Secure file collaboration considerations

In group communications, such as project teams or client collaboration, there is a need to distribute information and files electronically. The information being processed is often confidential, from a business perspective or a private data (GDPR) perspective, so protecting that information is essential.

How to take data security into account in data transfers?

How can users take full responsibility for security when it usually is such a technical and difficult problem?

A need to share and transfer information in a secure but user-friendly way

E-mail is easy to use but known to be a relatively poor tool for communication in teamwork, especially if communication is lively and files are shared and updated frequently. How do you keep track of files? How do you know that all team members have access to and work on the latest version of a file? Also, e-mail is notoriously insecure, with the information usually transported and accessible in clear text along the delivery route. It is so bad that security professionals regard it as about as safe as a postcard. In fact, it is even less secure than a postcard: an e-mail can live on and be searchable forever, whereas a postcard can at least be easily discarded or permanently destroyed after being read.

There are many encrypted mail systems available, but they usually require you, and every organization and user you collaborate with, to completely replace your legacy systems. And even if you do change it all, you still have the problem of knowing that everyone has up-to-date files.

So, setting e-mail aside: in most modern software solutions the actual transfer method is nowadays encrypted and secure, regardless of the tool, provided they use common technologies for protecting the communication channel. You still have to trust the service and the storage, since the protection covers only the transfer link (hop-by-hop security). Therefore, what specifically should be taken into consideration in your data transfer process is the security of the application and data storage provider, and whether the tools are easy enough to use to meet your needs.

Often, the security debate revolves around technical issues – whether protocols, encryption technologies, access control technologies, or processes developed to control human behavior. However, it should be remembered that just as important, although often forgotten and compromised, is that the only security worth anything is the security that is actually used. Naturally, the technical solutions in the background must be rock solid, but if the tools are too confusing, full of unnecessary functions that users do not understand, and the use of the necessary features requires excessive training, then even the most technically advanced products will never be fully utilized and data security suffers.

An example of how it should be done is the secure workspace Konfident, where the user experience and functionality are intuitive and reduced to a minimum, and the strong end-to-end security is almost invisible on the surface. Through the simplified user interface, the user has full control over what they share and with which team.


Konfident - the secure workspace for end-to-end encrypted filesharing

FC Rosengård signs up for Konfident

FC Rosengård is the first club to sign up for Konfident in the Silly Season Campaign.

The FC Rosengård ladies’ football team is one of the best teams in Europe (seeded as number 5 in this year’s UEFA Women’s Champions League), as well as a world leader when it comes to developing professional football for women.

As a leading club, their information is highly sensitive, especially during the Silly Season when players are recruited and traded. A lot of money is at stake when next year’s team is put in place by Team Director Therese Sjögran.


Hyker salesman (and football fan) Jesper Landén and FC Rosengård Sports Director Therese Sjögran

FC Rosengård has chosen Konfident as their new platform for all internal communication and document storage, such as contracts, scout reports, etc. The simplicity of the application in combination with its rigorous security is perfect for this organization, where information is sensitive from a sports, business and GDPR perspective.

“Our need to control information and rumors during the Silly Season when we are recruiting new players is extremely important, and this is what initially drew our attention to Konfident. But, after some testing, we realized that it’s also a perfect tool for our normal day-to-day information sharing and storage, protecting our sensitive information and privacy protected data under GDPR,” says Therese Sjögran.

About FC Rosengård

FC Rosengård, formerly Malmö FF Dam (1970–2007) and LdB FC Malmö (2007–2013), is a professional football club based in Malmö, Sweden. The team was established as Malmö FF Dam in 1970 and has played a total of 35 seasons in the women’s premier division. The team has won the league a record ten times, the latest in 2015. As of the end of the 2015 season, the club ranks first in the overall Damallsvenskan table. (more on Wikipedia)

Simplified GDPR Guide

Do you find GDPR overwhelming?

Where do I start?

What’s applicable to me?

Larger organizations often have allocated resources and legal expertise already working on this, but what should you prioritize if your resources are limited?


Take a look at the checklist from Hyker Security and get a feeling of where you and your company stand in the progress to adapt to the new EU law.
We also cover in which areas our Konfident service eases your way to becoming GDPR compliant.

GDPR means the end of email attachments

When GDPR is enforced in May 2018 there will be new requirements on employers for the secure management of personal information internally. This means the end of sending documents containing private information by email, internal or external. Learn more about why you should stop using email and what a simple and cost-effective solution looks like.

What is GDPR?

GDPR is the European Union’s new data protection act. It will be enforced on May 25, 2018, and applies to all businesses that manage personal information on EU citizens, e.g. the employees of a German company. The aim of the new legislation is to give EU citizens greater control and influence over their personal data and how it is handled by businesses and employers.

The EU means business with the new legislation and will carry out follow-ups and revisions. The fine for failure to comply is no laughing matter (up to 20 M EUR or 4% of turnover, whichever is higher).

An important aspect in GDPR is that personal data must be treated in a secure manner.

What does personal data mean?

In GDPR, personal data can be many things: name, address, location, online ID, health information, income, etc.

Examples of scenarios where personal data may occur naturally within internal communication:

  • Management follow-ups (material for salary reviews, recruitment material, CVs, etc.)
  • HR discussions about personnel (individual support, etc.)
  • Financial management (salary specifications, etc.)


Note that according to GDPR, it’s especially important to provide extra safeguards for sensitive personal data. Examples of sensitive personal data can be personal data about an employee’s private life and health, e.g. matters that can be discussed between an employee and his or her boss or HR person.


Implementing extra safeguards for sensitive personal data requires both the right tools and a communication policy.

What does secure management of personal data mean?

An important aspect of GDPR is that businesses and employers must treat personal data in a secure manner. But what does that really mean? When talking about security, the term encryption usually comes up. Encryption is a way to scramble e.g. a text so that only the person with the key can decrypt the text and read it. When it comes to information managed in the cloud, there are several encryption approaches:

  • Encryption in transit. This means that a text sent e.g. between a client and a server is encrypted during the transportation phase, on its way from A to B over the internet.
  • Encryption at rest. This means that a text is encrypted when stored, e.g. on a server at a cloud service provider.
  • Encryption end-to-end. End-to-end encryption is the gold standard within security. If a message is end-to-end encrypted, only the sender and the receiver can decrypt the message, and it’s never decrypted during transit or in storage.

Note the difference between a combination of encryption in transit and at rest, and pure end-to-end encryption. In the first case, the message is decrypted after transport and then encrypted again for storage, managed by the company that owns the storage. This company has access to the keys. Should this company suffer a successful attack, the stored data may be leaked, something which is not possible with pure end-to-end encryption, where the storage provider never holds the keys.

End-to-end-encryption is the recommended technique for communication involving sensitive personal data.
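As an added illustration (not Konfident’s or Hyker’s code), the following Go program models the key-custody difference described above, with AES-256-GCM standing in for whatever ciphers a real service uses. The sample document, the key names and the step where the provider tries its own key on the stored blob are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// random returns n cryptographically random bytes (used for keys and nonces).
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts doc with AES-256-GCM under key and prepends the random nonce.
func seal(key, doc []byte) []byte {
	block, _ := aes.NewCipher(key) // keys in this program are always 32 bytes
	aead, _ := cipher.NewGCM(block)
	nonce := random(aead.NonceSize())
	return aead.Seal(nonce, nonce, doc, nil)
}

// open reverses seal; ok is false when key is wrong (the GCM tag check fails).
func open(key, blob []byte) (doc []byte, ok bool) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, false
	}
	doc, err := aead.Open(nil, blob[:n], blob[n:], nil)
	return doc, err == nil
}

// HopByHop models "in transit + at rest": the provider decrypts the transport layer and re-encrypts under its own storage key.
func HopByHop(doc []byte) (providerReads, receiverReads bool) {
	transportKey, storageKey := random(32), random(32)   // both known to the provider
	pt, _ := open(transportKey, seal(transportKey, doc)) // provider terminates transit encryption
	atRest := seal(storageKey, pt)                       // provider re-encrypts for storage
	providerView, _ := open(storageKey, atRest)          // provider can read at any time
	delivered, _ := open(transportKey, seal(transportKey, providerView))
	return bytes.Equal(providerView, doc), bytes.Equal(delivered, doc)
}

// EndToEnd models Konfident-style E2E: the team key lives only in the two clients; the provider stores an opaque blob.
func EndToEnd(doc []byte) (providerReads, receiverReads bool) {
	teamKey := random(32)                              // shared by sender and receiver only
	transportKey, storageKey := random(32), random(32) // the provider's own keys
	blob, _ := open(transportKey, seal(transportKey, seal(teamKey, doc))) // strip transit layer
	_, providerReads = open(storageKey, blob) // provider tries its own key: tag check fails
	delivered, rOK := open(teamKey, blob)
	return providerReads, rOK && bytes.Equal(delivered, doc)
}

func main() {
	doc := []byte("constructed sample: salary review notes for employee 42")
	fmt.Println(HopByHop(doc)) // prints "true true": provider and receiver both read
	fmt.Println(EndToEnd(doc)) // prints "false true": only the receiver reads
}
```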

The end of internal email

So, what about email, this tool that everyone loves to hate? Is it safe to send sensitive personal data, e.g. as text in an email or as attachments? The answer is NO! It is simply not secure to use email. With standard email, all text and attachments are sent in clear text over the internet and are relatively easily accessible to hackers and other malicious actors.

An attack could mean that sensitive personal data about a corporation’s employees, contained in email communication, is leaked and published on the internet. The damage may be catastrophic for both corporation and employees and with the introduction of GDPR, there is also the threat of multi-million fines.

Now that email is no longer a valid solution for communicating sensitive personal data, a secure alternative for internal corporate communication is needed. Such alternatives were previously lacking at a reasonable cost, so both corporations and the EU used to disregard this problem.

When GDPR is introduced, email may no longer be used for management of sensitive personal data.

End-to-end encryption for secure management of sensitive documents containing personal data

Hyker Security has released a service to manage your confidential or privacy-protected documents, called Konfident. Built upon the end-to-end encryption technologies of Hyker, Konfident offers the most secure collaboration workspace or Virtual Data Room, that still is easy to use and implement.

  • Store and share your documents securely.
  • Encryption keys are kept only in the clients and are never stored centrally. Not even Hyker or Hyker partners can access the files, since we have no access to the keys. In most cloud solutions the vendor manages and holds the encryption keys. This means that you need to trust the vendor, their employees, their data center and their suppliers.
  • Easy to use with the kind of drag-n-drop interface that you are used to from other cloud-based document management systems.
  • Designed for the way you work today – across borders, in the cloud, and in compliance.
  • Protects all data including PDF, Microsoft Office and media files without plugins.
  • Comprehensive audit trails on all user, workspace, and content activity.
  • Web-based, no local installation.
  • Workspace set up in minutes, not days – move from desktop to secure workspace in just a few clicks, without the need for an IT department.

Image caption: The secure workspace that does not keep your keys


The importance of a communication policy

With older and unstructured tools, such as email, it has previously been impossible to establish a policy for internal communication. But what does a communication policy really mean?

“A communication policy is an established agreement on how to communicate in specific situations.”

It is very important that a communication policy is established and thereby well anchored with senior management as well as HR. The policy must address especially important situations and clarify how communication shall be handled in these contexts. For the policy to last and evolve, there must also be a role and a person responsible for the policy.

As for managing communication with sensitive personal data and similar information, we recommend the following policy:

In the dialogue between an employee and a boss, the boss is responsible for making sure that discussion and communication around personal data are never carried out in an unprotected channel, like email. Any data that is directly related to a person should be managed in a separate document and transferred using a secure end-to-end encrypted workspace in Konfident. In this way, a satisfactory level of security can be guaranteed.

Policy example:

  1. A discussion is going on between an employee and a boss and touches upon sensitive personal data.
  2. The boss realizes that the discussion is related to documents containing sensitive personal data.
  3. The boss invites the employee to a team on their Konfident workspace.
  4. The documents are uploaded to this team and the continuing conversation is conducted either live, over the phone or in the Konfident team chat.

In a dialogue between an employee and an HR person, the HR person has the same responsibility as the boss in the example above.

It is reasonable that the HR manager is responsible for establishing, spreading and applying the communication policy, while the CIO is responsible for introducing and managing the corporate secure workspaces for document sharing.

GDPR-secure your internal communication with an end-to-end encrypted workspace, with a related communication policy.


More information

See the following material for further information about GDPR:

EU GDPR: General Data Protection Regulation

The upcoming EU privacy regulation is relevant not only for European organizations but any business looking at Europe because of its extended scope of applicability.

The new European General Data Protection Regulation (GDPR) is expected to lead to a revolution in the privacy world. It will come into force by mid-2018, but time is short and there are a lot of changes that must be implemented.

What It Is

GDPR entered into force on the 5th of May 2016, and European Union member states must transpose it into their national law by 6th of May 2018.
The Regulation updates and modernizes the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights.

It focuses on:

  • reinforcing individuals’ rights
  • strengthening the EU internal market
  • ensuring stronger enforcement of the rules
  • streamlining international transfers of personal data
  • setting global data protection standards

The changes will give people more control over their personal data and make it easier to access it. They are designed to make sure that people’s personal information is protected – no matter where it is sent, processed or stored – even outside the EU, as may often be the case on the internet.

Most importantly, it aims at changing the way organizations that operate in the EU or that collect personal data from the Union’s citizens, approach data privacy.

The people, businesses, organizations or other bodies that collect and manage personal data are collectively called “data controllers”. They must all respect EU law when handling the data entrusted to them.

What It Means For Individuals

Mandatory Consent

  • People will have to receive the consent form in an easily accessible and intelligible form, stating the purpose of the data processing.
  • They will have the right to withdraw their consent as easily as they gave it, which is particularly relevant for subjects who gave their consent as a child, or were not fully aware of the risks involved in the processing.

The Right To Be Forgotten

  • People will also have “the right to be forgotten”, or data erasure, which means that the company processing and holding their data will be obliged to delete all of it, including copies.
  • This obligation is extended to third parties that have access to that data.
  • To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps.

Protect Private Data

  • ‘Data protection by design’ and ‘Data protection by default’ are now essential elements in EU data protection rules.
  • Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
  • Citizens will have the right to be informed about a data breach that affected their personal data within a maximum of 72 hours from the data holder becoming aware of the breach.

Access

  • Individuals will have the right to access information that contains a list specifying which data is being processed and the purpose of the data collection and management.
  • People will have the right to data portability, which means transmitting their personal data to another data controller.

What It Means For Companies

Harmonized Rules

  • There will be a single set of rules throughout the European Union, which will cut the costs of doing business in the EU. Companies will only have to report to one supervisory body.
  • Companies whose main activity consists of systematically processing data obtained by monitoring data subjects on a large scale, special categories of data, or data related to criminal activity will need to have a Data Protection Officer (DPO) in place. The DPO will have to respect the internal record-keeping requirements.
  • GDPR will have to be respected both by companies that originate from Europe and by those offering services to EU citizens.

User Data

  • Online identifiers, including IP addresses, cookies and so forth, will now be regarded as personal data if they can be linked back to the data subject without undue effort.
  • There is no distinction between personal data about individuals in their private, public or work roles – the person is the person.
  • Companies will have the legal obligation to inform users in the event of a data breach within a maximum of 72 hours from the moment they found out.
  • Data controllers will have to provide an electronic copy of all personal data free of charge, at request.
  • At the request of the users, companies must erase all their personal data, stop collecting it and have third parties delete it as well.
  • Also at citizens’ request, data must be transmitted to another entity, at users’ choice.

Security And Privacy By Design

  • Companies will have to design their systems with privacy in mind, rather than adding it later. This means that they must make every effort to protect the privacy of their users.
  • Data controllers will hold and process data only if it is absolutely necessary for the completion of their duties.
  • Companies should implement techniques such as anonymisation (removing personally identifiable information where it is not needed), pseudonymisation (replacing personally identifiable material with artificial identifiers), and encryption (encoding messages so that only those authorized can read them) to protect personal data.
  • “Big data” analytics requires anonymised or pseudonymised data.

Substantial Fines

  • The maximum fines can go up to 4% of the company’s annual global turnover, or €20 million, whichever is higher. These apply in cases where the data subjects’ rights have been infringed, such as when data has been processed without a legal basis, or unlawful cross-border transfers have been performed.
  • Other infringements could attract fines of up to 2% of the annual worldwide turnover or €10 million, whichever is greater. This applies, for example, when companies cannot prove they have adequate security, haven’t appointed a DPO, or haven’t established a data processor agreement.

How To Prepare

  • Put in place an accountability framework that will prove you meet the required standards.
  • Design your product with security and privacy in mind rather than adding them later.
  • Establish clear policies and procedures in the event of a data breach, so you can notify people in time.
  • Verify your privacy policies and notices, so that they are easy to understand and accessible.
  • Be prepared for citizens to exercise their newly gained rights, often with unrealistic expectations.
  • If you are carrying out cross-border data transfers, including intra-group ones, make sure you have a legitimate reason for transferring personal data to jurisdictions that don’t have adequate data protection regulations.

More Reading