Behind the Scenes at Provident
From time to time, I like to provide a behind-the-scenes update from Provident. The focus this time will be on the steps we take to keep your data and money safe from theft.
Cybersecurity is constantly on our minds. About two years ago, we enlisted Schwab’s help to assess our cybersecurity arrangements and identify opportunities for improvement. This was not in response to any known shortcomings and wasn’t intended to diminish the role of our technology vendor. Rather, it was meant to be a second source, particularly since the Schwab consultant is an expert in our industry and understands the regulatory structure we work under. This is an ongoing process, as indicated by my last request of the consultant: to schedule an annual progress update, which we will continue to do.
While we had already taken many steps to be more secure, the consultant gave us several suggestions. We now require personal devices to be “registered” before they can handle company data. What this means is that employees who occasionally want to work from home need to allow their laptops to be registered and to follow Provident cybersecurity policies; their computers won’t be allowed to access our data unless they are in compliance. Mobile devices (phones) can only access Provident email through the Microsoft Outlook app. We also now have the ability to wipe work data from employee devices in case of theft. Employees cannot use USB ports to move data on or off their computers. This reduces the chances of introducing computer viruses, and it also shuts off one means of mass theft of data.
Almost a year ago, we moved data previously held on our physical server to the Cloud using Microsoft SharePoint and Azure. Migrating to the Cloud significantly reduces the amount of time it would take to restore our systems in the event of an outage or malfunction. Keeping the data in the Cloud also helps keep client data safe, particularly when someone is working remotely. Although our employees primarily work in the office, occasionally working from home is an option since we now have technology in place from the pandemic. Partnering with trusted firms like Microsoft is helpful because they have thousands of employees dedicated to cybersecurity, and there’s no way we or their other customers could match those resources.
Following the move to the Cloud, we are told that hackers would not be able to compromise our data even if they should break into our systems. But we didn’t leave that to chance. We hired a company to try to break in, something called a “penetration test.” While we passed the test, that doesn’t mean everything went perfectly: the testers found some deficiencies, our tech vendor fixed them, and we will soon undergo a re-test. Protecting our systems and our clients is a never-ending process.
For applications that contain clients’ personal data, we require “two-factor authentication” (a code sent to the employee’s phone or generated by an authenticator app) before the application can be used on a new device. The Schwab Advisor Center goes further: Schwab requires two-factor authentication every time we access it, even from a device that has already been verified.
Our Schwab consultant cited research showing that 99% of hacks occur because of “phishing” attempts. Phishing is when bad actors entice users to click on links or attachments in an email, which installs malware or a back door on the victim’s computer or leads them to a fake login page that captures their password. Our employees undergo phishing training in which enticing fake emails are mixed in with their regular email flow. Employees undergo additional training if they click on links in a phony email sent by our testing company. So far everyone has done great, but the bad guys keep upping their game, so the phishing tests will keep getting more difficult as well.
Just like Microsoft and Schwab spend much more on defenses than we possibly could, Provident spends more money and attention on cybersecurity than our clients do. That being said, keeping you and your money safe is a team effort involving Provident, Schwab, and our clients. I’ve described steps we are taking, and here are some things we’d like to caution you about.
What if you receive a phishing email that appears to come from a Provident email address? Bad guys can make it seem like an email comes from a trusted source when it actually comes from a hacker. Recipients are more likely to open an email and click on links when they think it comes from a trusted source. We recently installed a feature that would prevent our email addresses from being forged in this manner. That feature protects our exact email domain; it cannot stop a look-alike address that differs by a letter or two, so don’t automatically trust anything that comes via email. Be skeptical. Ask yourself whether the email reads the way that friend or family member usually writes. Be especially wary of emails enticing you to click on something with language like “Invoice for your new iPhone” that you didn’t order or “I saw this hilarious photo and immediately thought of you!”
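As an added example (not code from the newsletter, from Provident, or from Microsoft), here is how a receiving mail system tells a genuine message from a forged one. It assumes the anti-forgery feature described above is DMARC built on SPF and DKIM, which is the standard mechanism but is not named in the newsletter. The domain provident.example, the function names, and the four sample messages (including the Authentication-Results header a receiving server would write) are all constructed for illustration. The last sample shows why the skepticism advice still holds: a look-alike domain the attacker registered passes its own checks.

```python
# Added example, not code from the newsletter or from Provident: how a receiving
# mail system decides whether a message really came from the domain shown in
# the From: line. The anti-forgery feature the newsletter mentions is assumed
# to be DMARC layered on SPF and DKIM (the newsletter does not name it). A
# receiving server records its SPF/DKIM verdicts in an Authentication-Results
# header; the check below compares those verdicts with the visible From: domain.
# Domain names and messages are constructed for illustration.
import email
import re
from email import policy

TRUSTED_DOMAIN = "provident.example"  # assumption: the firm's real sending domain


def from_domain(msg):
    """Domain of the address in the visible From: header (what the reader sees)."""
    return msg["From"].addresses[0].domain.lower()


def auth_results(msg):
    """Map each method (spf/dkim) to (verdict, domain the verdict was for).

    SPF is evaluated against the envelope sender (smtp.mailfrom); DKIM against
    the signing domain (header.d). A verdict with no domain (e.g. dkim=none)
    is ignored, which counts as 'not authenticated'.
    """
    hdr = msg.get("Authentication-Results", "")
    pattern = r"\b(spf|dkim)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d)=([\w.-]+)"
    return {m.group(1): (m.group(2).lower(), m.group(3).lower())
            for m in re.finditer(pattern, hdr)}


def dmarc_aligned(msg):
    """DMARC passes if SPF or DKIM passed AND that domain matches From:.

    Either method alone is enough; this is why mail forwarded through a list
    (SPF fails) still passes when the DKIM signature survives.
    """
    fd = from_domain(msg)
    return any(verdict == "pass" and dom == fd
               for verdict, dom in auth_results(msg).values())


def classify(raw):
    """'trusted', 'forged', or 'not-our-domain' for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if from_domain(msg) != TRUSTED_DOMAIN:
        # Authentication says nothing about trust: a look-alike domain the
        # attacker registered will pass its own SPF/DKIM checks.
        return "not-our-domain"
    return "trusted" if dmarc_aligned(msg) else "forged"


# Constructed sample messages (Authentication-Results as a receiving server writes it).
LEGIT = """From: Scott <scott@provident.example>
Subject: Quarterly update
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=provident.example; dkim=pass header.d=provident.example

Hello,
"""
FORWARDED = """From: Scott <scott@provident.example>
Subject: Quarterly update (fwd)
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=provident.example; dkim=pass header.d=provident.example

Hello,
"""
FORGED = """From: Scott <scott@provident.example>
Subject: Invoice for your new iPhone
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=attacker.example; dkim=none

Open the attachment.
"""
LOOKALIKE = """From: Scott <scott@provident-advisors.example>
Subject: Updated wire instructions
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=provident-advisors.example; dkim=pass header.d=provident-advisors.example

Please send to the new account.
"""

if __name__ == "__main__":
    for name, raw in [("LEGIT", LEGIT), ("FORWARDED", FORWARDED),
                      ("FORGED", FORGED), ("LOOKALIKE", LOOKALIKE)]:
        print(f"{name:10} -> {classify(raw)}")
```

Run as a script, it prints the verdict for each sample: the genuine and the forwarded message come out trusted, the forged one is rejected because neither SPF nor DKIM vouches for provident.example, and the look-alike is authenticated but is simply not our domain. A mail server with an enforcing DMARC policy quarantines or rejects the "forged" case before it reaches an inbox; the "not-our-domain" case is the one only a skeptical reader catches.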
Let’s also think of worst cases. What if you get hacked or somehow give away your Schwab login credentials? First, notify us so that we can determine whether to have new account numbers assigned (in consultation with Schwab, of course).
Be assured that Schwab’s defenses are very strong. If someone attempts to use your credentials on another device, Schwab will send a code to your mobile phone that you must enter on the device to confirm it is really you (two-factor authentication). To access your account, someone would have to know your user ID and password and have stolen your computer or phone.
What if that unlikely combination of events actually happens? When we moved to Schwab, we had them disable the ability of clients to make trades or move money in their own accounts. A thief could theoretically look around your accounts but couldn’t really do any damage like stealing money.
What if they call Schwab and impersonate you? Schwab won’t take instructions from you or from someone claiming to be you. They will instruct “you” to call your investment advisor (Provident). We know our clients, though not perfectly, so we won’t move money to a new account just because a client says so. We require a voided check in order to confirm the authenticity of the account and the routing/account numbers. Then we would create digital instructions that you would log onto SchwabAlliance.com to authorize. And again, a thief would need your Schwab user ID, password, and your phone or computer to log on. Nothing is foolproof, but bad guys would have to steal a lot of information from a client in order to steal money.
We are in regular contact with our technology vendor regarding our office technology, and this includes receiving periodic status updates so they know we are paying attention. We are paranoid, not in the fearful, don’t-ever-leave-the-house sense, but the productive kind where concerns over unlikely events lead to proactive steps to make them even more remote. The goal isn’t to be perfect, but to be a frustrating target for the bad guys so they move on to an easier target!
Scott Horsburgh, CFA