Projectfusion

Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption

Surprise surprise.. 

Checking the details of deals is an essential step which, despite potential drawbacks, can ensure the success of mergers and acquisitions, as Rebecca Brace reports... 

...Suddenly  there’s effectively an impersonal and backward looking MOT test carried out on the seller’s company, which can damage the ( buyer/seller) relationship  if not handled correctly..

A good read for those new to due diligence, talks about the emotional side of things and the rise of M&A Insurance in Europe.

Knowledge is power in M&A  - raconteur

If you’re still using CD’s or DVD’s to archive important files, did you know they have an expected life span of 2-5 years?

It is still hugely popular to store important files on CD or DVD, and expect them to last forever. Expert opinion varies - according to the US National Archives, the life expectancy of recorded CDs and DVDs is between 2 and 5 years. Most manufacturers reckon a happier 15 years plus. Experience has taught me the hard way that DVD’s are also very easy to damage and render useless. 

The other problem with using a CD for storage is it's not redundant - if it breaks, or gets destroyed, you have no other copy of the data (so there's a fire in your office, the files are gone forever). Remember:

If there’s only one copy, it’s not backed up.

So what are the best options for long term archival of digital data?

Well, the bad news is, any option is going to be more expensive than a CD, and you may need IT help. The good news - it's pretty cheap.

Here’s your best bets:

Cheap and sort of OK if you have no money or IT! File the CD as normal, but before you do, store a copy on a flash drive in a different location (readonly flash drives last a long time) Cost: $ Pro: Cheap. Con’s : Tricky to manage and file. Hard to search. Hard to find things when you have lots of cd's. When you lend a cd to a colleague how do you get it back!

Option 1 - self replicating drive

Use a self replicating drive like myprivybox.com or a QNAP Nas. Keep one box in your office and one somewhere else. When you get data to archive, copy it to one box, and the other one will be backed up automatically Cost: $$$

Pro: You can control security, and make it so even the NSA can't get in!  Con’s : Limited search. Can be hard to get colleagues access to files. Can be tricky to setup, may need IT.

Option 2 -  Cloud service Cost: $$$$ Most cloud storage services like Projectfusion will store your files in several places for redundancy. You can search, tag and access from anywhere. Pro: Fully managed - you don’t have to do anything except upload your content once in a while. Files can be accessed from other locations and by other people. Search will work well. Easy to setup, no IT required. Cons: Can be expensive as you get to large volumes of storage. Trust - do you trust your cloud provider (and the NSA!), they may be theoretically able to access your files.

Option 3 - Hybrid - Local store with encrypted cloud backup Keep a local hard disk storage device, and sync or back it up it with a cloud service. Software like Goodsync can sync a local server with a cloud server like Amazon S3 or Projectfusion, and encrypt both file names and contents as well. Cost: $$$

Pro: Fairly cheap. You don’t even need a raid server, a cheap desktop with a drive will do. You can control security. If the server fails buy a new one and recover from the cloud.  Cons:  Limited search. Can be hard to get colleagues access to files. Can be tricky to setup, may need IT.

Further reading

Xlab article on optical disk life spans

Great article above, with some great advice, my favourites:

When constructing a VDR, it is often best to disclose more rather than disclose less.

Allowing unfettered access to one or more potential buyers can cripple a deal if a party decides to walk during the due diligence phase.

Having a well-thought-out, logical, organized VDR not only creates a strong positive first impression and bond of trust, it may also provide the vendor with a first-mover advantage in regard to shaping the terms of the deal.

2 factor authentication is a no longer an option, it's a requirement. Agree.

Two particularly interesting points in this article:

1: It looks like Apple may have allowed API calls to bypass basic security steps like brute force protection. If true this is a pretty basic mistake.

We knew we had to make data room folder permissions easier, so we've crafted a 1 page interface that lets you see all your data room permissions in one place, and change them.

You can manage groups, and see exactly what they can view, down to the file level, on one screen.

Here's an example:

Along the top are group names, and below the roles they have for different folders.

You can see the HomeOffice group have access (PDF only) to most folders, but not to a Restricted Content folder. You can also see that InternalDevOps group have got the higher level role (Contributor) to folder A11.

Using simple colours from green to orange lets you easily see where restrictions have been changed.

Just click on a folder/group intersection to change the permissions. Simple.

So it’s really easy to add new groups, and restrict folder and file views as you need.

When would I need this?

Here's a few examples:

Auditors - need access to a section of files, but not internal HR notes.

M&A - each bidder gets their own folder for files only they can see.

When choosing cloud services that will be hosting your data, it's important to think about access to your content, and how you can get it. In the context of a document or management system content will be files and folders, and also things like comments and meta data. 

When  you have uploaded thousand or millions of valuable files and associated metadata to your cloud you need to be able to access it from other apps and get it off if needs be.

We support the Content Management Interoperability Services standard,  CMIS.

CMIS is a new but widely adopted open standard that allows different content management systems to inter-operate over the internet. The CMIS standard is supported by around 20 or more enterprise content management systems (ECMS) like Oracle and Sharepoint.

By supporting the CMIS standard we give our clients complete data freedom to seamlessly move documents, comments, questions and answers, wiki's, discussions etc and their associated meta data.

You can do things like access Projectfusion content from Sharepoint - without getting involved in complex API's or projects.

Projectfusion will be offering 2 step authentication from August 14th. It's simple for users, just requiring them to enter a token sent to their email address. This offers great protection from risks like hackers,  3rd party leavers and deliberate leaks.

Like all good things it appears simple, however a lot of thought has gone into this release, in particular the use of 'known networks' will continue to allow the use of standards based tools for mobile devices and syncing and uploading data (like WebDAV and the new content management interoperability service CMIS).

Major risks protected include: Hackers - having 2 step authentication on makes it much harder to force entry to a users account. Even if they have the password, they also need to have compromised the users email account to gain access. 3rd party leavers - you're protected against people leaving other companies and maintaining access to your information (see here for more). Leaks - it becomes harder to leak information if you have to share your username, password, and a short validity token that only works once. We also track the network location of all logins, this can often identify access points down to street number level. 

During a recent risk review we came up with a widespread risk: the 3rd party leaver. If you share files with any external parties you need to think about this. It’s a big risk common to all services that let you share files with external people.

Sharing sensitive files for M&A Acme Ltd are selling their firm. They're using a virtual data room run by their advisors. One of the 'other side' is Bad Bob. Mid transaction, he leaves his firm, nobody tells Acme. Bob continues to access the data room, although he now works for a different competitor.

The client extranet Dubious Dana is a freelancer working for an agency doing work for blue chip Nestles. She has access to the Nestles extranet, which has the next 12 months ad plans online. When she leaves to work for a competing agency, nobody tells Nestles - she’s free to steal and share plans until someone notices her account should be closed. 

What does this mean for me? If you are sharing files with other firms through extranets or data rooms that you control, then your data is at risk when people change jobs. 

Options that don't work

- Contractual  This is a hard one, as it relies on people you are sharing data with having a leavers policy that will tell you, a 3rd party,  when someone leaves. You can specify in your terms that they must tell you, but experience tells me you’ll be told late, if at all.

- Periodic review Once a month review all access rights, and revoke as needed. But will you know Bad Bob has left?

- Token based access You could issue RSA type key fobs - however, would you know when to ask for them back?

- 2 step authentication - with a phone call or text A lot of people will take their mobile number with them to the next job, so whilst this is a good security option, it's not great against leavers.

4 things that work

- Terms of use agreement ✔ (quite helpful) By using a click wrap agreement or acceptance usage policy before letting people access files, you can get some legal protection against misuse. 

- Don't use personal email addresses ✔ (quite helpful) Just use business email. At least that way you'll be warned with a bounce if an email account stops working.

- IP restrict  ✔ (good) Only allow access from some IP ranges. So e.g. the folk at Acme can only log in from the acme office.

- 2 step authentication - company email address ✔ (our favourite) By adding 2 step authentication that specifies something owned by the company (not the individual), you  get good protection. At Projectfusion we make our 2 step authentication use a corporate email address - so when someone loses their corporate email, they lose access to your data. We have a policy of not sharing with personal email accounts.

"There are indications that Verizon is legally required to provide certain things to the NSA, and that's one of the reasons the co-operation with Verizon won't continue,” said German interior ministry spokesman Tobias Plate.

"Furthermore, the ties revealed between foreign intelligence agencies and firms in the wake of the US National Security Agency affair, show that the German government needs a very high level of security for its critical networks," he said.

Full story: http://www.computerweekly.com/news/2240223464/German-government-terminates-Verizon-contract-over-NSA-snooping-fears

The Information Commissioner’s Office (ICO) has published a new security report highlighting eight of the most common IT security vulnerabilities that have resulted in organisations failing to keep people’s information secure.

No real surprises here, the top eight computer security vulnerabilities covered in the ICO’s report comprise:

a failure to keep software security up to date;

a lack of protection from SQL injection;

the use of unnecessary services;

poor decommissioning of old software and services;

the insecure storage of passwords;

failure to encrypt online communications;

poorly designed networks processing data in inappropriate areas; and

the continued use of default credentials including passwords.

We just updated our index feature - we now offer a one page printable summary of the entire data room, and a full excel index.

When you are reviewing documents the onscreen index gives you an at a glance overview of the entire data room, and tells you how large the main folders are.

If you need detail, the new excel index is right there - a nice list of all documents on the site - it’s formatted ready to print, and will handle international character sets.

In excel you can easily create a closing bible, or use filters to show the bits you want to look at.

Here’s the browser view - it’s a one page summary of the top 3 levels of the site - it easily lets you get a feel for the size, and structure of the data room. And it will always print out nicely on A4 or letter.

We all know email can be used for spam, and you may even know about phishing and other attacks. What we tend to forget is that when we send information via email, it can be open for the world to see.  It's like sending a postcard. Here's the life of a typical business email to 1 person. 1 – The corporate network, your IT team Your IT team will have access to all your emails, and they’ll back them up (possibly unencrypted), and yes, they’ll read them occasionally, if they’re bored, or just curious as to what their management is thinking. Additionally, 55% of US employers do actually monitor and read their employees' email. 2 – The accidental forward or the wrong address Woops – we’ve all done it (well certainly the US Air force has, when they sent air force 1′s flightpath to a webmaster, hundreds of times). And once you’ve done it, you can’t get it back. Let’s assume you sent it to the right people. 3 – Emails outside your business - the Internet From here, we venture onto the big bad internet. First your ISP may be able to read it. Or your government has requested a 'tap', so they can see what you're up to. Then your email is bounced around, usually with no encryption, through a series of ISP (Internet service providers) computers. If one of these special computers, or “routers” is hacked, then hackers can view all the traffic passing through it, including your email. Anyone of the tens of routers your email will pass through could be compromised, and someone may be interested in what you’re saying. 4 – The authorities In the UK the Government has got the “Regulation of Investigatory Powers Act” which gives trustworthies like the Ambulance Services, The Department for Transport and local Councils the ability with a little paperwork, to take a look at our communications. In the US the government has been using the Stored Communications Act (SCA) to read private e-mails without a search warrant (also see Patriot act, Prism etc)

“Most unencrypted email is vulnerable to unauthorised access and alteration as it passes over the Internet.. Firms are recommended to adopt systems that… automatically encrypt all outgoing email to those offering similar facilities” The Law Society Email Guidelines 2005

5 – The recipient’s IT team So the email makes your recipients servers. Again, their IT team may be interested in taking a peek, and they’ll take a backup, and perhaps their security isn’t as good as yours, so the emails may be now accessible via a weakly secured webmail for example. Or their backups aren't encrypted. 6 – The recipient’s computer It may be compromised, or backed up somewhere crazily insecure.  What can you do? Until some sort of global email security standard can be setup and enforced, it's best to use something else for anything sensitive. The Kremlin are using typewriters! There are plenty of commercial and free secure messaging and collaboration services out there. Our own safedrop is great for messaging.

Great infographic from Forbes. Click here for the whole article.

Projectfusion can help with all these - our cloud technology can get your team out of email, and talking online.

We're preparing our new Q&A rollout,  it will be going out to all our customers over the next few weeks.  It's designed for M&A and Procurement, scales to 10s of thousands of questions, and exports nicely to excel.

The biggest improvement for me is the tagging, which interacts with search to provide things like "Show me all questions tagged "warranty claim" that also contain the word UK asked this week.

more to come soon!

You probably know that the Patriot act gives the US government easy access to your data whilst its in the cloud, without telling you or your government. Here's an overview, and 5 steps you can take to protect your cloud data.

Two ways the FBI get your data: 1- US owned data centres. They can obtain data from companies that store their data in any US-owned data centre - even those based in Europe! The data centre owner is not even allowed to inform their clients that their information has been handed over to the US authorities.