Payment fraud using email – it’s completely avoidable

Payment fraud is a constant risk

Occurrences of payment fraud using email are continuing to hit the headlines, and it is something that can be avoided completely. The risk of using email for communication of confidential information has been evident for some years, as highlighted by this post on the Safe4 website last year.

Sending invoices by email, particularly for large sums of money, is fraught with risk. Even communicating via email regarding financial transactions can risk significant losses – as highlighted in the media today. Both supplier and customer can be victims of this type of fraud.

Personal or financial information – don’t use email

It is not just using email for communicating financial information that can lead to unnecessary risks. Personal data can also be misused if it is transferred between organisations by email. The potential for theft of highly personal information is something that HR consultants face constantly, as illustrated on this website in April this year.

There is a solution

For a number of years Safe4 have been delivering invoices by uploading them into a secure vault dedicated to each customer. Only the designated users of each vault are able to access the document, and there is a comprehensive audit trail of all activity so that the supplier can be sure that the invoice has been received by the customer – and nobody else.

Options for ad-hoc sharing of confidential information have been identified by Safe4 partners OPTSM, as explained on their website. The simple rule – if you need to communicate sensitive financial or personal information, don’t use email – use SafeShare, the approach they are offering. This is based on the ability to create a Safe4 vault and invite a user in a few seconds, thus making sure that the data being shared gets to the right person immediately and with no risk of intrusion.

If you would like more information on how to avoid the risk of financial payment fraud or loss of sensitive personal data, please get in touch. We will be delighted to help.

HR Consultants are benefiting from using Safe4

HR Consultants no longer have to worry about the safety and security of communications with their clients

Safe4 Channel Development Director

Paul Stallard

 

HR Consultants are benefiting from using Safe4. Paul Stallard, Channel Development Director of Safe4, has stressed that by its very nature the information that is passed between HR consultants and their clients, particularly employee information, is extremely confidential. Of course, it is covered explicitly by the UK Data Protection Act of 2018, which has embraced the European General Data Protection Regulation. However, the loss or improper use of personally-identifiable information can lead to massive penalties and serious reputational damage.

 

Safe4 provides a highly secure online vault for HR Consultants to share and store confidential information. With over 48,000 users Safe4 is a well-established platform that provides a range of benefits:

  • Complete confidentiality – Safe4 has been designed to be secure from first principles
  • A secure vault is set up for each client or employee of the principal client. There is no possibility of any unauthorised access to information – only specifically-invited and authorised parties can access the vault
  • All data is stored in the UK
  • A comprehensive audit trail captures records of all user activity
  • No information is actually sent by email. Whilst so-called “secure” email services might be able to transfer information safely between parties, they do not manage any documents or data throughout the life of a consultant / client relationship, or indeed of a client / employee relationship – Safe4 does
  • The Safe4 asset register allows information to be held as structured data and displayed in columns and rows similar to a spreadsheet or simple database. This is a highly secure and efficient way to hold specific details about an individual, allowing such confidential data as National Insurance numbers, bank details, and general personal information to be entered directly into fields online, as opposed to having to include them within a document
  • Automatic notification of any new upload, whether of a document or a data record
  • Signing documents online – this can cover service agreements between consultant and client, as well as contracts of employment for the clients’ staff. The Safe4 document signing facility is accepted by both HMRC and Companies House in the UK
  • The Safe4 compliance framework can be used as a means of sharing policy and procedure documents with staff, and can also provide confirmation that these documents have been read and understood

In short, the implementation of this approach can allow HR Consultants to furnish their clients with confidential information in a completely secure way, and can also be extended to allow the Consultant’s client companies to manage the information they handle on behalf of their own staff.

For more information on how HR Consultants are benefiting from using Safe4, please contact us. We will be delighted to share with you some of the success stories achieved so far.

Safe4 version 6.1 is released – managing large file uploads safely

Alistair Stubbs

 

The release of Safe4 version 6.1 represents a significant move forward. The task of managing large file uploads safely has proved to be a considerable challenge, but members of the Safe4 development team, led by Alistair Stubbs and Darren Hamilton, have completely overhauled the upload function within the system to make it more secure and much more robust.

File size limit is increased to 2 GB

Safe4 can now accept uploads of up to 2 GB per individual file. Safe4 does not function in the same way as an FTP site by simply transferring files from one location to another, but processes files by checking for viruses and applying industry-leading encryption. Security policies are also enforced through whitelist and blacklist checking, as well as scanning for protective markings and rejecting the upload of password-protected files when appropriate settings are applied. This comprehensive content checking also extends to ZIP files, nested to an arbitrary level. Updating comprehensive audit trails enables the system to maintain a full record of all user activity.
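A sketch of how content checking of nested ZIP files can be done, added here as an illustration and not taken from Safe4's code. The blocked extensions, the nesting cap and the decompression budget are assumptions; the caps are there because an archive nested without limit can expand to far more data than was uploaded.

```python
import io
import posixpath
import zipfile

BLOCKED_EXT = {".exe", ".js", ".vbs", ".scr"}  # assumed blocklist
MAX_DEPTH = 5                  # assumed cap on archive nesting
MAX_TOTAL_BYTES = 50 * 2**20   # assumed budget for all decompressed data


def scan_upload(name, data):
    """Return policy findings for one upload, descending into nested ZIPs."""
    findings = []
    _scan(name, data, 0, [MAX_TOTAL_BYTES], findings)
    return findings


def _scan(path, data, depth, budget, findings):
    # Extension of the innermost file name ("a.zip!dir/b.exe" -> ".exe").
    ext = posixpath.splitext(path.rsplit("/", 1)[-1])[1].lower()
    if ext in BLOCKED_EXT:
        findings.append(f"blocked type: {path}")
    # Detect archives by content, not by name, so a renamed ZIP is still opened.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    if depth >= MAX_DEPTH:
        findings.append(f"nesting too deep: {path}")
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{path}!{info.filename}"
                if info.flag_bits & 0x1:  # bit 0 set: member is encrypted
                    findings.append(f"password-protected: {member}")
                    continue
                # Check the declared size first, then enforce the same
                # limit on the bytes actually produced by decompression.
                if info.file_size > budget[0]:
                    findings.append(f"size budget exceeded: {member}")
                    return
                with zf.open(info) as fh:
                    content = fh.read(budget[0] + 1)
                if len(content) > budget[0]:
                    findings.append(f"size budget exceeded: {member}")
                    return
                budget[0] -= len(content)  # budget is shared by all levels
                _scan(member, content, depth + 1, budget, findings)
    except (zipfile.BadZipFile, NotImplementedError):
        findings.append(f"unreadable archive: {path}")
```
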

The enhanced upload process now manages a series of queues, so that if network connections are broken, or hardware failure occurs in the server environment, uploads will still be completed without further user intervention.

Opportunities for new applications

The increase in the file size limit opens up new areas of opportunity for the application of Safe4. Capture of PST files from email systems is one area that is of great interest to law firms, who may need to store very large files as records of projects or cases. Medical requirements can also be addressed; video files generated by endoscope examinations are frequently very large, and can now be handled within the context of patient records.

Please contact us if you would like any further information on how Safe4 can be used within your organisation – we will be delighted to assist you.

March 2020 sees the millionth upload to Safe4

This month has seen the millionth upload to Safe4. The number of uploads to Safe4 had already eclipsed the previous monthly record before we reached the middle of March, reflecting the dramatic changes in working practices caused by the rapid spread of the Coronavirus in the United Kingdom.

When a pandemic such as Covid-19 has such an enormous impact on the way organisations operate, the need for rapid and safe communication is paramount. Safe4 has assisted a number of customers to set up new channels of communication so that interaction with staff who are working from home is made easier and more effective.

The availability of cloud-based services and resources has had a profound impact on our ability to withstand the effects of the Covid-19 pandemic. Business resilience is greatly improved, and although the UK economy will undoubtedly be severely disrupted during this period, we will maintain a greater semblance of normality than would have been the case several decades ago.

If you would like more information on how Safe4 can assist your organisation to deal with the effects of major disruptive events, please contact us.

Confusion reigns regarding responsibility for data protection compliance

A recent survey suggests that there is still a good deal of confusion regarding responsibility for data protection compliance. Given that the UK adopted the EU GDPR into the Data Protection Act in May 2018, this reflects the general lack of awareness among many organisations today.

This survey also indicates a lack of clarity over whether cloud-based information management services offer better or worse protection than traditional on-premise storage. The answer of course is that the level of security and therefore protection depends on which cloud service provider is involved. Safe4 has an unblemished record of secure service provision, with an availability record very close to 100%. Not all cloud service providers can offer this.

Safe4 has also clarified the different roles and responsibilities relating to data protection in their Data Protection Policy – click here for more details. Safe4 does not claim ownership of any data that is stored within its system, and thus acts as the Data Processor. Customers own their data and have responsibility for any information that is placed in Safe4, and therefore are Data Controllers.

Adding to the benefit of using Safe4 for information storage is the fact that Safe4 only uses UK-based hosting services accredited to ISO 27001. Together with enhanced password strength management and 2-factor authentication, Safe4 provides a platform for its customers to be confident that the system will support their own Data Protection compliance programme. No cloud service provider can make its customers compliant with the Act however – ultimate responsibility lies with the Data Controller to ensure that their own information security policies and practices are enforced. The vast majority of data security breaches are caused by human error or poorly trained employees.

For more information on how Safe4 can assist your data protection compliance programme, please contact us.

Enhanced user management as Safe4 version 6.03 is released

The release of Safe4 version 6.03 sees an upgrade in the way that vault users can be managed. It is now possible for vault users to be given specific permission to issue invitations to those with whom they wish to share their own vault. Hitherto the issuing of user invitations has been restricted to provider users. This enhanced user management will support the implementation of Safe4 in a number of particular application scenarios, principally in situations where a vault user wishes to share their inheritance vault or life vault with a member of the family, for example.

As before, the ability to alter permission settings on folders and user accounts remains under the control of provider users. Invitations issued by vault users will carry by default a read-only security group setting, thus preventing any potentially unwanted addition or removal of documents or data in the vault by the invited user.

Safe4 version 6.03 also incorporates a number of server-side enhancements to security and performance, to ensure that the system remains among the safest and most reliable on the internet.

Please contact us if you would like more detail on this release, or for general information on how the implementation of Safe4 can bring benefits to your business.

Enhanced 2-Factor Authentication from Safe4

In line with the Safe4 policy of constantly enhancing security, as well as maintaining compliance with the recommendations of the UK National Cyber Security Centre, the latest release of Safe4, version 6.02, features 2-Factor Authentication using 7-digit codes sent to the user’s mobile device by text message. This enhanced 2-Factor Authentication from Safe4 (2FA) replaces the PIN, which has been a feature of the system since inception in 2010. The advice from the NCSC is summarised here.

Safe4 users with a PIN on their account will be prompted to enter a mobile phone number to which authentication codes will be sent. Once this has been done, they will be challenged to enter the code when logging in. The authentication code will have a life of 24 hours. When this period has elapsed a new code will be sent to the user’s mobile device on the next login.
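The code lifecycle described above, as an added example that is not Safe4's implementation. The 7-digit length and 24-hour life come from the article; the failure limit, the salted-hash storage and the `send_sms` callback are assumptions.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 7             # from the article
CODE_LIFETIME = 24 * 3600   # from the article: 24 hours, in seconds
MAX_FAILURES = 5            # assumption: the article states no failure limit


class SmsSecondFactor:
    """One outstanding code per user; only a salted hash of it is kept."""

    def __init__(self, send_sms):
        self._send_sms = send_sms   # hypothetical callable(phone, code)
        self._pending = {}          # user -> record

    def _issue(self, user, phone, now):
        # secrets, not random: codes must be unpredictable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user] = {
            "salt": salt,
            "digest": hashlib.sha256(salt + code.encode()).digest(),
            "expires": now + CODE_LIFETIME,
            "failures": 0,
        }
        self._send_sms(phone, code)

    def begin_login(self, user, phone, now):
        """Send a new code only if none is outstanding or the old one expired."""
        rec = self._pending.get(user)
        if rec is None or now >= rec["expires"]:
            self._issue(user, phone, now)
            return "code sent"
        return "use existing code"

    def check(self, user, code, now):
        rec = self._pending.get(user)
        if rec is None or now >= rec["expires"]:
            return False
        digest = hashlib.sha256(rec["salt"] + code.encode()).digest()
        if hmac.compare_digest(digest, rec["digest"]):  # constant-time compare
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            # Burn the code so a long-lived 7-digit value cannot be guessed
            # at leisure; the next login sends a fresh one.
            del self._pending[user]
        return False
```
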

Flexible options for applying 2-Factor Authentication

The use of 2FA can be enforced by a provider administrator, or can be selected optionally by each user in their own personal settings. In either case the registration of the mobile phone number will be followed immediately by the sending of an authentication code that must be entered before access is gained to the system.

The mobile phone number that is registered is held in the user’s My Account settings, to which entry will be controlled by a further 2FA code challenge. This will prevent a user’s settings being altered without authority. If a user changes their mobile phone number for any reason, the provider administrator will be able to require the user to reset 2FA with a different phone number.

Other enhancements in version 6.02

As always, version 6.02 of Safe4 includes a number of server-based security updates that relate to the way that data is held and managed on our servers. It is our policy not to publish details of these changes.

A further change in version 6.02 relates to the way in which folders are displayed. Folders and subfolders will be shown in the right-hand pane of the screen, together with any files that are stored in that folder. This is the first step towards more flexible management of folders.

Additionally, version 6.02 will allow the selection of which users will receive notification of file uploads. This will involve a further option in the Upload Files dialog box.

The Safe4 User Guides have been updated to reflect these changes.

For more information on how Safe4 can help your organisation to reduce cost, enhance client service and improve security and compliance, please contact us. We will be delighted to assist you.

Password strength requirements for Safe4 are being increased

Cyber crime, identity theft and online fraud are becoming more frequent. It is known that there are large organisations, some of whom are state-backed, whose sole purpose is to disrupt the lawful activities on which much of our normal economic life is based. Recent ransomware attacks, as well as the ever-increasing use of spam email, are evidence of the scale of the threat. For this reason, the password strength requirements for the Safe4 system are being increased.

Safe4 works very closely with a number of public-sector organisations for whom security is paramount. Acting on the advice of the UK National Cyber Security Centre, part of GCHQ, the password requirements for Safe4 are being changed to incorporate a minimum length of 10 characters and a maximum of 150 characters. As before, each password will have to contain an upper and lower case alpha character, a number, and a symbol such as a punctuation mark. Passwords will accommodate spaces as well as normal characters, thus allowing the use of pass-phrases as well as basic passwords. The advice of the NCSC is that passwords up to 8 characters can now be cracked by brute-force attack methods in a few minutes, whereas those with 10 or more characters are unlikely to be cracked in meaningful time.

Password strength matters

Choosing a new password is increasingly challenging, hence the ability to use a pass-phrase for Safe4. This can be a favourite piece of text, such as a line from a book or song, which will generally be easier to remember than a shorter password containing an obscure string of characters. The longer the password, the more difficult for criminals to crack it. A random sequence of words that are easily remembered will have the same effect.

An additional feature that Safe4 have incorporated in this release is a warning message if the password chosen by a user has already been compromised on another site. This does not prevent the selection of that password, but the user is warned of the potential risk.
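The rules above expressed as a checker, added here as an example and not Safe4's own code. The definition of "symbol" and the small constructed breach list are assumptions; a production system would consult a real breach corpus.

```python
import hashlib

MIN_LEN, MAX_LEN = 10, 150  # limits stated in the article

# Constructed stand-in for a breach corpus: SHA-1 digests of sample
# passwords, so the check runs offline and never stores plaintext.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password123!", "Summer2019!!", "Qwerty12345$")
}


def policy_violations(password):
    """Return the rules the password breaks (empty list means accepted)."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append("too short")
    if len(password) > MAX_LEN:
        problems.append("too long")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    # Assumption: a "symbol" is any character that is neither alphanumeric
    # nor whitespace. Spaces are allowed but do not count as the symbol.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no symbol")
    return problems


def is_compromised(password):
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def evaluate(password):
    """Policy violations reject the password; a breach hit is only a
    warning, matching the behaviour the article describes."""
    violations = policy_violations(password)
    return {
        "accepted": not violations,
        "violations": violations,
        "warning": "seen in a breach" if is_compromised(password) else None,
    }
```

Note that a password can satisfy every composition rule and still appear in a breach list, which is why the two checks are reported separately.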

Following the release of Safe4 version 6.01, scheduled for 25 May 2019, new users will be invited to create accounts using the updated password strength requirements. The new rules will also be applied to password changes and to resets.

2-Factor Authentication by Text Message

At present, the 2-factor authentication applied by Safe4 is based on the use of a 6-digit PIN as well as a username and password. In July 2019 this will be changed, and the PIN will be replaced by a numeric code sent to the user by text message.

We at Safe4 are constantly trying to ensure that the system is as secure as possible, and that our customers’ data is protected to the maximum extent. If you have any questions, or if you would like any information on how Safe4 can assist your organisation to enhance the security of your communications, please contact us.

Invoice fraud still a major threat

In December 2018 Safe4 published an article highlighting the increasing instance of invoice fraud in the UK. This is not just a UK issue – criminals across Europe are defrauding businesses of huge sums by intercepting emails and changing the bank details on invoices.

Invoice fraud remains a major problem

Further evidence of invoice fraud was published yesterday on the BBC website. Again, the use of email was highlighted as one of the most prevalent means of getting a customer to pay the funds rightfully due to their supplier into a fraudulent bank account. In 2018, 3,280 cases were reported, although it is likely that the actual number was higher. In total at least £93 million was stolen through invoice fraud.

There is a solution …

Safe4 provides a secure means of transferring information of any kind between businesses of any size and type. Use of UK-only data centres accredited to ISO 27001, comprehensive audit trails, and industry-leading encryption techniques radically reduce the risk of fraud, and thus the potential for incurring significant financial losses.

Please get in touch with us if you would like to ensure that your business does not suffer from invoice fraud – we will be delighted to assist you.

Document signing in Safe4 is now available – version 6.0 is released

The need for documents to be signed electronically in accordance with the requirements of HMRC and Companies House in the UK has been highlighted by a number of Safe4 customers. Consequently Safe4 have now added a document signing facility to their highly secure information delivery and storage service, without the need for any external technologies.

How the signing function works

There are a couple of prerequisites for this facility: the document must be held in Safe4 in PDF format, and the required signatories must be users of Safe4 and have access to the folder in which the document is located.

Single or multiple documents can be issued for signature, and if required multiple users can be requested to sign. In the case of multiple documents being selected, there is an option to create a “pack”, so that all of the documents can be signed in a single action. Requested signatories will receive an email with a link to the document/s requiring signature. When this is clicked they will be presented with an option to sign or decline the document, after having entered their Safe4 password and PIN. When all documents have been signed and all users have actioned the signature request, a new version of the PDF file will be created with an added page – this will show a complete list of all of the signatures, together with a verification code, made up of a hash of the user details, the document ID, and the date and time of signature. This functions in a similar way to blockchain, being an immutable record of the signing event.
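One way to derive and re-check such a verification code, added here as an example and not Safe4's algorithm. The article does not name the hash or the encoding, so SHA-256, the length-prefixed fields and the record layout are assumptions; `naive_code` shows why field boundaries need to be encoded.

```python
import hashlib
from datetime import datetime, timezone


def naive_code(user, document_id, signed_at):
    """Plain concatenation: field boundaries are lost before hashing, so
    different (user, document) pairs can yield the same code."""
    return hashlib.sha256((user + document_id + signed_at).encode()).hexdigest()


def _field(value):
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw  # length prefix keeps boundaries


def verification_code(user, document_id, signed_at):
    """Hash of user details, document ID and signing time, with each field
    length-prefixed and the time normalised to UTC."""
    if signed_at.tzinfo is None:
        raise ValueError("signed_at must be timezone-aware")
    stamp = signed_at.astimezone(timezone.utc).isoformat(timespec="seconds")
    material = b"".join(_field(v) for v in (user, document_id, stamp))
    return hashlib.sha256(material).hexdigest()


def failed_entries(entries, document_id):
    """Recompute every code listed on a signature page and return the users
    whose stored code no longer matches their recorded details."""
    return [
        e["user"]
        for e in entries
        if verification_code(e["user"], document_id, e["signed_at"]) != e["code"]
    ]
```
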

Other enhancements

In addition to the document signing function, a setting has been added to the provider administration screen, allowing Safe4 Common Folders to be disabled. If selected, this will prevent users uploading files into the Common Folders area of a Safe4 vault in error.

Significant changes have also been made to the Safe4 server architecture, enhancing security and performance, to ensure that the class-leading safety and availability provided by Safe4 is maintained in line with industry best practice.

If you would like any further information on how these enhancements can add value to your business, please contact us at Safe4. We will be delighted to hear from you.