Tag Archive for: password strength

NCSC warns of cyber threats to UK law firms

/in , ,

The United Kingdom National Cyber Security Centre (part of GCHQ) has warned again about the cyber threats to UK law firms. The renewed threat is largely being driven by legal practices adopting hybrid working patterns resulting from the pandemic, with staff increasingly spending more time working from home. More background is available in an article published in The Register on 26th June 2023.

Since law firms by definition handle highly confidential information, and are increasingly dealing with very large sums of cash on behalf of their clients, the opportunity for criminals to interfere with the transfer of information is enormous. In the words of NCSC, law firms are “particularly attractive targets to attackers”.

Cyber threats to UK law firms are not new – Safe4 Information Management was formed in 2010 specifically to allow organisations to exchange information with external parties without compromising the confidentiality of the information in question. Safe4 works with a number of law firms, both large and small, and has provided its secure vault-based service to legal practices across the UK. One of the key elements in the approach adopted by Safe4 is that confidential information is NEVER transferred by email. Invitations and notifications are sent by email, but users have to authenticate themselves with a username, password and optionally 2-factor authentication before any confidential information is made available.

One of the instances where this is most valuable is with the provision of bank details by clients. Using the structured data capabilities of Safe4, clients can be invited to enter their bank details into an online form, which when completed notifies the professional practitioner that the data has been provided. The practitioner, or fee-earner, will then have read-only access to this information after they have carried out the necessary authentication. The bank details can then be used for their intended purpose, and optionally transferred into other internal systems by API.

The Register article makes the point that some of the attackers are nation states, with access to very sophisticated tools. In particular, brute-force attack technologies are being used to penetrate systems by exploiting weak passwords. To mitigate this risk, Safe4 has implemented NCSC recommendations relating to password length and strength.

All of the information held in Safe4 is stored in UK-only data centres accredited to ISO 27001. Safe4 is penetration tested regularly, and is accredited under the UK Cyber Essentials scheme by Government approved organisations under the CHECK protocol.

If you would like more information on how Safe4 can help with the battle against cyber attack, please contact us. We will be delighted to assist.

Safe4 renews Cyber Essentials accreditation

/in , ,

Safe4 has renewed its Cyber Essentials accreditation through the IASME Consortium for the year ending August 2023. This forms an important component in the company’s internal governance and compliance programme, which also encompasses the Cyber Primed information security standard. The accreditation of Safe4 is now featured on the National Cyber Security Centre’s website.

As well as providing a class-leading level of security in the handling of customers’ information, Safe4 recognises the need for a diligent approach towards the management of its own internal activities and processes. An extensive series of information security policies has been implemented, to form the basis of a comprehensive programme of best practice measures.

The requirements for Cyber Essentials accreditation have been updated by the NCSC, and since April 2022 a different set of criteria have been applied. Safe4 has followed NCSC guidance for many years, notably in the case of password strength requirements, which allow passwords of up to 150 characters in length to be selected by users of the secure cloud-based Safe4 service.

For more information on how Safe4 can assist your organisation to manage confidential information safely and securely, please contact us. We will be delighted to assist you.

Confusion reigns regarding responsibility for data protection compliance

/in , , ,

A recent survey suggests that there is still a good deal of confusion regarding responsibility for data protection compliance. Given that the UK adopted the EU GDPR into the Data Protection Act in May 2018, this reflects the general lack of awareness among many organisations today.

This survey also indicates a lack of clarity over whether cloud-based information management services offer better or worse protection that traditional on-premise storage. The answer of course is that the level of security and therefore protection depends on which cloud service provider is involved. Safe4 has an unblemished record of secure service provision, with an availability record very close to 100%. Not all cloud service providers can offer this.

Safe4 has also clarified the different roles and responsibilities relating to data protection in their Data Protection Policy – click here for more details. Safe4 does not claim ownership of any data that is stored within its system, and thus acts as the Data Processor. Customers own their data and have responsibility for any information that is placed in Safe4, and therefore are Data Controllers.

Adding to the benefit of using Safe4 for information storage is the fact that Safe4 only uses UK-based hosting services accredited to ISO 27001. Together with enhanced password strength management and 2-factor authentication, Safe4 provides a platform for its customers to be confident that the system will support their own Data Protection compliance programme. No cloud service provider can make its customers compliant with the Act however – ultimate responsibility lies with the Data Controller to ensure that their own information security policies and practices are enforced. The vast majority of data security breaches are caused by human error or poorly trained employees.

For more information on how Safe4 can assist your data protection compliance programme, please contact us.

Password strength requirements for Safe4 are being increased

/in , , ,

Cyber crime, identity theft and online fraud are becoming more frequent. It is known that there are large organisations, some of whom are state-backed, whose sole purpose is to disrupt the lawful activities on which much of our normal economic life is based. Recent ransomware attacks, as well as the ever-increasing use of spam email, are evidence of the scale of the threat. For this reason, the password strength requirements for the Safe4 system are being increased.

Safe4 works very closely with a number of public-sector organisations for whom security is paramount. Acting on the advice of the UK National Cyber Security Centre, part of GCHQ, the password requirements for Safe4 are being changed to incorporate a minimum length of 10 characters and a maximum of 150 characters. As before, each password will have to contain an upper and lower case alpha character, a number, and a symbol such as a punctuation mark. Passwords will accommodate spaces as well as normal characters, thus allowing the use of pass-phrases as well as basic passwords. The advice of the NCSC is that passwords up to 8 characters can now be cracked by brute-force attack methods in a few minutes, whereas those with 10 or more characters are unlikely to be cracked in meaningful time.

Password strength matters

Choosing a new password is increasingly challenging, hence the ability to use a pass-phrase for Safe4. This can be a favourite piece of text, such as line from a book or song, which will generally be easier to remember than a shorter password containing an obtuse string of characters. The longer the password, the more difficult for criminals to crack it. A random sequence of words that are easily remembered will have the same effect.

An additional feature that Safe4 have incorporated in this release is a warning message if the password chosen by a user has already been compromised on another site. This does not prevent the selection of that password, but the user is warned of the potential risk.

Following the release of Safe4 version 6.01, scheduled for 25 May 2019, new users will be invited to create accounts using the updated password strength requirements. The new rules will also be applied to password changes and to resets.

2-Factor Authentication by Text Message

At present, the 2-factor authentication applied by Safe4 is based on the use of a 6-digit PIN as well as a username and password. In July 2019 this will be changed, and the PIN will be replaced by a numeric code sent to the user by text message.

We at Safe4 are constantly trying to ensure that the system is as secure as possible, and that our customers’ data is protected to the maximum extent. If you have any questions, or if you would like any information on how Safe4 can assist your organisation to enhance the security of your communications, please contact us.

Password strength checker improvements for Safe4

/in , , ,

One of the challenges of enforcing strict rules about the strength of passwords is how to make them secure and still easily usable by people who perhaps utilise a system occasionally and often need rapid access to share or obtain important information.

Safe4 has now been updated to make it easier for users to select passwords in the first place, by listing each of the strength requirements and showing visually when these have been satisfied. Because Safe4 is used in many countries around the world and by speakers of many languages, it can be difficult to prevent users from choosing a password that is a common word in one language but not in another. Using sequential characters on a keyboard is also potentially an issue, as in several European countries different keyboard layouts are utilised. Beyond Europe, in countries where alphabets may also differ, keyboard layouts are often radically different from those familiar in Anglophone regions.

Keeping it simple without sacrificing security

Safe4 has become established as one of the most secure sites on the Internet, and consequently enforcing strict password requirements is essential given the presence of brute-force attack systems that can crack simple passwords very quickly. Whilst setting a strong password is the responsibility of each individual user, applying specific rules governing this, as well as limiting the number of unsuccessful login attempts within a single browser session, makes it easier to prevent unauthorised access to the system. The changes made by Safe4 will inform new users of the strength of their password as each character is chosen, and show any discrepancies visually.

Please contact us if you would like any further information on the security measures that are taken by Safe4 to protect the integrity of information that we hold, and the protection that this offers for our customers.