For a Modesto-area mid-market finance team, “secure document sharing” is not a file-transfer product — it is an ordered workflow that covers the PBC list going to your auditors, the diligence data room going to your banker, and the wire-approval packet that BEC scammers actively target every week. Five workflow controls close the most common leaks in a single quarter.
Last quarter, the controller at a 280-employee food and beverage processor on the Modesto industrial corridor called us in a panic. A thread titled “2025 audit PBC — REVISED” had been forwarded to a Gmail address two letters off from the outside CPA’s real domain. Inside were W-2s, the merchant card statements, and three months of ACH origination files. The CPA never received them. The Gmail account did not exist by Friday.
That call is why this post is not a generic “best practices” list. If your corporate finance department shares documents the way most teams do — over email, with a Dropbox link, via a personal OneDrive — you do not have a file-transfer problem. You have a workflow problem. Below is the real document flow at a mid-market finance department, the controls we layer onto it, and where Datapath’s Continuous Protection, Operational Stability, and Strategic Accountability services fit.
What the damage actually looks like in 2024 and 2025
The headline numbers tell you which workflow to fix first. Business email compromise (BEC) alone drove about $2.8 billion in reported losses across roughly 21,442 complaints to the FBI’s Internet Crime Complaint Center in 2024 1, on top of $16.6 billion in total reported cybercrime losses for the year 1. The ACFE’s Report to the Nations 2024 puts the median loss per occupational fraud case at $145,000, with financial statement fraud — the category sloppy audit-document handling invites — at $766,000 2.
A Tuesday in the Modesto finance office
The same week, the team was juggling four document streams:
- PBC list (auditors). A 180-item “Prepared-by-Client” list covering trial balances, bank confirmations, vendor contracts, payroll reports, and W-2s.
- Credit-line renewal data room (banker). Three years of tax returns, lease abstracts, capex schedules, and weekly ratio refreshes.
- ACH positive-pay and wire-approval packet. A $640,000 vendor payment plus a same-day wire to a new supplier, both in a reply-all approval thread.
- Board packet. Q1 financials, the audit committee charter, the cyber-insurance renewal, and the CEO’s KPI dashboard, needed Friday.
Each stream has a different audience, a different regulator behind that audience, and a different attacker pattern. And yet most teams run all four through the same inbox, the same personal OneDrive, and the same “send the link” shortcut. That is the workflow, and the workflow is the vulnerability.
“How do I stop sending PBC files over email?”
You do not stop by buying a portal; you stop by replacing the workflow. Most controllers we work with have tried a secure client portal in the last two years — Suralink, FileCloud, a CPA-branded SharePoint — and reverted to email within a quarter. The portal added a step without removing one. For the file-transfer-product layer most IT teams start with, see our related guide on what to require from IT for secure file transfer.
Here is the workflow we install:
1. Owner and cadence
The controller owns one calendar block per week — typically Monday morning — in which PBC items are reviewed, marked complete in the audit-firm’s PBC tool (Suralink, DataSnipper UpLink, AuditFile, or Karbon, depending on what the auditor is already using 3), or staged in a Datapath-managed secure workspace for the auditor’s portal. Exceptions get a peer review by a second finance staffer before they leave the building.
2. Channel by document class
We separate three document classes and assign a channel to each:
- Auditor-bound workpapers. Routed through the auditor’s PBC tool or a Datapath-managed secure workspace, never through a personal OneDrive.
- Banker-bound diligence materials. Routed through a virtual data room with named-user watermarks, view-only by default, and revocation at deal close.
- Wire approvals and ACH files. Routed through dual-approval workflow with an out-of-band phone verification for any new payee or new account, plus read-receipt and delivery logs.
Out-of-band verification of every new payee and every change to payment instructions, over a phone number you already hold rather than one supplied in the email, is the FBI’s standing recommendation for BEC 4.
3. Retention and audit evidence
Every document class ships with a retention period and an evidence trail. The auditor-bound workpapers roll into the audit binder. The banker-bound files expire with the deal. The wire approvals live in the journal-entry system. The board packets land in a Datapath-managed encrypted archive with named-user access, not in the CEO’s personal Gmail.
“What’s the smallest set of controls that actually move the needle?”
This is the second-call question every CFO asks, because boards are tired of buying tools that sit on the shelf. The five controls that close the largest share of finance-document leaks:
- Identity-bound sharing, not link-bound sharing. Stop distributing “anyone-with-the-link” URLs; every external audience gets a named identity with MFA, ideally through the existing Microsoft Entra tenant under our Continuous Protection stack.
- Sensitivity-labeled attachments. Microsoft Purview sensitivity labels can encrypt a single email attachment so it is unreadable outside the named recipients, with rights that auto-expire 5. The protection travels with the file, so a copy forwarded to the wrong address is still unreadable there, and an outside recipient has to authenticate before it opens. This replaces most “send the auditor a link” behavior with something audit-ready by default.
- Out-of-band verification on every new payee and every wire-instruction change. The FBI’s BEC playbook says it. So do we. So will your banker. Make it a written procedure, not a Slack reminder.
- A dedicated, watermarked data room for any transaction. Credit-line renewal, sale, or tax-attribute study — do not stage diligence in a shared folder.
- A named Datapath lead, not a ticketing queue. The difference between a near-miss and an eight-figure breach is a phone call to a person who already has context.
If you install only those five, you will not have solved every leak in a corporate finance department, but you will have closed the categories the FBI and ACFE are tracking.
What about the audit data room and the banker’s box?
Most of the document-sharing pain in mid-market finance is actually data-room pain. A Modesto or Merced processor renewing a $20M revolving credit line will push three years of returns, contracts, lease abstracts, and a capex schedule into a banker-managed folder over a four-to-six-week window. The same data set also feeds the year-end audit and the cyber-insurance questionnaire — three audiences, three windows, three governance postures.
We treat the data room as a workflow, not a folder:
- The CFO designates one Datapath data-room owner per deal.
- Documents carry recipient + access-date watermarks.
- View-only is the default; per-document download requires a logged reason.
- Expiry is hard-coded: the room closes at deal execution or audit sign-off, whichever is later, with rights auto-revoked.
- A signed evidence package is delivered to the GC, the audit committee chair, and the controller at close.
This is the pattern our Operational Stability service runs every quarter for clients in regulated verticals. For the data room itself, we lean on the same secure-workspace tooling we already manage under Continuous Protection so the CFO is not buying a separate unbudgeted license.
The wire-approval packet is the highest-value target
The dollars in the numbers above trace back, most often, to one document: the wire-approval email. The Modesto story nearly became a wire story — the second part of that week was a new-payee vendor payment for $214,000 the controller caught by calling the requesting vendor on a known phone number. The email thread looked legitimate; the sender was a real employee whose mailbox had been compromised two weeks earlier.
Here is the working table we use when we walk a finance team through the wire workflow, and which control catches which leak.
| Workflow step | Where it most often leaks | Control we install | Tool category |
|---|---|---|---|
| Vendor master file update | Typo-squatting domain in the “new bank details” email | Out-of-band phone verification on every change | Verified callback procedure + auditable log |
| Wire approval email thread | Reply-all compromise, account-takeover of CFO mailbox | Named-identity MFA, no link-based forwarding | Microsoft Entra ID + Purview sensitivity labels 5 |
| ACH origination file emailed to bank | Misdirected reply to a look-alike domain | Direct upload to the bank’s portal or an SFTP drop the bank provides, never email | Bank-portal upload or secure MFT |
| PBC list cycle | Document attached to a thread the sender later realizes went to the wrong domain | Auditor’s PBC tool (Suralink, UpLink, AuditFile) is the only approved outbound channel | PBC platform 3 |
| Diligence demand from banker or PE buyer | Generic link accidentally shared with the wrong counterparty | Watermarked virtual data room with named users | Virtual data room |
| Board packet distribution | Stolen personal-device login on a director’s Gmail | Forced MFA on every reader, device-posture check, audit-trail logging | Conditional-access + audit retention |
After the table, the operational question is always the same: which row is the largest dollar exposure in your shop this quarter? For most mid-market finance departments, it is the wire-approval email.
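The two leaks the table keeps returning to, a look-alike domain in a vendor or CPA thread and a free-mail address standing in for a counterparty, are cheap to screen for before a message ever leaves the finance mailbox. The following is an added example, not Datapath’s tooling and not code from the original post: a small Python screen that checks every address on a message against a counterparty list, flags edit-distance look-alikes, free-mail domains and real domains buried inside an attacker-controlled one, and holds the message outright when the subject concerns money movement or workpapers. The company domain, counterparty list, free-mail list and sample messages are all constructed for illustration.

```python
"""Look-alike counterparty domain screen for finance mail (added example, not
Datapath's tooling). Every domain and message here is constructed."""
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Constructed: the company's own domain and the counterparties finance expects.
OWN_DOMAIN = "fbprocessor.example"
KNOWN_COUNTERPARTY_DOMAINS = {"example-cpa.com", "valleybank.example", "supplier.example"}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
# Money-movement or workpaper subjects get the stricter policy (word-bounded match).
HIGH_RISK_PATTERN = re.compile(r"\b(wire|ach|bank details|remittance|pbc|w-2)\b", re.I)
LOOKALIKE_MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass(frozen=True)
class Finding:
    address: str
    severity: str  # "block": hold the message; "review": needs a human look
    reason: str


def domain_of(address: str) -> str:
    """Domain of a header address: 'Jane <jane@x.com>' -> 'x.com'."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_domain(domain: str) -> Optional[Tuple[str, str]]:
    """(severity, reason) for a suspicious domain, or None if it is expected."""
    if domain == OWN_DOMAIN or domain.endswith("." + OWN_DOMAIN):
        return None
    known_domains = sorted(KNOWN_COUNTERPARTY_DOMAINS)
    for known in known_domains:
        if domain == known or domain.endswith("." + known):
            return None  # the real domain or one of its own subdomains
    if domain in FREE_MAIL_DOMAINS:
        return ("review", "free-mail domain used for a counterparty")
    for known in known_domains:  # e.g. example-cpa.com.attacker.net
        if known in domain:
            return ("block", f"embeds known domain {known} inside another domain")
    for known in known_domains:  # e.g. examp1e-cpa.com
        dist = levenshtein(domain, known)
        if dist <= LOOKALIKE_MAX_DISTANCE:
            return ("block", f"look-alike of {known} (edit distance {dist})")
    return ("review", "external domain not on the counterparty list")


def triage_message(headers: Dict[str, str]) -> List[Finding]:
    """Check every From/To/Cc address; unknown domains become blocks on risky subjects."""
    risky = HIGH_RISK_PATTERN.search(headers.get("Subject", "")) is not None
    findings: List[Finding] = []
    for field in ("From", "To", "Cc"):
        for raw in headers.get(field, "").split(","):
            raw = raw.strip()
            verdict = classify_domain(domain_of(raw)) if raw else None
            if verdict is None:
                continue
            severity, reason = verdict
            if risky and severity == "review":
                severity = "block"
            findings.append(Finding(raw, severity, reason))
    return findings


def should_hold(headers: Dict[str, str]) -> bool:
    return any(f.severity == "block" for f in triage_message(headers))


# Constructed sample messages modelled on the incidents described in the post.
SAMPLE_MESSAGES = [
    {"From": "controller@fbprocessor.example", "To": "Audit Team <pbc@examp1e-cpa.com>",
     "Subject": "2025 audit PBC - REVISED"},
    {"From": "ap@supplier-payments.net", "To": "ap@fbprocessor.example",
     "Subject": "Updated bank details for remittance"},
    {"From": "cfo@fbprocessor.example", "To": "board.member@gmail.com, gc@fbprocessor.example",
     "Subject": "Q1 board packet"},
    {"From": "controller@fbprocessor.example", "To": "lender@valleybank.example",
     "Subject": "Covenant ratio refresh"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(("HOLD" if should_hold(msg) else "ok  "), repr(msg["Subject"]))
        for f in triage_message(msg):
            print(f"      {f.severity}: {f.address} -> {f.reason}")
```

The first sample is held because the CPA domain is one character off the real one; the second is held because an unlisted domain is asking to change bank details; the third only gets a review flag for the Gmail director, which is where a human applies the named-identity rule; the fourth passes. The list of known domains is the piece that has to be maintained, which is why the post ties this check to a named owner rather than a mail rule nobody revisits.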
Where Datapath fits in your finance workflow
Datapath is a California-headquartered managed IT and cybersecurity firm with offices in Modesto, Fresno, Dublin, and Irvine, serving K-12, healthcare, local government, finance and credit unions, and mid-market businesses of roughly 100+ employees. Conversations with finance teams feeling this pressure usually start one of three ways:
- A one-hour workflow review with a Datapath vCIO and your controller, mapping the four document streams to the controls you already own.
- A focused engagement under Strategic Accountability to install sensitivity labels, PBC channels, and a named data-room owner before the next audit cycle.
- A broader Managed Services path if the workflow gaps are symptoms of wider IT technical debt.
The thing we will not sell you is a file-transfer product and call it done. We will help you buy back a workflow your controller can actually run on a Tuesday in November, with the audit binder half-full and three wires waiting.
If you would rather walk a finance workflow through this lens with us, reach out and we will route the call to the team closest to your office — our Modesto HQ serving the Central Valley, our Dublin office across Ohio, or our Irvine office in Southern California.
A short checklist for the next 30 days
If you only have one quarter to harden document sharing in the finance department, here is the order we run it:
- Identify the four streams (auditor PBC, banker diligence, wire approvals, board packets) and assign one named owner per stream.
- Replace “anyone-with-the-link” shares with named-identity MFA on every external audience.
- Route PBC exchange through the auditor’s PBC platform; do not freelance it in email 3.
- Stand up a watermarked, view-only virtual data room for any active transaction.
- Write the dual-approval + out-of-band verification procedure for wires into your controller’s desk manual this month.
That checklist — and the workflow behind it — is the difference between a Modesto-area finance team that hears about BEC on the news and one that has already engineered the leak closed.