Robin
So welcome everybody to the Alpha Tracker Wednesday webinar, which is a lot easier to say than the Alpha Tracker tips and tricks Tuesday. I knew I wouldn't get that out. So they're on a Wednesday night. So we've got this one, we've got one in a month's time, one in another month's time, and then we'll have some more later in the year. You're very welcome. Today's topic is security, partly because of all of the recent news with M&S and the Co-op and Harrods and lots of other people.
Partly just because we haven't covered security in our Alpha Tracker webinars. Quick intros. So I'm Robin. I'm the director here. We've got Jack joining us with his lovely new background. Jack is the Alpha Tracker product manager, and I've got Kim next to me. Kim's our Alpha Tracker specialist who many of you will know. Lots of people joining us live. Thank you again for doing that. Just a few shout outs. Hi, Angela, Dan, Hannah, Howard, Jordan, Magda. Lots and lots of people. Viviana, Victoria, Zac. Nice to see you, Zac. If you're watching on recording, by the way, thanks for catching up on that. Do share with your colleagues. So let's get cracking. 20 to 30 minutes today, we think. Bit of housekeeping. You've got a Q&A chat button in your Zoom window. If you can just say hello in it, that'll be wonderful. And that's where you ask questions. So if you just say hello and let us know that you can hear us okay, Jack will be keeping an eye on that. And he'll interrupt us as the questions come in. Let me just make sure I'm seeing them as well. So please do say hello. Like I say, 20 to 30 minutes. And that's all you need to know, I think. And it'll be on the website afterwards for you to share with your colleagues. So Kim's going to go first. Kim will be talking about security within Alpha Tracker itself. So the basics of how to set up an account, what to do when people leave, client portal, that sort of thing. We've got a couple of new features to tell you about as well. I'm going to do you a little briefing on cyber security in general. So this is how to keep yourself and your business safe on the internet, including a new one, reputational damage attacks, you might not have heard of those. And then we'll wrap up with Jack talking about how we take care of your data and documents to keep them safe from all sorts of threats and risks that exist on the internet. So we'll wrap up with that.
Like I say, ask questions at any time, please just do interrupt us. And Jack will tell us when a question pops in. Right, off we go then. Kim and security within Alpha Tracker.
Kim
Yeah, right. Well, I'll start with user records, I think. So first thing, the question is like, who are they for? They're there for anyone who you want to be able to log into your Alpha Tracker. So you might not want all your surveyors to be able to log in.
You might just want them to be using Tracker Mobile. But if you want someone to be able to log into Alpha Tracker in the browser to look at the data changes and things, then they need a login. And the first thing that they need there is a staff record. So I would check first that the staff record exists. So you go to Staff Setup. And in there, you can search. I'm going to search for Adam and check that the person I want to set up that user record for has got a staff record already. If not, create one.
Robin
So, this is before they get a login, they need a staff record.
Kim
They do.
Robin
Right.
Kim
Yeah, okay, so that's recording their name everywhere in Alpha Tracker. Okay, so they've got a record. Then I would be creating my user record. That's down here in Web Security under Users. Now this area is only available to super users and administrators, so it's quite restricted to any of those with higher permissions.
On the user bit here, I would search again just to make sure that it doesn't already exist. See what I've got, and I will create a new one if I need to create a new one. I'm gonna create one here. To create my user, I put in a username and a password. So it's the credentials that they use for logging in. Okay, so that could be any part of the name or the whole one, if you like, whatever it needs to be. I can't even spell his name properly, it seems.
Robin
You never have too many Es.
Kim
Normally we would say use an email address. It's definitely the safest thing to use.
Robin
It is. These days, yeah, we don't recommend using first names, or first names and then the first letter of the surname. Use the email address instead; it's guaranteed to be unique, and it also means you can use some of the other features that we're going to tell you about in a moment.
Kim
Exactly, it's that uniqueness that's important. So you put in your user ID, I put in the password. There are some rules about the password: it's got to have uppercase and lowercase letters, it's got to have numbers, it's got to have a special character.
The easy way to do it is to leave that field blank and let the system generate one for you to create a random password. But whatever it is, you can put them in to start with and then pass it on to that person and they can change it themselves.
Robin
We'd expect that, wouldn't we? We'd expect them to change it on first login.
Kim
We would. If I click that button, it's going to create my user details. It's showing them to me here, and I click on this little copy button here so I can copy those to the clipboard and then paste them into, say, an email to send to them so that they've got everything that they need. And that's it, that's the user record created.
So it's there, but it's not fully defined yet. What I've got to do is link it to the staff ID. So that staff record that we checked first, we would go over here, this red field, and we would look for that staff record. So I would search, and I could just be filtering by staff as well to find the right one. So there we go, that's what I want to link it to. That's nicely linked now.
Then I've got some other fields to complete to set up some default letters. So you know the letters that you've got on the project references and the quotation references, this is that office letter at the beginning and saying what they want to have as default. And then you've got another one saying which one should they be allowed to access. So you could be restricting them to certain letters only.
Robin
Right, so if they were only working in your southern office, and your southern office had the S project letter, you could just put S in there, and that's all they'd ever see. They wouldn't see the jobs and quotes for the northern office. I say, right.
Kim
Right, yeah. Or you could allow them access to everything and put all the letters of the alphabet in. Fine.
Okay, so that's great. Then we've got the groups. So these are the permission groups, very important. If you don't put a user into a group, they can't see anything, they can't log in. So you've got to put them in at least one group, and you can put them in more than one. Think of these as roles. So what are they doing? What's their job role? Are they a surveyor? Do they actually also do survey admin? Perhaps also project admin. So you can have multiple selected like this, depending on their roles, and that will give them the right menu options when they log in.
Robin
Are there any special ones on there that you need to be careful of?
Kim
Yes, be careful of things like quality, because that's one where it puts you into the list so that you can sign off reports. Okay. And also, especially something like auditor, because that makes your login read only, which tends to throw a few people. So be careful of some of them.
So make sure you know what you're ticking there. Okay, that's my user. So if I save, it's going to save my user record. And that's it created. A couple of extra features. I think you might want to talk about these, Robin. So we've got.
Robin
Oh yeah, MFA, Multi-Factor Authentication. You'll be used to this when you do your online banking. If you log in on your laptop when you do online banking, sometimes you'll get a text message with a code on your phone that you have to put into your browser. In other words, you need your phone as well as your username and password, Multi-Factor Authentication. We support this from the next release, two different types. We'll either support text message, you'll get a code texted to you, or you'll be able to use an authenticator app, the Google Authenticator app from the app stores. We're really going to push this with our clients to suggest you switch this on because it means you won't be able to access Alpha Tracker unless you also have your phone, which really increases the security of the system. So that's MFA or Multi-Factor Authentication.
A couple of ways to switch it on.
Kim
All available up here as well, isn't it?
Robin
It is. And the other one, again, another three-letter abbreviation here, SSO, Single Sign-On. Lots of our clients use this now. It's a feature that Jack and the team built into Alpha Tracker a couple of releases ago, but it suddenly got very popular. What this does, Kim, is it links your Alpha Tracker login to your Microsoft login. So in other words, when you log into your laptop, log into your Microsoft network, your Microsoft account, you're already logged into Alpha Tracker. So there's no login screen in Alpha Tracker in that case, and all of your security is controlled through your Microsoft account. Makes it incredibly secure because your Microsoft account is almost certainly protected with a phone, Multi-Factor Authentication anyway. And it also means things like passwords. You've only got one password. It's your Microsoft password. You don't have to log into Alpha Tracker at all. It is. Single Sign-On. Contact the support desk if you want to find out more about that.
Kim
Okay, so in terms of user logins, we could also say something about linking these to Tracker Mobile and Alpha Tracker Mobile.
Robin
Yeah, so if you use Alpha Tracker Mobile in the App Store, this is the way you set up users. So it's the same user account with our app in the App Store.
Slightly different for asbestos surveyors collecting data using the other app, our older app. Although you can now set individual passwords on that app as well. That's a new feature. Yeah, so if you're concerned about the old method we had of one, essentially one password for all of your asbestos surveyor staff when they're out on the road, you can now set individuals.
Kim
Excellent. Okay.
Right now, let's also talk about client portal logins. So that's the other type of login. So these are also users on your system. And they will be the different types of users. So they log into the system, but they can only see their data. So these are the ones that you give to your clients. If we take a look at one of those, they are created exactly the same, exactly the same way, but there are a few important differences. When you have one, you can see it's got a little world symbol. So that's just indicating to you that it's a client portal login. And the main difference is, instead of being linked to a staff ID, it's linked to the client ID. Okay, so you can search for these here. You can click on clients to filter your list by clients and find the client ID that way. You don't need to bother about the default project letters because they're not creating them. And you've got groups. So in terms of groups, what's really important here is that you put them in either the clients or the client admin group. Not both. Just one of them, and not any other group. Just one. It makes what they see on client portal nice and clean. A few other areas, you've got the key services. So this is where you're selecting what they can see on the portal. So if you've got more than just the asbestos module, if you've also got water hygiene, you might want them to be able to see that data and any other modules that you might have, you just tick the box. You can also look at permissions. So instead of this being in settings, which it was previously, we're now controlling this here. So you can say whether this user can see any sites that have been shared with them and whether they can update items or add items, or if it's just read only for them.
Robin
Brilliant. So tell me again, what's the difference between a client admin and a client here?
Kim
Well, the client admin is the higher level user. So they can do a few extra things and they've got more controls.
Well, the standard one is clients. So I would generally put people in clients.
You might have one client admin user per client.
Robin
Okay, and client admin users, can they create their own users?
Kim
They can, yes, can I speak to the system we've got, yeah.
Robin
Right, so that's just popped up a question. So the question, Jack, I'm reading the questions now. The question is, does that cost our clients anything?
So if our client gives access to the data to one of their clients, and their client creates 10 client admin, client users, if that makes sense, does that cost anything down the line?
Jack
The answer is no.
So the client portal is bundled in with your Alpha Tracker subscription, so it's no charge to you. If you'd like to charge your customers for the client portal access, then we'll leave that up to you, but there's no charge from us.
Robin
Right, okay, thanks a lot.
Kim
One more thing to mention in terms of these client portal users is that you can restrict them to see only certain sources.
Robin
That's useful.
Kim
Yeah, so if you've, as a client, they've got a whole portfolio, but you only want this user to be able to see one site, say, or a couple of sites, then you can restrict it to those particular sites.
Robin
Right, so if this client was a collection of academies, schools...
Kim
Yeah.
Robin
but you only wanted a caretaker or a secretary at a school to see you there. It's either, right, that's how you do it.
Kim
Select it there. If there's nothing selected in there, they can see everything.
Okay so then when you've done all that you've created your client portal user, do test it, test the login, or actually sign in. Make sure that that login can see exactly what you think they should be able to see and they can do what you think they should be able to do.
Robin
Yes, good point. Very, very good point.
Kim
Yes, and as we said, there are a couple of other ways of adding users into the system. You can, for example, create new client portal users from the client screen. The client admin user can create them in the portal. And if you've got lots to set up, you might want to use an import facility.
Robin
Okay, we've got that as well.
Kim
Yeah, nice easy way to create users.
Robin
Right? What about people leaving then?
Kim
Right, people leaving, yes. So I would firstly go to their staff record, find the staff record and set it to inactive.
Robin
Okay.
Kim
So this will make them no longer a valid choice in the system, but you can still see everything that's related to them and their name is linked to work.
Robin
Right. So that's the important thing. So by making them inactive, even work that they did three, four, five, six years ago, you'd still see their details on the job. Right.
Kim
Don't delete it, right? Don't delete the staff record, just make it inactive. But on the user record, feel free to delete it.
Robin
So they can't actually log in.
Kim
So they can't actually log in.
Robin
Right. Okay, that makes perfect sense. Great. Okay. Any questions at this point, Jack, other than the Monday one that we had?
Jack
No, none so far.
Robin
Good.
I'll plough on. Right, so now what I'm going to do is, there we go, show, just talk briefly about some cyber security essentials. I used to be on, until very recently in fact I was on, the cyber security panel for the Institute of Analysts and Programmers. Not easy to say. So I've got a background in this, and I actually help other companies with cyber security attacks and things, so this is a part of my background. Here are just some quick tips to help you through this cyber security jungle. And like I say, prompted with all of the recent things that have been in the news: M&S took weeks to get back online properly, Co-op had major issues, Harrods had major issues. I shop at two of those shops, not all three, just the two. I won't tell you which. First of all then, scams and social engineering. So scams, this is the old thing: if it seems like it's too good to be true, it probably is. The old Nigerian Prince email that was doing the rounds, you know, help me move this money and you can make some money along the way. It's a lot more sophisticated than that now. Social engineering really plays a big part here, and in fact those retailers I just mentioned all were impacted because of social engineering in the first instance. And what this is, Kim, is where people are contacted and subtly asked for information over a period, which adds up then to give them enough information to do something useful with it.
One of those retailers, in fact, the way in was via a public Teams meeting. So they'd created a Teams meeting for their staff, they made it as a public link, a hacker got to find the link, joined the meeting, there were so many people on the meeting nobody noticed, and then they started to make contacts then within the business. So just think about, you know, all aspects of how you share information, who you're telling information to, giving information to, sharing links of documents, things like that. Just be aware, but anything that looks like it's too good to be true probably is.
Malware is the second one, just a general term for bad software. So we used to think about viruses in particular, and they used to arrive as attachments, you know, and you double-click the attachment and all of a sudden your hard drive would be trashed. It's again more sophisticated than that now, often links in documents or attachments that look like useful documents to you. So you might get a document that says it's a purchase order from a client. You think, oh great, we've got some business, some new business. But if it's not something you were expecting, don't open it. Phone the person that sent it to you, double-check they did actually send it to you, and make sure that it's safe before you open it. The main protection of course with malware is antivirus software, so make sure that you've got antivirus software installed and, importantly, that it's regularly updated or automatically updated, and get your support company, your IT support company, to double-check that for you.
Phishing, really common at the moment, is doing the rounds again. Again, this is where people send emails or WhatsApp or texts, they can come in any which way, asking you subtly for information that doesn't seem to be particularly important but would give somebody advantage and help them to break into your system. For example, again you might have a document with a link in. You click the link, it then says, oh, this is a really important secure document, so put in your Microsoft credentials to authenticate that it's you that's reading it. Stop and think: why am I having to put in my user ID and password to read a purchase order? That doesn't seem right. That's what phishing is all about. It's about extracting data from you that might be useful to somebody else.
Another one that's been asked for regularly now is dates of birth. So you click on a link, it says, I need to validate that this is appropriate for you, put in your date of birth. Well, they then know your email address, your date of birth. That's starting to get the sort of information that would be useful to a hacker, so be careful. That's phishing.
Ransomware is the most evil of all of the cyber attacks, in my opinion. Ransomware, many people watching this webinar or the recording will be familiar with it, may have been struck by it. It's when you get some malware on your PC or your servers, and the ransomware, the malware, runs and encrypts all of your files, and they leave a ransom note. And the ransom note will say, in order to get your data back you need to pay us so many bitcoins, and the bitcoins will depend on how big a company you are. Co-op and M&S were both hit with ransomware; they managed to get ransomware into their systems.
There's actually another type of ransomware now, which is called a double exploit ransomware, where they extract your data before encrypting it. So they leave you with an encrypted server, which is no use to you, but they threaten to sell your data to other people for a ransom, you know, so there's two ransoms involved, double exploit ransomware, horrible.
Protection, antivirus, being careful what you click on, but most importantly, your backups. If you've got good backups, if you know your backups are secure, the worst that will happen is that you'll lose today's data and you have to rekey it. You'll just go back to yesterday's backup. Otherwise, yeah, ransomware, I think the most evil of all of the cyber attacks. Cyber attacks in general, well, there's lots that can happen. You can be targeted by hackers to take your system offline. There's a whole variety of those. What I would say is, if you think you're under cyber attack, contact the police. If you just Google it, there's something called Action Fraud, which is a government service. You can tell them what's going on. They will give you good advice for free over the phone and by email. They'll then put the local police force, or the police force in the area where your servers are, in touch with you. And they do take it seriously. In the last 12 months, I've been involved with three criminal-level cyber attacks for other businesses, not our business, but other businesses, and the police have been great. So tell the police, tell them what's going on. You'll get good advice. There is one product that you could talk to your IT support companies about, which can protect you. It's called Cloudflare. Just ask your company if you're protected by that. If you're not, talk to them about it, because that can help with lots of different types of cyber attack.
Kim
Great advice, great advice.
Robin
Last one is the one that you might not have heard about. It's doing the rounds at this moment, and it's a reputational damage attack. If you've spent years building your TrustPilot score up, so you've really looked after your TrustPilot reviews or your Google reviews, you've managed to get sort of four and a half out of five or four point eight out of five, all of a sudden you look on TrustPilot and you see that your score's plummeted to three out of five because the last 20 posts, the last 20 reviews, have been really negative. What's going on there is that you're about to get a ransom note, and there are organizations, criminal organizations now, that are targeting TrustPilot and Google reviews in order to cause your company reputational damage, and they'll want a ransom to stop.
Again, it's a criminal act, tell the police, but also talk to TrustPilot straight away. They're now getting really good at dealing with this, and they'll help you remove the reviews that are not valid. They've got ways of checking now to see whether they're likely to be real reviews or not, but that's a new type of attack, reputational damage attack. Last thing I would say for your business: if you haven't got Cyber Essentials, I would get it. It's relatively simple to do, and it will help you just by checking that you're doing the right thing with your passwords, your operating systems, your anti-virus, making sure all your devices are up to date. So that's something you can get relatively easily and relatively cheaply. ISO 27001 is a bit different, that's an international standard for information security. We have both of them at Start Software, so your Alpha Tracker systems are protected because we have Cyber Essentials and ISO 27001. More complicated, but if you're a bigger consultancy, ISO 27001 might be worth looking into if you haven't already. It's more expensive, it's more complicated, but it's more of an internationally recognized standard to show that you take security of data and documents seriously.
Okay, hope that was a five-minute whiz through, hope that's useful. Scams, just be careful. Malware, anti-virus to protect yourself. Phishing, again, be careful. Education, explain to your staff what that's all about. Ransomware, make sure your backups are in place, that's the key protection. Cyber attacks, tell the police as soon as it happens, they will give you good advice. And reputational damage, talk to TrustPilot or talk to Google, they're better than you think. Right, we'll wrap up now. Any questions, Jack, are we still good?
Jack
We have had some, but I've answered them in the chat. It's all good.
Robin
Well done. Thank you.
All right, wrap up then in terms of how we protect your data. Now, a fundamental principle here in our business is that this is your data, your documents, and we are the custodians for you. And we take so much care, so much care, and time, and money, and energy to protect your business.
Jack's screenshotted a page there out of a document. It's a safeguarding document. And it's actually on our website. I'm just going to remember where I left it. I left it there. There we go. So you can find it on our website, Security Business Continuity, the Alpha Tracker Safeguard. So Jack's taking a screenshot. And that explains exactly what you do. But we'll just run through a few things. So Jack, Cloud Security, where is the Alpha Tracker Cloud?
Jack
So the vast majority are all stored in AWS, that stands for Amazon Web Services. If you're a UK customer, all of the servers are in the UK, they're in the London region.
If you're an Australian or New Zealand customer, then the servers are located in the Sydney region.
Robin
And Amazon Web Services, that is Amazon, the shop, Amazon.
Jack
That's right, it is. Yes, they're one of the largest cloud providers along with Microsoft and Google.
Robin
Great. Okay, so we've got lots of safeguards there. Amazon security is unbelievably comprehensive. So there's some security backups, presumably backup daily.
Jack
That's right. Yeah. So all of the servers in AWS have what's called a snapshot taken, which is a full copy of the server every day. And we keep 14 days worth of those snapshots.
So we can go back 14 days if we needed to get a full copy of the entire server, including all of the documents, etc. If we needed to.
Robin
And we rehearse the restoring of those backups, don't we? Yes.
Jack
So we take backups at random and restore those to make sure that it's in a restorable state.
Robin
Brilliant. So yeah, if you've got other servers, not just Alpha Tracker, if you've got other servers in your business and your support company isn't rehearsing the backup restores, the backups are useless. Backups are only ever of use if they can be restored. So make sure your support company is doing trial restores of any backups that you've got.
Pen testing, Jack, that's nothing to do with pens, is it?
Jack
Nothing to do with pens, no. That's the software term for penetration testing. So it's a method of finding common exploits, those type of things in software that someone who wanted to do some damage could take advantage of.
And for every Alpha Tracker release, we do penetration testing to make sure we've not introduced any of those sort of problems.
Robin
Thanks. And we review those, by the way, at a monthly risks meeting that Jamie chairs where we cover all these things and more to make sure that we're not missing any opportunity to protect your data and documents, which is absolutely core to our business. It's fundamental to what we do.
And as I just mentioned, we also have Cyber Essentials and ISO 27001, just as a bit of reassurance. Thanks, Jack. Right. I think we've just about got there in the 30 minutes. 29 minutes in. That was quite a lot to take in, but hopefully it was useful. We'll just have a quick recap. So Kim covered security within Alpha Tracker: that's starters, leavers, client portal, and we touched on the new features, the Multi-Factor Authentication using your phone as well as your password, and Single Sign-On. Really recommend you get into those. I did the quick whiz through all of the cyber security stuff. If you want a longer version of that, just let me know. I'll be happy to give a presentation to your company that you could share, with some really useful tips in there, I hope, to help you keep yourselves safe on the Internet.
And then we just wrapped up there with Jack with the specific things we do in Alpha Tracker to protect your data and documents. We really appreciate you joining us today. The recording will be on our webinars page. Do share that with your colleagues, and see us next month for asbestos reinspections. So look forward to seeing you then. Thanks again for joining us. Have a lovely day.
Kim
Thank you.
Copyright © 2024 START SOFTWARE - Registered in England No: 5940522 - All Rights Reserved