October 2018 Newsletter
What we’re talking about in October:
- It’s Halloween, so we are talking about truly scary stuff – cyberattacks!
- LAI website attacks and email cyber threats
- Ruth S. tells you how you can protect your Sage software
- ICYMI: Ledgerwood has a You Tube channel for YOU
- Awesome ‘Tips and Tricks’ for Sage 300 CRE | Sage 100 CON | Sage Estimating
Is your Construction company at risk of a cyberattack?
by Joanie Hollabaugh, Sr. Director of Marketing
Absolutely, yes — it’s ubiquitous!
According to Wikipedia:
In computers and computer networks an attack is any attempt to expose, alter, disable, destroy, steal or gain unauthorized access to or make unauthorized use of an Asset. A cyberattack is any type of offensive maneuver that targets computer information systems, infrastructures, computer networks, or personal computer devices. Depending on context, cyberattacks can be labelled as a cyber campaign, cyberwarfare or cyberterrorism. A cyberattack can be employed by nation-states, individuals, groups, society or organizations. A cyberattack may originate from an anonymous source.
Ledgerwood website under attack
Sadly, I recently informed the Ledgerwoods that, it’s no longer a matter of ‘if’ our website would get hacked — but when. We are constantly being crawled by Russian bots, American bots, and random attempts to log into our admin page DAILY. Take into account that the LAI site is considered a ‘brochure site,’ with no shopping cart or credit card transactions, no personal data collection (short of the newsletter sign up option); no paid SEO (Google Adwords) to rank up visits (so, relatively low traffic) — yet it’s always under attack from multiple entities.
I receive notices like this every morning (imagine how many attacks “big” websites like Google or Wikipedia would get):
As the marketing director, a major part of my responsibilities includes safeguarding the internet identity and assets of LAI. I monitor the site constantly (via automation plugs ins and third-party contracts) to prevent what seems inevitable. It’s truly a battle against brains far more technical than mine. My advice is to layer your security programs and services to cover every scenario.
How they attack
Via your website
Malware deployed by hackers can hold your website hostage unless you pay a “ransom.” This is a tricky situation, because timing is everything, especially if your site has a user portal or performs financial transactions. (I highly recommend NOT paying it; start planning a strategy for that situation NOW.)
Through personal email
According to CyberArk CMO, John Worrall,* phishing emails accounts for 90% of cyberattacks. These seemingly ‘legit’ emails encourage users to click a link which will either give them access to the recipient’s system or ask for credentials to gain personal data or financial accounts.
Now, this phishing ploy seems obvious, until you see a notice from your bank or a major vendor. On a personal note, I recently received an email notice from Wells Fargo (below) that looked 100% authentic. Luckily, my “spidey sense” kicked in, and I didn’t click on it. Later, I remembered that WF is linked to my personal email and not to my work account. I logged into WF and confirmed that my personal email was the single account linked; plus I checked the account numeric string and discovered it was a bogus account number.
To me, this looks EXACTLY like a WF notice. It even has a fraud link! I received the same email the next day, with a different four-number string after the XXXXXXXX’s. Again, it’s not an account of mine. For someone who is more paranoid than cautious about cyber threats, they almost fooled me. Scary stuff! (I did report it to WF’s fraud division.)
Why your small construction company isn’t safe
Cyberattacks don’t happen just at larger construction companies. Small and mid-sizes businesses generally don’t have robust security policies or insurance. This makes the SMB companies ‘low-hanging fruit.’ Less effort, with generally better results. They are looking for YOUR proprietary data including designs, bid info, pricing on materials or equipment, or again, private information on employees.
Ways to combat:
- Always make sure that your SERVER and HARD DRIVE are BACKED UP
- Use strong login passwords that mix upper and lowercase with numbers and symbols
- Caution employees (put it your handbook or employee manual) NOT to CLICK LINKS on emails unless they are 100% trustworthy
- Remember to check the actual email account, not just the ‘from’ header. Even though the branding may look authentic, the sender can be identified by the fraudulent email sender.
- Safeguard your website as well:
- Set up daily scans
- Add multiple layers of security (settings in your hosting account, plugins, etc.)
- Have health checks installed and operating
- Use two-factor verifications for admin level account log-ins
- Purchase and install an SSL certificate (google is now blocking sites without them now — deeming them ‘unsafe’)
Move to the Cloud
This may seem counter-intuitive, as keeping your business identity and assets ‘close to the vest’ may seem safer that putting it “out there.” However, consider that the safeguards that cloud-hosting entities put into place will far outreach your spending or your technical understanding and capabilities. Our hosting partner, Swizznet, assures that they have 99.95% network uptime, with “anti-ransomware, cutting-edge technology to secure your cloud hosted accounting service data.” Soon, LAI will be totally on the Swizznet cloud. This is a reputable, trustworthy company which Tony Merry fully vetted before bringing to LAI and Sage — read about it HERE. If you want to learn more, click the button below.
Lastly, protect your company with scheduled security audits, and clearly communicated email policies. Use server firewalls, ad blockers, spam filters and other tools that will help to protect your assets. If you don’t have the internal resources, outsource it. Many services charge reasonable monthly fees to monitor your website. I use SiteLock for the LAI website and have been happy with their service and response time.
You can never use too much caution! It’s scary out there…
*Citations and more resources
Safeguard your Sage software from cyber threats
by Ruth Stockdale, Director of Professional Services
Borrow from the ‘biggies’ when it comes to cybersecurity
Cybersecurity is a significant priority for everyone these days. It can also be a complex and confusing issue. Like many business problems, the best way to start is with an overall strategy. Googling “cybersecurity” produces some interesting information about the variety of strategies. Organizations such as Microsoft, Department of Homeland Security, various municipal authorities, AT&T — all have defined strategy frameworks from which you can borrow.
YOU are a ‘soft target!’
What these frameworks have in common is a definition of separate areas for which to plan. Preventing attacks, protecting data, and minimizing the potential damage in case of an attack are typical areas to consider. It is also important to understand that attacks may now target people more often than just systems. People are soft targets and can innocently cooperate with an outsider by responding to phishing e-mails and phone calls. Providing login and passwords to a supposed IT person and transferring money to an outside bank based on an e-mail that seems to be from the CEO’s address —both are real-life examples of successful attacks using innocent participants.
Ruth’s tips for prevention
Securing your Sage software needs to part of your strategy and we can help with that. Here are some tips about what to do and what you can expect from us:
Utilize the permissions options in Sage aggressively and keep them current
Your software has operator IDs, task and role permissions and passwords—this is in addition to your network and workstation logins. Avoid “permission creep” when one operator inherits a position, login and possible access that was not intended for them.
Stay informed about what your IT providers do
This includes us — we work with your IT people to accommodate both the requirements of Sage software and their need to secure networks and workstations. Our consultants sometimes need access to your systems remotely to help you, but they also partner with IT to do this securely.
Backup, backup, backup!
Your systems should be totally backed up regularly and the backups should periodically be tested. The generations of backup should be deep enough — far enough back in time to recover in case of a ransomware attack or malware. We can advise your IT people about the specific backup requirements of Sage.
Use various alerts, within Sage and externally
This could include using MyAssistant, system logs, internal exception reports, alerts from your credit card company and banks. We can help with setup and report design for any of the Sage options, and we can help if you need a report or file upload for a bank feature such as Positive Pay.
Train your users
Make sure your people understand the risks. The phone call from an IT tech asking for password information? No IT person is likely to ask for a password, especially over the phone. The emergency e-mail that supposedly came from the CEO to transfer funds to an offshore bank immediately? It is unlikely any CEO would do that, and a true emergency would call for procedures other than an e-mail
Understand how LAI professional services operate
We will always double check with you to get authorization for any change in your contact information in our system. Our consultants will always confirm authorization for any changes to your system. If an e-mail from you looks suspicious, we will call to double check it–your address may have been compromised. Please do the same with e-mails from any of us.
If you have any questions or concerns about any aspect of cyber security, please ask your consultant or call us. We can provide you information directly related to your Sage applications or refer you to an appropriate resource. We all want to prevent cyber attacks if possible and mitigate damage if they do occur.
Have you checked out the LAI You Tube channel?
We are all about giving you training resources, new Sage product enhancements or versions, and information on integration business solutions. So, we put all of our good stuff up on You Tube! SUBSCRIBE HERE.
Worth your time watching:Love construction but hate timekeeping? Watch hh2 Remote payroll webinar
- Say good bye to data entry! Check out: Eliminate data entry with Core Cloud Services
- Interested in the new SQL version of Sage Estimating? Tony Merry walks you through it here: Estimating SQL Webinar
- Looking for a cloud hosted solution? We love Swizznet, and here’s why: An Exclusive Look at LAI’s Success with Sage CRE + Swizznet
- Job based accounting. That’s the difference: QuickBooks CAN’T but Sage 100 Con CAN
- And yes, we love to help you with Year End! Here’s Kyle Z.’s “cheatsheet” for Sage 300 CRE: Year End Preparation Checklist
If you like what you’ve seen, let us know with a ‘thumbs up’ and hit the ‘share’ button to help promote us on social media. That way, we’ll know you’re watching, and we will keep adding content that’s relevant to YOU!
Follow LAI on Social Media for current construction and technology news!
Upcoming LAI Online Training and Networking Events:
Qualified Business Income (QBI) deduction regulations
Submitted by Bryan Eto, CPA BeachFleischman
The IRS has finally issued eagerly awaited regulations addressing the new deduction for up to 20% of qualified business income (QBI) from pass-through entities. The QBI deduction was a major piece of the Tax Cuts and Jobs Act, which was signed into law last December.
The deduction is available to eligible owners of pass-through entities for tax years beginning in 2018 through 2025. The deduction will sunset after 2025 unless Congress extends it.
For QBI deduction purposes, the term “pass-through” entities refers to:
- Sole proprietorships,
- Single-member (one owner) limited liability companies (LLCs) that are treated as sole proprietorships for tax purposes,
- LLCs that are treated as partnerships for tax purposes, and
- S corporations.
The QBI deduction is only available to individuals, estates and trusts with income from eligible pass-through entities. The new proposed regs refer to all three as “individuals.” We will follow that terminology to stay consistent with the proposed regs.
In defining what constitutes a business for QBI deduction eligibility purposes, the IRS references Section 162 of the Internal Revenue Code. Unfortunately, this section of the tax code doesn’t explicitly define the terms “trade” or “business.” However, case law and administrative guidance based on Sec. 162 generally characterize a trade or business as an activity engaged in with continuity and regularity — and with an income or profit motive. Rather than relying on bright-line rules, Sec. 162 identifies a trade or business based on an examination of the facts in each case.
At this time, it’s still not entirely clear when a rental activity can qualify as a Sec. 162 trade or business for QBI deduction purposes. That said, the proposed regs specify that a rental activity can qualify as a trade or business under a special exception: When the rental or licensing of tangible or intangible property doesn’t rise to the level of a Sec. 162 trade or business, the rental or licensing activity is still treated as a trade or business for QBI deduction purposes — if the property is rented or licensed to a trade or business that’s commonly controlled.
For example, the common-control exception would apply when an individual owns a single-member LLC that owns an intangible asset and licenses it to a corporation that’s owned at least 50% by the same individual. The single-member LLC’s licensing income would count as QBI that’s passed through to the LLC’s owner. (This assumes the single-member LLC is treated as the owner’s sole proprietorship for tax purposes.)
When final QBI regs are issued, they may include safe-harbor rules that taxpayers can rely on for classifying activities as businesses (or not) for QBI deduction purposes.
Income from the trade or business of being an employee doesn’t count as QBI. Reasonable salary received by an S corporation shareholder-employee and guaranteed payments received by a partner (or an LLC member treated as a partner for tax purposes) for services rendered to a partnership (LLC) are also excluded from QBI.
Close-Up on Limitations
If you’ve read previous articles on the QBI deduction, you already know that the deduction is subject to numerous rules and limitations. The limitations begin to phase in when the individual’s taxable income (calculated before any QBI deduction) exceeds $157,500, or $315,000 for married people who file jointly.
The limitations are fully phased in once taxable income exceeds $207,500 for unmarried people, or $415,000 for married people who file jointly. After it’s fully phased in, the QBI deduction is limited to the greater of:
- The individual’s share of 50% of W-2 wages paid to employees and properly allocable to QBI during the tax year, or
- The sum of the individual’s share of 25% of such W-2 wages plus the individual’s share of 2.5% of the unadjusted basis immediately after acquisition (UBIA) of qualified property.
The QBI deduction can never exceed the lesser of:
- 20% of QBI, or
- 20% of the individual’s taxable income calculated before 1) any QBI deduction, and 2) any net capital gain amount (net long-term capital gains in excess of net short-term capital losses plus qualified dividends).
The proposed regs explain how to calculate a business’s W-2 wages for purposes of applying the QBI deduction limitations. A business’s UBIA of qualified property generally equals the original cost. Qualified property means depreciable tangible property (including real estate) that:
- Is owned by a qualified business as of its tax year end,
- Is used by that business at any point during the tax year for the production of QBI, and
- Hasn’t reached the end of its depreciable period by the tax year end.
By aggregating (combining) businesses, an individual with taxable income that’s high enough to be affected by the limitations based on W-2 wages and the UBIA of qualified property may be able to claim a bigger QBI deduction than if the businesses were considered separately.
For instance, say a high-income individual owns an interest in a business with substantial QBI but little or no W-2 wages and an interest in a second business with minimal QBI but significant W-2 wages. Aggregating the two businesses can result in a higher QBI deduction than if the deduction were separately calculated for each business based on that business’s W-2 wages and UBIA of qualified property.
The proposed regs set forth tests to determine whether the aggregation of businesses is allowed. The rules for aggregating businesses for purposes of the QBI deduction are notrelated, in any way, to how they might be aggregated for other tax-law purposes (such as the passive activity loss rules) and vice versa.
Service Trades or Businesses
Under the proposed regs, a specified service trade or business (SSTB) can’t be aggregated with any other business. Status as an SSTB (or not) is important, because QBI deductions based on SSTB income begin to be phased out when an owner’s taxable income (calculated before any QBI deduction) exceeds $157,500, or $315,000 for a married couple who files jointly. Phaseout is complete when taxable income exceeds $207,500, or $415,000 for a married couple who files jointly. At that point, no QBI deduction based on SSTB income is allowed.
The term “SSTB” refers to any trade or business involving the performance of services in one or more of the following fields:
- Accounting (and actuarial science),
- Financial, brokerage, investing, and investment management services,
- Investment trading,
- Dealing in securities, partnership interests, or commodities,
- Athletics and performing arts, and
- Any trade or business where the principal asset is the reputation or skill of one or more of its employees or owners.
Before the proposed regs were released, there was concern that the last item on the list could snare unsuspecting businesses, such as restaurants with well-known chefs. Fortunately, the proposed regs limit the definition to trades or businesses that receive fees, compensation, or other income for:
- Endorsing products or services,
- Using an individual’s image, likeness, name, signature, voice, trademark or any other symbol associated with that individual’s identity, and/or
- Appearing at an event or on a media format (such as a radio or television appearance).
Note: Architecture and engineering firms aren’t considered SSTBs.
The proposed guidance also includes an antiabuse rule intended to prevent service business owners from separating out parts of what would otherwise be an integrated SSTB, such as an optometry practice’s retail sales of vision-care items, to make income from the separated (nonservice) segment eligible for the QBI deduction.
This article only scratches the surface of the proposed regs. Your tax advisor can help you sort through the details to get the most from the QBI deduction based on your specific circumstances.
Consult with your accounting, finance, and tax professionals who are familiar with construction best practices. This will make your life easier down the road as well as more profitable.
Beach Fleischman 2201 E. Camelback Rd. Phoenix, AZ 85016 | 602.265.7011 | http://beachfleischman.com | twitter: @BeachFleischman
Sage 100 CON V21.2 will help you clean up files
by Pam Schulz, Sage Certified Consultant
New features will declutter your system for Year End
It’s a good time to do some clean-up and preparation for year end. New program enhancements in Version 21.2 will help, going WAY beyond what was possible before!
Do you have “duplicate” vendors or clients? Now you can “merge” their records:
- The Vendor Setup screen (4-4) and the Client Setup screen (3-6) have new options to MERGE records. The invoices and other associated records will be combined into one record, and the other record will be made inactive. Do this NOW- a little spent now is better than getting an error message for a duplicate vendor when you are trying to meet a 1099 deadline.
Do you have General Ledger accounts or Cost Codes that need to be phased out? Use the “Inactive Record” feature to eliminate these choices from the pull down menus so users stop posting to these items and they can then be deleted after archiving.
- To label a Cost Code as “inactive,” note the column in the Cost Code setup screen (option 6-5.) To label a General Ledger account as inactive, see the “Edit>Inactive Record” option in the General Ledger account setup screen (option 1-7). Inactive records do not show up in lookup windows — force users to stop using inactive records NOW so you can ultimately delete the unwanted record sooner. (Some records are just “pesky” — you can’t delete them, like System required accounts — but labeling them as inactive will remove their clutter.
Update your security setup
New choices available:
- New Security options allow you to designate the users allowed to use the “Exclusive Access” option to log in. This option, along with the “Administrative Rights” option are now visible only to users who have been granted the right. While some may not think of your nightly backup as “Security,” it is an important component to the safety of your data. New options now allow the nightly backup to be copied to an alternate location to allow even better data protection.
Update your Vendor Certificates and take advantage of the new JOB SPECIFIC Vendor Certificates
- You can now track Vendor Certificates by job in addition to the “general” tracking. This is a great time to update all vendor files — not just with the Job Specific security, but also with new W-9 and address verification information. Don’t wait until January. You can easily set up a W-9 as a certificate and enact all of the expired warnings that go along with this — to make sure you get your updated W-9 by year end.
Update Employee Information- plus view the Raise History!
In addition to the program tracking future raises, you can “backfill” prior information
- Updating employee information now will save having to change addresses when you are busy with W-2s. You can now do ‘more’ in this screen. The Raise History button opens to show raises that occur — you can backfill history as desired. In addition, the new “Custom Fields” option allows the creation of unlimited custom fields in many screens; use this to add fields like T-Shirt sizes, etc. Don’t forget to update employee’s training and licenses, and create ALERTS to be notified when critical expirations are pending.
A little time spent now will surely pay off many times over! Take care of this easy cleanup now, so you can focus better later.
Need help implementing your software? It’s ‘no big deal’ getting support from LAI — just click the form below.
How to Create a File Tools Backup in Sage 300 CRE
by Kyle Zeigler, Sage Senior Certified Consultant
Backing up your Sage 300 CRE accounting data is critical to mitigating the risk of data loss. While you no doubt are having your data backed up nightly by a third-party backup process, the only Sage-supported method for backing up your accounting data is through the use of File Tools.
To back up your data using File Tools:
- In Sage Desktop, launch File Tools from Common Tasks > Tools and leave the selection at the default Backup.
- Click Next.
- Select the folder or files to back up:
- To back up the entire data folder from which File Tools was launched, select Add Folder and click OK (no need to navigate to the folder – the folder from which File Tools was launched will be automatically selected).
- To back up individual files, such as the General Ledger or Job Cost master files, click Add Files. You will be presented with the files present in the data folder from which File Tools was launched. Select the desired file(s) to back up and click Open.
- Confirm that the appropriate data folder or file has been selected.
- Click Next.
- Click the Browse button to select a destination. NOTE: Do not store your backups on your server or in your Sage 300 CRE data folder. If you experience a catastrophic failure of your server, your backups will be lost. Instead, create a folder on your local computer or store backups on an external drive.
- Enter an archive name for the backup and click the Append button to add the date/time stamp to the name.
- Click Next. Note that File Tools will complete the following checks:
- Validate files – this will let you know if any potential data corruption is identified in the files you are backing up.
- Check for files that might be overwritten – adding the date/time stamp to your backup will prevent this.
- Ensure files are not in use – files in use will not be backed up. It is best to ask all users to exit Sage 300 CRE prior to beginning the backup. However, if files are in use, you can ask other users to exit the software and then click the Back button and Next button again to refresh the checks.
- Verify space is available for the operation – the .tszip2 file that is created will have a maximum size of about 2 GB.
- Click Next. The list of files to be backed up will be presented. Files can be selected to be skipped at this point if desired.
- Click Next two more times to begin the execution of the backup.
- When the backup has completed, confirm that the Operation Journal reports that the operation was successfully completed.
If you have questions about customizing your Sage 300 CRE software or would like assistance, please call 480.423.8300, or click below:
Still not on Estimating 18.11?
by Renee Mullen, Sage Marketing Manager
Recap of what is new in this SQL version
Highlights of version 18.11 include:
- Improved sort sequences and item sequences
- Improved spreadsheet layouts
- Metric unit conversions
- Ability to copy standard databases and address books
- Improved Report Manager
Version 18.11 also includes several additional enhancements and fixes. For detailed information about all the new features and fixes in this release, see the Release Notes.
Note: Depending on your purchase agreement, some features described here or in the Release Notes may not be available in your product.
Questions? Chat with Sage Monday through Friday, from 9 a.m.–8 p.m. ET.
Join the conversation at Sage City. Available 24/7, the online community is your gateway to many Sage resources.