Application Security
One of the main purposes for storing your data is to provide you with tools and services to help your organisation do more. We do this through our proprietary applications. We have a whole host of applications available but we treat them all the same when it comes to security.
You also play a part in security, especially when it comes to how you protect your password to our applications. We have taken great care to ensure the infrastructure, processes and policies are in place to protect your organisation's data whilst it is in our possession alongside active monitoring and threat detection, but you also need to ensure you employ good password management.
One of the biggest areas of weakness of ANY SaaS solution is the logon screen. Here are some of the steps we take to protect your account.
- All access to our applications is through encrypted communication (https).
- We provide usernames and passwords to individual users to access our applications (we don't charge our clients by the number of user accounts they require because that leads to credential sharing).
- Every user session is logged.
- User accounts that have not accessed our applications in the previous 12 weeks are automatically ‘suspended’ until their email address has been validated again.
- We automatically lock an account for 10 minutes after the password has been entered incorrectly 3 times – this prevents hackers from performing ‘brute force’ attacks through our applications.
- IP addresses identified with suspicious activity are blocked.
- Upon request we can further limit access to a client's accounts to named IP addresses.
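The lockout and inactivity rules above can be expressed as a small state machine on the account record. The following is an added illustration, not the application's own code: it assumes a hypothetical `Account` record, takes the clock as a parameter so the behaviour can be reasoned about deterministically, uses a SHA-256 comparison as a stand-in for a real slow password hash (bcrypt or Argon2 in production), and writes every attempt to an in-memory audit list to reflect the "every session is logged" point.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, List

MAX_FAILED_ATTEMPTS = 3                    # page: 3 wrong passwords ...
LOCKOUT_DURATION = timedelta(minutes=10)   # ... lock the account for 10 minutes
INACTIVITY_LIMIT = timedelta(weeks=12)     # page: suspend after 12 weeks without access

AUDIT_LOG: List[str] = []  # constructed stand-in for the session log


def _hash(password: str) -> str:
    # Demo only: a real system uses a salted, slow hash such as bcrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    """Hypothetical account record holding the state the rules above need."""
    username: str
    password_hash: str
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_access: Optional[datetime] = None
    suspended: bool = False


def make_account(username: str, password: str) -> Account:
    return Account(username=username, password_hash=_hash(password))


def check_password(account: Account, password: str) -> bool:
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(account.password_hash, _hash(password))


def attempt_login(account: Account, password: str, now: datetime) -> str:
    """Return one of: 'ok', 'bad_password', 'locked', 'suspended'."""
    if account.suspended:
        return _audit(account, now, "suspended")

    # Inactivity rule: 12 weeks without a successful login suspends the account.
    if account.last_access is not None and now - account.last_access > INACTIVITY_LIMIT:
        account.suspended = True
        return _audit(account, now, "suspended")

    # Lockout is checked BEFORE the password, so guesses during a lockout
    # are never evaluated and cannot leak whether they were right.
    if account.locked_until is not None:
        if now < account.locked_until:
            return _audit(account, now, "locked")
        account.locked_until = None      # lockout expired: start a fresh count
        account.failed_attempts = 0

    if not check_password(account, password):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_DURATION
            account.failed_attempts = 0
            return _audit(account, now, "locked")
        return _audit(account, now, "bad_password")

    account.failed_attempts = 0
    account.last_access = now
    return _audit(account, now, "ok")


def reactivate(account: Account, now: datetime) -> None:
    """Called once the user has re-validated their email address."""
    account.suspended = False
    account.last_access = now


def _audit(account: Account, now: datetime, result: str) -> str:
    AUDIT_LOG.append(f"{now.isoformat()} user={account.username} result={result}")
    return result
```

The order of the checks is the part worth copying: the lockout test runs before the password is verified, so a locked account gives the same answer to a correct and an incorrect guess, and the failed-attempt counter only resets after the lockout window has actually elapsed.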
Be a Password Super Hero
Here are some tips that you need to consider to help keep your account safe:
- Is your password complex? That is, it is not a dictionary word, it contains numbers and symbols and a mixture of upper and lower case letters, and it is longer than 8 characters.
- Is your password different from the ones you use on other sites? If you use the same password for other sites you are compromising your account. You only need to enter your email address here to see if your email address has been compromised. If your email address HAS been compromised then the password used on that site is also known to potential hackers.
- Do you change your password regularly? We recommend changing your password at least four times a year.
- Do not allow your browser to save your password. Why not? Windows is one of the easiest operating systems to break into unless your company employs additional security measures such as drive encryption. Therefore, if your laptop or PC is stolen, all your passwords should be assumed to be known to the criminal and you must act accordingly.
- Do not leave your PC unattended without locking it, and ensure you log out of our applications before you leave it unattended, especially in public or otherwise unsafe spaces.
These are simple steps that you should employ with ALL sites that contain sensitive information.
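The complexity rule in the first tip is easy to check mechanically at the point where a user sets a password. The checker below is an added example rather than the application's own policy code; the word list and the list of commonly leaked passwords are tiny constructed samples (a real deployment would load a full dictionary and a breached-password corpus), and the "strip digits and symbols" step is an assumption about how to catch thin disguises of a dictionary word such as `Password1!`.

```python
import re
from typing import List

MIN_LENGTH = 9  # page: "longer than 8 characters"

# Constructed samples only; a real checker loads full lists from disk.
DICTIONARY_WORDS = {"password", "welcome", "summer", "football", "letmein", "dragon"}
COMMONLY_LEAKED = {"123456789", "qwerty123", "iloveyou1"}
SYMBOLS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def password_findings(password: str) -> List[str]:
    """Return the list of policy rules the password breaks (empty means it passes)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too short (needs more than 8 characters)")
    if not any(c.isupper() for c in password):
        findings.append("no upper-case letter")
    if not any(c.islower() for c in password):
        findings.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        findings.append("no digit")
    if not any(c in SYMBOLS for c in password):
        findings.append("no symbol")

    # Assumed heuristic: reduce the password to its letters so that
    # "Password1!" is still recognised as the dictionary word "password".
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in DICTIONARY_WORDS:
        findings.append("based on a dictionary word")

    # Reuse check: a password already seen in a public breach offers no protection,
    # however complex it looks.
    if password.lower() in COMMONLY_LEAKED:
        findings.append("appears in a known breach list")
    return findings


def is_acceptable(password: str) -> bool:
    return not password_findings(password)
```

Returning the full list of findings, rather than a bare pass/fail, lets the sign-up form tell the user exactly which rule to fix without revealing anything about other users' passwords.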
Penetration Tests
On a monthly basis and after every major release we perform Penetration Tests. This is designed to bring to our attention any vulnerabilities that may have been introduced since the last test. The outcome of each of our monthly tests is raised with our senior management teams and appropriate resources are made available to resolve any issues.
Firewall Traffic
In addition to the continuous monitoring of our data centre provider, we also review firewall traffic on a daily basis.
Every website is constantly being probed for vulnerabilities and these threats change regularly. By monitoring the firewall traffic on a daily basis we are able to understand how threats are evolving, in near real time, where they are coming from and to identify any suspicious behaviour that warrants further investigation.
This allows us to react and take all appropriate action quickly so that potential threats do not become actual ones. We are able to stay ahead of the threats rather than responding to a data breach. It also helps us to understand whether there has been any kind of breach, no matter how small. Knowing IF there has been a breach lets us implement our breach management process, which is designed not only to contain any damage but also to empower the data owner to uphold their commitments to their patrons, such as making "notifications" at the appropriate time.
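A daily firewall review of the kind described above usually starts with a per-source summary of denied connections, so that a host sweeping many ports or hammering one service stands out from ordinary traffic. The script below is an added example, not the page's or the data centre provider's tooling: the log format is a constructed generic `ACTION src= dst= dport= proto=` line rather than any real firewall's syntax, the sample lines use documentation address ranges, and the thresholds are assumptions to be tuned against real volumes.

```python
import re
from typing import Dict, List

# Constructed sample lines in an assumed generic format (not a real vendor format).
SAMPLE_LOG = """\
2024-03-01T02:14:07Z DENY src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2024-03-01T02:14:08Z DENY src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2024-03-01T02:14:09Z DENY src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2024-03-01T02:14:10Z DENY src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp
2024-03-01T02:14:11Z DENY src=203.0.113.7 dst=192.0.2.10 dport=445 proto=tcp
2024-03-01T02:14:12Z DENY src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp
2024-03-01T03:01:00Z ALLOW src=192.0.2.50 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T03:01:02Z ALLOW src=192.0.2.50 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T04:20:00Z DENY src=198.51.100.22 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T04:20:01Z DENY src=198.51.100.22 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T04:20:02Z DENY src=198.51.100.22 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T04:20:03Z DENY src=198.51.100.22 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T04:20:04Z DENY src=198.51.100.22 dst=192.0.2.10 dport=443 proto=tcp
this line is deliberately malformed and must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_lines(text: str) -> List[dict]:
    """Parse log text into records, silently skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def summarise_by_source(records: List[dict]) -> Dict[str, dict]:
    """Count allows/denies and the distinct denied ports for each source address."""
    stats: Dict[str, dict] = {}
    for r in records:
        s = stats.setdefault(r["src"], {"denies": 0, "allows": 0, "denied_ports": set()})
        if r["action"] == "DENY":
            s["denies"] += 1
            s["denied_ports"].add(r["dport"])
        else:
            s["allows"] += 1
    return stats


def suspicious_sources(records: List[dict], min_denies: int = 5,
                       min_ports: int = 5) -> Dict[str, List[str]]:
    """Flag sources that probe many distinct ports or accumulate many denies.

    Thresholds are assumed starting points, not values from the page."""
    flagged: Dict[str, List[str]] = {}
    for src, s in summarise_by_source(records).items():
        reasons = []
        if len(s["denied_ports"]) >= min_ports:
            reasons.append(f"probed {len(s['denied_ports'])} distinct ports")
        if s["denies"] >= min_denies:
            reasons.append(f"{s['denies']} denied connections")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, reasons in suspicious_sources(parse_lines(SAMPLE_LOG)).items():
        print(src, "->", "; ".join(reasons))
```

Two different patterns fall out of the same summary: one source is denied once on each of six ports (a sweep across services), the other is denied five times on a single port (repeated attempts against one service). Both deserve a second look, and the per-source output is what feeds the IP-blocking step mentioned earlier.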