Posts

More news about leaks of highly sensitive information

There are now virtually daily examples in the media of how leaks of highly sensitive information are occurring, often due to human error or misbehaviour, but also due to lack of security in poorly designed or managed systems. A current article in the media today highlights a glaring example of this – click here for more information.

Safe4 was designed with security at the core

The fundamental design of Safe4 is based around the use of secure vaults, into which information can be placed by the provider of the service, such as a professional practitioner or an employer, and the individual users who have been given access to that specific vault. Information cannot “leak” in the way that seems to be occurring regularly in other systems.

Even if a hacker were to break into the “back door” of Safe4, without using one of the normal user interfaces, nothing can be inferred due to the way that the data is obfuscated and encrypted. The secure vault design underpins this, so that each vault becomes a completely discrete storage space for information in structured form (in columns and rows, similar to spreadsheets and simple databases) or unstructured form (document files).

Regulatory compliance

Safe4 complies with a number of regulatory frameworks by virtue of the fact that all stored information is encrypted, everything is held in UK-based data centres that comply with ISO 27001, 2-factor authentication is in place, and a full audit trail of all user actions is maintained. In effect, it is the ideal solution for the storage and management of highly sensitive information.

Please contact us if you would like more information on how Safe4 can help your organisation to enhance compliance, reduce costs, and improve client service.

Payment fraud using email – it’s completely avoidable

Payment fraud is a constant risk

Occurrences of payment fraud using email are continuing to hit the headlines, and it is something that can be avoided completely. The risk of using email for communication of confidential information has been evident for some years, as highlighted by this post on the Safe4 website last year.

Sending invoices by email, particularly for large sums of money, is fraught with risk. Even communicating via email regarding financial transactions can risk significant losses – as highlighted in the media today. Both supplier and customer can be victims of this type of fraud.

Personal or financial information – don’t use email

It is not just using email for communicating financial information that can lead to unnecessary risks. Personal data can also be misused if it is transferred between organisations by email. The potential for theft of highly personal information is something that HR consultants face constantly, as illustrated on this website in April this year.

There is a solution

For a number of years Safe4 have been delivering invoices by uploading them into a secure vault dedicated to each customer. Only the designated users of each vault are able to access the document, and there is a comprehensive audit trail of all activity so that the supplier can be sure that the invoice has been received by the customer – and nobody else.

Options for ad-hoc sharing of confidential information have been identified by Safe4 partners OPTSM, as explained on their website. The simple rule – if you need to communicate sensitive financial or personal information, don’t use email – use SafeShare, the approach they are offering. This is based on the ability to create a Safe4 vault and invite a user in a few seconds, thus making sure that the data being shared gets to the right person immediately and with no risk of intrusion.

If you would like more information on how to avoid the risk of financial payment fraud or loss of sensitive personal data, please get in touch. We will be delighted to help.

Confusion reigns regarding responsibility for data protection compliance

A recent survey suggests that there is still a good deal of confusion regarding responsibility for data protection compliance. Given that the UK adopted the EU GDPR into the Data Protection Act in May 2018, this reflects the general lack of awareness among many organisations today.

This survey also indicates a lack of clarity over whether cloud-based information management services offer better or worse protection than traditional on-premise storage. The answer of course is that the level of security and therefore protection depends on which cloud service provider is involved. Safe4 has an unblemished record of secure service provision, with an availability record very close to 100%. Not all cloud service providers can offer this.

Safe4 has also clarified the different roles and responsibilities relating to data protection in their Data Protection Policy – click here for more details. Safe4 does not claim ownership of any data that is stored within its system, and thus acts as the Data Processor. Customers own their data and have responsibility for any information that is placed in Safe4, and therefore are Data Controllers.

Adding to the benefit of using Safe4 for information storage is the fact that Safe4 only uses UK-based hosting services accredited to ISO 27001. Together with enhanced password strength management and 2-factor authentication, Safe4 provides a platform for its customers to be confident that the system will support their own Data Protection compliance programme. No cloud service provider can make its customers compliant with the Act, however – ultimate responsibility lies with the Data Controller to ensure that their own information security policies and practices are enforced. The vast majority of data security breaches are caused by human error or poorly trained employees.

For more information on how Safe4 can assist your data protection compliance programme, please contact us.

Evidence of increased threat of email intrusion

Online fraud and theft have become widespread in recent years. Email in particular presents a growing risk as criminals identify ever more devious methods of persuading individuals and businesses to expose their confidential information.

The risk is highlighted in an article on the VaultConnect website; please click here for details. VaultConnect are partners of Safe4, and are working to reduce the risk of email intrusion for professional practitioners and other businesses across the United Kingdom. This article refers to 5 scams, of which number 3 is the particular case in point. Safe4 have stressed the importance of avoiding the use of email for some years, although in many sectors it is still used routinely to transfer confidential information in spite of the potential consequences of a breach under the terms of the Data Protection Act.

For more information on how the use of Safe4 can help your organisation to reduce cost and improve regulatory compliance and governance whilst enhancing customer service, please contact us.

Safe4 is going large – version 5.20 is released

October 2018 has seen the release of Safe4 version 5.20, which contains some important enhancements to the highly secure information delivery and management service. “Safe4 is going large” is a fitting way to describe some of the changes introduced in this release.

As in all new releases, Safe4 have improved a number of the fundamental security features of the system. In order to make sure that customers’ data, as well as that of their clients, is managed in the most secure way possible, changes have been made to the way in which information is stored so that the risk of penetration is reduced. This includes some changes that will make it easier for clients to comply with the Data Protection Act, following the introduction of GDPR in May 2018. For example, the Subject Access Request report, which is available at the press of a single button, has been expanded.

Large file management

However, the most significant element within this release is the ability to upload files of up to 800 megabytes per individual file. This is an interim step, with the short term objective being 2 gigabytes per individual file. The fundamental security approach of Safe4 has always meant that uploading documents was more than just moving a file from one location to another, and consequently the upload process involves a number of server-based functions such as virus-checking, content scanning, encryption, transferring the file into cloud storage and updating the database and all of the audit trails. These functions have now been separated and will be performed sequentially, so that the server-based processing is carried out after the client interface has been refreshed. Very large files will be shown on the file list immediately, but with a “Processing” indicator until the server functions have been completed.

As well as virus checking and encryption, Safe4 also performs a series of content checks to ensure the integrity of the data that is being uploaded. If the file fails one of these tests, or is found to contain a virus, a reference will be shown on the file list even though the file itself has been removed from the server. This will cover the whitelisting and blacklisting scans, as well as the ability to check for any files that have been protectively marked.
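The deferred processing described above can be sketched as follows. This is an added example, not Safe4's code: the class, the stage functions and every marker are hypothetical, encryption and the transfer to cloud storage are left out, and rejecting protectively marked files is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Every marker and rule here is an assumption for the example, not Safe4's.
VIRUS_MARKER = b"CONSTRUCTED-TEST-SIGNATURE"    # stands in for an AV engine hit
ALLOWED_MAGIC = (b"%PDF-", b"PK\x03\x04")        # whitelist: PDF, ZIP/OOXML
BLOCKED_MAGIC = (b"MZ", b"\x7fELF")              # blacklist: native executables
MARKINGS = (b"OFFICIAL-SENSITIVE", b"SECRET")    # protective markings

def virus_check(data):
    return "virus detected" if VIRUS_MARKER in data else None

def blacklist_scan(data):
    return "blacklisted file type" if data.startswith(BLOCKED_MAGIC) else None

def whitelist_scan(data):
    return None if data.startswith(ALLOWED_MAGIC) else "file type not whitelisted"

def marking_scan(data):
    hit = next((m for m in MARKINGS if m in data), None)
    return f"protectively marked: {hit.decode()}" if hit else None

STAGES = (virus_check, blacklist_scan, whitelist_scan, marking_scan)

@dataclass
class Entry:
    name: str
    status: str = "Processing"      # what the file list shows straight away
    reason: Optional[str] = None    # set only when a check fails

class Vault:
    def __init__(self):
        self.file_list, self.staged, self.stored, self.audit = {}, {}, {}, []

    def upload(self, name, data):
        """Client-facing step: list the file at once and defer the checks."""
        self.file_list[name] = Entry(name)
        self.staged[name] = data
        self.audit.append(("uploaded", name))
        return self.file_list[name]

    def process(self, name):
        """Server-side step: run the stages in order, stop at the first failure."""
        data = self.staged.pop(name)    # bytes leave staging whatever the outcome
        entry = self.file_list[name]
        for stage in STAGES:
            reason = stage(data)
            if reason:                  # content is dropped, the list entry stays
                entry.status, entry.reason = "Rejected", reason
                self.audit.append(("rejected", name, reason))
                return entry
        self.stored[name] = data
        entry.status = "Available"
        self.audit.append(("stored", name))
        return entry

if __name__ == "__main__":
    vault = Vault()
    for name, data in [("report.pdf", b"%PDF-1.7 constructed sample"),
                       ("tool.exe", b"MZ constructed sample")]:
        vault.upload(name, data)
        print(vault.process(name))
```

Until `process` has run, the bytes exist only in staging, so nothing that reads from `stored` can serve a file that has not passed every check.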

More significant developments to come

There is a lengthy list of enhancements in the pipeline for Safe4. The next release will feature the ability for files held in Safe4 to be signed digitally in a way that allows them to be submitted to both HMRC and Companies House in the UK. This important development will be a major time-saver for any organisation that needs multiple signatories to approve documents, and will be carried out entirely within Safe4, without the use of any external technology.

If you would like any further information on how Safe4 can help your business to improve client service, reduce costs and enhance regulatory compliance, please contact us. We will be delighted to assist you.

Cyber crime is still soaring – and insecure email remains the weakest link

The scourge of email scams and phishing continues to rise relentlessly. Whilst some organisations have taken steps to protect themselves, many still use email to transfer confidential information to recipients both within and beyond their own domain. A recently-published article highlights this, and the risks to corporate governance that are involved.

Professional practitioners are among the worst offenders. Much of the information that they generate on behalf of their clients is highly confidential and is sent by email as an attachment. Not only does this expose their clients to the loss or theft of the data, it is inefficient and can ultimately lead to serious difficulties for the practitioners themselves. In the UK it is estimated that more than 70% of law firms, for example, still use open email to carry confidential client information.

Sometimes the clients themselves are a problem …

Accounting firms, for example, provide services for a wide range of different clients, everything from global corporates to the local butcher, baker and candlestick-maker. At the smaller end of this scale many clients are resistant to using secure information sharing services as they find it easier to simply receive financial information as an attachment to an email. Sometimes it is securely stored away, but often it is not, leading to repeated requests for the information to be re-sent by the accountant, multiplying the scale of the risk.

VaultConnect, partners of Safe4 Information Management, have expressed the consequences of these “can you just …” requests for information. Typically they result in an interruption of approximately 23 minutes to stop a current task, go and find the requested information, respond to the client, and then try to resume the task that has been interrupted. And the result of this is to expose both the client and the accountant to increased risk.

There are better and safer options

The Safe4 service has been designed explicitly to protect any organisation that needs to share confidential information with external or internal parties, whether it be in unstructured form (such as documents), or structured (data held in columnar format, similar to spreadsheets and simple databases). Manningtons, an accounting firm in Sussex, have recently chosen to significantly expand their use of Safe4 in order to protect themselves and their clients from loss or theft of sensitive information. Read about their experiences here. This approach has enabled Manningtons to enhance their compliance with both the Data Protection Act (which now embodies the recently-enacted European General Data Protection Regulation), and with the guidance issued by the Institute of Chartered Accountants of England and Wales. That guidance strongly advises accounting firms not to send confidential information to clients by email, even if the client has actually requested that they do so.

Safe4 utilises a highly secure vault to hold information relating to each client. This can be shared with the clients themselves, allowing two-way transfer of confidential documents and data. The very granular permissions provided by Safe4, as well as comprehensive audit trails and reporting functions, add further levels of protection to the professional practitioners as well as their clients.

Contact Safe4

For more information on how Safe4 can help your organisation to achieve enhanced levels of security and compliance with regulatory frameworks, please get in touch. We will be delighted to assist you.

Safe4 releases version 5.10 to address GDPR compliance requirements

The General Data Protection Regulation becomes law across the EU on 25 May this year, and in order to assist our customers to ensure that they are compliant with the regulation we have introduced some system changes to the core Safe4 service. These changes are in fact part of a work-in-progress, since there are still some areas of uncertainty in the way that GDPR is expressed. The system modifications at this stage address the basic requirements of GDPR compliance, and will be built upon as greater clarity emerges.

As the Data Processor under data protection legislation, Safe4 makes use of a number of constructs, described within the system as providers and vaults. The new release, designated as version 5.10, allows these to be completely deleted, with all of their data content being irreversibly removed. The ability to perform such deletions will be granted to customers, the Data Controllers, at system administrator level only, and any actions of this sort will be carried out after several warnings have been given and responded to.

Users can also be deleted by Data Controllers. Safe4 permits users to have access to multiple providers and vaults, and consequently the removal of a user from a particular vault will not affect their access to any others.

However, because Safe4 is a system of record, the audit trails relating to the existence of providers, vaults and users will be retained. For example, the record of a user account’s existence will be retained as a basic “stub”, so that the integrity of audit trails can be maintained. Activity while a user was a member of a Safe4 vault will thus be available for evidential purposes in future, while any personal information that was stored about that person will be deleted.
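The reason for keeping a “stub” can be shown with a small schema in which audit rows reference the user by id. This is an added example, not Safe4's implementation: the tables, columns and sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """Hypothetical schema plus constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # audit rows must point at a real user
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT,
                            erased_at TEXT);
        CREATE TABLE audit (id INTEGER PRIMARY KEY,
                            user_id INTEGER NOT NULL REFERENCES users(id),
                            vault TEXT NOT NULL, action TEXT NOT NULL,
                            at TEXT NOT NULL);
        INSERT INTO users VALUES (1, 'Alice Example', 'alice@example.test', NULL),
                                 (2, 'Bob Example', 'bob@example.test', NULL);
        INSERT INTO audit (user_id, vault, action, at) VALUES
            (1, 'vault-a', 'upload', '2018-04-02T10:15:00Z'),
            (2, 'vault-a', 'download', '2018-04-03T08:30:00Z'),
            (1, 'vault-b', 'login', '2018-04-04T09:00:00Z');
    """)
    return db

def hard_delete(db, user_id):
    """Naive erasure: drop the row. Returns False if the audit trail blocks it."""
    try:
        with db:                             # rolls back if the DELETE fails
            db.execute("DELETE FROM users WHERE id = ?", (user_id,))
        return True
    except sqlite3.IntegrityError:
        return False

def erase_user(db, user_id, when):
    """Stub erasure: blank the personal columns, keep the id the audit trail uses."""
    with db:
        db.execute("UPDATE users SET name = NULL, email = NULL, erased_at = ? "
                   "WHERE id = ?", (when, user_id))

def personal_data(db, user_id):
    return db.execute("SELECT name, email FROM users WHERE id = ?",
                      (user_id,)).fetchone()

def audit_trail(db, vault):
    """Activity in one vault; the last column flags rows whose user is now a stub."""
    return db.execute(
        "SELECT a.at, a.user_id, a.action, u.erased_at IS NOT NULL "
        "FROM audit a JOIN users u ON u.id = a.user_id "
        "WHERE a.vault = ? ORDER BY a.id", (vault,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("hard delete allowed:", hard_delete(db, 1))
    erase_user(db, 1, "2018-05-25T09:00:00Z")
    print("personal data left:", personal_data(db, 1))
    print("vault-a trail:", audit_trail(db, "vault-a"))
```

The erasure is complete only if the audit rows themselves carry no personal data, for example a name embedded in an action description.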

The full range of reporting options will be developed over time as the specific needs of customers are established, and as aspects of GDPR compliance are clarified both by the Information Commissioner’s Office and by case law.

An additional function that will be made available to the Data Controller immediately will be the ability to respond to Subject Access Requests. The Safe4 administrator will be able to generate a Subject Access Request report at the touch of a button. This will create a PDF document that can be provided externally if required, or stored as a record within Safe4.

As always, we at Safe4 consider the secure handling of customers’ information to be our highest priority. This approach will continue, and will be extended as necessary through working closely with Data Controllers to ensure that their GDPR compliance obligations are being met.

For more information on how Safe4 can support your GDPR compliance programme, please contact us. We will be very pleased to assist. General information on GDPR can be obtained from the UK Information Commissioner’s Office.

Version 5.04 of Safe4 is released

Safe4 have released version 5.04 of the secure information delivery and storage service. This release includes a significant number of internal enhancements, and will assist with the administration and management of the service.

Users will notice changes in the way that reports and messages are handled and displayed, with more flexible options for listing and presentation. The method of PIN management has also been updated, as has the user invitation process. Further changes are in the pipeline to address the requirements of GDPR, which becomes law on 25 May 2018. It is anticipated that Safe4 will be GDPR-ready by the end of the first quarter of 2018, to ensure that customers will be fully supported in their own GDPR compliance programmes.

For more information on how Safe4 can assist your organisation to handle confidential information more securely and efficiently, as well as helping with your own GDPR compliance, please get in touch with us.

UK corporates becoming more aware of the importance of GDPR compliance

Whilst the corporate sector in the UK is generally becoming aware of the need to ensure that they are compliant with the new General Data Protection Regulation that comes into force in May 2018, there are still some large firms who are alarmingly exposed to the risk of cyber attack. According to recent research, only just over half of the boards running FTSE 350 companies recognise the full impact of the threat of cyber attack, and the need to become GDPR compliant.

The impact of GDPR will affect all organisations in the UK, both large and small. In fact, it could well be the SME sector that faces the greatest risk, as many do not have a robust IT infrastructure or the necessary policies and procedures to protect their clients’ data. Safe4 are currently working with a number of organisations in the charities sector who wish to ensure that their essential information, most notably details of their donors and their financial records, does not fall prey to intrusion and thus expose them to severe penalties.

If you would like more information on how implementing Safe4 within your business can significantly reduce the risk of online fraud and data theft, please contact us.

US may be set to change data privacy laws – again!

The Safe Harbor data privacy agreement between the US and the EU was deemed to be ineffective in 2015, and was subsequently replaced with a Privacy Shield arrangement – which is still considered by many to be inadequate. Recent announcements by the new US administration suggest that the internal data privacy laws in the US will be subject to further change, affecting those who are not US citizens or permanent residents in the US. Please click here for more background on this development.

Safe4 decided back in 2010 that all of the data held within its secure document delivery and storage service would be stored in UK-located data centres, accredited to ISO 27001. This offers maximum protection to our customers and their clients, employees, suppliers, partners and associates. Reliance on US-hosted data storage could be seen to carry unnecessary risk of misuse or disclosure of personally-identifiable information, hence the benefit of keeping all stored data onshore within the UK.

For more detail on the measures that Safe4 applies to keep information secure, please contact us. We would be very pleased to speak with you.