Posts

Password strength checker improvements for Safe4

One of the challenges of enforcing strict rules about the strength of passwords is how to make them secure and still easily usable by people who perhaps utilise a system occasionally and often need rapid access to share or obtain important information.

Safe4 has now been updated to make it easier for users to select passwords in the first place, by listing each of the strength requirements and showing visually when these have been satisfied. Because Safe4 is used in many countries around the world and by speakers of many languages, it can be difficult to prevent users from choosing a password that is a common word in one language but not in another. Using sequential characters on a keyboard is also potentially an issue, as in several European countries different keyboard layouts are utilised. Beyond Europe, in countries where alphabets may also differ, keyboard layouts are often radically different from those familiar in Anglophone regions.

Keeping it simple without sacrificing security

Safe4 has become established as one of the most secure sites on the Internet, and consequently enforcing strict password requirements is essential given the presence of brute-force attack systems that can crack simple passwords very quickly. Whilst setting a strong password is the responsibility of each individual user, applying specific rules governing this, as well as limiting the number of unsuccessful login attempts within a single browser session, makes it easier to prevent unauthorised access to the system. The changes made by Safe4 will inform new users of the strength of their password as each character is chosen, and show any discrepancies visually.

Please contact us if you would like any further information on the security measures that are taken by Safe4 to protect the integrity of information that we hold, and the protection that this offers for our customers.

Cyber crime is still soaring – and insecure email remains the weakest link

The scourge of email scams and phishing continues to rise relentlessly. Whilst some organisations have taken steps to protect themselves, many still use email to transfer confidential information to recipients both within and beyond their own domain. A recently-published article highlights this, and the risks to corporate governance that are involved.

Professional practitioners are among the worst offenders. Much of the information that they generate on behalf of their clients is highly confidential and is sent by email as an attachment. Not only does this expose their clients to the loss or theft of the data, it is inefficient and can ultimately lead to serious difficulties for the practitioners themselves. In the UK it is estimated that more than 70% of law firms, for example, still use open email to carry confidential client information.

Sometimes the clients themselves are a problem …

Accounting firms, for example, provide services for a wide range of different clients, everything from global corporates to the local butcher, baker and candlestick-maker. At the smaller end of this scale many clients are resistant to using secure information sharing services as they find it easier to simply receive financial information as an attachment to an email. Sometimes it is securely stored away, but often it is not, leading to repeated requests for the information to be re-sent by the accountant, multiplying the scale of the risk.

VaultConnect, partners of Safe4 Information Management, have expressed the consequences of these “can you just …” requests for information. Typically they result in an interruption of approximately 23 minutes to stop a current task, go and find the requested information, respond to the client, and then try to resume the task that has been interrupted. And the result of this is to expose both the client and the accountant to increased risk.

There are better and safer options

The Safe4 service has been designed explicitly to protect any organisation that needs to share confidential information with external or internal parties, whether it be in unstructured form (such as documents), or structured (data held in columnar format, similar to spreadsheets and simple databases). Manningtons, an accounting firm in Sussex, have recently chosen to significantly expand their use of Safe4 in order to protect themselves and their clients from loss or theft of sensitive information. Read about their experiences here. The result of this approach has enabled Manningtons to enhance their compliance with both the Data Protection Act (which now embodies the recently-enacted European General Data Protection Regulation), and with the guidance issued by the Institute of Chartered Accountants of England and Wales. This strongly advises accounting firms not to send confidential information to clients by email, even if the client has actually requested that they do so.

Safe4 utilises a highly secure vault to hold information relating to each client. This can be shared with the clients themselves, allowing two-way transfer of confidential documents and data. The very granular permissions provided by Safe4, as well as comprehensive audit trails and reporting functions, add further levels of protection to the professional practitioners as well as their clients.

Contact Safe4

For more information on how Safe4 can help your organisation to achieve enhanced levels of security and compliance with regulatory frameworks, please get in touch. We will be delighted to assist you.

Manningtons responds strongly to the challenge of GDPR by expanding the use of Safe4

With a client base numbering close to 3,000 and offices across Sussex and Kent, Manningtons have become one of south-east England’s best-established accounting practices.  From their head office in Heathfield, East Sussex, they offer a wide range of accounting, taxation, and financial management services.  Like all professional practitioners, they have had to respond to the challenge of GDPR.

Manningtons' relationship with Safe4 began in 2010, shortly after the secure document delivery and storage service was launched. Alan Staples, Managing Partner at Manningtons, recognised that the application of technology to the running of an accountancy practice was gathering pace, and was determined to explore better and more secure ways to communicate with the firm’s clients. Traditional methods of communication such as hard copy post and email were still in everyday use, as indeed they were in much of the UK business community. However, these methods were often costly and inefficient, and in recent years have become increasingly unsafe as online fraud and theft have emerged as significant threats.

GDPR is driving change

The adoption of the Safe4 service by Manningtons has gathered momentum with the arrival of the General Data Protection Regulation across Europe. Alan Staples is extremely conscious that protecting Manningtons' clients from misuse or loss of personal information is not only best practice, but is also demanded by the Institute of Chartered Accountants of England and Wales. Thus combining a high standard of service to clients with a high level of compliance has triggered a significant increase in the use of Safe4 as a means of getting confidential information to and from clients.

Alan’s view on this matter is very clear: “We can no longer send confidential information to clients by email.  That is the clear directive to our staff, and we are now putting Safe4 to greater use in order to ensure that we are taking the best possible care of our clients’ interests.  Manningtons serves a very varied client base across a range of different sectors.  Not all of our clients have been quick to adopt the use of modern technology, but they are now increasingly aware of the risks that they run by sticking with email as a way of transferring their confidential information.  We cannot run the risk of email intrusion, and must ensure that client information is kept confidential at all times.  The Technical Helpsheet from the ICAEW makes it clear that even if clients ask us to use email, this should not be an option that we choose.”

In areas such as payroll management, for example, the need for security is paramount.  The application of Safe4 to the transfer of key personal and financial information has increased significantly, and is not only providing heightened security but is also aiding efficiency.  Above all, Manningtons is able to offer GDPR-compliant services to its clients, thereby ensuring that their clients’ businesses and reputations are not damaged by costly and avoidable breaches or leaks of information.

Ben Martin, director of Safe4, is delighted with the progress that Manningtons have made in their adoption of Safe4.  “We have enjoyed a close relationship with Manningtons since 2010, and they were one of the first professional practitioners to adopt Safe4 in their business.  The advent of GDPR has led to important changes in the way that the Safe4 system works, giving greater control to our customers and increased security to their clients” claims Martin.  “We are in the process of making some significant enhancements to Safe4, including several that will be of value to Manningtons – such as the ability to sign documents within Safe4 – and it is of great value to have their feedback and input as we go forward.”

Safe4 has adapted to address the requirements of GDPR

GDPR has provided a catalyst for many businesses to overhaul the way that they manage their communication with their clients, and the recent changes in the Safe4 system have supported this.  The ability for a complete client vault to be deleted permanently is clearly an essential requirement, and this has been handled within the Safe4 system not just by the irrevocable deletion of data, but the maintenance of an audit trail record of the deletion and the “stub” of data that recorded the activity within the vault while it was live.  This audit trail will protect Safe4 customers by providing an evidential record should a former client have been engaged in illegal or improper activity, and is fully compliant with the GDPR requirement for data retention by contract.

Safe4 also allows a Subject Access Request report to be generated at the touch of a button, should a client ask for all of the personal information to which they have had access.

By increasing the adoption of the Safe4 system across its business, Manningtons is building a strongly compliant platform for further growth in the south east of England.  Safe4 is also enjoying the benefit of a close relationship with a professional customer whose real-world experience is proving to be a valuable reference point for the functional development of the system.

If you would like more information on how the use of Safe4 can support your GDPR compliance programme, please contact us.

Insecure email communication still causing huge losses through fraud

Recent news has highlighted once again the risks caused by using insecure email communication to transfer confidential information, as this article shows.

The effect of online theft is clearly devastating for those that have had their money stolen – in many cases these losses represent life savings and cannot be recovered. Cases of criminals posing as conveyancing solicitors, or alternatively hacking into private email accounts and falsifying bank account details so that the conveyancer transfers the proceeds from the sale of a property into a criminal’s account, have become much more frequent in recent years.

To allow conveyancers to be confident that they are transferring funds into the correct account, Safe4 are offering the use of their highly secure information transfer service, into which clients or indeed any other party can enter bank details directly into designated fields. This completely eliminates the risks posed by using insecure email communication to transfer this information. It is not only email that is insecure – hard copy post and voice communication also carry risks of their own.

Safe4 are also working with other organisations that have to transfer funds into a client account at the completion of a transaction. These include art galleries, auction houses, and others who may be selling assets on a client’s behalf.

In addition to the storage of all data in UK-only data centres accredited to ISO 27001, Safe4 have just completed another penetration test carried out by an independent UK Government accredited agency. Again this has confirmed the high levels of security offered by using Safe4 as the means of transferring confidential information between parties that are involved in high-value transactions. Compliance with the SRA guidelines for cloud computing gives conveyancers additional confidence that information is being transferred between parties with minimum risk.

For more information on how Safe4 can help your organisation to improve the protection of clients’ money, please contact us.

Charities are exposed to serious risk when documents are lost

Proper management of sensitive records can be challenging, but when the documents in question relate to vulnerable individuals who are receiving care from charities or local authorities, the consequences of information falling into the wrong hands can be very damaging.  Recent cases of paper documents being lost highlight this risk.

The impending arrival of GDPR will of course impose far more severe penalties than have hitherto been possible under current data protection legislation. Among the organisations most exposed to such potential penalties are small-to-medium charities, who in many cases handle highly sensitive information about individuals. Such charities are generally staffed by dedicated and highly competent volunteers, but often they lack the experience or resources to implement processes or systems that give proper protection to the information they handle.

Converting paper documents into electronic records can be difficult, particularly if volumes are large and the documents themselves are not in good condition. However, electronic systems do provide much tighter control of information, and also provide a host of other benefits including speed of retrieval and access while away from the office or filing cabinet.

Among the key benefits of applying a highly secure electronic system such as Safe4 to the management of confidential information is that it will not only eliminate or reduce the risk of document loss, but will permit the organisation in question to achieve and maintain compliance with GDPR. This could prove to be a key safeguard in the coming years when some of the UK’s most high-profile charities have suffered enormous reputational damage and are now seeing the cancellation of direct debit donations doubling in recent weeks. Maintaining the highest possible standards in record-keeping and information management will be a valuable means for the charity to protect their most valuable asset – their donor subscribers, who provide the majority of funds to support the important work that charities carry out to assist the members of our society who are most in need of help.

In conjunction with a number of partners, Safe4 Information Management is launching an initiative to offer the charitable sector solutions that will help them not only protect their information to the highest possible standard, but also to reduce costs and improve the efficiency of their operations. Further details of this initiative will be published in the coming months, as GDPR approaches.

If you would like to know more about how Safe4 can help your organisation to enhance the secure management of confidential records, please get in touch with us.

Transport Layer Security still not universally applied

Safe4 implemented Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), back in 2010 as the connection layer that is used when the system is accessed by users. However, it seems that there is still some uncertainty as to how this level of security will be deployed in corporate environments, from which users are often accessing the internet through multiple layers of middleware, or middleboxes as they are sometimes known.

Not only has Safe4 implemented TLS, but this connection layer is very tightly configured to offer connected users the highest level of security possible. The configuration was significantly enhanced in 2015, when Safe4 announced a radically overhauled user interface.  Thus when Safe4 is being accessed using a device that is not under the user’s control, such as from a hotel lobby or an airport lounge, the connection is still highly encrypted and thus secure.

Making sure that customers’ information is being managed securely is the primary focus of Safe4, so that users of all levels can be confident that their data is being handled safely. Please get in touch with us if you would like more detail on how the Safe4 service could be of value for your organisation.

Safe4 Use-Case Paper: Secure Property Conveyancing

The Safe4 secure information delivery and storage service has been in use by law firms since 2010, but hitherto primarily in support of corporate and commercial property transactions. The introduction of the Safe4 Asset Register in May 2017 has brought new levels of functionality to the system, some of which can be applied to the process of secure property conveyancing.

How can law firms offer their clients better protection of their confidential information?

It is estimated that at least 70% of law firms in the UK use open email systems to transfer confidential information between external parties. This covers a very large number of information types in a variety of departmental activities. Residential property conveyancing, however, is one area where the use of insecure methods of information transfer has been exposed as a primary target for criminal activity.

When a lawyer is engaged by a client to handle the legal aspects associated with selling their home, the final act in the process is for the lawyer to transfer the sale proceeds from their firm’s client account to the client’s bank account. In most cases this is a simple process that is carried out without difficulty, but in recent years there has been an alarming increase in the level of criminal interception of email. It is common for the lawyer to request the client to provide the details of their bank account by email, by telephone, or by filling in a paper form and sending it back to the lawyer. All of these methods of delivery are potentially insecure, but there is mounting evidence that interception of emails and fraudulent alteration of the target bank details has become a major problem.

Impact on Professional Indemnity Insurance premiums

The existence of the problem has been recognised by the providers of professional indemnity insurance for law firms. Premiums are starting to increase steeply for those firms who use the traditional insecure means of obtaining clients’ bank account details.

Secure Property Conveyancing

The Safe4 Asset Register allows this risk to be eliminated. By opening a secure vault for each property transaction, and creating data fields into which basic bank account information – account number, sort code – can be entered directly by the client, the lawyer can offer the client a higher level of protection than has hitherto been possible.

After the client has entered their bank details, the conveyancer will receive an email automatically generated by Safe4 confirming that the information is available. After logging in, the information can then be transferred safely into the internal systems used for handling client payments. There is of course the standard Safe4 audit trail facility associated with all activity, providing a strong evidential record of everything that has been done during the transaction.

If the Safe4 Application Programming Interface (API) is used, the bank account details can be transferred completely automatically into the law firm’s practice management or accounting systems, thus improving security and efficiency further.

UK Hosting

Because all Safe4 data is hosted in the UK in ISO 27001-accredited data centres, the professional practitioner can also take advantage of Solicitors Regulation Authority compliance. All of the activities of Safe4 are conducted under the law of England and Wales.

Safe4 Information Management have partnered with VaultConnect to offer best-in-class security for the systems that handle the transfer of confidential information between the professional practitioner and the client. This collaboration is now benefiting law firms throughout the United Kingdom, who are able to gain the advantage of the security of the Safe4 platform with the expertise and experience of the VaultConnect team.

Ransomware – why Safe4 customers are protected

The ransomware attacks that have affected many organisations around the world over the weekend have exposed some serious vulnerabilities in the way that information is managed; using out-of-date operating systems and the failure to implement security updates are clearly primary causes of the exposure. However, it should be remembered that the problem normally arises when an unsuspecting user clicks a link in an email that is urging them to take some “essential” action, such as to update the information stored by a service provider.

Of course the email does not come from the service provider at all, but is a cleverly-disguised piece of work by a criminal organisation that will install an invasive piece of software on the user’s computer that can encrypt files and demand ransom payments in exchange for a decryption key.

Safe4 customers, and their clients, are protected against this risk in a number of ways:

  • Firstly, it is never necessary to send any confidential information, or indeed any information at all, by email. The primary function of Safe4 is to provide organisations of all types with the ability to deliver and store information of any kind in a way that makes it accessible to authorised users only. Thus if a Safe4 user receives an email requesting them to take any unusual or unexpected action, it can safely be ignored.
  • Secondly, all the files held in Safe4 are maintained in UK-based data centres accredited to ISO 27001, and are only available after the user has authenticated themselves through a web portal. The user does not therefore have direct access to the information in the way that they would if the files were held on a local or network drive.
  • The third reason for the safety of Safe4 customers is the inherent design of the system. Safe4 is a system of record. Files held in the system cannot be changed; this means they cannot be encrypted. Even if malware were to penetrate the security layers of Safe4, it cannot alter the files that have been stored. New versions of files could theoretically be created containing an encryption code, but the original files are still available for retrieval at any time – without having to pay any ransom.

We at Safe4 are continuing to remain vigilant in the constant battle against cyber criminals. Independent tests have rated Safe4 among the most secure 0.8% of sites on the internet out of millions tested due to the measures that we have put in place to protect our customers’ data. Please contact us if you would like any further detail on the security features of Safe4.

More concern over the use of public email

Interference with personal email accounts has become a major source of fraud in the UK. Take a look at this alarming article. However, more than 70% of UK law firms are still communicating with clients via their clients’ personal email accounts, in many cases to carry highly confidential information such as bank account details when executing conveyancing transactions. Repeatedly, criminals are intercepting email messages to fraudulently change bank details, resulting in money being transferred to the wrong account – and innocent lives being ruined.

The Safe4 Asset Register has been designed to eliminate the risk of fraudulent interception of email. It allows clients to enter their banking information directly into one of the most secure sites on the Internet, and automatically notifies the conveyancer that the information has been provided. The lawyer can then log in and obtain the information, whilst audit trails are recording all of the details.

Not only does the Safe4 Asset Register eliminate a risk of major financial loss and severe reputational damage, but it enhances compliance with the SRA guidance on the use of cloud computing services. Furthermore, leading brokers in the Professional Indemnity sector believe that using facilities such as that offered by Safe4 will significantly slow down the recent dramatic rises in premiums.

Please contact us. We can help you to improve compliance and reduce risk.

Safe4 Asset Register is launched with release of version 5.0

Since 2010 Safe4 has become established as one of the most secure services on the Internet for the delivery and storage of documents. With the release of Safe4 version 5.0 that capability is dramatically enhanced, as now the inclusion of the Safe4 Asset Register allows the direct input of data into fields that can be set up and managed by the service provider.

Safe4 Asset Register driven by business requirements

This development was triggered by a number of different requirements, partly arising from the work that Safe4 has been doing in the fields of will-writing and inheritance planning, and more recently in property conveyancing. Whilst Safe4 has always offered the ability for document files to be uploaded securely by both service providers and their clients, this was not always the most efficient way to record some types of information. Details such as National Insurance numbers, personal contact information, or references to memberships are more easily recorded as data, simply entered directly into on-screen fields.

Ever-increasing occurrence of fraud

Furthermore, in recent years the huge increase in fraudulent interception of emails has meant for example that when an end-client needs to provide a conveyancer with the bank details for the transfer of funds to complete a property transaction, both parties have been exposed to significant risk. In most cases today, this information is sent in an open email, or communicated by telephone.

Professional Indemnity insurers have been aware of this for some time, and as a consequence many law firms and other professional practitioners have seen their PI insurance premiums rise steeply, with very large excess payments in respect of every claim.

The Safe4 Asset Register enables a service provider to define classes of asset themselves, and to associate them with attributes which become the fields into which the end client can input their details directly, without using email or voice. This all happens under the protection of the industry-leading security offered by Safe4. Email is only used to notify the service provider that the data has been entered, whereupon they must log in to the system to obtain the necessary information. All actions are captured in the Safe4 audit trail, which provides a strong evidential record should any dispute arise.

Reduce risk, improve compliance

As well as helping to mitigate risk and thus slow down the ever-increasing cost of PI insurance, it is believed that use of the Safe4 Asset Register will also enhance compliance with the Solicitors Regulation Authority guidelines for the use of cloud computing services. Avoidance of email for the transfer of confidential information, UK hosting in ISO 27001-accredited data centres, powerful encryption, independent annual penetration testing and other measures offer genuine protection for service providers and their clients.

A wide range of other business applications can be supported by the Safe4 Asset Register. Safe4 will be publishing a series of articles and announcements in the coming months highlighting the benefits that can accrue to different types of organisation, including those in the financial services, health, business continuity planning, charities, property, government, training and skills development sectors.

Please get in touch with us for more information on how the Safe4 Asset Register can add value to your business.