Cybersecurity: Finances Digital Frontier

Joe McLaughlin, Chief Financial Officer, Austin Industries

In the construction industry, and at Austin Industries, the disciplines of both accounting and financial management face disruptions on several technological fronts. Yet, the most prevalent at our organization remains cybersecurity. As CFO, the security of our financial assets is my number one priority. Though we face many threats, we believe email protection and banking security are first and foremost in our cyber defense strategy.

 As our company has grown in recent years, we’ve expanded our digital footprint, implementing cloud-based solutions for dated manual processes and paper-based record keeping. As a result, our employee-owners, customers, and business partners alike have become accustomed to these new solutions. Trust in digital solutions has grown, and complacency has emerged as a new risk. Without consistent communication and education on the importance of cybersecurity, we risk exposing ourselves to threats simply not possible before the advent of cloud-based computing.

To enhance our approach, we’ve made important adjustments to company email and network security to keep phishing schemes from accessing our systems. 

 Email protection

At Austin, we’ve communicated extensively with our employeeowners on the dangers of email phishing schemes. We recognize that anyone within an organization, from senior management to college interns, may fall victim to a phishing scheme that puts the entire network at risk. It is critical that all employees know to exercise caution when opening and reviewing emails. All should look closely at the sender and contents of each email. All should use caution when clicking on embedded links and NEVER provide company credentials, user names, or passwords.

 At Austin, we flag all email that originates from outside our company, making it easy for employee-owners to know which messages are internal and which come from external entities. Many modern email clients have embedded cybersecurity and anti-phishing options to help  users identify and flag potentially harmful messages, and we encourage our people to take advantage of these tools. In our experience, the most potentially damaging phishing schemes have targeted ourpeople and led them to believe the message received is from within the organization and is urgent. This false sense of urgency is another technique to prompt users to make quick, less thoughtful decisions about whether to respond to an email message. Education is key to properly equip employees to recognize such phishing schemes. 

Austin flags each incoming email originating outside the company with an “EXT” tag, to make it instantly recognizable in our employee-owners’ inbox. We also use bright colors to mark such messages to make them stand apart from internal messages. As an added layer of safety, we identify harmful attachments before they reach the user’s inbox. We make a practice of reviewing all licensing and maintenance agreements for email client and server software to ensure we take advantage of all protections offered.

 Banking security

At Austin, we recognize there are times when the old tried-and-true methods work best. For banking security, verbal verification is an effective method to ensure banking inquiries and changes are legitimate. Take direct deposit as an example. We recommend establishing a company policy to contact employees by phone to confirm changes to direct deposit. If an organization allows electronic submission for payroll or direct deposit information, safeguards must be in place to ensure the requests are not fraudulent.

Personally, I have seen too many occasions when an organization becomes complacent on security practices or prioritizes speed over safety. Skipping a simple verification can cost the company when money is sent in error electronically. Doing so will likely cause a brief hardship for the employee when it is entirely avoidable.

 A similar verification process should be implemented for any changes to banking information for vendors. Flags or protections from modifications to vendor banking information should remain active at all times. Removal of these protections should only be activated when making approved changes. After approved changes are made, it’s important to restore the flags or protection to ensure continued account safety. In addition, verification procedures should be in place for any changes requested to a vendor’s contact or banking information. We recommend always contacting the finance department of the organization making the request, a reliable last line of defense against potential security breaches.

In fact, several SAS (software as a solution) providers put the liability of account information on the payee. Due to this, and because of the risk of electronic payment fraud, many companies have reverted to manual issuing of large checks if not being paid through a secure third-party SAS, a practice we recommend.

 Going a step further, at Austin we’ve implemented an added layer of security for our banking information that we learned from an industry peer. We stipulate contractually that any change to Austin’s banking information necessitates a change to our contract or, at a minimum, a formal change order. This protects us from imposters providing new banking information to customers who might unwittingly make payments to the fraudsters. This innovation requires all changes to be formally documented and establishes a clear process for managing our banking process.

Of course, these are just two examples of the cybersecurity threats that challenge Austin Industries and our peers in the construction industry. For all threats large and small, we believe in establishing robust security processes and creating consistent training and communication strategies to support them. While we may sacrifice some of the speed that today’s electronic and cloud-based solutions offer, the added security provided is well worth the added effort.