In this context, human error is one of the most serious challenges for the security of sensitive data. In an era in which UX (user experience) matters more and more, users' need for simple, intuitive software must not undermine the technological basis of a digital solution's security. The system must therefore be simple enough that the user has no trouble operating it, yet robust enough to counteract the threats. It should also help eliminate the most common threats on the operational side by encouraging users to apply good practices and educating them.
Developers indicate two basic features of a secure design: identification and authentication. In practice, this translates into using a login and a password. While passwords are not the most comfortable solution from the user’s perspective, especially on mobile devices, there is a justification for using them, especially in the case of enterprises that have to take care of protecting strategic data while sharing them.
The method we use in the FORDATA system is access links sent to users that enable them to log in to the Data Room. As our system does not require installation, we can additionally conceal the fact that someone is using it at all, since communication between the Customer Service Team and the user is limited to email (and phone). Work in the system is done through the browser. After logging in for the first time, the user is asked to set their own secure password and is informed about the character sequences they should avoid in order to better secure access. Additionally, it is possible to use two-factor authentication via SMS.
First of all, paper. When using a VDR, you do not need to make copies of documents available for inspection, or to produce reports, confidentiality agreements, etc. There is just one link under which the user has access to all the documents intended for him, while the administrator can handle many transactions simultaneously. This means significant savings of paper or its complete elimination. Ecology in the company is a comprehensive concept. Virtualization, combined with the right approach to producing the energy needed to power electronics, results in an environmentally neutral solution. For example, our company has used, among others, server providers that use the heat they produce to heat the floor of the building in which they are located. And that is not all of the advantages.
Even if both conditions are met, i.e. if the user is correctly identified (login) and authenticated (password), we cannot speak of full security. Threats go far beyond the login mechanism and the designer’s task is to constantly seek a compromise between user comfort and protection. The ideal situation is one where the user does not have to think about his or her security at all. In practice, when it comes to protecting privacy or company secrets, such a solution does not exist. After all, login data and authenticated sessions must also be protected.
The mechanisms supporting secure login and protecting the data that we use in the FORDATA system include, for example, the requirement to change the password periodically, blocking simultaneous sessions under the same login, and limiting the pool of IP addresses from which it is possible to log in to the system. Each of these protections restricts the user's freedom to some degree, but the benefits of using them are much greater.
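The three controls listed above can be enforced at one point in the login flow: the address pool is checked first, then whether the account already holds a session, and finally the password age. The following is an added illustration, not FORDATA's code; the 90-day rotation period, the CIDR-style address pool and the single-session rule are assumptions.

```python
"""Login-policy gate combining password rotation, one session per login and an IP pool.

Added example, not FORDATA's implementation. The limits below are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

PASSWORD_MAX_AGE = timedelta(days=90)   # assumed rotation period


@dataclass
class Account:
    login: str
    password_set_at: datetime             # timezone-aware
    allowed_networks: List[str] = field(default_factory=list)  # CIDRs; empty = any address
    active_session: Optional[str] = None  # id of the session currently open, if any


class LoginDenied(Exception):
    """Raised when policy forbids opening a session at all."""


def check_login(acct: Account, source_ip: str, now: datetime) -> str:
    """Apply the policy for an already-authenticated user.

    Returns "ok" when a session may be opened, "password_expired" when the user
    must first set a new password, and raises LoginDenied for a disallowed
    source address or an account that already has an active session.
    """
    addr = ipaddress.ip_address(source_ip)
    if acct.allowed_networks and not any(
        addr in ipaddress.ip_network(net, strict=False) for net in acct.allowed_networks
    ):
        raise LoginDenied(f"{source_ip} is outside the permitted address pool for {acct.login}")
    if acct.active_session is not None:
        raise LoginDenied(f"{acct.login} already has an active session; log out there first")
    if now - acct.password_set_at > PASSWORD_MAX_AGE:
        return "password_expired"
    return "ok"


def open_session(acct: Account, session_id: str, source_ip: str, now: datetime) -> str:
    """Run the policy check and, if it passes, record the session on the account."""
    verdict = check_login(acct, source_ip, now)
    if verdict == "ok":
        acct.active_session = session_id
    return verdict


def close_session(acct: Account) -> None:
    """Release the single session slot so the user can log in again."""
    acct.active_session = None


if __name__ == "__main__":
    # constructed sample data
    now = datetime(2020, 6, 1, tzinfo=timezone.utc)
    anna = Account("anna", datetime(2020, 5, 1, tzinfo=timezone.utc), ["203.0.113.0/24"])
    print(open_session(anna, "sess-1", "203.0.113.7", now))   # ok
    try:
        open_session(anna, "sess-2", "203.0.113.8", now)        # second concurrent login
    except LoginDenied as exc:
        print("denied:", exc)
```

Because the address check comes before the session and password checks, a request from outside the pool learns nothing about the account's state; the password-age result is returned rather than raised so that the login page can send the user straight to the change-password step instead of treating it as a failure.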
The above list is by no means exhaustive. Depending on our work environment and existing threats, the technology must be constantly adapted. However, using even the most advanced data protection methods may not be enough. Suffice it to say that the most common reason for breaching confidentiality is simple inattention of users. In this context, it is worth focusing on another, particularly important area of security.
It can be stated with a high degree of certainty that the key to data security is the compromise between technology and proper usage practices. However, as friendly design, software security and good practices become more tightly integrated, companies are exposed to the ever-increasing danger of phishing, i.e. attempts to defraud electronic data. These attempts, unfortunately, are becoming increasingly creative and sophisticated. Data migrates to increasingly secure clouds, so criminals look for ways to reach it, impersonating, for example, a service provider, a company client, a colleague, sometimes even superiors, and using countless other methods based on psychology and user inexperience. So-called BEC (business email compromise) attacks include, among other things, whaling, i.e. personalized attacks on decision-makers in the company, and spear phishing aimed at lower-level employees.
In order to prevent such attacks, companies should use online services offering anti-phishing protection and introduce the already mentioned standard operating procedures into their activities, while paying close attention to every email and every link we click. The year 2020 is expected to be marked by an increased phishing threat. The third pillar of security that we are discussing is building awareness of this threat at every level of the company. The Internet will not be free of cybercrime threats for a long time to come, and perhaps it will never be totally safe. Therefore, even secure and well-planned technology will not fully protect us if we are not able to counteract the threats ourselves.
Main picture: Unsplash.com