July - 2021 | CONSTRUCTIONTECHREVIEW.COM | 9

which come from external entities. Many modern email clients have embedded cybersecurity and anti-phishing options to help users identify and flag potentially harmful messages, and we encourage our people to take advantage of these tools. In our experience, the most potentially damaging phishing schemes have targeted our people and led them to believe the message received is from within the organization and is urgent. This false sense of urgency is another technique to prompt users to make quick, less thoughtful decisions about whether to respond to an email message. Education is key to properly equip employees to recognize such phishing schemes.

Austin flags each incoming email originating outside the company with an "EXT" tag, to make it instantly recognizable in our employee-owners' inbox. We also use bright colors to mark such messages to make them stand apart from internal messages. As an added layer of safety, we identify harmful attachments before they reach the user's inbox. We make a practice of reviewing all licensing and maintenance agreements for email client and server software to ensure we take advantage of all protections offered.

Banking security

At Austin, we recognize there are times when the old tried-and-true methods work best. For banking security, verbal verification is an effective method to ensure banking inquiries and changes are legitimate. Take direct deposit as an example. We recommend establishing a company policy to contact employees by phone to confirm changes to direct deposit. If an organization allows electronic submission for payroll or direct deposit information, safeguards must be in place to ensure the requests are not fraudulent.

Joe McLaughlin

Personally, I have seen too many occasions when an organization becomes complacent on security practices or prioritizes speed over safety. Skipping a simple verification can cost the company when money is sent in error electronically. Doing so will likely cause a brief hardship for the employee when it is entirely avoidable.

A similar verification process should be implemented for any changes to banking information for vendors. Flags or protections from modifications to vendor banking information should remain active at all times. Removal of these protections should only be activated when making approved changes. After approved changes are made, it's important to restore the flags or protection to ensure continued account safety. In addition, verification procedures should be in place for any changes requested to a vendor's contact or banking information. We recommend always contacting the finance department of the organization making the request, a reliable last line of defense against potential security breaches.

In fact, several SAS (software as a solution) providers put the liability of account information on the payee. Due to this, and because of the risk of electronic payment fraud, many companies have reverted to manual issuing of large checks if not being paid through a secure third-party SAS, a practice we recommend.

Going a step further, at Austin we've implemented an added layer of security for our banking information that we learned from an industry peer. We stipulate contractually that any change to Austin's banking information necessitates a change to our contract or, at a minimum, a formal change order. This protects us from imposters providing new banking information to customers who might unwittingly make payments to the fraudsters. This innovation requires all changes to be formally documented and establishes a clear process for managing our banking process.

Of course, these are just two examples of the cybersecurity threats that challenge Austin Industries and our peers in the construction industry. For all threats large and small, we believe in establishing robust security processes and creating consistent training and communication strategies to support them. While we may sacrifice some of the speed that today's electronic and cloud-based solutions offer, the added security provided is well worth the added effort.