Tag Archive for: 2-Factor Authentication

Risk of using email for the transfer of confidential information

The risk of using email for the transfer of confidential information has been highlighted yet again. In today’s edition of The Times, the penetration of an email system with criminal intent has led to the loss of confidential information.

The Safe4 system has been designed specifically to avoid the use of email for the transfer of confidential information. The secure vault, which is at the heart of the Safe4 architecture, can be used for a wide range of different applications. In order to access the contents of a vault, users have to have been specifically invited to do so, and must authenticate themselves with username, password and 2-factor authentication. Confidential information is never transferred by email.

Safe4 follows guidance from the UK National Cyber Security Centre for matters relating to password length and strength, and is regularly penetration-tested by UK Government accredited services. Combined with comprehensive reporting and audit trails, and UK-based hosting in data centres accredited to ISO 27001, Safe4 offers a secure alternative to the use of email to transfer confidential information.

For more information on how Safe4 can assist your organisation to reduce the risk of unauthorised access to your information, please contact us.

NCSC warns of cyber threats to UK law firms

The United Kingdom National Cyber Security Centre (part of GCHQ) has warned again about the cyber threats to UK law firms. The renewed threat is largely being driven by legal practices adopting hybrid working patterns resulting from the pandemic, with staff increasingly spending more time working from home. More background is available in an article published in The Register on 26th June 2023.

Since law firms by definition handle highly confidential information, and are increasingly dealing with very large sums of cash on behalf of their clients, the opportunity for criminals to interfere with the transfer of information is enormous. In the words of NCSC, law firms are “particularly attractive targets to attackers”.

Cyber threats to UK law firms are not new – Safe4 Information Management was formed in 2010 specifically to allow organisations to exchange information with external parties without compromising the confidentiality of the information in question. Safe4 works with a number of law firms, both large and small, and has provided its secure vault-based service to legal practices across the UK. One of the key elements in the approach adopted by Safe4 is that confidential information is NEVER transferred by email. Invitations and notifications are sent by email, but users have to authenticate themselves with a username, password and optionally 2-factor authentication before any confidential information is made available.

One of the instances where this is most valuable is with the provision of bank details by clients. Using the structured data capabilities of Safe4, clients can be invited to enter their bank details into an online form, which when completed notifies the professional practitioner that the data has been provided. The practitioner, or fee-earner, will then have read-only access to this information after they have carried out the necessary authentication. The bank details can then be used for their intended purpose, and optionally transferred into other internal systems by API.

The Register article makes the point that some of the attackers are nation states, with access to very sophisticated tools. In particular, brute-force attack technologies are being used to penetrate systems by exploiting weak passwords. To mitigate this risk, Safe4 has implemented NCSC recommendations relating to password length and strength.

All of the information held in Safe4 is stored in UK-only data centres accredited to ISO 27001. Safe4 is penetration tested regularly, and is accredited under the UK Cyber Essentials scheme by Government approved organisations under the CHECK protocol.

If you would like more information on how Safe4 can help with the battle against cyber attack, please contact us. We will be delighted to assist.

Enhancements for Safe4

Version 6.04 of the highly secure Safe4 information delivery and storage service has been released. These enhancements for Safe4 reflect response to customer requirements, especially those who operate internationally, and those who are particularly active in uploading and sharing documents.

Enhancements for Safe4

As well as general security and performance improvements, version 6.04 of Safe4 delivers a number of specific changes:

  • Individual users are now able to choose the time and frequency of receiving upload notifications of file uploads or changes in structured data. Busy accounts can generate significant volumes of email traffic, resulting in very full inboxes. Selecting a specific time of day when these are received, as well as deciding the number of days’ interval between emails arriving, offers more flexibility and control for users. The selections can be made easily from each user’s My Account settings:

  • Safe4 has become Accessible. Users who are impaired in some way, particularly those who suffer from vision difficulties, can navigate around Safe4 screens by using the tab key. When used in conjunction with screen readers, users will receive an audio description of where they are on the page and can activate Safe4 functions without needing to use a mouse or tap the screen.
  • Signing documents in Safe4 has become easier, and users who have issued documents for signature can follow their progress more easily. If several documents are issued for signature as a pack by a number of different users, for instance, the initiating user can establish how the request has progressed, and which individual signatures are yet to be added. Documents signed in Safe4 are accepted by Companies House and HMRC in the UK.
  • For customers who have users or clients in other countries, using the 2-Factor Authentication security function has potentially been a problem. Several countries in Africa cannot receive text messages from the United Kingdom, and other nations such as Canada have barred the receipt of text messages generated automatically by IT systems. 2FA codes are now sent by text and email, so that users will definitely be able to receive the codes even if text messages cannot be delivered. This will also be helpful in situations when a user’s phone may be lost, damaged, or out of signal, and unable to receive text messages.

Contact Us

Safe4 is being improved constantly, with the addition of more functional enhancements as well as security updates. Please contact us if you would like more information on forthcoming changes, and in particular how these changes might be of value for your business.

 

More news about leaks of highly sensitive information

There are now virtually daily examples in the media of how leaks of highly sensitive information are occurring, often due to human error or misbehaviour, but also due to lack of security in poorly designed or managed systems. A current article in the media today highlights a glaring example of this – click here for more information.

Safe4 was designed with security at the core

The fundamental design of Safe4 is based around the use of secure vaults, into which information can be placed by the provider of the service, such as a professional practitioner or an employer, and the individual users who have been given access to that specific vault. Information cannot “leak” in the way that seems to be occurring regularly in other systems.

Even if a hacker were to break in to the “back door” of Safe4, without using one of the normal user interfaces, nothing can be inferred due to the way that the data is obfuscated and encrypted. The secure vault design underpins this, so that each vault becomes a completely discrete storage space for information in structured form (in columns and rows, similar to spreadsheets and simple databases) or unstructured form (document files).

Regulatory compliance

Safe4 complies with a number of regulatory frameworks by virtue of the fact that all stored information is encrypted, everything is held in UK-based data centres that comply with ISO 27001, 2-factor authentication, and a full audit trail of all user actions is maintained. The ideal solution for the storage and management of highly sensitive information, in effect.

Please contact us if you would like more information on how Safe4 can help your organisation to enhance compliance, reduce costs, and improve client service.

Confusion reigns regarding responsibility for data protection compliance

A recent survey suggests that there is still a good deal of confusion regarding responsibility for data protection compliance. Given that the UK adopted the EU GDPR into the Data Protection Act in May 2018, this reflects the general lack of awareness among many organisations today.

This survey also indicates a lack of clarity over whether cloud-based information management services offer better or worse protection that traditional on-premise storage. The answer of course is that the level of security and therefore protection depends on which cloud service provider is involved. Safe4 has an unblemished record of secure service provision, with an availability record very close to 100%. Not all cloud service providers can offer this.

Safe4 has also clarified the different roles and responsibilities relating to data protection in their Data Protection Policy – click here for more details. Safe4 does not claim ownership of any data that is stored within its system, and thus acts as the Data Processor. Customers own their data and have responsibility for any information that is placed in Safe4, and therefore are Data Controllers.

Adding to the benefit of using Safe4 for information storage is the fact that Safe4 only uses UK-based hosting services accredited to ISO 27001. Together with enhanced password strength management and 2-factor authentication, Safe4 provides a platform for its customers to be confident that the system will support their own Data Protection compliance programme. No cloud service provider can make its customers compliant with the Act however – ultimate responsibility lies with the Data Controller to ensure that their own information security policies and practices are enforced. The vast majority of data security breaches are caused by human error or poorly trained employees.

For more information on how Safe4 can assist your data protection compliance programme, please contact us.

Enhanced 2-Factor Authentication from Safe4

In line with the Safe4 policy of constantly enhancing security, as well as maintaining compliance with the recommendations of the UK National Cyber Security Centre, the latest release of Safe4, version 6.02, features 2-Factor Authentication using 7-digit codes sent to the user’s mobile device by text message. This enhanced 2-Factor Authentication from Safe4 (2FA) replaces the PIN, which has been a feature of the system since inception in 2010. The advice from the NCSC is summarised here.

Safe4 users with a PIN on their account will be prompted to enter a mobile phone number to which authentication codes will be sent. Once this has been done, they will be challenged to enter the code when logging in. The authentication code will have a life of 24 hours. When this period has elapsed a new code will be sent to the user’s mobile device on the next login.

Flexible options for applying 2-Factor Authentication

The use of 2FA can be enforced by a provider administrator, or can be selected optionally by each user in their own personal settings. In either case the registration of the mobile phone number will be followed immediately by the sending of an authentication code that must be entered before access is gained to the system.

The mobile phone number that is registered is held in the user’s My Account settings, to which entry will be controlled by a further 2FA code challenge. This will prevent a user’s settings being altered without authority. If a user changes their mobile phone number for any reason, the provider administrator will be able to require the user to reset 2FA with a different phone number.

Other enhancements in version 6.02

As always, version 6.02 of Safe4 includes a number of server-based security updates that relate to the way that data is held and managed on our servers. It is our policy not to publish details of these changes.

A further change in version 6.02 relates to the way in which folders are displayed. Folders and subfolders will be shown in the right-hand pane of the screen, together with any files that are stored in that folder. This is the first step towards more flexible management of folders.

Additionally, version 6.02 will allow the selection of which users will receive notification of file uploads. This will involve a further option in the Upload Files dialog box.

The Safe4 User Guides have been updated to reflect these changes.

For more information on how Safe4 can help your organisation to reduce cost, enhance client service and improve security and compliance, please contact us. We will be delighted to assist you.