Tag Archive for: data protection

Risk of using email for the transfer of confidential information

The risk of using email for the transfer of confidential information has been highlighted yet again. Today’s edition of The Times reports a case in which an email system was penetrated with criminal intent, leading to the loss of confidential information.

The Safe4 system has been designed specifically to avoid the use of email for the transfer of confidential information. The secure vault, which is at the heart of the Safe4 architecture, can be used for a wide range of different applications. In order to access the contents of a vault, users have to have been specifically invited to do so, and must authenticate themselves with username, password and 2-factor authentication. Confidential information is never transferred by email.

Safe4 follows guidance from the UK National Cyber Security Centre for matters relating to password length and strength, and is regularly penetration-tested by UK Government accredited services. Combined with comprehensive reporting and audit trails, and UK-based hosting in data centres accredited to ISO 27001, Safe4 offers a secure alternative to the use of email to transfer confidential information.

For more information on how Safe4 can assist your organisation to reduce the risk of unauthorised access to your information, please contact us.

Safe4 has passed 250,000 users

During April 2022 Safe4 has reached the quarter-of-a-million user mark. The fact that Safe4 has passed 250,000 users is significant in many ways – not least because it demonstrates the stability and reliability of the system.

The principal benefit that Safe4 brings is, of course, security. Many of the users who have created accounts in Safe4 have received vital health information through their vault, and can rest assured that their confidential personal data has not been compromised by being sent using open email. The ability to offer the highest standard of protection of personal data distinguishes Safe4 from many other systems that have been used to handle the result of Covid-19 tests, for example.

Safe4 offers the same security benefit for corporate and small business users, and is now being used extensively by many professional practitioners and service providers to manage a wide range of information safely and securely.

For more information on how Safe4 can assist your organisation to reduce costs, improve compliance and enhance client service, please contact us. Safe4 utilises UK-only data centres accredited to ISO 27001, and has been designed from first principles to maximise security and confidentiality.


Screen4 partners with Safe4 for Covid-19 Testing

Screen4, one of the UK’s leading providers of health screening services, has partnered with Safe4 and S4Encrypt to help automate the processing of Covid-19 tests purchased from its website.

As one of the world’s top drug and alcohol screening services for the travel sector, with operations in 140 locations across 40 countries, Screen4 was well placed to offer Covid-19 testing facilities when the pandemic started to have an impact in the UK. From its Barnsley, Yorkshire, premises it can process in excess of 3,000 Covid-19 tests per day, in conjunction with Oncologica, a testing laboratory based in Cambridge.

Contact began in June 2020

The first contact between S4Encrypt, Safe4’s sister company, and Screen4 took place on 23 June 2020, by which time the UK was in a state of lockdown and reeling from the effects of the Coronavirus. This quickly led to technical discussions between Safe4 and the technology partners of Screen4, with the intention of integrating the process for receiving orders for Covid-19 tests with the use of the Safe4 vault as a means of delivering the test result to the end customer.

Alistair Stubbs, Safe4 CTO, came up with a solution design based on the use of the system’s existing capabilities in conjunction with a new Safe4 object type – the Event. This allowed each individual test – the Safe4 Event – to be associated with one or more customers who would each become users of the system.

How the Covid-19 testing process works

The primary requirement arose from the close association that Screen4 had built up with the travel sector, and focused on the need for pre-travel testing. Many countries had determined that before anyone would be permitted to enter from abroad, the passenger would have to provide evidence of a negative PCR test for Covid-19.

Several airlines, including TUI, Virgin Atlantic and Qantas, as well as P&O Ferries, now direct passengers buying travel tickets to the Screen4 website, where Covid-19 PCR tests can be purchased. These include both self-administered and clinician-collected tests. The Screen4 internal systems then send data to Safe4 through the API, triggering the creation of a vault and an invitation for the traveler to create a user account.

After confirmation of the test, including time and location in the case of clinician-collected tests, the user is prompted to use their vault to record the barcode on the sample vial that is used to carry the PCR swab to the laboratory in Cambridge. The precise date and time at which this unique barcode is entered are also recorded, which is essential for calculating the pre-flight window required by the destination country: either 48 or 72 hours. After analysis of the samples by the laboratory, the test results are transferred automatically to each individual’s vault. Safe4 then notifies the traveler that the result is available and produces a PDF certificate confirming the traveler’s details and the test result, which can be shown both on departure and on arrival to satisfy the requirements of the destination country.

The e-wallet and the QR Code

In addition to the certificate, which can be downloaded to a computer or a smartphone, Safe4 also creates a pass that can be added to the e-wallet on most modern phones. Both the certificate and the pass carry a QR code that, when scanned, displays a page from the secure Safe4 website allowing independent verification of the test result.

The way forward

Safe4, S4Encrypt and Screen4 are looking at enhancements of the service to include different types of test, as well as exploring the capability of the solution to capture evidence of a vaccination. This can be linked with an identity verification function that will capture a photograph of the individual, for additional validation of the traveler and the test or vaccination status. This Immunity Passport facility will help the travel industry to start to resume pre-pandemic levels of activity.

David Grouse, Managing Director of Screen4, believes that the association with S4Encrypt and the use of the Safe4 vault can help to achieve higher volumes and faster customer service. David believes that “the addition of the vault capability to deliver Covid-19 test results rapidly to our customers is helping us to streamline our operations and increase throughput, as well as bringing the result to the travelling customer more quickly and securely.”

Ben Martin, director of both Safe4 and S4Encrypt, is delighted with the progress that has been made. He feels that “working closely with Screen4 has been a very productive process for us. We are conscious of the importance of handling the Covid-19 test process as quickly and efficiently as possible, bearing in mind the health consequences for the customer and the need to get our economy functioning again quickly. Using the system as an irrefutable means of proving vaccination status in the future will also help all of us to move towards an end to the disruption that everyone has suffered during the pandemic.”

The high level of security provided by the Safe4 vault is crucial to ensure that the personal health data being handled throughout the process is managed as safely as possible. Safe4 complies fully with the UK Data Protection Act 2018, incorporating the European GDPR. All the information captured in the service is held in UK-only data centres accredited to ISO 27001.

For more information, please contact us. We will be delighted to hear from you.

More news about leaks of highly sensitive information

There are now virtually daily examples in the media of leaks of highly sensitive information, often due to human error or misbehaviour, but also due to a lack of security in poorly designed or managed systems. An article in the media today highlights a glaring example of this – click here for more information.

Safe4 was designed with security at the core

The fundamental design of Safe4 is based around the use of secure vaults, into which information can be placed by the provider of the service, such as a professional practitioner or an employer, and the individual users who have been given access to that specific vault. Information cannot “leak” in the way that seems to be occurring regularly in other systems.

Even if a hacker were to break into the “back door” of Safe4, without using one of the normal user interfaces, nothing can be inferred due to the way that the data is obfuscated and encrypted. The secure vault design underpins this, so that each vault becomes a completely discrete storage space for information in structured form (in columns and rows, similar to spreadsheets and simple databases) or unstructured form (document files).

Regulatory compliance

Safe4 complies with a number of regulatory frameworks by virtue of the fact that all stored information is encrypted, everything is held in UK-based data centres that comply with ISO 27001, 2-factor authentication is enforced, and a full audit trail of all user actions is maintained. In effect, it is the ideal solution for the storage and management of highly sensitive information.

Please contact us if you would like more information on how Safe4 can help your organisation to enhance compliance, reduce costs, and improve client service.

Payment fraud using email – it’s completely avoidable

Payment fraud is a constant risk

Occurrences of payment fraud using email are continuing to hit the headlines, and it is something that can be avoided completely. The risk of using email for communication of confidential information has been evident for some years, as highlighted by this post on the Safe4 website last year.

Sending invoices by email, particularly for large sums of money, is fraught with risk. Even communicating via email regarding financial transactions can risk significant losses – as highlighted in the media today. Both supplier and customer can be victims of this type of fraud.

Personal or financial information – don’t use email

It is not just using email for communicating financial information that can lead to unnecessary risks. Personal data can also be misused if it is transferred between organisations by email. The potential for theft of highly personal information is something that HR consultants face constantly, as illustrated on this website in April this year.

There is a solution

For a number of years Safe4 have been delivering invoices by uploading them into a secure vault dedicated to each customer. Only the designated users of each vault are able to access the document, and there is a comprehensive audit trail of all activity so that the supplier can be sure that the invoice has been received by the customer – and nobody else.

Options for ad-hoc sharing of confidential information have been identified by Safe4 partners OPTSM, as explained on their website. The simple rule – if you need to communicate sensitive financial or personal information, don’t use email – use SafeShare, the approach they are offering. This is based on the ability to create a Safe4 vault and invite a user in a few seconds, thus making sure that the data being shared gets to the right person immediately and with no risk of intrusion.

If you would like more information on how to avoid the risk of financial payment fraud or loss of sensitive personal data, please get in touch. We will be delighted to help.

Confusion reigns regarding responsibility for data protection compliance

A recent survey suggests that there is still a good deal of confusion regarding responsibility for data protection compliance. Given that the UK adopted the EU GDPR into the Data Protection Act in May 2018, this reflects the general lack of awareness among many organisations today.

This survey also indicates a lack of clarity over whether cloud-based information management services offer better or worse protection than traditional on-premise storage. The answer, of course, is that the level of security and therefore protection depends on which cloud service provider is involved. Safe4 has an unblemished record of secure service provision, with an availability record very close to 100%. Not all cloud service providers can offer this.

Safe4 has also clarified the different roles and responsibilities relating to data protection in their Data Protection Policy – click here for more details. Safe4 does not claim ownership of any data that is stored within its system, and thus acts as the Data Processor. Customers own their data and have responsibility for any information that is placed in Safe4, and therefore are Data Controllers.

Adding to the benefit of using Safe4 for information storage is the fact that Safe4 only uses UK-based hosting services accredited to ISO 27001. Together with enhanced password strength management and 2-factor authentication, Safe4 provides a platform that lets its customers be confident that the system will support their own Data Protection compliance programme. However, no cloud service provider can make its customers compliant with the Act – ultimate responsibility lies with the Data Controller to ensure that their own information security policies and practices are enforced. The vast majority of data security breaches are caused by human error or poorly trained employees.

For more information on how Safe4 can assist your data protection compliance programme, please contact us.

Evidence of increased threat of email intrusion

Online fraud and theft have become widespread in recent years. Email in particular presents a growing risk as criminals identify ever more devious methods of persuading individuals and businesses to expose their confidential information.

The risk is highlighted in an article on the VaultConnect website; please click here for details. VaultConnect are partners of Safe4, and are working to reduce the risk of email intrusion for professional practitioners and other businesses across the United Kingdom. This article refers to 5 scams, of which number 3 is the particular case in point. Safe4 have stressed the importance of avoiding the use of email for some years, although in many sectors it is still used routinely to transfer confidential information in spite of the potential consequences of a breach under the terms of the Data Protection Act.

For more information on how the use of Safe4 can help your organisation to reduce cost and improve regulatory compliance and governance whilst enhancing customer service, please contact us.

Safe4 is going large – version 5.20 is released

October 2018 has seen the release of Safe4 version 5.20, which contains some important enhancements to the highly secure information delivery and management service. “Safe4 is going large” is a fitting way to describe some of the changes introduced in this release.

As in all new releases, Safe4 have improved a number of the fundamental security features of the system. In order to make sure that customers’ data, as well as that of their clients, is managed in the most secure way possible, changes have been made to the way in which information is stored so that the risk of penetration is reduced. This includes some changes that will make it easier for clients to comply with the Data Protection Act, following the introduction of GDPR in May 2018. For example, the Subject Access Request report, which is available at the press of a single button, has been expanded.

Large file management

However, the most significant element within this release is the ability to upload files of up to 800 megabytes per individual file. This is an interim step, with the short-term objective being 2 gigabytes per individual file. The fundamental security approach of Safe4 has always meant that uploading documents was more than just moving a file from one location to another, and consequently the upload process involves a number of server-based functions such as virus-checking, content scanning, encryption, transferring the file into cloud storage and updating the database and all of the audit trails. These functions have now been separated and will be performed sequentially, so that the server-based processing is carried out after the client interface has been refreshed. Very large files will be shown on the file list immediately, but with a “Processing” indicator until the server functions have been completed.

As well as virus checking and encryption, Safe4 also performs a series of content checks to ensure the integrity of the data that is being uploaded. If the file fails one of these tests, or is found to contain a virus, a reference will be shown on the file list even though the file itself has been removed from the server. This will cover the whitelisting and blacklisting scans, as well as the ability to check for any files that have been protectively marked.
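The upload pipeline described in the two paragraphs above, modelled as an added Python example. This is not Safe4's own code (the page does not publish its internals): the two-stage split between an immediate "Processing" listing and the server-side checks, the whitelist and blacklist of extensions, the malware marker that stands in for an antivirus verdict, the protective-marking strings and the HMAC-based stream cipher are all constructed stand-ins chosen to show the shape of the process, including the failure path where a rejected file keeps its reference in the list but loses its content.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins for the real scanners: a marker byte string in place
# of an antivirus verdict, and the markings the content scan looks for.
MALWARE_MARKER = b"CONSTRUCTED-MALWARE-MARKER"
PROTECTIVE_MARKINGS = (b"OFFICIAL-SENSITIVE", b"TOP SECRET")
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "csv", "txt"}   # whitelist scan
BLOCKED_EXTENSIONS = {"exe", "js", "vbs", "bat", "scr"}      # blacklist scan


@dataclass
class FileRecord:
    name: str
    status: str = "Processing"      # Processing -> Available | Rejected
    reason: str = ""
    ciphertext: bytes = b""         # stays empty when the file is rejected
    sha256: str = ""
    audit: list = field(default_factory=list)


def extension_check(name, data):
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return f"blacklisted extension .{ext}"
    if ext not in ALLOWED_EXTENSIONS:
        return f"extension .{ext} not on whitelist"
    return None


def malware_check(name, data):
    return "malware detected" if MALWARE_MARKER in data else None


def marking_check(name, data):
    for marking in PROTECTIVE_MARKINGS:
        if marking in data:
            return f"protectively marked ({marking.decode()})"
    return None


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: an illustrative stand-in for an
    # authenticated cipher such as AES-GCM, which a real service should use.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, data):
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def list_file(store, queue, name, data):
    """Client-facing step: the file appears in the list at once, marked Processing."""
    rec = FileRecord(name=name)
    store[name] = rec
    rec.audit.append("listed as Processing")
    queue.append((name, data))
    return rec


def process_queue(store, queue, key):
    """Server-side step, run after the client has been refreshed: scans first,
    then hashing, encryption and storage. A rejected file keeps its list entry
    (status and reason) but never receives any stored content."""
    while queue:
        name, data = queue.pop(0)
        rec = store[name]
        for check in (extension_check, malware_check, marking_check):
            problem = check(name, data)
            if problem:
                rec.status, rec.reason = "Rejected", problem
                rec.audit.append(f"removed from server: {problem}")
                break
        else:
            rec.sha256 = hashlib.sha256(data).hexdigest()
            rec.ciphertext = encrypt(key, data)
            rec.status = "Available"
            rec.audit.append("scanned, encrypted and stored")


def demo():
    # Constructed uploads: clean, "infected", protectively marked, blocked type.
    key = secrets.token_bytes(32)
    store, queue = {}, []
    list_file(store, queue, "invoice.pdf", b"%PDF-1.4 constructed invoice content")
    list_file(store, queue, "report.docx", b"quarterly " + MALWARE_MARKER)
    list_file(store, queue, "memo.txt", b"OFFICIAL-SENSITIVE: constructed memo")
    list_file(store, queue, "tool.exe", b"MZ constructed binary")
    statuses_before = {n: r.status for n, r in store.items()}
    process_queue(store, queue, key)
    return key, store, statuses_before
```

Calling `demo()` lists all four files as "Processing" and only then runs the server-side work, which is the ordering the release notes describe; the audit list on each record shows why a file ended up "Available" or "Rejected".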

More significant developments to come

There is a lengthy list of enhancements in the pipeline for Safe4. The next release will feature the ability for files held in Safe4 to be signed digitally in a way that allows them to be submitted to both HMRC and Companies House in the UK. This important development will be a major time-saver for any organisation that needs multiple signatories to approve documents, and will be carried out entirely within Safe4, without the use of any external technology.

If you would like any further information on how Safe4 can help your business to improve client service, reduce costs and enhance regulatory compliance, please contact us. We will be delighted to assist you.

Cyber crime is still soaring – and insecure email remains the weakest link

The scourge of email scams and phishing continues to rise relentlessly. Whilst some organisations have taken steps to protect themselves, many still use email to transfer confidential information to recipients both within and beyond their own domain. A recently-published article highlights this, and the risks to corporate governance that are involved.

Professional practitioners are among the worst offenders. Much of the information that they generate on behalf of their clients is highly confidential and is sent by email as an attachment. Not only does this expose their clients to the loss or theft of the data, it is inefficient and can ultimately lead to serious difficulties for the practitioners themselves. In the UK it is estimated that more than 70% of law firms, for example, still use open email to carry confidential client information.

Sometimes the clients themselves are a problem …

Accounting firms, for example, provide services for a wide range of different clients, everything from global corporates to the local butcher, baker and candlestick-maker. At the smaller end of this scale many clients are resistant to using secure information sharing services as they find it easier to simply receive financial information as an attachment to an email. Sometimes it is securely stored away, but often it is not, leading to repeated requests for the information to be re-sent by the accountant, multiplying the scale of the risk.

VaultConnect, partners of Safe4 Information Management, have described the consequences of these “can you just …” requests for information. Typically they result in an interruption of approximately 23 minutes to stop a current task, go and find the requested information, respond to the client, and then try to resume the task that has been interrupted. And the result of this is to expose both the client and the accountant to increased risk.

There are better and safer options

The Safe4 service has been designed explicitly to protect any organisation that needs to share confidential information with external or internal parties, whether it be in unstructured form (such as documents), or structured (data held in columnar format, similar to spreadsheets and simple databases). Manningtons, an accounting firm in Sussex, have recently chosen to significantly expand their use of Safe4 in order to protect themselves and their clients from loss or theft of sensitive information. Read about their experiences here. This approach has enabled Manningtons to enhance their compliance with both the Data Protection Act (which now embodies the recently-enacted European General Data Protection Regulation), and with the guidance issued by the Institute of Chartered Accountants of England and Wales. This strongly advises accounting firms not to send confidential information to clients by email, even if the client has actually requested that they do so.

Safe4 utilises a highly secure vault to hold information relating to each client. This can be shared with the clients themselves, allowing two-way transfer of confidential documents and data. The very granular permissions provided by Safe4, as well as comprehensive audit trails and reporting functions, add further levels of protection to the professional practitioners as well as their clients.

Contact Safe4

For more information on how Safe4 can help your organisation to achieve enhanced levels of security and compliance with regulatory frameworks, please get in touch. We will be delighted to assist you.

Safe4 releases version 5.10 to address GDPR compliance requirements

The General Data Protection Regulation becomes law across the EU on 25 May this year, and in order to assist our customers to ensure that they are compliant with the regulation we have introduced some system changes to the core Safe4 service. These changes are in fact part of a work-in-progress, since there are still some areas of uncertainty in the way that GDPR is expressed. The system modifications at this stage address the basic requirements of GDPR compliance, and will be built upon as greater clarity emerges.

As the Data Processor under data protection legislation, Safe4 makes use of a number of constructs, described within the system as providers and vaults. The new release, designated as version 5.10, allows these to be completely deleted, with all of their data content being irreversibly removed. The ability to perform such deletions will be granted to customers, the Data Controllers, at system administrator level only, and any actions of this sort will be carried out after several warnings have been given and responded to.

Users can also be deleted by Data Controllers. Safe4 permits users to have access to multiple providers and vaults, and consequently the removal of a user from a particular vault will not affect their access to any others.

However, because Safe4 is a system of record, the audit trails relating to the existence of providers, vaults and users will be retained. For example, the record of a user account’s existence will be retained as a basic “stub”, so that the integrity of audit trails can be maintained. Activity while a user was a member of a Safe4 vault will thus be available for evidential purposes in future, while any personal information that was stored about that person will be deleted.

The full range of reporting options will be developed over time as the specific needs of customers are established, and as aspects of GDPR compliance are clarified both by the Information Commissioner’s Office and by case law.

An additional function that will be made available to the Data Controller immediately will be the ability to respond to Subject Access Requests. The Safe4 administrator will be able to generate a Subject Access Request report at the touch of a button. This will create a PDF document that can be provided externally if required, or stored as a record within Safe4.
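The deletion and Subject Access Request behaviour described in the preceding paragraphs, as an added Python example. It is not Safe4's code and the page does not describe Safe4's data model; the `RecordStore` class, its user and vault objects, the audit tuple layout, the administrator check and the "two confirmations" rule that models the repeated warnings are all hypothetical. What it shows is the pattern the text sets out: deleting a user strips the personal data but leaves a stub so that audit entries remain resolvable, deleting a vault irreversibly clears its content while the vault's existence stays in the audit trail, and a Subject Access Request gathers everything still held about one person.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class User:
    user_id: str
    name: str
    email: str
    deleted: bool = False


@dataclass
class Vault:
    vault_id: str
    documents: dict = field(default_factory=dict)   # document name -> content
    members: set = field(default_factory=set)
    deleted: bool = False


class RecordStore:
    """Hypothetical system of record: users, vaults and an append-only audit trail."""

    def __init__(self, admins):
        self.admins = set(admins)   # the Data Controller's administrator accounts
        self.users = {}
        self.vaults = {}
        self.audit = []             # (when, actor, action, target)

    def _log(self, actor, action, target):
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, action, target))

    def _require_admin(self, actor):
        if actor not in self.admins:
            raise PermissionError(f"{actor} is not a system administrator")

    def add_user(self, actor, user_id, name, email):
        self.users[user_id] = User(user_id, name, email)
        self._log(actor, "add_user", user_id)

    def create_vault(self, actor, vault_id):
        self.vaults[vault_id] = Vault(vault_id)
        self._log(actor, "create_vault", vault_id)

    def add_member(self, actor, vault_id, user_id):
        self.vaults[vault_id].members.add(user_id)
        self._log(actor, "add_member", f"{vault_id}:{user_id}")

    def upload(self, actor, vault_id, name, content):
        self.vaults[vault_id].documents[name] = content
        self._log(actor, "upload", f"{vault_id}:{name}")

    def delete_user(self, actor, user_id):
        """Remove personal data but keep a stub so audit entries stay resolvable."""
        self._require_admin(actor)
        user = self.users[user_id]
        user.name, user.email, user.deleted = "[deleted user]", "", True
        for vault in self.vaults.values():
            vault.members.discard(user_id)
        self._log(actor, "delete_user", user_id)

    def delete_vault(self, actor, vault_id, confirmations):
        """Irreversibly remove content; the vault's existence stays in the audit trail."""
        self._require_admin(actor)
        if confirmations < 2:   # models the repeated warnings before deletion
            raise ValueError("deletion requires every warning to be acknowledged")
        vault = self.vaults[vault_id]
        vault.documents.clear()
        vault.members.clear()
        vault.deleted = True
        self._log(actor, "delete_vault", vault_id)

    def subject_access_report(self, actor, user_id):
        """Everything held about one person: profile, vault membership and audit events."""
        self._require_admin(actor)
        user = self.users[user_id]
        report = {
            "profile": {"name": user.name, "email": user.email, "deleted": user.deleted},
            "vaults": sorted(v.vault_id for v in self.vaults.values() if user_id in v.members),
            "events": [e for e in self.audit
                       if e[1] == user_id or e[3].split(":")[-1] == user_id],
        }
        self._log(actor, "subject_access_report", user_id)
        return report


def demo():
    # Constructed data: one administrator, one user, one vault, one document.
    store = RecordStore(admins={"admin"})
    store.add_user("admin", "u1", "Alice Example", "alice@example.com")
    store.create_vault("admin", "v1")
    store.add_member("admin", "v1", "u1")
    store.upload("u1", "v1", "result.pdf", b"constructed test result")
    before = store.subject_access_report("admin", "u1")
    store.delete_user("admin", "u1")
    after = store.subject_access_report("admin", "u1")
    return store, before, after
```

The report generated after deletion still lists the user's upload and the deletion itself, because those events are evidential, while the profile section now carries only the stub; the same store then refuses a vault deletion from a non-administrator or with the warnings unacknowledged.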

As always, we at Safe4 consider the secure handling of customers’ information to be our highest priority. This approach will continue, and will be extended as necessary through working closely with Data Controllers to ensure that their GDPR compliance obligations are being met.

For more information on how Safe4 can support your GDPR compliance programme, please contact us. We will be very pleased to assist. General information on GDPR can be obtained from the UK Information Commissioner’s Office.