"I believe that the economy is some kind of running war and the market is the battlefield, so security is mandatory." (Mohamed Saadi)
The use of encryption techniques for the protection of our customers' personal data
How do we cope with the latest security challenges, and how can we ensure our customers' information remains intact and secure at all times?
Company formation and management, accountancy filings and financial reporting are just some of the services that we provide to our international customers. Our customers also make extensive use of online banking services in Bulgaria. These activities are very privacy sensitive and require a great deal of attention and safeguarding.
Data protection – beyond the legal responsibility
The new challenges
In our world of electronic storage and instant communication, data protection has become a vital part of each responsible company's business survival strategy. Long gone are the days when paper files and hard copy bank statements were safely locked in a vault, providing 100% protection. The challenges nowadays are much harder to confront. With virtually every computer connected to the internet, data theft has become a part of everyday life: business and political doxing, information leaks, you name it. (Doxing, sometimes spelled doxxing, is a new word derived from "documents". It emerged in the mid 1990s as a hacker revenge tactic and has since become an evil tool for harassing people and businesses.) The consequences can be really harsh. Many businesses have found their reputation ruined overnight. Many individuals have had their private lives destroyed in an instant. Business secrets have been revealed, and many criminal cases have been filed against the victims for tax avoidance, illegal trading techniques, and so on. In many cases, the victims of information theft (mostly over the internet) have fought their case and successfully defended themselves in a court of law. But at what cost: they have not only had their secrets revealed to the world, but have also had to do the almost impossible, fight the state machine and defend themselves against allegations of every kind. Once one's documents are stolen and transmitted over the internet for everyone to see, the consequences are often disastrous.
In 2014, hackers who, the FBI believes, were working for the government of North Korea broke into the networks of the giant corporation Sony, stole a huge amount of corporate data, and published it online. The reputational damage to the company was enormous; the company estimated the cost at USD 41 million. Unfortunately, what happened to Sony is not limited to huge corporations. Earlier, the data of thousands of private bank accounts was stolen from a Swiss bank and published by investigative journalists. Some of the victims were money launderers and tax evaders, but the vast majority were innocent savers who had stashed their money in a country they believed to be more secure than their own. What a horrible mistake that turned out to be. Their national tax offices came after them, and soon enough they were deemed guilty until proven innocent.
But is the internet the only threat to one's data? Absolutely not! Legal seizures, searches, warrants, and the list goes on. An average computer hard drive contains thousands of customers' files. A decent server can hold millions. If one and only one of those files gets the attention of the authorities (whatever the reason), then the whole system gets compromised. All the other customer files saved on the device, although not required to be revealed, will be compromised too. Then one can only hope and pray that the officials will stick to the law and not use the information as they wish. We would rather not say what happens most of the time.
So what do we do to help our customers keep their files theirs? We take security very seriously, and while we are fully determined to fight all kinds of illegal activities and work closely with the authorities if such cases occur, we believe our valued customers deserve a maximum level of privacy and security. We assess with our customers their required level of security and, as a standard, follow the procedures below:
- We employ standard RSA-AES end-to-end encryption in all our correspondence with the customer. This means every message is encrypted with a 256-bit symmetric AES key, and that key is then encrypted with a 2048-bit asymmetric RSA key (the public key of the recipient/customer). In that way nothing unencrypted ever leaves our computers, and all the information stays encrypted until it is received by the recipient. Even if the information is intercepted while in the wild (the internet), it is just a jumble of random-looking data and cannot be read by anyone except the recipient;
- While the customer's information is stored on our computers and servers, it is always in encrypted form (AES or similar, e.g. Twofish, Serpent). The encryption key is known only to a limited number of people, specifically those who work closely with the customer and need to access the data on a regular basis. In this way, even in the extremely unlikely event that some of our computers are compromised (either by a hacker or by the authorities), the customer's data remains intact (unless, of course, we are required by court order to reveal it). Without the encryption key it is absolutely useless: it cannot be read or used;
- Even with all customers' information being encrypted in transit and at rest, we always discuss with the client what information they want transmitted to them in their home country, and we decide on the best communication channel. Sometimes it is advisable to set up a separate email account to be used exclusively for correspondence with us. Most of the time, we are requested to retain all paper copies in safe storage in our offices rather than forwarding them to the customer's country of residence. In such cases, a suitable solution is to scan and encrypt the documents and send them by electronic means to the client's dedicated email address for review;
- Technology is changing rapidly: new technologies are being developed and old (encryption) algorithms are being found insecure. We try to keep up with all developments in the information security industry. We were one of the first companies to advocate a rapid move away from the outdated TrueCrypt encryption software, long before the fatal vulnerabilities CVE-2015-7358 and CVE-2015-7359 were identified. Since 2012 we have not used RSA public keys with a key length of less than 2048 bits. And of course, we regularly educate our partners and customers on how to cope with the latest security threats.
No matter the challenges ahead, we always work closely with the customer and their financial institution (i.e. their bank); we advise on the most secure online banking service, and we believe that when it comes to business, security comes first. Keeping the data encrypted and transmitting it only when specifically instructed has helped our company avoid any data leakage or loss over the years.