when divine intervention disrupted their plans by mixing up their languages. While your company might not collapse if cybersecurity instructions are lost in translation, poor communication practices can introduce risks.
Communication hurdles hinder collaboration across borders, with a negative effect on project efficiency and team communication. For example, if an English-speaking tech-support person has to reach out to someone in Japan, they can’t even tell that user, “‘click here and there’ unless the UI is exactly the same,” observed Alexandre Blanc, a security expert, consultant and speaker.
Blanc noted that it’s also important to understand that not all languages are typed out from left to right — Arabic and Hebrew are written right to left — particularly when setting up passwords for access. Poorly communicated password-setting policies increase the risk of brute-force attacks and unauthorized access, jeopardizing sensitive data and business continuity.
If I am attacking you from your branch office in Germany and your reporting tool does not translate well from German to English, I have a distinct advantage.
Pichette explained that organizations that fail to take different languages into account and carry them over into their security incident-reporting tools open themselves up to greater risk. “If I am attacking you from your branch office in Germany and your reporting tool does not translate well from German to English, I have a distinct advantage,” he pointed out.
Character flaws
Charles Givre, head of AI for a cyber startup in stealth mode and adjunct professor of cyber security data analytics at Florida Atlantic University, recounted his own experience with language miscommunication while at Black Hat helping a Japanese student write a SQL query.
“We couldn't figure out why the query wouldn't work on his machine. It turned out that the Japanese keyboard has a different unicode character for the period. The character looked identical but when the query engine tried to parse it, we got all kinds of strange errors.”
When English speakers work with a Japanese speaker, they are aware that there are language and character differences, as they would be if communicating with someone who uses Arabic or Chinese characters. But what if they are both English speakers on different continents? In that case, they could be speaking the same language but with slight variations that can give rise to confusion.
That can be a problem when teams in the U.K. or the U.S. relay security information or passwords needed to gain access to an application. British and American English-speakers spell many of the same words differently, of course, but they also use different names for punctuation marks and some keys appear in different places on the ISO keyboard used in the U.K. than they do in the ANSI keyboard that Americans usually have on their computers.
An IT support specialist based in the U.S. working for a global bank (who requested anonymity to tell the story) relayed a frustrating experience he had when trying to tell a user in the U.K. which characters to enter for her password reset. The string included the punctuation mark that people in the U.K. call a “full stop” and the user didn’t know what the IT support person meant by the “period” key.
The end user also was confused when typing in the additional characters. She wasn’t familiar with the backslash key and couldn’t find it where the support person told her to look because it’s not in the same position on her ISO keyboard as it is on his ANSI one. Without either party aware of the layout the other was using, the communication gap expanded. The result was cross-continental frustration and a lot of time wasted.
Think globally
Blanc encountered similar problems when managing IT for a Canadian-based company with offices in different countries. He decided to print out the layout of the different keyboards in use across the company to be sure of the keyboard mapping during support conversations. When support staff know which keyboard the person on the other end of the line is using, it's much easier to point them in the right direction and save everyone time and hassle.
As citizens of a country with two official languages, where everything has to be communicated in both English and French by law, Canadians naturally have greater awareness of accommodating differences in keyboard mapping. Unfortunately, those conditions don't exist in the U.S., and that lack of awareness can hinder a global cybersecurity strategy.
That's because implementing standardized password policies in hopes of ensuring consistency is not enough for international organizations; they also have to provide cross-cultural and language training to foster better understanding and reinforce awareness about both security and communication. That takes more than a series of slides and videos.
“A mistake many firms make in creating their (cybersecurity) awareness programs is that they do not assign it to someone with skills in training development or marketing communications,” noted Ben Rothke, senior information security manager at Tapad. “The key driver is the quality of the content and materials used in the awareness training,” he said.
Reinforcing that awareness across a global workforce is also something that needs to be done regularly. “People forget and need to have recurrent awareness training to reinforce the awareness principles,” Rothke explained. That doesn’t mean you just take a rinse-repeat approach, he said; companies should vary the materials and forms of media used to keep people engaged and interested, and focus on the end result of securing company data.
"When it comes to security, firms should focus on building a security culture," Rothke added. "That is much more powerful and effective than just providing perfunctory awareness training.”
AI can help, but be careful
In addition to establishing training and building the right security culture, multinational organizations can use AI to mitigate problems.
Givre pointed out that “OpenAI models were trained with multilingual data,” which makes them workable in more than one language and even capable of translating one language to another. “I found that it was more than capable of translating text written in a variety of languages into SQL queries,” he said.
Another way AI can be useful is by bridging character differences through smart mapping: AI algorithms can intelligently map characters from different languages and alphabets. Security managers could then generate a password in Chinese characters or whatever form of alphabet is needed even if they were using an American keyboard.
With contextual understanding, AI can add regional and cultural awareness for languages. As described earlier, some languages are basically the same – like British English and American English – but still have some variations in expression, spelling, or nuance. AI models trained on multilingual data can understand regional variations in language, including slang, idioms, and cultural references. They can also suggest strong, culturally-appropriate passwords based on your preferred language and cultural context.
However, Blanc warned, don't assume you can rely on AI to defeat every language barrier. There are issues of accuracy and privacy that have to be taken into account when using such tools. And when it comes to translation, Blanc said generative AI is not on par with human translators who can understand not just the words being used, but their meaning.
“AI is not translating that; it’s just putting words together,” he said, and that process can fail to capture the speaker’s intent. Consequently, those who simply input text into generative AI to get a translation in a language they don’t understand at all may be getting inaccurate results without realizing it.
While free AI-powered translation tools are convenient, Blanc also warned that many people don’t realize what they’re agreeing to when they use them.
The challenge of dealing with a language and culture barrier may drive you use free (AI) tools, but you need to do a risk assessment to think of the potential risks to the organization.
Google Translate, for example assumes anyone using it grants Google the right to use their data. Some business data should not be shared with such systems, and some forms of sensitive data may even fall under specific protections of regulations like GDPR, depending on which region the business operates in.
“The challenge of dealing with a language and culture barrier may drive you use free tools, but you need to do a risk assessment to think of the potential risks to the organization,” Blanc said. If you just need them for “a one-time thing like for password reset, there’s not much risk.”
However, for sensitive or “valuable information like financial data or business secrets,” Blanc recommends using paid services that assure you they do not use your data; it’s worth the cost to be on the safe side.
For companies that operate across borders, cybersecurity calls for a multifaceted approach. While AI tools can be helpful, they need to be assessed in light of privacy concerns and risks. But businesses need to be aware of these potential security issues, and find the right tools to build a culture of international sensitivity and awareness to maintain security and foster collaboration.
Nobody has any idea when a real quantum computer will actually impact enterprise tech, but NIST wants companies to upgrade their security sooner rather than later.
A software update with one more variable than expected crashed 8.5 million Windows computers. Should Windows security vendors continue to have access to the kernel?
The shared-responsibility model is groaning under the weight of the modern security environment. Snowflake's ongoing nightmare should be a wake-up call for any infrastructure or SaaS provider that they need to do more to protect their customers, because the old model is no longer working.
RPA is reaching an inflection point as enterprises increasingly look to get more than just productivity gains from their previous investments, and AI enters the chat.