A new IT Strategy to support professional services

The client 

Richmond House Group (RHG) has been serving private and corporate clients from offices in Stevenage, Hertfordshire since 1964. Their in-house discretionary investment management team has an excellent track record in managing investment portfolios in these challenging times. RHG are also experts in providing advice regarding employee benefit schemes, compulsory workplace pensions, life assurance, private medical insurance and inheritance tax planning. 

The issue 

The Financial Services Authority’s (now the Financial Conduct Authority) 2008 report on Data Security in Financial Services focused on the issues surrounding client data losses through theft of laptops and memory sticks. 

Knowing that any breaches of Personal Identifiable Information (PII) within the company would result in fines by the regulator, the senior management team took seriously their responsibility for the security of sensitive clients data and Octree was asked to review the company’s IT systems, processes and security. 

Octree’s approach 

Suitable for businesses with multiple servers and a complex IT infrastructure, Octree’s Professional-Complete Managed IT Service provides 24/7 support covering everything, from networks and servers to mobile devices to security appliances. 

Like many financial services companies, RHG had become totally reliant on the use of technology, from office-based servers and PCs to laptops, and the use of USB memory sticks to transfer information. All employees had access to the Internet and email was widely used to communicate with clients and suppliers. 

We conducted an audit of the company’s IT systems and infrastructure using a detailed questionnaire that Octree has developed to accurately assess the level of compliance with the FCA’s data security guidelines and accepted industry best practice. The methodology ensured that fundamental weaknesses in IT security systems and procedures were quickly identified. 

Based on the findings of the audit, we implemented a range of measures to improve data security, including:

• Development of an internal high level security policy based on a holistic risk assessment program, to be reviewed annually for relevance.
• Development of individual policies covering password complexity and change management, data sharing, acceptable use, individual technical controls, business continuity and disaster recovery.
• Development of an appropriate Security Awareness Program for all management, staff and contractors.
• Full disk encryption of company laptops, providing protection against unauthorised access to data in the event of hardware being lost or stolen.
• Web filtering to control employee access to inappropriate or non-work related websites and to protect endpoints (PCs and laptops) from web-based malware.
• Email filtering to protect users against phishing email, spam, email-borne viruses and malware. It also ensures that inappropriate or defamatory material is blocked.
• Email encryption for secure client communications.
• Endpoint security on desktops and server with anti-virus, anti-malware and proactive threat protection (IPS).
• Patch and vulnerability remediation to keep software up to date.
• A managed firewall and VPN offering secure remote access for mobile users.