One of the questions we often get asked by our Auderli customers is about security. Putting all their important documents in one place online has made some people initially feel a bit nervous. We can tell you that keeping information safe is our top priority, and that we guard our customers’ data with the latest security measures, including end-to-end encryption, multi-factor authentication and other security protocols. But what does that really mean? And why have we made those decisions?
We thought: who better to ask for a no-fluff, no-guff answer about our security than our resident security specialist and CTO, Nick Doyle?
An Intro...
Hi, I’m Nick Doyle and I head up the technology team at Auderli and have done for the last 18 months. I’ve worked in tech for around 25 years and I’ve played a part in countless projects, many of them in the financial services space. Unfortunately, I found that in some cases security was an afterthought. It wasn’t necessarily an oversight by the teams I was working with, it was often down to the way the organisation chose to structure itself, with security specialists being in silos separate from product delivery teams. Unfortunately, what this can lead to is a situation where security requirements are delivered very late in a digital product’s lifecycle. Problems can be found too late in the day and sometimes corners will be cut due to time pressure, budget pressure, or other reasons beyond a product team’s control.
Even after a digital product has been delivered to the market, it needs constant ongoing care and attention, particularly for security reasons. Malicious parties are getting more advanced all the time and a product which was deemed secure 5 years ago is not necessarily so today. I try to encourage the teams I work with to have security front-and-centre in their minds.
Approaching Security at Auderli
Right from my very first Auderli meeting with our founder Steve, we were talking about security being paramount. We agreed that we would continue to talk about it regularly, we would recruit people into our team with a security mindset and we would deliver on the product’s security requirements with equal importance compared to the more exciting user-facing features of the product.
Every day, I try to think about Auderli from the perspective of an end user, rather than just from the perspective of a member of the team. This helps me to have empathy with all our users and in particular, any concerns they may have about the security of their information. I’m pleased to say that I’m more than happy to hold a real Auderli account!
Our Security Protocols
As a team, we discuss the security implications of new features right from the outset. Everyone is part of this conversation. We do not exclude anyone, as we believe the more of us who talk about it, the stronger our product will be.
Security requirements are captured alongside everything else and delivered together. There is a term in our industry called “shift left”, which refers to those things which traditionally may have been done late in the day (i.e. to the right). Now we shift them to the left - earlier in our overall process - to ensure quality from the outset as opposed to afterthoughts. This is what we do at Auderli.
For the techies amongst you, our systems are built with the latest and greatest security technology baked in. Everything from end-to-end 256-bit enhanced encryption for data in transit and at rest, to multi-factor authentication and passwordless login.
We also automate certain aspects of our security testing. We have automatic scanning of our systems, every time code is changed, to detect any potential vulnerabilities as early as possible, meaning any risk to our users is massively reduced.
The Fight against Hacking
I’ll be totally honest – in the world we live in today, it is not possible for the maintainers of any system to offer a 100% guarantee that they will never be hacked. It comes down to how seriously the company providing the product takes security. Is it usually an afterthought, or is it baked into everything they do? If the right decisions are made, then the risk will be minuscule.
There are certain behaviours which users can adopt to help too, such as enabling multi-factor authentication on their account. This one thing alone dramatically reduces the chance of somebody hacking your account by discovering your password. Of course, this doesn’t just apply to Auderli but to any website or app that you use, particularly banking.
One bold decision we made at Auderli was to avoid the use of passwords altogether. While this may sound a bit unusual (maybe even insecure!), it was based on a large amount of research and evidence that suggests that the use of passwords is the single biggest security risk faced by users. People often re-use exactly the same password across many different websites and apps, meaning if just one of those websites or apps is hacked, then all of them are at risk. There is a lot of research now which envisages a password-less future. Instead of passwords, we encourage other forms of authentication such as one-time numerical passcodes and authenticator apps. Auderli has all of these methods built in already, to help our users to follow the latest and greatest security advice. But no passwords.
Realistic about Risk
Whilst it’s right to be concerned about security, it’s very important to note that Auderli will never have the kind of access required to access your assets, liabilities and other financial products. We are all about helping you to consolidate the information on these products in one convenient place and there are many reasons you would want to do that. But we will never have the authority or the access to physically move money, for example.
We even go one step further: within our back-end systems, we physically separate what’s known as your personally identifiable information (PII) from other data about what’s contained in your financial portfolio. This means that nobody can make a connection between who you are (name, email address, etc.) and what you own (financial products). Only you can do that, by logging in to your Auderli account.
As a team, we recognise and embrace our responsibilities when it comes to the security of our users’ data. Just as we have always done, we will continue to treat security as being of the utmost importance, as if it were our own personal data.