Articles about security – will be highlighted on the security page.

Enhanced user management as Safe4 version 6.03 is released

The release of Safe4 version 6.03 sees an upgrade in the way that vault users can be managed. It is now possible for vault users to be given specific permission to issue invitations to those with whom they wish to share their own vault. Hitherto the issuing of user invitations has been restricted to provider users. This enhanced user management will support the implementation of Safe4 in a number of particular application scenarios, principally in situations where a vault user wishes to share their inheritance vault or life vault with a member of the family, for example.

As before, the ability to alter permission settings on folders and user accounts remains under the control of provider users. Invitations issued by vault users will carry by default a read-only security group setting, thus preventing any potentially unwanted addition or removal of documents or data in the vault by the invited user.

Safe4 version 6.03 also incorporates a number of server-side enhancements to security and performance, to ensure that the system remains among the safest and most reliable on the internet.

Please contact us if you would like more detail on this release, or for general information on how the implementation of Safe4 can bring benefits to your business.

Enhanced 2-Factor Authentication from Safe4

In line with the Safe4 policy of constantly enhancing security, as well as maintaining compliance with the recommendations of the UK National Cyber Security Centre, the latest release of Safe4, version 6.02, features 2-Factor Authentication using 7-digit codes sent to the user’s mobile device by text message. This enhanced 2-Factor Authentication from Safe4 (2FA) replaces the PIN, which has been a feature of the system since inception in 2010. The advice from the NCSC is summarised here.

Safe4 users with a PIN on their account will be prompted to enter a mobile phone number to which authentication codes will be sent. Once this has been done, they will be challenged to enter the code when logging in. The authentication code will have a life of 24 hours. When this period has elapsed a new code will be sent to the user’s mobile device on the next login.

Flexible options for applying 2-Factor Authentication

The use of 2FA can be enforced by a provider administrator, or can be selected optionally by each user in their own personal settings. In either case the registration of the mobile phone number will be followed immediately by the sending of an authentication code that must be entered before access is gained to the system.

The mobile phone number that is registered is held in the user’s My Account settings, to which entry will be controlled by a further 2FA code challenge. This will prevent a user’s settings being altered without authority. If a user changes their mobile phone number for any reason, the provider administrator will be able to require the user to reset 2FA with a different phone number.

Other enhancements in version 6.02

As always, version 6.02 of Safe4 includes a number of server-based security updates that relate to the way that data is held and managed on our servers. It is our policy not to publish details of these changes.

A further change in version 6.02 relates to the way in which folders are displayed. Folders and subfolders will be shown in the right-hand pane of the screen, together with any files that are stored in that folder. This is the first step towards more flexible management of folders.

Additionally, version 6.02 will allow the selection of which users will receive notification of file uploads. This will involve a further option in the Upload Files dialog box.

The Safe4 User Guides have been updated to reflect these changes.

For more information on how Safe4 can help your organisation to reduce cost, enhance client service and improve security and compliance, please contact us. We will be delighted to assist you.

Password strength requirements for Safe4 are being increased

Cyber crime, identity theft and online fraud are becoming more frequent. It is known that there are large organisations, some of whom are state-backed, whose sole purpose is to disrupt the lawful activities on which much of our normal economic life is based. Recent ransomware attacks, as well as the ever-increasing use of spam email, are evidence of the scale of the threat. For this reason, the password strength requirements for the Safe4 system are being increased.

Safe4 works very closely with a number of public-sector organisations for whom security is paramount. Acting on the advice of the UK National Cyber Security Centre, part of GCHQ, the password requirements for Safe4 are being changed to incorporate a minimum length of 10 characters and a maximum of 150 characters. As before, each password will have to contain an upper and lower case alpha character, a number, and a symbol such as a punctuation mark. Passwords will accommodate spaces as well as normal characters, thus allowing the use of pass-phrases as well as basic passwords. The advice of the NCSC is that passwords up to 8 characters can now be cracked by brute-force attack methods in a few minutes, whereas those with 10 or more characters are unlikely to be cracked in meaningful time.

Password strength matters

Choosing a new password is increasingly challenging, hence the ability to use a pass-phrase for Safe4. This can be a favourite piece of text, such as line from a book or song, which will generally be easier to remember than a shorter password containing an obtuse string of characters. The longer the password, the more difficult for criminals to crack it. A random sequence of words that are easily remembered will have the same effect.

An additional feature that Safe4 have incorporated in this release is a warning message if the password chosen by a user has already been compromised on another site. This does not prevent the selection of that password, but the user is warned of the potential risk.

Following the release of Safe4 version 6.01, scheduled for 25 May 2019, new users will be invited to create accounts using the updated password strength requirements. The new rules will also be applied to password changes and to resets.

2-Factor Authentication by Text Message

At present, the 2-factor authentication applied by Safe4 is based on the use of a 6-digit PIN as well as a username and password. In July 2019 this will be changed, and the PIN will be replaced by a numeric code sent to the user by text message.

We at Safe4 are constantly trying to ensure that the system is as secure as possible, and that our customers’ data is protected to the maximum extent. If you have any questions, or if you would like any information on how Safe4 can assist your organisation to enhance the security of your communications, please contact us.

Invoice fraud still a major threat

In December 2018 Safe4 published an article highlighting the increasing instance of invoice fraud in the UK. This is not just a UK issue – criminals across Europe are defrauding businesses of huge sums by intercepting emails and changing the bank details on invoices.

Invoice fraud remains a major problem

Further evidence of invoice fraud was published yesterday on the BBC website. Again, the use of email was highlighted as one of the most prevalent means of getting a customer to pay the funds rightfully due to their supplier into a fraudulent bank account. in 2018 3,280 cases were reported, although it is likely that the actual number was higher. In total at least £93 million was stolen through invoice fraud.

There is a solution …

Safe4 provides a secure means of transferring information of any kind between businesses of any size and type. Use of UK-only data centres accredited to ISO 27001, comprehensive audit trails, and industry-leading encryption techniques radically reduce the risk of fraud, and thus the potential for incurring significant financial losses.

Please get in touch with us if you would like to ensure that your business does not suffer from invoice fraud – we will be delighted to assist you.

Record of 100% availability of Safe4 continues – but not for all service providers

Safe4 recorded another month of 100% availability in December 2018, to continue a remarkable record of availability in excess of 99.99% that stretches back to October 2017. In addition to providing the highest standards of security in managing customers’ documents and data, Safe4 also ensures that information is always available when needed.

Not all service providers are able to claim such a record, as published today. As well as utilising UK-only data centres accredited to ISO 27001 and being fully compliant with the Solicitors Regulation Authority guidance for cloud computing, Safe4 has been able to ensure that customers’ business activities are not curtailed or interrupted by the system being unavailable.

For more information on how Safe4 can help your organisation to improve security, reduce costs and enhance client service, please contact us. We will be very pleased to assist you.

Evidence of increased threat of email intrusion

Online fraud and theft have become widespread in recent years. Email in particular presents a growing risk as criminals identify ever more devious methods of persuading individuals and businesses to expose their confidential information.

The risk is highlighted in an article on the VaultConnect website, please click here for details. VaultConnect are partners of Safe4, and are working to reduce the risk of email intrusion for professional practitioners and other businesses across the United Kingdom. This article refers to 5 scams, of which number 3 is the particular case in point. Safe4 have stressed the importance of avoiding the use of email for some years, although in many sectors it is still used routinely to transfer confidential information in spite of the potential consequences of a breach under the terms of the Data Protection Act.

For more information on how the use of Safe4 can help your organisation to reduce cost and improve regulatory compliance and governance whilst enhancing customer service, please contact us.

Password strength checker improvements for Safe4

One of the challenges of enforcing strict rules about the strength of passwords is how to make them secure and still easily usable by people who perhaps utilise a system occasionally and often need rapid access to share or obtain important information.

Safe4 has now been updated to make it easier for users to select passwords in the first place, by listing each of the strength requirements and showing visually when these have been satisfied. Because Safe4 is used in many countries around the world and by speakers of many languages, it can be difficult to prevent users from choosing a password that is a common word in one language but not in another. Using sequential characters on a keyboard is also potentially an issue, as in several European countries different keyboard layouts are utilised. Beyond Europe, in countries where alphabets may also differ, keyboard layouts are often radically different from those familiar in Anglophone regions.

Keeping it simple without sacrificing security

Safe4 has become established as one of the most secure sites on the Internet, and consequently enforcing strict password requirements is essential given the presence of brute-force attack systems that can crack simple passwords very quickly. Whilst setting a strong password is the responsibility of each individual user, applying specific rules governing this, as well as limiting the number of unsuccessful login attempts within a single browser session, makes it easier to prevent unauthorised access to the system. The changes made by Safe4 will inform new users of the strength of their password as each character is chosen, and show any discrepancies visually.

Please contact us if you would like any further information on the security measures that are taken by Safe4 to protect the integrity of information that we hold, and the protection that this offers for our customers.

Safe4 is going large – version 5.20 is released

October 2018 has seen the release of Safe4 version 5.20, which contains some important enhancements to the highly secure information delivery and management service. “Safe4 is going large” is a fitting way to describe some of the changes introduced in this release.

As in all new releases, Safe4 have improved a number of the fundamental security features of the system. In order to make sure that customers’ data, as well as that of their clients, is managed in the most secure way possible, changes have been made to the way in which information is stored so that the risk of penetration is reduced. This includes some changes that will make it easier for clients to comply with the Data Protection Act, following the introduction of GDPR in May 2018. For example the Subject Access Request report, which is available at the press of a single button, has been expanded.

Large file management

However, the most significant element within this release is the ability to upload files of up to 800 megabytes per individual file. This is an interim step, with the short term objective being 2 gigabytes per individual file. The fundamental security approach of Safe4 has always meant that uploading documents was more than just moving a file from one location to another, and consequently the upload process involves a number of server-based functions such as virus-checking, content scanning, encryption, transferring the file into cloud storage and updating the database and all of the audit trails. These functions have now been separated and will be performed sequentially, so that the server-based processing is carried out after the client interface has been refreshed. Very large files will be shown on the file list immediately, but with a “Processing” indicator until the server functions have been completed.

As well as virus checking and encryption, Safe4 also performs a series of content checks to ensure the integrity of the data that is being uploaded. If the file fails one of these tests, or is found to contain a virus, a reference will be shown on the file list even though the file itself has been removed from the server. This will cover the whitelisting and blacklisting scans, as well as the ability to check for any files that have been protectively marked.

More significant developments to come

There is a lengthy list of enhancements in the pipeline for Safe4. The next release will feature the ability for files held in Safe4 to be signed digitally in a way that allows them to be submitted to both HMRC and Companies House in the UK. This important development will be a major time-saver for any organisation that needs multiple signatories to approve documents, and will be carried out entirely within Safe4, without the use of any external technology.

If you would like any further information on how Safe4 can help your business to improve client service, reduce costs and enhance regulatory compliance, please contact us. We will be delighted to assist you.

Cyber crime is still soaring – and insecure email remains the weakest link

The scourge of email scams and phishing continues to rise relentlessly. Whilst some organisations have taken steps to protect themselves, many still use email to transfer confidential information to recipients both within and beyond their own domain. A recently-published article highlights this, and the risks to corporate governance that are involved.

Professional practitioners are among the worst offenders. Much of the information that they generate on behalf of their clients is highly confidential and is sent by email as an attachment. Not only does this expose their clients to the loss or theft of the data, it is inefficient and can ultimately lead to serious difficulties for the practitioners themselves. In the UK it is estimated that more than 70% of law firms, for example, still use open email to carry confidential client information.

Sometimes the clients themselves are a problem …

Accounting firms, for example, provide services for a wide range of different clients, everything from global corporates to the local butcher, baker and candlestick-maker. At the smaller end of this scale many clients are resistant to using secure information sharing services as they find it easier to simply receive financial information as an attachment to an email. Sometimes it is securely stored away, but often it is not, leading to repeated requests for the information to be re-sent by the accountant, multiplying the scale of the risk.

VaultConnect, partners of Safe4 Information Management, have expressed the consequences of these “can you just …” requests for information. Typically they result in an interruption of approximately 23 minutes to stop a current task, go and find the requested information, respond to the client, and then try to resume the task that has been interrupted. And the result of this is to expose both the client and the accountant to increased risk.

There are better and safer options

The Safe4 service has been designed explicitly to protect any organisation that needs to share confidential information with external or internal parties, whether it be in unstructured form (such as documents), or structured (data held in columnar format, similar to spreadsheets and simple databases). Manningtons, an accounting firm in Sussex, have recently chosen to significantly expand their use of Safe4 in order to protect themselves and their clients from loss or theft of sensitive information. Read about their experiences here. The result of this approach has enabled Manningtons to enhance their compliance with both the Data Protection Act (which now embodies the recently-enacted European General Data Protection Regulation), and with the guidance issued by the Institute of Chartered Accountants of England and Wales. This strongly advises accounting firms not to send confidential information to clients by email, even if the client has actually requested that they do so.

Safe4 utilises a highly secure vault to hold information relating to each client. This can be shared with the clients themselves, allowing two-way transfer of confidential documents and data. The very granular permissions provided by Safe4, as well as comprehensive audit trails and reporting functions, add further levels of protection to the professional practitioners as well as their clients.

Contact Safe4

For more information on how Safe4 can help your organisation to achieve enhanced levels of security and compliance with regulatory frameworks, please get in touch. We will be delighted to assist you.

More good news for Safe4 customers – outstanding availability record

Safe4 has achieved outstanding availability in the last 7 months.  Since 1 October 2017 the highly secure information delivery and storage service has achieved 100% uptime, with not a single second lost through system outages of any kind. This represents a stark contrast with other cloud-based information management services, many of which report outages almost weekly. Availability of the Safe4 service is monitored independently, and reported on every month.

This outstanding availability record for Safe4 underlines the quality of service that is the basis of the way the system functions. During the period from 1 October 2017 to date, Safe4 has undergone 4 major upgrades, none of which interrupted access to the system. This process of enhancement included the changes associated with enabling Safe4 to support customers’ GDPR compliance programmes, many of which went deep into the core of the software.

Safe4 delivers value

An exceptional level of availability is just one of the significant benefits that Safe4 offers. Safe4 has been independently assessed among the most secure 0.8% of sites on the internet, out of millions tested. Other benefits include automated upload notifications, comprehensive audit trails and reporting facilities, and UK hosting in ISO 27001-accredited data centres. Extensive customer branding and white labeling, granular permission and content controls as well as a unique and flexible architecture allow Safe4 customers to derive a wide range of financial and operational benefits.

Maintaining a strong commitment to a high quality of customer service is one of the key objectives of Safe4, together with providing class-leading levels of security. For more information on how Safe4 can provide benefits for your business, please get in touch with us. We will be delighted to assist you.