GDPR Security Improvements

Changes coming soon.

Security Improvements

New Password Policy Options

To date the platform has enforced a simple 6-character minimum password length, with the focus on making it easy for users to get started with our service. We’re adding a Password Policy drop-down to the Organisation Setup page which gives you more control over user password requirements. Alongside our default Basic policy there will be two further options, each based on current best-practice recommendations:

  • NIST SP 800-63
    A phrase-based policy based on the latest recommendations of NIST, which encourages human-friendly passwords that are still hard to crack.
  • OWASP 2017
    A strict policy which favours complex passwords that are hard to crack but also harder for people to remember.

Both of these new policy options add stronger password requirements for your user accounts, so consider which is best for you.
For now, our platform will continue to set the Basic 6-character minimum policy as the default on new company accounts, but you can change this at any time. When you change the Password Policy it is applied to existing users when they next change their password; existing passwords are not affected until then.

Maximum Password Attempts Lockout

We’re adding a temporary lockout to user accounts which will be applied when an incorrect password is entered more than 5 times in a row. This follows NIST guidance on limiting consecutive failed authentication attempts and provides better protection against online brute-force and password-guessing attacks. For now this applies to our web platform, but we’ll be extending the same behaviour to app logins within the next few months.
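The lockout described above, written out as an added example (this is illustrative code, not the platform’s own implementation). The threshold of 5 consecutive failures comes from the text; the 15-minute lock duration, the injectable clock, and the `check_password` callback are assumptions for the example. Two details matter in practice: only a successful login resets the streak, and while the lock is active the password is not checked at all, so the lock window cannot be used to test guesses.

```python
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # from the page: lock when a wrong password is tried more than 5 times in a row
LOCKOUT_SECONDS = 15 * 60   # assumed lock duration; the page does not state one


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means no lock


class LoginThrottle:
    """Per-account temporary lockout after consecutive failed password attempts.

    check_password(user, password) -> bool is the real credential check (e.g. a
    bcrypt/argon2 verify); `now` is injectable so the expiry can be tested.
    """

    def __init__(self, check_password, now=time.time):
        self._check = check_password
        self._now = now
        self._state = {}   # user -> AccountState

    def is_locked(self, user):
        st = self._state.get(user)
        return st is not None and st.locked_until > self._now()

    def attempt(self, user, password):
        """Returns "ok", "bad_password" or "locked". While locked the password is
        not checked at all, so the lock window cannot be used to test guesses."""
        st = self._state.setdefault(user, AccountState())
        now = self._now()
        if st.locked_until > now:
            return "locked"
        if st.locked_until:
            # a previous lock has expired: start a fresh window
            st.consecutive_failures = 0
            st.locked_until = 0.0
        if self._check(user, password):
            st.consecutive_failures = 0     # only a success resets the streak
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures > MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    # Constructed demo: the 6th consecutive wrong password locks the account.
    users = {"alice": "correct horse battery staple"}
    throttle = LoginThrottle(lambda u, p: users.get(u) == p)
    for _ in range(6):
        print(throttle.attempt("alice", "wrong"))
    print(throttle.attempt("alice", "correct horse battery staple"))  # "locked"
```

One caveat worth knowing: NIST SP 800-63B only requires that consecutive failures be capped (at no more than 100) and leaves the threshold to the verifier. A low threshold such as 5 makes it easy for an attacker who knows a username to lock that user out on purpose, so the lock should be short and self-expiring, the login page should not reveal whether the username exists, and per-source rate limiting should sit alongside the per-account counter.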

Validation of Passwords Against 10,000 Most Common

We’ve loaded the list of the 10,000 most common passwords, as compiled by NIST-linked security researchers, and will block users from setting or updating their password to any of them. This enforces the NIST and OWASP guidance that users should be prevented from choosing easily guessed passwords.
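The three policies and the common-password check, as one added example that is not the platform’s own code. The policy names are the ones from the drop-down above; the concrete thresholds are assumptions for the example: 8 characters and no composition rules for the NIST SP 800-63 option (with the username treated as a context-specific word, as 800-63B lists), and 10 characters plus three of four character classes for the strict OWASP 2017 option. The blocklist here is a constructed excerpt standing in for the 10,000-entry list, and the check runs under every policy, matching the text. Passwords are NFKC-normalised before comparison so look-alike forms (full-width letters, ligatures) cannot slip past the list.

```python
import unicodedata

# Constructed stand-in for the 10,000-entry common-password list the page describes.
# Entries are stored lower-case and NFKC-normalised so lookups can be too.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "12345",
    "letmein", "football", "iloveyou", "admin", "welcome", "monkey", "abc123",
}


def normalise(pw):
    # NFKC so look-alike forms (full-width letters, ligatures) match the blocklist
    # and so the same password is handled identically on set and on verify.
    return unicodedata.normalize("NFKC", pw)


def _common_check(n):
    return ["matches a common password"] if n.lower() in COMMON_PASSWORDS else []


def check_basic(pw, username=""):
    """Basic: the platform's existing 6-character minimum, plus the new blocklist."""
    n = normalise(pw)
    errs = ["shorter than 6 characters"] if len(n) < 6 else []
    return errs + _common_check(n)


def check_nist(pw, username=""):
    """NIST SP 800-63B style: minimum length, blocklist and context check, no
    composition rules (assumed threshold: 8 characters minimum)."""
    n = normalise(pw)
    errs = []
    if len(n) < 8:
        errs.append("shorter than 8 characters")
    if username and username.lower() in n.lower():
        errs.append("contains the username")
    return errs + _common_check(n)


def check_owasp(pw, username=""):
    """OWASP 2017 style (assumed representation of the strict policy): 10 characters
    minimum and at least three of lower/upper/digit/symbol, plus the blocklist."""
    n = normalise(pw)
    errs = []
    if len(n) < 10:
        errs.append("shorter than 10 characters")
    classes = sum([
        any(c.islower() for c in n),
        any(c.isupper() for c in n),
        any(c.isdigit() for c in n),
        any(not c.isalnum() for c in n),
    ])
    if classes < 3:
        errs.append("needs at least three of: lower case, upper case, digit, symbol")
    return errs + _common_check(n)


POLICIES = {
    "Basic": check_basic,
    "NIST SP 800-63": check_nist,
    "OWASP 2017": check_owasp,
}


def validate(policy, pw, username=""):
    """Return the list of violations for `pw` under `policy`; empty means accepted."""
    return POLICIES[policy](pw, username)


if __name__ == "__main__":
    for policy in POLICIES:
        for pw in ("correct horse battery staple", "Tr0ub4d0r&3", "Password"):
            print(f"{policy:15} {pw!r:32} {validate(policy, pw) or 'accepted'}")
```

Running the demo shows the trade-off the text describes: a long passphrase passes the NIST-style policy and fails the OWASP-style one for lacking character classes, while a short complex password does the reverse, and "Password" is rejected under all three because of the blocklist regardless of length.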

Regenerable Integration API Keys 

When working with our API there has until now been only one secret Key value per company account, fixed at the date the account was created. We’re adding a second Key which works exactly like the existing one, so you can switch your integrations between Key 1 and Key 2. This also lets you regenerate whichever Key is not currently in use at any time, so you can follow stronger security procedures (e.g. regular key rotation, or regenerating a key straight away if it has been exposed) when using our API.
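A server-side model of the two-slot scheme, as an added example rather than the platform’s own code, showing how the two keys make rotation safe. Assumptions for the example: keys are 256-bit random tokens stored only as SHA-256 digests, a slot counts as "unused" when it has authenticated nothing for seven days, and the clock is injectable so that rule can be tested. The `regenerate` guard is the check a practitioner wants: it refuses to replace a key that a live integration is still presenting, so the rotation order is enforced rather than left to memory.

```python
import hashlib
import hmac
import secrets
import time

UNUSED_AFTER_SECONDS = 7 * 24 * 3600   # assumed: a key that has authenticated nothing for 7 days counts as unused


def _digest(key):
    # Keys are 256-bit random tokens, so a plain SHA-256 is enough to avoid storing them in the clear.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class ApiKeySlots:
    """Key 1 and Key 2 for one company account.

    Rotation procedure this supports:
      1. regenerate the slot your integrations are NOT using and record the new value;
      2. move integrations over to it;
      3. once the old slot has gone quiet, regenerate that one too, which
         invalidates the old value immediately.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._slots = {1: None, 2: None}   # slot -> {"digest": str, "last_used": float or None}

    def regenerate(self, slot):
        """Replace the key in `slot` and return the new plaintext, shown once.
        Refuses if the slot has authenticated a request recently, so a live
        integration is not cut off by mistake."""
        cur = self._slots[slot]
        if cur and cur["last_used"] is not None and self._now() - cur["last_used"] < UNUSED_AFTER_SECONDS:
            raise RuntimeError(f"Key {slot} is still in use; switch integrations to the other key first")
        key = secrets.token_urlsafe(32)
        self._slots[slot] = {"digest": _digest(key), "last_used": None}
        return key

    def authenticate(self, presented):
        """Return the slot number whose key matches `presented`, or None."""
        d = _digest(presented)
        for slot, rec in self._slots.items():
            # compare_digest keeps the comparison constant-time
            if rec is not None and hmac.compare_digest(rec["digest"], d):
                rec["last_used"] = self._now()
                return slot
        return None


if __name__ == "__main__":
    keys = ApiKeySlots()
    k1, k2 = keys.regenerate(1), keys.regenerate(2)
    print("Key 1 authenticates as slot", keys.authenticate(k1))
    try:
        keys.regenerate(1)
    except RuntimeError as e:
        print("refused:", e)
```

Recording which slot each request used is what makes the "unused" rule enforceable; without it there is no way to tell, from the server side, that every integration really has moved to the other key before the old one is destroyed.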


New Personal Data Options

We wanted to make it easier for you to export data out of our platform while still meeting any obligations you have around personal data. Basic user account information such as name and email address is treated as personal data by default.
For other data that you control, we’re adding a new “Is Personal Data” checkbox in key areas of the platform, including Forms, Data Sources and Connectors.

This checkbox lets you indicate that a field or column may contain personal or sensitive data. In and of itself the option adds no further security or protection, but it enables the platform to offer anonymisation of those values when exporting.
You’ll see this as new “Anonymise Personal Data” options on most system exports and Form Connectors whenever the presence of personal data has been indicated.

For API users, we’re adding a new set of “Anonymise” Keys. These work the same as our existing Full Access Keys, except that any response to a request authenticated with an Anonymise Key will have its personal data values converted to a non-human-readable form.
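The export-time anonymisation that the checkbox enables, as an added example that is not the platform’s own code. The form definition, the sample submissions and the token format are constructed for the example; the platform does not document how it transforms values, so the keyed-HMAC approach shown here is a technique chosen for the illustration, not a description of the product. It was chosen because it keeps rows for the same person joinable within one export while giving a recipient without the key nothing to reverse, which a bare hash of an email address would not.

```python
import hashlib
import hmac
import secrets

# Constructed form definition mirroring the "Is Personal Data" checkbox: field name -> flag.
FORM_FIELDS = {
    "site_ref":        {"is_personal_data": False},
    "inspector_name":  {"is_personal_data": True},
    "inspector_email": {"is_personal_data": True},
    "result":          {"is_personal_data": False},
}


def anonymise_value(value, key):
    """Keyed pseudonym for one value. Same value + same key -> same token, so
    rows for the same person still join within an export; without the key a
    recipient cannot reverse it or confirm a guess (a bare SHA-256 of an email
    address, by contrast, falls to a dictionary attack instantly)."""
    mac = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()
    return "anon_" + mac[:16]


def anonymise_records(records, fields, key):
    """Apply the field flags to every record. Columns absent from `fields` are
    refused rather than passed through, because an unclassified column cannot
    be known to be free of personal data."""
    out = []
    for rec in records:
        row = {}
        for name, value in rec.items():
            spec = fields.get(name)
            if spec is None:
                raise KeyError(f"column {name!r} has no Is Personal Data setting; refusing to export it")
            if spec["is_personal_data"] and value is not None:
                row[name] = anonymise_value(value, key)
            else:
                row[name] = value
        out.append(row)
    return out


if __name__ == "__main__":
    # Constructed sample submissions; the key is fresh per export, so tokens
    # from two different exports cannot be linked to each other.
    export_key = secrets.token_bytes(32)
    sample = [
        {"site_ref": "S-100", "inspector_name": "Ted Jones",
         "inspector_email": "ted@example.com", "result": "pass"},
        {"site_ref": "S-101", "inspector_name": "Ted Jones",
         "inspector_email": "ted@example.com", "result": "fail"},
    ]
    for row in anonymise_records(sample, FORM_FIELDS, export_key):
        print(row)
```

A caveat on the word "anonymise": if whoever runs the export keeps the key (for instance so that Anonymise API Keys return consistent tokens across requests), the output is pseudonymised rather than anonymised in GDPR terms and remains personal data in the key holder’s hands. A fresh random key per export, or outright redaction of the flagged columns, is closer to true anonymisation.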



Finding the Time

I was speaking with a client a couple of weeks ago, who had already signed up to get mobile forms working for his team as part of a plan to reduce paper usage and to speed up their operation.  Let’s call him Ted.

Now when Ted first spoke with us, he loved the product and, after trialling it, realised that it could do all the things on his “wish list”.  But, a few months on, his project was no further forward and the organisation was still not getting the benefits of a solution they had already investigated and selected.  Sound familiar?

Ted is not alone – this is a situation which crops up fairly regularly, and there are recurrent themes and issues which are common to most of these cases.

I thought I’d share some of them, as they relate to other types of project too.  Some of it is familiar territory, but I reckon it doesn’t hurt to remind ourselves sometimes.

The Moon On A Stick Will Take Longer

Yes, it’s great to know the full picture about where you’d like to be at the end of the project.  You probably won’t get there if you don’t know the direction in which you’re heading.

But, for all but the simplest projects, it’s a good idea to break the project down into more manageable chunks, and to have milestones and deliverables along the way.

In Ted’s case, the ultimate aim is to have data flowing freely from the office to the mobile workforce and then get the results back into the Head Office system, with a copy to his clients.  For that, the Head Office system is going to require some adjustment by a third-party supplier, which is a possible hold-up.

So we created a “Phase 1” project where the data comes back to the office, and to the end client, in PDF format.  We identified with Ted that this would immediately cut a large hole in his team’s administration task, and impress his clients with the increased speed of reporting.  It’s a “quick win”, while the software people look at writing the code for the full integration.

No One Said It Would Be Easy

If you’re implementing something new, there WILL be issues.  It’s a fact of life, but it seems to stop some folks in their tracks, whilst others crack on.

Could it be that those who push onward were expecting to have issues and so were not perturbed?  Or is it that the non-implementers weren’t so serious about the project as they thought?

At the outset, it’s worth doing a couple of things.

Firstly, ask yourself if this change is going to drive your company forward and improve the way you work in some material way.  Is it going to save you money?  Save you time?  Improve the quality of your product or service, or increase the speed at which you provide it?  Is it going to help you comply better with your policies, for instance your Environmental Policy?

If you’re answering “yes” to these kind of questions, then it’s a no-brainer.  COMMIT!  Decide that you’re going to implement your plan, and mean it.

Secondly, get it clear in your head from the start that there will probably be some hurdles to overcome along the way.  This is to be expected and your commitment (remember, you just made it?) will help to see you through.

We’re Just Too Busy!

This one sort of comes under the same heading as the previous one, but is often the reason given for “Failure To Implement”.

Being busy is a good thing, of course.  But if the planned project truly is a priority for you, I’d strongly suggest that you can usually find one or two current activities which are lower priority, and slip or skip those in order to progress your money-saving/time-saving/product-enhancing project.

Most of us spend some time on business-related social media, for instance.  You’re reading an article right now!

If you cannot give your important project any time during a 14-day period, then it probably just isn’t a priority for you, is it?  Maybe go back and re-examine the potential benefits to see if you’re short-changing yourself and your business.

Use All Your Resources

It transpired that one of the things holding Ted up was that he didn’t know how to create the forms he needed.  We’d actually offered to do them for him but he hadn’t picked up on that.

Once he realised that a large chunk of the exercise could be delegated, the pace soon picked up in that area.

You may need to call on colleagues or employees, your senior management, or perhaps external third parties.

Maybe, if your time is in short supply, someone else needs to be the “Champion” for the project.  Whatever it takes, within reason, to keep things on track.

Everybody Onboard?

Because change can be difficult, you need to get everyone onside.  If your senior management don’t see the benefit of the project, then it may be hard to keep it on track and/or to fund it.

But equally, if those “on the ground” (who have to use the new solution) can’t see something in it for them, then it will make implementation a steeper climb.

You already identified the benefits of your project up front.  But try to also see those benefits from each stakeholder’s point of view.

In Ted’s case, he admitted that he’d been working pretty much alone on the project.  Once he talked to the field service team, they were so excited about the whole thing that they went out of their way to help drive things forward.

Call To Action?

Whether your project is mobilising your data or something completely different, I really hope you won’t let inertia hold things up.

Seize the day and you’ll be glad you did.

Oh and Ted?  He is a real client of ours and he gave me permission to talk about his project – only his name has been changed, to spare his blushes!  The good news is that he now has six mobile workers submitting their data electronically with FormsFly and they no longer have to buy multi-part stationery, nor decipher scrappy handwriting on their returns.