Christmas and New Year business hours

We would like to thank all our valued clients for their custom this year and take the opportunity to wish everyone a very Merry Christmas and a Happy New Year!

Our office hours will be as follows over Christmas & New Year:

  • Tuesday 25th December – CLOSED
  • Wednesday 26th December – CLOSED
  • Tuesday 1st January – CLOSED
  • Wednesday 2nd January – CLOSED

If you require emergency assistance during these times, please email support@boxportable.com or log a support ticket using our online form.

We’re open for business as usual on all other days; our standard office hours are 8:30am until 5:30pm.

DocuSign Spoof Emails – detect and prevent secure document phishing attacks

DocuSign have admitted they were the victim of a data breach that has led to large-scale phishing attacks using the compromised DocuSign user data. Secure-document phishing attacks are among the latest client endpoint exploits, and for an unsuspecting user they can have serious repercussions. In this incident a third party gained unauthorised access to a list of email addresses stored on an unsecured DocuSign system; no other private user account data was accessed. The result, however, has been a significant volume of ‘spoof’ DocuSign emails sent to those users, designed to trick recipients into opening an attached Word or PDF document that, when clicked, installs malicious software.

The attackers hit a “non-core system that allows us to communicate service-related announcements to users via email”, the company said in a blog post on the incident.

DocuSign have released the following helpful guidance:

What should I do if I receive a suspicious email?

First and foremost, if you don’t recognise the sender of a DocuSign envelope and you are uncertain of the authenticity of an email, look for the unique security code at the bottom of the notification email. All DocuSign envelopes include a unique security code.

If you think that you have received a fraudulent email, please forward the email to spam@docusign.com, then delete the email.

Please check out the DocuSign Trust Center for the most up-to-date information about personal security and review our whitepaper on phishing.

If there is a security code…

  • Access your documents directly from www.docusign.com, click Access Documents then enter the unique security code.

If there is NO security code…

  • DO NOT click on links or open attachments within the email. This is not a valid DocuSign email and it should be sent to our security team immediately at spam@docusign.com.

IMPORTANT: If you did click on a link and provided your DocuSign credentials, please be sure to change your password immediately to ensure the security of your account.

Please update and run antivirus immediately to ensure the security of your system or contact your IT support provider for immediate assistance.
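The guidance above boils down to a few checks a mail filter can apply before a message reaches the user. The following is an added example (not DocuSign's code and not part of this page's original content) that encodes those checks as triage rules and runs them over two constructed messages. The legitimate sender domains, the format of the security code (assumed here to be an alphanumeric token following the words "security code"; the page only says every genuine envelope carries one) and both sample emails are assumptions.

```python
"""Triage rules for suspected DocuSign spoof notifications (added example).

Rules taken from the guidance on the page: a genuine envelope notification
carries a unique security code, documents should be opened from
www.docusign.com rather than from an attachment, and a message without a
code should not be trusted.  Everything below is constructed for
illustration; the From: header is spoofable, so these are triage hints,
not authentication.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumption: domains a genuine DocuSign notification would be sent from.
DOCUSIGN_DOMAINS = {"docusign.com", "docusign.net"}
# Assumption: the security code is an alphanumeric token (8+ chars) that
# follows the words "security code" somewhere in the body.
SECURITY_CODE_RE = re.compile(r"security code[:\s]*([A-Z0-9]{8,})", re.IGNORECASE)
RISKY_EXTENSIONS = (".doc", ".docx", ".pdf")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_domain(msg: Message) -> str:
    """Lower-cased domain of the From: address ('' if none can be found)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def body_text(msg: Message) -> str:
    """Concatenated text/plain parts; attachments are skipped."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True)
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def risky_attachments(msg: Message) -> list:
    """Filenames of attached Word/PDF documents."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(RISKY_EXTENSIONS)]


def offsite_links(text: str) -> list:
    """URLs in the body whose host is not a DocuSign domain."""
    links = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in DOCUSIGN_DOMAINS):
            links.append(url)
    return links


def triage(raw: str) -> dict:
    """Apply the page's checks to one raw RFC 822 message and return a verdict."""
    msg = message_from_string(raw)
    text = body_text(msg)
    # Only messages that present themselves as DocuSign mail are assessed.
    claims_docusign = "docusign" in (msg.get("From", "") + msg.get("Subject", "") + text).lower()
    code = SECURITY_CODE_RE.search(text)
    findings = []
    if claims_docusign:
        if sender_domain(msg) not in DOCUSIGN_DOMAINS:
            findings.append("sender domain is not a DocuSign domain")
        if code is None:
            findings.append("no security code in body")
        for name in risky_attachments(msg):
            findings.append(f"document attached: {name}")
        for url in offsite_links(text):
            findings.append(f"link points off DocuSign: {url}")
    return {"verdict": "quarantine" if findings else "deliver",
            "security_code": code.group(1) if code else None,
            "findings": findings}


# Constructed sample: a notification that follows the pattern the page describes.
LEGIT = """From: DocuSign <no-reply@docusign.net>
To: alice@example.com
Subject: Please DocuSign: Service Agreement
Content-Type: text/plain; charset=utf-8

Bob Smith sent you a document to review and sign.
Go to https://www.docusign.com/ choose Access Documents and enter the
security code below.

Security Code: 1A2B3C4D5E6F7A8B
"""

# Constructed sample: a spoof with no code, an attached document and an off-site link.
SPOOF = """From: DocuSign Service <notify@mail-notify.example>
To: alice@example.com
Subject: Completed: Invoice Document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your document has been completed. Open the attached file to view it,
or visit http://docusign-view.example/login to download it.

--b1
Content-Type: application/msword; name="Invoice.doc"
Content-Disposition: attachment; filename="Invoice.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(label, triage(raw))
```

The attachment rule deliberately errs towards quarantine: the page's advice is to retrieve documents from www.docusign.com with the security code, so a DocuSign-branded message that instead asks the reader to open an attached Word or PDF file is held for review even if it looks otherwise plausible. None of these checks prove a message is genuine; a passing message should still be opened via the security code on the DocuSign site, as the guidance says.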

Draytek Security Notification – DNS Web Interface Attacks

Users of Draytek routers are exposed to a zero-day attack unless they update to the latest firmware release, which addresses the security flaw. DrayTek has announced that attackers are exploiting this zero-day vulnerability to change the DNS settings on some of its routers.

Clients using Draytek routers should get in contact to arrange firmware updates on their equipment. Clients on our managed IT service contracts have already had these firmware updates applied and need take no further action.

Further information can be found at www.draytek.co.uk

EU General Data Protection Regulation (GDPR)

An Introduction to the GDPR

The EU General Data Protection Regulation (GDPR) will be enforced from 25 May 2018. It affects all organisations that hold personal data on EU citizens, regardless of where in the world the organisation is based. Implementing a data protection strategy that includes encryption and anti-malware security is vital. GDPR introduces a whole range of new rules that companies may need to put in place to comply, and the fines for non-compliance are severe: your business may be fined up to 4% of global annual turnover for the previous financial year or 20 million, whichever is greater.

How will GDPR affect my business?

Whether you’re a family bakery storing a list of local delivery addresses, or a multinational selling globally online, the EU’s General Data Protection Regulation almost certainly applies to you.

Loosely speaking, any organisation that holds data about any resident of the EU is expected to comply.

GDPR was adopted as an EU law in April 2016 but will take effect in May 2018. Amongst other things, GDPR deals with the data you collect in the first place, how you tell people what you are going to do with it, what you actually do with it, how you store it securely, whom you allow to access it, and – the part that seems to attract the most interest and attention – what happens if you fail to comply. Falling foul of GDPR means the possibility of a fine, and GDPR fines can go significantly higher than most laws that existed around Europe before GDPR came in.

GDPR will standardise data protection across the EU; if you do business in Europe you almost certainly need to comply; the law may seem onerous, but in a world with as many breaches as we have had in recent years, GDPR seems like just the sort of regulation we need; and you can expect to end up in hot water if you don’t comply.

GDPR applies, and will continue to apply, in the UK even post-Brexit, as the current UK government plans to pass legislation that will essentially mirror the EU GDPR.

What do I need to do?

    1. Be aware. It’s not enough for CEOs, IT staff and compliance officers to be aware of what GDPR requires. Employees from the top to the bottom of an organization need to be extensively educated on the regulation’s importance and the role they have to play.
    2. Be accountable. Companies must make an inventory of all personal data they hold and ask the following questions: Why are you holding it? How did you obtain it? Why was it originally gathered? How long will you retain it? How secure is it, both in terms of encryption and accessibility? Do you ever share it with third parties and on what basis might you do so?
    3. Communicate with staff and service users. This is an extension of being aware. Review all current data privacy notices alerting individuals to the collection of their data. Identify gaps between the level of data collection and processing the organization does and how aware customers, staff and service users are.
    4. Protect privacy rights. Review procedures to ensure they cover all the rights individuals have, including how one would delete personal data or provide data electronically.
    5. Review how access rights could change. Review and update procedures and plan how requests within new timescales will be handled.
    6. Understand the legal fine print. Companies should look at the various types of data processing they carry out, identify their legal basis for carrying it out and document it.
    7. Ensure customer consent is ironclad. Companies that use customer consent when recording personal data should review how the consent is sought, obtained and recorded.
    8. Process children’s data carefully. Organisations processing data from minors must ensure clear systems are in place to verify individual ages and gather consent from guardians.
    9. Have a plan to report breaches. Companies must ensure the right procedures are in place to detect, report and investigate a personal data breach. Always assume a breach will happen at some point.
    10. Understand Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default. A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organizations to identify potential privacy issues before they arise, and come up with a way to mitigate them.
    11. Hire data protection officers. The important thing is to make sure that someone in the organization or an external data protection advisor takes responsibility for data protection compliance and understands the responsibility from the inside out.
    12. Get educated on the internal organisations managing GDPR. The regulation includes a “one-stop-shop” provision to assist organisations operating in EU member states. Multinational organisations will be entitled to deal with one data protection authority, or Lead Supervisory Authority (LSA) as their single regulating body in the country where they are mainly established.

You can read the full legislation text here (NB: a 261-page PDF).