Tag Archive for: reduce risk

Transport Layer Security still not universally applied

Safe4 implemented Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), back in 2010 as the connection layer that is used when the system is accessed by users. However, it seems that there is still some uncertainty as to how this level of security will be deployed in corporate environments, from which users are often accessing the internet through multiple layers of middleware, or middleboxes as they are sometimes known.

Not only has Safe4 implemented TLS, but this connection layer is very tightly configured to offer connected users the highest level of security possible. The configuration was significantly enhanced in 2015, when Safe4 announced a radically overhauled user interface. Thus when Safe4 is being accessed using a device that is not under the user’s control, such as from a hotel lobby or an airport lounge, the connection is still highly encrypted and thus secure.

Making sure that customers’ information is being managed securely is the primary focus of Safe4, so that users of all levels can be confident that their data is being handled safely. Please get in touch with us if you would like more detail on how the Safe4 service could be of value for your organisation.

Safe4 Use-Case Paper: Secure Property Conveyancing

The Safe4 secure information delivery and storage service has been in use by law firms since 2010, but hitherto primarily in support of corporate and commercial property transactions. The introduction of the Safe4 Asset Register in May 2017 has brought new levels of functionality to the system, some of which can be applied to the process of secure property conveyancing.

How can law firms offer their clients better protection of their confidential information?

It is estimated that at least 70% of law firms in the UK use open email systems to transfer confidential information between external parties. This covers a very large number of information types in a variety of departmental activities. Residential property conveyancing, however, is one area where the use of insecure methods of information transfer has been exposed as a primary target for criminal activity.

When a lawyer is engaged by a client to handle the legal aspects associated with selling their home, the final act in the process is for the lawyer to transfer the sale proceeds from their firm’s client account to the client’s bank account. In most cases this is a simple process that is carried out without difficulty, but in recent years there has been an alarming increase in the level of criminal interception of email. It is common for the lawyer to request the client to provide the details of their bank account by email, by telephone, or by filling in a paper form and sending it back to the lawyer. All of these methods of delivery are potentially insecure, but there is mounting evidence that interception of emails and fraudulent alteration of the target bank details has become a major problem.

Impact on Professional Indemnity Insurance premiums

The existence of the problem has been recognised by the providers of professional indemnity insurance for law firms. Premiums are starting to increase steeply for those firms who use the traditional insecure means of obtaining clients’ bank account details.

Secure Property Conveyancing

The Safe4 Asset Register allows this risk to be eliminated. By opening a secure vault for each property transaction, and creating data fields into which basic bank account information – account number, sort code – can be entered directly by the client, the lawyer can offer the client a higher level of protection than has hitherto been possible.

After the client has entered their bank details, the conveyancer will receive an email automatically generated by Safe4 confirming that the information is available. After logging in, the information can then be transferred safely into the internal systems used for handling client payments. There is of course the standard Safe4 audit trail facility associated with all activity, providing a strong evidential record of everything that has been done during the transaction.

If the Safe4 Application Programming Interface (API) is used, the bank account details can be transferred completely automatically into the law firm’s practice management or accounting systems, thus improving security and efficiency further.

UK Hosting

Because all Safe4 data is hosted in the UK in ISO 27001-accredited data centres, the professional practitioner can also take advantage of Solicitors Regulation Authority compliance. All of the activities of Safe4 are conducted under the law of England and Wales.

Safe4 Information Management have partnered with VaultConnect to offer best-in-class security for the systems that handle the transfer of confidential information between the professional practitioner and the client. This collaboration is now benefiting law firms throughout the United Kingdom, who are able to gain the advantage of the security of the Safe4 platform with the expertise and experience of the VaultConnect team.

Ransomware – why Safe4 customers are protected

The ransomware attacks that have affected many organisations around the world over the weekend have exposed some serious vulnerabilities in the way that information is managed; using out-of-date operating systems and the failure to implement security updates are clearly primary causes of the exposure. However, it should be remembered that the problem normally arises when an unsuspecting user clicks a link in an email that is urging them to take some “essential” action, such as to update the information stored by a service provider.

Of course the email does not come from the service provider at all, but is a cleverly-disguised piece of work by a criminal organisation that will install an invasive piece of software on the user’s computer that can encrypt files and demand ransom payments in exchange for a decryption key.

Safe4 customers, and their clients, are protected against this risk in a number of ways:

  • Firstly, it is never necessary to send any confidential information, or indeed any information at all, by email. The primary function of Safe4 is to provide organisations of all types with the ability to deliver and store information of any kind in a way that makes it accessible to authorised users only. Thus if a Safe4 user receives an email requesting them to take any unusual or unexpected action, it can safely be ignored.
  • Secondly, all the files held in Safe4 are maintained in UK-based data centres accredited to ISO 27001, and are only available after the user has authenticated themselves through a web portal. The user does not therefore have direct access to the information in the way that they would if the files were held on a local or network drive.
  • The third reason for the safety of Safe4 customers is the inherent design of the system. Safe4 is a system of record. Files held in the system cannot be changed; this means they cannot be encrypted. Even if malware were to penetrate the security layers of Safe4, it cannot alter the files that have been stored. New versions of files could theoretically be created containing an encryption code, but the original files are still available for retrieval at any time – without having to pay any ransom.

We at Safe4 are continuing to remain vigilant in the constant battle against cyber criminals. Independent tests have rated Safe4 among the most secure 0.8% of sites on the internet out of millions tested due to the measures that we have put in place to protect our customers’ data. Please contact us if you would like any further detail on the security features of Safe4.

More concern over the use of public email

Interference with personal email accounts has become a major source of fraud in the UK. Take a look at this alarming article. However, more than 70% of UK law firms are still communicating with clients via their clients’ personal email accounts, in many cases to carry highly confidential information such as bank account details when executing conveyancing transactions. Repeatedly, criminals are intercepting email messages to fraudulently change bank details, resulting in money being transferred to the wrong account – and innocent lives being ruined.

The Safe4 Asset Register has been designed to eliminate the risk of fraudulent interception of email. It allows clients to enter their banking information directly into one of the most secure sites on the Internet, and automatically notifies the conveyancer that the information has been provided. The lawyer can then log in and obtain the information, whilst audit trails are recording all of the details.

Not only does the Safe4 Asset Register eliminate a risk of major financial loss and severe reputational damage, but it enhances compliance with the SRA guidance on the use of cloud computing services. Furthermore, leading brokers in the Professional Indemnity sector believe that using facilities such as that offered by Safe4 will significantly slow down the recent dramatic rises in premiums.

Please contact us. We can help you to improve compliance and reduce risk.

Safe4 Asset Register is launched with release of version 5.0

Since 2010 Safe4 has become established as one of the most secure services on the Internet for the delivery and storage of documents. With the release of Safe4 version 5.0 that capability is dramatically enhanced, as now the inclusion of the Safe4 Asset Register allows the direct input of data into fields that can be set up and managed by the service provider.

Safe4 Asset Register driven by business requirements

This development was triggered by a number of different requirements, partly arising from the work that Safe4 has been doing in the fields of will-writing and inheritance planning, and more recently in property conveyancing. Whilst Safe4 has always offered the ability for document files to be uploaded securely by both service providers and their clients, this was not always the most efficient way to record some types of information. Details such as National Insurance numbers, personal contact information, or references to memberships are more easily recorded as data, simply entered directly into on-screen fields.

Ever-increasing occurrence of fraud

Furthermore, in recent years the huge increase in fraudulent interception of emails has meant for example that when an end-client needs to provide a conveyancer with the bank details for the transfer of funds to complete a property transaction, both parties have been exposed to significant risk. In most cases today, this information is sent in an open email, or communicated by telephone.

Professional Indemnity insurers have been aware of this for some time, and as a consequence many law firms and other professional practitioners have seen their PI insurance premiums rise steeply, with very large excess payments in respect of every claim.

The Safe4 Asset Register enables a service provider to define classes of asset themselves, and to associate them with attributes which become the fields into which the end client can input their details directly, without using email or voice. This all happens under the protection of the industry-leading security offered by Safe4. Email is only used to notify the service provider that the data has been entered, whereupon they must log in to the system to obtain the necessary information. All actions are captured in the Safe4 audit trail, which provides a strong evidential record should any dispute arise.

Reduce risk, improve compliance

As well as helping to mitigate risk and thus slow down the ever-increasing cost of PI insurance, it is believed that use of the Safe4 Asset Register will also enhance compliance with the Solicitors Regulation Authority guidelines for the use of cloud computing services. Avoidance of email for the transfer of confidential information, UK hosting in ISO 27001-accredited data centres, powerful encryption, independent annual penetration testing and other measures offer genuine protection for service providers and their clients.

A wide range of other business applications can be supported by the Safe4 Asset Register. Safe4 will be publishing a series of articles and announcements in the coming months highlighting the benefits that can accrue to different types of organisation, including those in the financial services, health, business continuity planning, charities, property, government, training and skills development sectors.

Please get in touch with us for more information on how the Safe4 Asset Register can add value to your business.

US / European Privacy Shield progress has stalled

The recently-appointed US administration has put a hold on recruitment in many branches of the government, including the appointment of an ombudsman for dealing with data privacy issues. Transfer of personal data between the US and other jurisdictions is a complex subject, and will need careful treatment as the discussions relating to the new agreement unfold. Click here for more information.

The safest way to avoid the issues relating to the movement of any confidential information across international boundaries, including personal data, is to host it in the UK. This policy was adopted by Safe4 in 2010, and has remained a fundamental pillar in the company’s information security strategy ever since. For a large number of professional practitioners in the legal, financial, insurance, property and medical sectors, Safe4 provides a secure and effective information delivery and storage service based on UK storage in ISO 27001-accredited data centres.

If you would like any further information on how Safe4 can assist your business, please contact us.

Ransomware has become a major business and social menace

Instances of businesses of all sizes being infected by ransomware are becoming more and more common. It is not just corporate bodies that are being hit – individual members of the public are also being asked to pay sums of money to criminals in order to remove viruses from their data. It is also understood that 30% of National Health Service hospitals in the UK have suffered ransomware attacks.

There is a range of measures that will help to protect against the effects of ransomware, as outlined in this recent article. As well as taking protective steps, however, the safest way to reduce the risk of being infected by ransomware is for businesses to make it clear to their customers, employees, associates, partners, suppliers and any other parties that they communicate with that no information of any importance will ever be transmitted by email, which is the source of the overwhelming majority of the malware that leads to ransomware problems.

Safe4 have been highlighting this issue for some time – if important or confidential information is placed into a secure vault where it will be available to authorised users whenever they need it, the need for sending anything of consequence by email is dramatically reduced. Whilst it is almost impossible to remove the threat of being infected by malware completely, there are safer ways to communicate that radically reduce this risk.

Please contact us. We will be very pleased to assist in the fight against fraud and cyber crime.

US may be set to change data privacy laws – again!

The Safe Harbor data privacy agreement between the US and the EU was deemed to be ineffective in 2015, and was subsequently replaced with a Privacy Shield arrangement – which is still considered by many to be inadequate. Recent announcements by the new US administration suggest that the internal data privacy laws in the US will be subject to further change, affecting those who are not US citizens or permanent residents in the US. Please click here for more background on this development.

Safe4 decided back in 2010 that all of the data held within its secure document delivery and storage service would be stored in UK-located data centres, accredited to ISO 27001. This offers maximum protection to our customers and their clients, employees, suppliers, partners and associates. Reliance on US-hosted data storage could be seen to carry unnecessary risk of misuse or disclosure of personally-identifiable information, hence the benefit of keeping all stored data onshore within the UK.

For more detail on the measures that Safe4 applies to keep information secure, please contact us. We would be very pleased to speak with you.

Safe4 announces the release of version 4.6

Further upgrades and enhancements to Safe4 are being introduced, as version 4.6 of the secure document delivery and storage service is released. As well as a series of significant improvements to both security and performance, the new release also provides a comprehensive refresh to the user interface for most parts of the system.

The key changes relate to responsiveness when used on mobile devices. Safe4 already provides a means of uploading photographs from smartphones and tablets directly into folders in the system, and this has now been extended to support the upload of multiple photographs or videos in a single action.

Among the changes are:

  • Completely rewritten upload and download routines, to make the system faster and more secure to use. The use of Flash in the multi-file upload process has been removed, resulting in a smoother and quicker user experience.
  • Re-organisation of the provider administration functions, with better control of system configuration options.
  • Re-scaled input screens for usernames, passwords and PINs, to make logging into the system from smartphones much easier.
  • Changes to the way in which the Public Folder facility works, to allow more flexible movement of files within a vault, and to support access from WebDAV connections through Windows and iOS.
  • A completely re-engineered development environment, to lay a flexible platform for some major functional enhancements planned for the first quarter of 2017.

This release of Safe4 underlines our commitment to offer the best possible service to our customers and their employees, clients, partners, suppliers and associates. The number of external threats to online security has never been greater, so the pressure to maintain a secure environment for confidential information is unrelenting. For more information on Safe4 and how it can make a difference to your business, please contact us.

Email phishing scams increasing rapidly – what is the answer?

Almost everyone who has an email account will have received large numbers of unsolicited emails from an unknown sender requesting that the recipient “click here” to gain access to a website or service that offers something of interest or value. Some of these are laughably inept, and are so obviously scams that they can be deleted immediately. However, an increasing number are from criminals who purport to represent a reputable and trusted party, often cleverly formatted in a way that makes it very difficult to differentiate between the scam and the real thing.

In 2015, the last full year for which there is appropriate data, instances of phishing emails of this type rose by 21% in the UK, as reported in the media by Silicon. As the article suggests, the organisations that have been falsely represented most often in the UK are BT, Apple and HMRC. The Apple emails in particular are very realistic. Clicking the link as requested will normally result in ransomware or some other form of malware being downloaded on to the recipient’s computer, leading to problems that can be very damaging and difficult to deal with.

Increasingly the criminals have turned their attention to banks and their clients, and social media services such as LinkedIn. Safe4 have recently worked with Investec, one of the financial sector’s most respected specialist banking and asset management service providers, to offer solutions to this ever-worsening problem. This involves using the Safe4 service to create a highly secure vault, into which clients can place their own important documents, and which can also be used as a means of distributing bank-generated documents to clients. It will thus become possible to inform clients that if any unsolicited email is received bearing the bank’s branding, it should be deleted immediately.

Investec, headquartered in Johannesburg, South Africa, also have a substantial presence in the UK and in other locations internationally. The Safe4 integration project was carried out by the Investec Digital team in Johannesburg, who worked closely with the Safe4 developers in the UK and South Africa. Investec are no strangers to innovation, and are constantly seeking ways to improve their clients’ banking experience, and importantly to increase the level of protection offered to clients.

Safe4 offers a highly secure facility for distributing documents to any recipient outside the sender’s own IT domain. Using UK-located data centres only, accredited to the ISO 27001 international security standard, Safe4 has been independently ranked among the 0.8% most secure sites on the internet, out of millions tested.

Contact us for more information on the Safe4 service, and for ideas on how using Safe4 can enhance the security of your communication with the outside world.