Tag Archive for: cyber attack

MI5 warns of massive intellectual property theft

/in ,

As featured on the BBC website on 18 October 2023, the head of MI5 in the United Kingdom has warned of the massive scale of intellectual property theft by Chinese agents approaching UK businesses.

Ken McCallum, the Head of MI5, speaking at Stanford University in California at a meeting of the Five Eyes alliance, has warned of the risk that penetration of UK businesses by hostile agents now presents. Read the article on the BBC website in full here.

The UK is known internationally as the source of much original thinking and innovation in product and service design. This naturally makes UK a target at many levels for unlawful penetration and theft of data. Whilst this clearly affects businesses who are generating and managing confidential information, the risk is also a major issue for universities, from which many UK startup companies originate.

The Solution?

Safe4 Information Management was set up in 2010 to provide a highly secure service to allow organisations of any size and type to share confidential information securely. The unique architecture of Safe4 allows the creation of secure vaults in the cloud to which users can be invited selectively. Granular permission and access controls ensure that sensitive information cannot be accessed by unauthorised parties. This differs radically from most other online file sharing systems, which are simply ways of sharing folders. Safe4 uses UK-only hosting in ISO 27001 accredited data centres, and sophisticated file encryption. Comprehensive audit trails and reporting facilities support business best practice and good governance. Safe4 offers a genuinely safe and secure facility for managing confidential documents and structured data.

Intellectual capital is one of the UK’s prime national assets, and should be managed in the most secure way possible. The core design of Safe4 makes this simple and affordable for any organisation, whether public or private sector, and of any scale. Safe4 is used effectively by small specialist consultancies as well as large corporates and public sector customers.

Safe4 has been adopted by a range of different organisations across many different business sectors. If you would like to learn how using Safe4 can reduce the risk of intellectual property theft, please contact us. We will be delighted to assist.

Risk of using email for the transfer of confidential information

/in , , , ,

The risk of using email for the transfer of confidential information has been highlighted yet again. In today’s edition of The Times, the penetration of an email system with criminal intent has led to the loss of confidential information.

The Safe4 system has been designed specifically to avoid the use of email for the transfer of confidential information. The secure vault, which is at the heart of the Safe4 architecture, can be used for a wide range of different applications. In order to access the contents of a vault, users have to have been specifically invited to do so, and must authenticate themselves with username, password and 2-factor authentication. Confidential information is never transferred by email.

Safe4 follows guidance from the UK National Cyber Security Centre for matters relating to password length and strength, and is regularly penetration-tested by UK Government accredited services. Combined with comprehensive reporting and audit trails, and UK-based hosting in data centres accredited to ISO 27001, Safe4 offers a secure alternative to the use of email to transfer confidential information.

For more information on how Safe4 can assist your organisation to reduce the risk of unauthorised access to your information, please contact us.

NCSC warns of cyber threats to UK law firms

/in , ,

The United Kingdom National Cyber Security Centre (part of GCHQ) has warned again about the cyber threats to UK law firms. The renewed threat is largely being driven by legal practices adopting hybrid working patterns resulting from the pandemic, with staff increasingly spending more time working from home. More background is available in an article published in The Register on 26th June 2023.

Since law firms by definition handle highly confidential information, and are increasingly dealing with very large sums of cash on behalf of their clients, the opportunity for criminals to interfere with the transfer of information is enormous. In the words of NCSC, law firms are “particularly attractive targets to attackers”.

Cyber threats to UK law firms are not new – Safe4 Information Management was formed in 2010 specifically to allow organisations to exchange information with external parties without compromising the confidentiality of the information in question. Safe4 works with a number of law firms, both large and small, and has provided its secure vault-based service to legal practices across the UK. One of the key elements in the approach adopted by Safe4 is that confidential information is NEVER transferred by email. Invitations and notifications are sent by email, but users have to authenticate themselves with a username, password and optionally 2-factor authentication before any confidential information is made available.

One of the instances where this is most valuable is with the provision of bank details by clients. Using the structured data capabilities of Safe4, clients can be invited to enter their bank details into an online form, which when completed notifies the professional practitioner that the data has been provided. The practitioner, or fee-earner, will then have read-only access to this information after they have carried out the necessary authentication. The bank details can then be used for their intended purpose, and optionally transferred into other internal systems by API.

The Register article makes the point that some of the attackers are nation states, with access to very sophisticated tools. In particular, brute-force attack technologies are being used to penetrate systems by exploiting weak passwords. To mitigate this risk, Safe4 has implemented NCSC recommendations relating to password length and strength.

All of the information held in Safe4 is stored in UK-only data centres accredited to ISO 27001. Safe4 is penetration tested regularly, and is accredited under the UK Cyber Essentials scheme by Government approved organisations under the CHECK protocol.

If you would like more information on how Safe4 can help with the battle against cyber attack, please contact us. We will be delighted to assist.

Password strength requirements for Safe4 are being increased

/in , , ,

Cyber crime, identity theft and online fraud are becoming more frequent. It is known that there are large organisations, some of whom are state-backed, whose sole purpose is to disrupt the lawful activities on which much of our normal economic life is based. Recent ransomware attacks, as well as the ever-increasing use of spam email, are evidence of the scale of the threat. For this reason, the password strength requirements for the Safe4 system are being increased.

Safe4 works very closely with a number of public-sector organisations for whom security is paramount. Acting on the advice of the UK National Cyber Security Centre, part of GCHQ, the password requirements for Safe4 are being changed to incorporate a minimum length of 10 characters and a maximum of 150 characters. As before, each password will have to contain an upper and lower case alpha character, a number, and a symbol such as a punctuation mark. Passwords will accommodate spaces as well as normal characters, thus allowing the use of pass-phrases as well as basic passwords. The advice of the NCSC is that passwords up to 8 characters can now be cracked by brute-force attack methods in a few minutes, whereas those with 10 or more characters are unlikely to be cracked in meaningful time.

Password strength matters

Choosing a new password is increasingly challenging, hence the ability to use a pass-phrase for Safe4. This can be a favourite piece of text, such as line from a book or song, which will generally be easier to remember than a shorter password containing an obtuse string of characters. The longer the password, the more difficult for criminals to crack it. A random sequence of words that are easily remembered will have the same effect.

An additional feature that Safe4 have incorporated in this release is a warning message if the password chosen by a user has already been compromised on another site. This does not prevent the selection of that password, but the user is warned of the potential risk.

Following the release of Safe4 version 6.01, scheduled for 25 May 2019, new users will be invited to create accounts using the updated password strength requirements. The new rules will also be applied to password changes and to resets.

2-Factor Authentication by Text Message

At present, the 2-factor authentication applied by Safe4 is based on the use of a 6-digit PIN as well as a username and password. In July 2019 this will be changed, and the PIN will be replaced by a numeric code sent to the user by text message.

We at Safe4 are constantly trying to ensure that the system is as secure as possible, and that our customers’ data is protected to the maximum extent. If you have any questions, or if you would like any information on how Safe4 can assist your organisation to enhance the security of your communications, please contact us.

Cyber crime is still soaring – and insecure email remains the weakest link

/in , , ,

The scourge of email scams and phishing continues to rise relentlessly. Whilst some organisations have taken steps to protect themselves, many still use email to transfer confidential information to recipients both within and beyond their own domain. A recently-published article highlights this, and the risks to corporate governance that are involved.

Professional practitioners are among the worst offenders. Much of the information that they generate on behalf of their clients is highly confidential and is sent by email as an attachment. Not only does this expose their clients to the loss or theft of the data, it is inefficient and can ultimately lead to serious difficulties for the practitioners themselves. In the UK it is estimated that more than 70% of law firms, for example, still use open email to carry confidential client information.

Sometimes the clients themselves are a problem …

Accounting firms, for example, provide services for a wide range of different clients, everything from global corporates to the local butcher, baker and candlestick-maker. At the smaller end of this scale many clients are resistant to using secure information sharing services as they find it easier to simply receive financial information as an attachment to an email. Sometimes it is securely stored away, but often it is not, leading to repeated requests for the information to be re-sent by the accountant, multiplying the scale of the risk.

VaultConnect, partners of Safe4 Information Management, have expressed the consequences of these “can you just …” requests for information. Typically they result in an interruption of approximately 23 minutes to stop a current task, go and find the requested information, respond to the client, and then try to resume the task that has been interrupted. And the result of this is to expose both the client and the accountant to increased risk.

There are better and safer options

The Safe4 service has been designed explicitly to protect any organisation that needs to share confidential information with external or internal parties, whether it be in unstructured form (such as documents), or structured (data held in columnar format, similar to spreadsheets and simple databases). Manningtons, an accounting firm in Sussex, have recently chosen to significantly expand their use of Safe4 in order to protect themselves and their clients from loss or theft of sensitive information. Read about their experiences here. The result of this approach has enabled Manningtons to enhance their compliance with both the Data Protection Act (which now embodies the recently-enacted European General Data Protection Regulation), and with the guidance issued by the Institute of Chartered Accountants of England and Wales. This strongly advises accounting firms not to send confidential information to clients by email, even if the client has actually requested that they do so.

Safe4 utilises a highly secure vault to hold information relating to each client. This can be shared with the clients themselves, allowing two-way transfer of confidential documents and data. The very granular permissions provided by Safe4, as well as comprehensive audit trails and reporting functions, add further levels of protection to the professional practitioners as well as their clients.

Contact Safe4

For more information on how Safe4 can help your organisation to achieve enhanced levels of security and compliance with regulatory frameworks, please get in touch. We will be delighted to assist you.

Met Police see ransomware as the biggest cyber-security threat in 2018

/in , ,

A series of global ransomware attacks in 2017 have reaped millions of dollars in rewards for criminals who have penetrated unsuspecting users’ IT systems and encrypted their data. In the UK, the National Health Service was one of a number of high-profile victims of such attacks.  According to London’s Metropolitan Police, ransomware looks likely to be a major threat again in 2018. Ransomware cannot prevent access to data stored in Safe4, as indicated in previous articles on this website.

In an article published in The Times newspaper today, the need for managing personal information is highlighted even more strongly. Theft of identity, and with it money, has become such an enormous issue that more and more of us are likely to be at risk through insecure management of our online activities. Using clever apps or devices on mobile phones or computers will obviously help; however using secure online services to deliver and store critical personal information will give the greatest level of protection to businesses and their clients alike.

Safe4 has been rated among the most secure 0.8% of sites on the Internet by independent agencies, out of more than 1.5 million tested. Using the Safe4 Asset Register to handle personal details for a wide range of online activities offers a unique facility for holding both confidential documents and individual elements of data, such as personal identification details. All data held in Safe4 is stored in UK-only data centres accredited to ISO 27001. Please contact us for more information.

UK corporates becoming more aware of the importance of GDPR compliance

/in , ,

Whilst the corporate sector in the UK is generally becoming aware of the need to ensure that they are compliant with the new General Data Protection Regulation that comes into force in May 2018, there are still some large firms who are alarmingly exposed to the risk of cyber attack. According to recent research, only just over half of the boards running FTSE 350 companies recognise the full impact of the threat of cyber attack, and the need to become GDPR compliant.

The impact of GDPR will affect all organisations in the UK, both large and small. In fact, it could well be the SME sector that faces the greatest risk, as many do not have a robust IT infrastructure or the necessary policies and procedures to protect their clients’ data. Safe4 are currently working with a number of organisations in the charities sector who wish to ensure that their essential information, most notably details of their donors and their financial records, do not fall prey to intrusion and thus expose them to severe penalties.

If you would like more information on how implementing Safe4 within your business can significantly reduce the risk of online fraud and data theft, please contact us.