
Case Study Financial Advisor in Portsmouth, New Hampshire (Podcast)

Dave Hodgdon, founder of PCG, talks with John Maher about one of PCG’s clients. He discusses the IT support, managed services, and cyber security training PCG provides for a financial advisor in Portsmouth, New Hampshire. Then, he explains how PCG’s services help this client support its clients and stay compliant with industry regulations.


John Maher: Hi, I’m John Maher. I’m here today with Dave Hodgdon, CEO and founder of PCG, a managed services and security provider with headquarters in Portsmouth, New Hampshire. Today, we’re doing a case study on a financial advisor in Portsmouth, New Hampshire. Welcome, Dave.

Dave Hodgdon: Good afternoon, John. How are you doing today?

Background of the Client

John: Good. So, Dave, tell me a little bit more about this financial firm in Portsmouth and some of the issues that they came to you with when you first started working with them.

Dave: John, this particular firm was dealing with an existing managed service provider. And I think it’s tough that in firms, whether you’re 10, 20, 50 users, you should get the same quality of service. Their business was important to them, taking care of their clients was critical to them and they felt they weren’t getting the attention they needed.

A lot of our clients are 20, 30, 50 seats. So this was a slightly smaller firm of 10 users, but that was important to them because their culture was very, very adamant about providing the best customer service to their clients, and that’s what they expected from us.

They were not getting that attention, and once we had that first initial call with them, we understood what made them tick. Understanding their culture, understanding how they embraced IT…and it was clear to us this client was the perfect client for us. They understood IT. They want it to work, they want to invest in it. They want to make money with it, and that was important for us. So we knew that the first step was good.

The second part, one of their larger goals… This was about two years ago, was their security and compliance, where they stood now and what they needed to do. And the other part they were really looking for was more value toward guidance, similar to what they do with their clients is giving the right advice, not what’s right for PCG, but what’s right for their firm and giving them the guidance they need and giving the response times their users need.

Initial Strategies to Help This Client

John: Okay, and then what was your strategy after you first met with them to really get them up to speed and where they wanted to be?

Dave: First step, John… we always talked about this as if you’re going to purchase a house. Before you purchase a house, you’re going to do the building inspection. So we did the network audit just to get an idea of where they stood.

Was there any hardware that was not up to date? Were there some inefficiencies of how they’re trying to do the work? Or whether they’re on the right internet, the right wireless? Do they have the right switches in place? Were their PCs up to date? Was there anything odd about their applications that should be on premise versus the cloud?

So it’s just to get a good baseline of where they are, and then part of that also is asking them where they want to be. We want to understand the foundation, but ultimately, if we’re going to build this new house for you, where do you want to be in the next three to five years?

If they don’t want to be all on premise and they want to work more remotely, we want to move them to more of an Azure Cloud environment. But if they want to all stay in the building, it could be a hybrid version or a combination of both. So it’s very important that the network audit ties together what they want to get out of their goals.

Second part, being in the financial sector, is the risk assessment. There are more and more compliance requirements necessary for that, especially being in the financial industry. And we went over the steps for the risk assessment and how that works, the time frame, how long they had to be engaged for, the results that they would get. And they were excited to understand how our process worked, and then once we finished both those scenarios, we came back to them with a plan.

IT Compliance in the Financial Sector

John: Right, and when you’re talking about compliance, like you said, for a financial advisor, they’re in that financial industry and they’re dealing with people. I’m sure people’s Social Security Numbers, all of their bank statements, all of that kind of thing. And so it’s not just a good idea for them to have good network security, but it’s absolutely essential and part of doing their business as a financial advisor.

Dave: A very good point, John. It’s similar to the medical world. You have access to most of that stuff in finance. Besides having that Social Security Number and that information at the medical site, medical providers don’t really have access to your financial information or everything that you’re doing.

And it’s important that that stuff is locked down and is secure with financial firms. And they understood that because they’re dealing with people with wealth and you want to make sure you’re taking care of them.

Results of the Network Assessment

John: Right. So you mentioned that you did a network assessment. What came out of that network assessment in terms of issues that they had?

Dave: Some of the tactics we were to look at currently include: how they were using their server, because it was aging and were they a candidate to move that up to Microsoft Azure? Was there a reason to stay there, knowing they want to be more remote? We also did a 365 assessment, which is their email and verified the plans that were in place were correct and checked if the necessary security add-ons were in place.

So we determined right away that there were some gaps in both of those scenarios, and we were able to come up with a plan. We talked about the roadmap to the plan, and how our IT strategy review works.

During the course of the year, we’re going to have two or three meetings. This is more high level… bringing their goals, their issues to the table, looking at where their current house is and how we’re going to build that house, how they want to be. How to be more efficient. How to have better flexibility working from home. How to make sure my connections are secure, knowing my staff can work at home, at work. And I’m all in the right place using the right equipment and making sure that equipment is secure and my communications, anything I do, whether it’s email, access to a website, access to my financial stuff, is in a secure connection.

One thing they weren’t doing, John, was the big thing that came out of that was multifactor authentication. And they embraced it. They wanted to have everything locked down, not only from their email, but logging into their key applications. We use a product called Duo, which is owned by Cisco. So it actually authenticates them logging onto the network as well as their key applications.

Improving the Client’s Security

John: And what sorts of other tactics did you implement for this client?

Dave: One thing that came out of the risk assessment that was clear to us, was training. We want to provide training to the staff. We do that on a yearly basis now. We did the first one. We’ve done I think twice since then, but we do training on here’s the current trends on what’s going on. Here’s the current bad guys, how they’re trying to get to you.

And part of that training is after the fact, like we’ve always talked about how you talk to your kids. You talk to your kids, clean your room, do your homework, and you repeat it. Just doing that training session once isn’t adequate enough. So we followed up with the fake phishing campaigns that are sent out monthly… and we use specific examples… whether it’s a free Amazon gift card or it’s a friend’s asking you to send this particular information. You want to do something that relates to them to see if they click. So we’re trying to educate them what to look for.

A big part following the financial guidelines was having certain things in place for email discovery. Making sure their backup was in place in case there was an audit and they could go back to it. We also implemented a… There’s a product from the dark web, that’s kind of where the bad stuff happened, John. We’re looking for email compromises. We monitor that daily.

We knew their firewall had to be changed out and updated with the right security services in place, and we knew we had to retire their server because it was aging and we wanted to get them up to the cloud.

How Do Phishing Campaigns Work?

John: You mentioned that you send out these sort of fake phishing emails to the employees on a monthly basis to see whether or not they click on them. What’s your attitude toward that, and how do you talk to the client about that? Obviously, it’s not to try to trick the employees or to call out a certain employee and say, oh, you did the wrong thing or something like that. What’s the strategy there, and how do you approach that with the client?

Dave: I love that question, John, because that gets brought to us a lot that you don’t want to embarrass them, especially if it’s the owner, key leadership, clicking on that, but…

John: Right.

Dave: They need to understand this is an important part of continuing to educate. We’re not calling out anyone in particular. We’re letting them know we’re doing this to help you, and when you click it once, nothing bad’s going to happen, because it’s going to let them know that this is what you did. Here’s a video of what to look for.

If you do it a second or a third time, that’s kind of a trigger to us and the key management, this particular person, we either need to do more training or something. We need to make an adjustment right here.

You need to be vigilant about your security and security training is a key part of that. I think it’s probably one of the number one things you can do out there is consistent security training. We’re always teaching our kids to be a better driver. What to do around the house, etc. You have to be consistent. You have to embrace it internally.

That training is… I feel the number one strategy is to remove the bad guys, and it is a service and what’s nice about the service, there’s additional videos available in their industry, finance. There are a lot of additional videos of what to look for and what to do, which actually they really enjoyed.

Outcomes of Working With PCG

John: And so what were the results or the outcomes of this project? How long have you been working with them?

Dave: Been there about two and a half, three years. As we said hereinafter, one of the things I didn’t mention earlier is anytime you take on a new client, is always the concern is how does this transition work? So the onboarding process, our blueprint, is there going to be success there? How do they get away from the existing vendor? What does it look like moving to PCG? How does that process work for the client for getting help, to submitting tickets, to reaching out, to knowing that we’re monitoring you?

So, that was probably the first part of doing the transition. Once we took them on, we had to clean them up for Microsoft. We knew they weren’t on the right products to get the right security, so that was step number one. Then we activated, got them up to the Azure Cloud and then synced the 365 to the cloud. We made sure OneDrive was set up for all of their personal files, and they were able to retire the old server, which made it more flexible for them to be anywhere, which was an important part, because they want to be able to work from anywhere.

They loved having a dedicated engineer, and all our clients do have a dedicated engineer that’s focused on their network. What drives the technology for them? Where are issues that need to be addressed in the long term… We don’t want to put bandaids on stuff.

We’re trying to let our clients know, even though they think of us as fixing computers or help desk, that’s not what PCG does. PCG is adding the value of making that technology work for them. How can we leverage IT to help them have better workflows and to make more money? So they loved having that idea of that.

We helped them with the logistics of… Their current internet provider wasn’t right, so we helped them get to a new internet provider. They want redundancy with no downtime. So we got two circuits in place, John, with automatic failover. So, when you’re trading or you’re doing correspondence, you can’t risk downtime. They didn’t want downtime to happen at all. It is going to happen through a bad storm, but if you lose power, you’re kind of in trouble. But the more you can put up in the cloud, they can work from anywhere. But while in the office they want that dual circuit. It was important that we did that.

We were constantly striving with them to make sure they meet the compliance needs, the Sarbanes-Oxley, the Gramm-Leach-Bliley Act, the email encryption. We’re constantly looking for areas to help them. They did the risk assessment. It’s important to come back. You don’t do the risk assessment just once, John. You have to review it to make sure you have this roadmap that we did x year one, but what are we going to do this year to improve our locks on our doors this year?

And we worked on having a better, what we call a WISP, which is a written information security policy. What do we need to do now for our hiring? What are we doing for our background checks? What are we doing working from home? Working from home, John, it’s not the same as everybody being under one roof at the office that you can control.

Now I have 15, 20 people in all these other homes, which really aren’t under a firewall, wide open wireless, no protocols in place. So they wanted a remote workforce working on their equipment behind a secure VPN, protecting those assets. So those are very big parts of that.

But you couldn’t ask for a client that embraces IT more. They want the best for their clients and we’re giving the best possible service.

Contact PCG to Talk About Your Company’s IT Needs

John: Well, that’s really great information, Dave. Thanks again for speaking with me today.

Dave: My pleasure.

John: And for more information, you can visit the PCG website at pcgit.com, or call (603) 431-4121.