Posts

Evidence of increased threat of email intrusion

Online fraud and theft have become widespread in recent years. Email in particular presents a growing risk as criminals identify ever more devious methods of persuading individuals and businesses to expose their confidential information.

The risk is highlighted in an article on the VaultConnect website; please click here for details. VaultConnect are partners of Safe4, and are working to reduce the risk of email intrusion for professional practitioners and other businesses across the United Kingdom. This article refers to 5 scams, of which number 3 is the particular case in point. Safe4 have stressed the importance of avoiding the use of email for some years, although in many sectors it is still used routinely to transfer confidential information in spite of the potential consequences of a breach under the terms of the Data Protection Act.

For more information on how the use of Safe4 can help your organisation to reduce cost and improve regulatory compliance and governance whilst enhancing customer service, please contact us.

Safe4 is going large – version 5.20 is released

October 2018 has seen the release of Safe4 version 5.20, which contains some important enhancements to the highly secure information delivery and management service. “Safe4 is going large” is a fitting way to describe some of the changes introduced in this release.

As in all new releases, Safe4 have improved a number of the fundamental security features of the system. In order to make sure that customers’ data, as well as that of their clients, is managed in the most secure way possible, changes have been made to the way in which information is stored so that the risk of penetration is reduced. This includes some changes that will make it easier for clients to comply with the Data Protection Act, following the introduction of GDPR in May 2018. For example the Subject Access Request report, which is available at the press of a single button, has been expanded.

Large file management

However, the most significant element within this release is the ability to upload files of up to 800 megabytes per individual file. This is an interim step, with the short term objective being 2 gigabytes per individual file. The fundamental security approach of Safe4 has always meant that uploading documents was more than just moving a file from one location to another, and consequently the upload process involves a number of server-based functions such as virus-checking, content scanning, encryption, transferring the file into cloud storage and updating the database and all of the audit trails. These functions have now been separated and will be performed sequentially, so that the server-based processing is carried out after the client interface has been refreshed. Very large files will be shown on the file list immediately, but with a “Processing” indicator until the server functions have been completed.

As well as virus checking and encryption, Safe4 also performs a series of content checks to ensure the integrity of the data that is being uploaded. If the file fails one of these tests, or is found to contain a virus, a reference will be shown on the file list even though the file itself has been removed from the server. This will cover the whitelisting and blacklisting scans, as well as the ability to check for any files that have been protectively marked.
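The deferred processing described above, sketched as an added example (not Safe4's code): the upload call lists the file as "Processing" at once, the server-side stages then run in order, and a failed file keeps its list entry while its bytes are discarded. The class and check names, the constructed marker strings, the in-memory store standing in for encryption and cloud storage, and the rule that a file cannot be downloaded until processing succeeds are all assumptions.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    PROCESSING = "Processing"
    AVAILABLE = "Available"
    REJECTED = "Rejected"


@dataclass
class Entry:                       # what the file list shows for one upload
    name: str
    status: Status = Status.PROCESSING
    reason: str = ""               # failed stage, kept after the bytes are gone
    sha256: str = ""


# Constructed stand-ins for the server-side checks (assumptions, not real rules).
TEST_SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"
ALLOWED_EXT = (".pdf", ".docx", ".xlsx")
MARKING = b"PROTECTIVE-MARKING:"

CHECKS = [
    ("virus-scan", lambda name, data: TEST_SIGNATURE not in data),
    ("type-whitelist", lambda name, data: name.lower().endswith(ALLOWED_EXT)),
    ("protective-marking", lambda name, data: MARKING not in data),
]


class Vault:
    def __init__(self, checks=CHECKS):
        self.checks = checks
        self.listing = {}   # file id -> Entry, visible as soon as upload returns
        self.staging = {}   # file id -> bytes waiting for server-side processing
        self.storage = {}   # file id -> bytes; stands in for encrypted cloud storage
        self.audit = []     # append-only (file id, event) records
        self.queue = []

    def upload(self, file_id, name, data):
        """Accept the bytes and return at once; nothing has been checked yet."""
        self.listing[file_id] = Entry(name)
        self.staging[file_id] = data
        self.queue.append(file_id)
        self.audit.append((file_id, "uploaded"))
        return self.listing[file_id]

    def process_next(self):
        """Run the stages in order for the oldest queued upload."""
        if not self.queue:
            return None
        file_id = self.queue.pop(0)
        data = self.staging.pop(file_id)      # bytes leave staging either way
        entry = self.listing[file_id]
        for stage, check in self.checks:
            passed = check(entry.name, data)
            self.audit.append((file_id, f"{stage}:{'pass' if passed else 'fail'}"))
            if not passed:
                # The content is dropped; the list entry stays as a reference.
                entry.status, entry.reason = Status.REJECTED, stage
                return entry
        entry.sha256 = hashlib.sha256(data).hexdigest()
        self.storage[file_id] = data
        entry.status = Status.AVAILABLE
        self.audit.append((file_id, "stored"))
        return entry

    def download(self, file_id):
        """Serve content only once every stage has passed."""
        entry = self.listing[file_id]
        if entry.status is not Status.AVAILABLE:
            raise PermissionError(f"{entry.name} is {entry.status.value}")
        return self.storage[file_id]
```

The point to check in any design like this is the window between upload and scan completion: the entry is visible, but `download` must refuse it until the status changes.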

More significant developments to come

There is a lengthy list of enhancements in the pipeline for Safe4. The next release will feature the ability for files held in Safe4 to be signed digitally in a way that allows them to be submitted to both HMRC and Companies House in the UK. This important development will be a major time-saver for any organisation that needs multiple signatories to approve documents, and will be carried out entirely within Safe4, without the use of any external technology.

If you would like any further information on how Safe4 can help your business to improve client service, reduce costs and enhance regulatory compliance, please contact us. We will be delighted to assist you.

Cyber crime is still soaring – and insecure email remains the weakest link

The scourge of email scams and phishing continues to rise relentlessly. Whilst some organisations have taken steps to protect themselves, many still use email to transfer confidential information to recipients both within and beyond their own domain. A recently-published article highlights this, and the risks to corporate governance that are involved.

Professional practitioners are among the worst offenders. Much of the information that they generate on behalf of their clients is highly confidential and is sent by email as an attachment. Not only does this expose their clients to the loss or theft of the data, it is inefficient and can ultimately lead to serious difficulties for the practitioners themselves. In the UK it is estimated that more than 70% of law firms, for example, still use open email to carry confidential client information.

Sometimes the clients themselves are a problem …

Accounting firms, for example, provide services for a wide range of different clients, everything from global corporates to the local butcher, baker and candlestick-maker. At the smaller end of this scale many clients are resistant to using secure information sharing services as they find it easier to simply receive financial information as an attachment to an email. Sometimes it is securely stored away, but often it is not, leading to repeated requests for the information to be re-sent by the accountant, multiplying the scale of the risk.

VaultConnect, partners of Safe4 Information Management, have expressed the consequences of these “can you just …” requests for information. Typically they result in an interruption of approximately 23 minutes to stop a current task, go and find the requested information, respond to the client, and then try to resume the task that has been interrupted. And the result of this is to expose both the client and the accountant to increased risk.

There are better and safer options

The Safe4 service has been designed explicitly to protect any organisation that needs to share confidential information with external or internal parties, whether it be in unstructured form (such as documents), or structured (data held in columnar format, similar to spreadsheets and simple databases). Manningtons, an accounting firm in Sussex, have recently chosen to significantly expand their use of Safe4 in order to protect themselves and their clients from loss or theft of sensitive information. Read about their experiences here. The result of this approach has enabled Manningtons to enhance their compliance with both the Data Protection Act (which now embodies the recently-enacted European General Data Protection Regulation), and with the guidance issued by the Institute of Chartered Accountants of England and Wales. This strongly advises accounting firms not to send confidential information to clients by email, even if the client has actually requested that they do so.

Safe4 utilises a highly secure vault to hold information relating to each client. This can be shared with the clients themselves, allowing two-way transfer of confidential documents and data. The very granular permissions provided by Safe4, as well as comprehensive audit trails and reporting functions, add further levels of protection to the professional practitioners as well as their clients.

Contact Safe4

For more information on how Safe4 can help your organisation to achieve enhanced levels of security and compliance with regulatory frameworks, please get in touch. We will be delighted to assist you.

Manningtons responds strongly to the challenge of GDPR by expanding the use of Safe4

 

With a client base numbering close to 3,000 and offices across Sussex and Kent, Manningtons have become one of south-east England’s best-established accounting practices.  From their head office in Heathfield, East Sussex, they offer a wide range of accounting, taxation, and financial management services.  Like all professional practitioners, they have had to respond to the challenge of GDPR.

Manningtons’ relationship with Safe4 began in 2010, shortly after the secure document delivery and storage service was launched.  Alan Staples, Managing Partner at Manningtons, recognised that the application of technology to the running of an accountancy practice was gathering pace, and was determined to explore better and more secure ways to communicate with the firm’s clients.  Traditional methods of communication such as hard copy post and email were still in everyday use, as indeed they were in much of the UK business community.  However, these methods were often costly and inefficient, and in recent years have become increasingly unsafe as online fraud and theft have emerged as significant threats.

GDPR is driving change

The adoption of the Safe4 service by Manningtons has gathered momentum with the arrival of the General Data Protection Regulation across Europe.  Alan Staples is extremely conscious that protecting Manningtons’ clients from misuse or loss of personal information is not only best practice, but is also demanded by the Institute of Chartered Accountants of England and Wales.  Thus combining a high standard of service to clients with a high level of compliance has triggered a significant increase in the use of Safe4 as a means of getting confidential information to and from clients.

Alan’s view on this matter is very clear: “We can no longer send confidential information to clients by email.  That is the clear directive to our staff, and we are now putting Safe4 to greater use in order to ensure that we are taking the best possible care of our clients’ interests.  Manningtons serves a very varied client base across a range of different sectors.  Not all of our clients have been quick to adopt the use of modern technology, but they are now increasingly aware of the risks that they run by sticking with email as a way of transferring their confidential information.  We cannot run the risk of email intrusion, and must ensure that client information is kept confidential at all times.  The Technical Helpsheet from the ICAEW makes it clear that even if clients ask us to use email, this should not be an option that we choose.”

In areas such as payroll management, for example, the need for security is paramount.  The application of Safe4 to the transfer of key personal and financial information has increased significantly, and is not only providing heightened security but is also aiding efficiency.  Above all, Manningtons is able to offer GDPR-compliant services to its clients, thereby ensuring that their clients’ businesses and reputations are not damaged by costly and avoidable breaches or leaks of information.

Ben Martin, director of Safe4, is delighted with the progress that Manningtons have made in their adoption of Safe4.  “We have enjoyed a close relationship with Manningtons since 2010, and they were one of the first professional practitioners to adopt Safe4 in their business.  The advent of GDPR has led to important changes in the way that the Safe4 system works, giving greater control to our customers and increased security to their clients” claims Martin.  “We are in the process of making some significant enhancements to Safe4, including several that will be of value to Manningtons – such as the ability to sign documents within Safe4 – and it is of great value to have their feedback and input as we go forward.”

Safe4 has adapted to address the requirements of GDPR

GDPR has provided a catalyst for many businesses to overhaul the way that they manage their communication with their clients, and the recent changes in the Safe4 system have supported this.  The ability for a complete client vault to be deleted permanently is clearly an essential requirement, and this has been handled within the Safe4 system not just by the irrevocable deletion of data, but the maintenance of an audit trail record of the deletion and the “stub” of data that recorded the activity within the vault while it was live.  This audit trail will protect Safe4 customers by providing an evidential record should a former client have been engaged in illegal or improper activity, and is fully compliant with the GDPR requirement for data retention by contract.

Safe4 also allows a Subject Access Request report to be generated at the touch of a button, should a client ask for all of the personal information to which they have had access.

By increasing the adoption of the Safe4 system across its business, Manningtons is building a strongly compliant platform for further growth in the south east of England.  Safe4 is also enjoying the benefit of a close relationship with a professional customer whose real-world experience is proving to be a valuable reference point for the functional development of the system.

If you would like more information on how the use of Safe4 can support your GDPR compliance programme, please contact us.

More good news for Safe4 customers – outstanding availability record

Safe4 has achieved outstanding availability in the last 7 months.  Since 1 October 2017 the highly secure information delivery and storage service has achieved 100% uptime, with not a single second lost through system outages of any kind. This represents a stark contrast with other cloud-based information management services, many of which report outages almost weekly. Availability of the Safe4 service is monitored independently, and reported on every month.

This outstanding availability record for Safe4 underlines the quality of service that is the basis of the way the system functions. During the period from 1 October 2017 to date, Safe4 has undergone 4 major upgrades, none of which interrupted access to the system. This process of enhancement included the changes associated with enabling Safe4 to support customers’ GDPR compliance programmes, many of which went deep into the core of the software.

Safe4 delivers value

An exceptional level of availability is just one of the significant benefits that Safe4 offers. Safe4 has been independently assessed among the most secure 0.8% of sites on the internet, out of millions tested. Other benefits include automated upload notifications, comprehensive audit trails and reporting facilities, and UK hosting in ISO 27001-accredited data centres. Extensive customer branding and white labeling, granular permission and content controls as well as a unique and flexible architecture allow Safe4 customers to derive a wide range of financial and operational benefits.

Maintaining a strong commitment to a high quality of customer service is one of the key objectives of Safe4, together with providing class-leading levels of security. For more information on how Safe4 can provide benefits for your business, please get in touch with us. We will be delighted to assist you.

Safe4 releases version 5.10 to address GDPR compliance requirements

The General Data Protection Regulation becomes law across the EU on 25 May this year, and in order to assist our customers to ensure that they are compliant with the regulation we have introduced some system changes to the core Safe4 service. These changes are in fact part of a work-in-progress, since there are still some areas of uncertainty in the way that GDPR is expressed. The system modifications at this stage address the basic requirements of GDPR compliance, and will be built upon as greater clarity emerges.

As the Data Processor under data protection legislation, Safe4 makes use of a number of constructs, described within the system as providers and vaults. The new release, designated as version 5.10, allows these to be completely deleted, with all of their data content being irreversibly removed. The ability to perform such deletions will be granted to customers, the Data Controllers, at system administrator level only, and any actions of this sort will be carried out after several warnings have been given and responded to.

Users can also be deleted by Data Controllers. Safe4 permits users to have access to multiple providers and vaults, and consequently the removal of a user from a particular vault will not affect their access to any others.

However, because Safe4 is a system of record, the audit trails relating to the existence of providers, vaults and users will be retained. For example, the record of a user account’s existence will be retained as a basic “stub”, so that the integrity of audit trails can be maintained. Activity while a user was a member of a Safe4 vault will thus be available for evidential purposes in future, while any personal information that was stored about that person will be deleted.

The full range of reporting options will be developed over time as the specific needs of customers are established, and as aspects of GDPR compliance are clarified both by the Information Commissioner’s Office and by case law.

An additional function that will be made available to the Data Controller immediately will be the ability to respond to Subject Access Requests. The Safe4 administrator will be able to generate a Subject Access Request report at the touch of a button. This will create a PDF document that can be provided externally if required, or stored as a record within Safe4.

As always, we at Safe4 consider the secure handling of customers’ information to be our highest priority. This approach will continue, and will be extended as necessary through working closely with Data Controllers to ensure that their GDPR compliance obligations are being met.

For more information on how Safe4 can support your GDPR compliance programme, please contact us. We will be very pleased to assist. General information on GDPR can be obtained from the UK Information Commissioner’s Office.

Charities are exposed to serious risk when documents are lost

Proper management of sensitive records can be challenging, but when the documents in question relate to vulnerable individuals who are receiving care from charities or local authorities, the consequences of information falling into the wrong hands can be very damaging.  Recent cases of paper documents being lost highlight this risk.

The impending arrival of GDPR will of course impose far more severe penalties than have hitherto been possible under current data protection legislation. Among the organisations most exposed to such potential penalties are small-to-medium charities, who in many cases handle highly sensitive information about individuals. Such charities are generally staffed by dedicated and highly competent volunteers, but often they lack the experience or resources to implement processes or systems that give proper protection to the information they handle.

Converting paper documents into electronic records can be difficult, particularly if volumes are large and the documents themselves are not in good condition. However, electronic systems do provide much tighter control of information, and also provide a host of other benefits including speed of retrieval and access while away from the office or filing cabinet.

Among the key benefits of applying a highly secure electronic system such as Safe4 to the management of confidential information is that it will not only eliminate or reduce the risk of document loss, but will permit the organisation in question to achieve and maintain compliance with GDPR. This could prove to be a key safeguard in the coming years when some of the UK’s most high-profile charities have suffered enormous reputational damage and are now seeing the cancellation of direct debit donations doubling in recent weeks. Maintaining the highest possible standards in record-keeping and information management will be a valuable means for the charity to protect their most valuable asset – their donor subscribers, who provide the majority of funds to support the important work that charities carry out to assist the members of our society who are most in need of help.

In conjunction with a number of partners, Safe4 Information Management is launching an initiative to offer the charitable sector solutions that will help them not only protect their information to the highest possible standard, but also to reduce costs and improve the efficiency of their operations. Further details of this initiative will be published in the coming months, as GDPR approaches.

If you would like to know more about how Safe4 can help your organisation to enhance the secure management of confidential records, please get in touch with us.

Version 5.04 of Safe4 is released

Safe4 have released version 5.04 of the secure information delivery and storage service. This release includes a significant number of internal enhancements, and will assist with the administration and management of the service.

Users will notice changes in the way that reports and messages are handled and displayed, with more flexible options for listing and presentation. The method of PIN management has also been updated, as has the user invitation process. Further changes are in the pipeline to address the requirements of GDPR, which becomes law on 25 May 2018. It is anticipated that Safe4 will be GDPR-ready by the end of the first quarter of 2018, to ensure that customers will be fully supported in their own GDPR compliance programmes.

For more information on how Safe4 can assist your organisation to handle confidential information more securely and efficiently, as well as helping with your own GDPR compliance, please get in touch with us.

Slow progress for GDPR across Europe

Most EU member states are not making much progress towards preparing their own legislative position for the effective date of the General Data Protection Regulation on 25 May this year, according to an article published today. As many UK businesses are aware, the Information Commissioner’s Office has been issuing guidance and warnings on GDPR for quite some time, but as yet response across many sectors has been patchy.

We at Safe4 have already started the process of making our highly secure information delivery and storage service GDPR-ready, so that our customers can use the system with confidence, knowing that their own compliance programmes will be strongly supported. This will involve relatively minor changes to the system, and our plan is to have these adjustments ready for deployment by the end of March 2018, well in advance of the date when the Regulation comes into force.

For more information on how Safe4 can help your business to become GDPR compliant, please contact us.

GDPR compliance – what will it mean for you?

Most of us now are receiving a barrage of email relating to the need for GDPR compliance in our inboxes.  Consultants, assessors, seminar organisers, and a host of others are trying to get our attention in advance of the date when the General Data Protection Regulation comes into force in May this year.

Some of this communication is helpful, but the majority seems to be opportunistic.  It is refreshing to come across a realistic and well-considered article that highlights the simple facts about GDPR – there is no magical solution to make any organisation compliant, just the realisation that the only effective approach lies in a thorough review of the information that is being used, who uses it, how it is managed and transmitted, and what protection measures have been taken to safeguard it.

Safe4 can help to support GDPR compliance

Every organisation, of any size or structure, will have to make sure that its information management house is in order to become compliant with GDPR. No IT system can perform this service, but a compliance programme will be more successful if it is underwritten by applying technology that allows the necessary processes to be properly implemented. We at Safe4 are making some minor changes to the way the system works to make sure that it will offer full support for GDPR. But the responsibility for achieving compliance will still lie with the organisation itself, and how it manages its own activities.

We will be publishing further information about the changes that the Safe4 system will undergo in the coming months. The basic design and architecture of Safe4, as well as other factors including UK-only storage in ISO 27001-accredited data centres, full encryption of data, no reliance on email to carry confidential information, a full audit trail of all activity, and contractual arrangements under English law already provide an effective platform for ensuring best practice in the management of information.

For more information on how using Safe4 can assist your organisation to comply with GDPR, please contact us.