October 2012 Patch Tuesday: One critical bulletin expected

Microsoft's October 2012 Patch Tuesday release will include seven bulletins, one deemed critical and six as important, affecting Microsoft Office, Microsoft Server Software, Microsoft Lync, Microsoft Windows and Microsoft SQL Server.

According to a Microsoft blog post, as expected, the patch release will also address the vulnerabilities affecting Microsoft Exchange and FAST Search Server 2010, and will require RSA key lengths to be at least 1,024 bits.

Bulletin 1, classed as "critical," addresses a remote code-execution threat in Microsoft Office and Microsoft Server Software. Applying the patch may require a restart. The specific programs to which bulletin 1 applies include Microsoft Office 2003 Service Pack 3, Microsoft Word Viewer, Microsoft Office Compatibility Pack Service Packs 2 and 3, and Microsoft Office 2007 Service Packs 2 and 3.

"We recommend being alert for the first Bulletin and prepare for a fast roll-out of that update," said Wolfgang Kandek, chief technology officer at Redwood City, Calif.-based Qualys Inc. in a statement.

The remaining bulletins all have an "important" rating:

  • Bulletins 2 and 4 also address remote code-execution threats in Microsoft Office and Microsoft Server Software, and may require a restart.
  • Bulletins 3, 5 and 7 target elevation of privilege issues in Microsoft Office, Microsoft Server Software, Microsoft Lync, Microsoft Windows and Microsoft SQL Server.
  • Bulletin 5 requires a restart, while bulletins 3 and 7 may require a restart.
  • Finally, bulletin 6 requires a restart and fixes a vulnerability that could allow for denial of service through Microsoft Windows.

Security Advisory 2737111 addresses the vulnerabilities affecting Microsoft Exchange and FAST Search Server 2010 for SharePoint Parsing, which could allow remote code execution. The vulnerabilities originated in third-party code, specifically Oracle Outside In code libraries.

Security Advisory 2661254 restricts the use of certificates with RSA keys less than 1,024 bits in length. The change comes in response to the recent Flame malware, which used fake Microsoft certificates to disguise malicious files. Once applied, the update will prevent Internet Explorer from connecting to websites using RSA certificates unless they contain at least 1,024 bits.
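Before rolling out an update like this, a practitioner wants to know which of their own certificates will stop working. The following stdlib-only Python audit is an added example (it is not from the article, from Microsoft, or from Qualys): it parses the DER-encoded SubjectPublicKeyInfo that a certificate carries, reads the RSA modulus, and flags any key shorter than the 1,024-bit minimum the advisory enforces. The sample keys, the `make_rsa_spki` helper that builds them, and the certificate names are constructed for the demonstration; the moduli are synthetic numbers of the right size, not real key pairs.

```python
"""Audit DER SubjectPublicKeyInfo blobs for RSA moduli below a minimum bit length.

Added example: a minimal DER reader/writer for the RSA public-key structures
used in X.509 certificates. The keys below are constructed test data.
"""

MIN_RSA_BITS = 1024                                  # threshold from the advisory
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _read_tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Return the modulus bit length of an RSA SubjectPublicKeyInfo, or None if not RSA."""
    tag, spki, _ = _read_tlv(spki_der, 0)          # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, alg_id, pos = _read_tlv(spki, 0)          # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _read_tlv(alg_id, 0)         # algorithm OBJECT IDENTIFIER
    if oid_tag != 0x06 or oid != OID_RSA_ENCRYPTION:
        return None                                # EC or other key type: out of scope
    tag, bitstr, _ = _read_tlv(spki, pos)          # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    rsa_pub = bitstr[1:]                           # drop the unused-bits octet
    _, seq, _ = _read_tlv(rsa_pub, 0)              # RSAPublicKey SEQUENCE { n, e }
    _, modulus, _ = _read_tlv(seq, 0)              # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()


def audit(named_keys, minimum=MIN_RSA_BITS):
    """Return [(name, bits)] for every RSA key whose modulus is shorter than minimum."""
    weak = []
    for name, der in named_keys:
        bits = rsa_modulus_bits(der)
        if bits is not None and bits < minimum:
            weak.append((name, bits))
    return weak


# --- helpers that build constructed test keys (DER writer) -------------------

def _tlv(tag, value):
    """Encode one DER tag-length-value, using long-form length where needed."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _der_int(i):
    """Encode a non-negative integer as DER INTEGER (leading 0x00 if high bit set)."""
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _tlv(0x02, b)


def make_rsa_spki(modulus, exponent=65537):
    """Build a SubjectPublicKeyInfo for an RSA key. Constructed test data only."""
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg = _tlv(0x30, _tlv(0x06, OID_RSA_ENCRYPTION) + _tlv(0x05, b""))  # rsaEncryption, NULL
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))


# Constructed sample keys: moduli with the top bit set so the bit length is exact.
SAMPLE_KEYS = [
    ("legacy-intranet-cert", make_rsa_spki((1 << 511) | 1)),    # 512-bit: blocked
    ("current-web-cert", make_rsa_spki((1 << 2047) | 1)),       # 2048-bit: allowed
]

if __name__ == "__main__":
    for name, bits in audit(SAMPLE_KEYS):
        print(f"{name}: {bits}-bit RSA key is below {MIN_RSA_BITS} bits")
```

To run this against real certificates, feed `rsa_modulus_bits` the DER bytes of each certificate's SubjectPublicKeyInfo (for example, the output of `openssl x509 -pubkey -noout` converted from PEM to DER); a result below 1,024 is a certificate the update will refuse.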

The relatively light volume of October patches comes on the heels of a similarly light September 2012 Patch Tuesday cycle, during which only two important bulletins were released. With a small number of patches, Microsoft encouraged customers to focus on installing Security Advisory 2661254 so users could adjust to the change in RSA key-length requirements.




Ten commandments for software security

BSIMM4 was released in September 2012 with much press fanfare, including a detailed case study featuring Intel and Fidelity. I make a big deal out of the BSIMM because it is the only data-driven model that can be used as a measuring stick for software security initiatives. The BSIMM is filled with facts and provides a detailed description of the state of software security.

What the BSIMM does not provide is direct advice about what your firm should do when it comes to software security. I recognize that a vast majority of firms are just getting started with software security and that they might benefit from actionable guidance derived from hundreds of (collective) years of direct experience.

Based on many years of experience in the field and an interpretation of four years of BSIMM data, I present the ten commandments for software security.

The ten commandments for software security: Prescriptive guidance

0. Thou shalt lead thy software security initiative (SSI) with a software security group (SSG).

1. Thou shalt rely on risk management and objective measurement using the BSIMM (not “top ten lists” and vulnerability counts) to define SSI success.

2. Thou shalt communicate with executives, directly linking SSI success to business value and comparing thy firm against its peers.

3. Thou shalt create and adopt an SSDL methodology like the Microsoft SDL or the Cigital Touchpoints that integrates security controls (including architecture risk analysis, code review, and penetration testing) and people smarter about software security than the tools they run.

4. Thou shalt not limit software security activity to only technical SDLC activities and especially not to penetration testing alone.

5. Thou shalt grow and nurture software security professionals for thy SSG (since there are not enough qualified people to go around).

6. Thou shalt consume direction from the business and intelligence from operations and incident response staff, and adjust SSI controls accordingly.

7. Thou shalt track thy data carefully and know where the data live regardless of how cloudy thy architecture gets.

8. Thou shalt not rely solely on security features and functions to build secure software as security is an emergent property of the entire system and thus relies on building and integrating all parts properly.

9. Thou shalt fix thy identified software defects: both bugs and flaws.

Ten commandments explained

Some explanation of and justification for each of the ten commandments for software security is in order.

Lead your software security initiative (SSI) with a software security group (SSG). Each of the 51 firms in the BSIMM has an active SSG. Building a thriving SSI without standing up an SSG is very unlikely (and has never been observed in the field to date), so create an SSG before you start working to adopt software security activities. SSGs come in a variety of shapes and sizes. All good SSGs appear to include both people with deep coding experience and people with architectural chops. Code review is a very important best practice, and to perform code review you must actually understand code (not to mention the huge piles of security bugs). However, the best code reviewers sometimes make very poor software architects, and asking them to perform an Architecture Risk Analysis will only result in blank stares. Make sure you cover architectural capabilities in your SSG as well as you do code. Same goes for penetration testing, where a knack for breaking things in clever ways really helps (but does not often come with deep coding skills). Finally, the SSG will be asked to mentor, train, and work directly with hundreds of developers. Communications skills, teaching capability, and good consulting horse sense are must-haves for at least a portion of the SSG staff. For more about this issue, see the article You Really Need an SSG.

Rely on risk management and objective measurement using the BSIMM (not “Top Ten Lists” and vulnerability counts) to define SSI success. Too many software security professionals treat software security as a whack-a-mole bug hunt. Realize that finding defects alone does not create secure software nor does it communicate risk to management in an actionable way. In fact, there is nothing more discouraging to upper management than being presented with an ever-expanding list of security problems. If you spend all of your time finding bugs and flaws and none of your time fixing them, you're not really helping. Similarly, if you are fixing your security defects, but finding the same defects over and over, you're still not improving. Fortunately, the BSIMM provides a superb measuring stick for an SSI. You can compare the activities you undertake in your SSI with your peers to determine whether you are leading the pack, are in the middle of the pack, or are the slowest zebra. (Hint: do not be the slowest zebra.) A BSIMM measurement provides a detailed snapshot of an SSI that is easy to consume by upper management. Some leading firms use BSIMM measurements over time to track progress and provide real data for setting SSI strategy. How much software security is enough for your firm? Good question. Fortunately, some of your peers may know.

Communicate with executives, directly linking SSI success to business value and comparing your firm against its peers. As I said above, if you come bearing an ever-expanding list of security problems and you're not doing anything to fix them, you may well be seen as part of the problem. Executives want to see some “key performance indicators” that include all aspects of your SSI. How is training coming along? Are your developers learning what they need to know to avoid creating bugs in the first place? What is your defect density ratio? That is, is your firm creating fewer bugs per square inch than they were six months ago? Is there a huge spike in security bugs every time your development teams integrate a new technology stack? When you find and fix architectural flaws or broken requirements, do you show how much headache and money that will save you down the line? Are you finding fewer problems through late lifecycle penetration testing than you were last year? (You should be.) Finally, because an SSI has multiple moving parts, a BSIMM measurement is the most robust way to measure yourself. Senior executives love the BSIMM and immediately grasp its utility.

Create and adopt an SSDL methodology like the Microsoft SDL or the Cigital Touchpoints that integrates security controls (including architecture risk analysis, code review, and penetration testing) and people smarter about software security than the tools they run. There are as many different SSDLs as there are firms doing software security. Not all firms have a formalized SSDL; but they should. Do some reading. Borrow ideas from my book Software Security and from Microsoft's SDL. Throw in some OWASP and SAFEcode ideas as well while you're at it. Read the BSIMM and see what other firms are doing. The main thing to realize is that we do know how to do software security these days. The field has matured. At the very least, you need to adopt code review (preferably using a tool) to find bugs, architecture risk analysis to find flaws, and penetration testing to look for vulnerabilities that sometimes slip through the cracks. Make sure that when you adopt tools, you don't just blindly use them (or worse yet throw them over the wall to developers with no clue how they work). Remember this: if all your developers could directly consume the output of security tools and fix security defects without assistance, they likely wouldn't have created the defect in the first place! The upshot is that you'll need at least one security professional on your staff who is smarter than the tools. Really. If you need help defining and building an SSDL, get some. There are plenty of consultants out there who do this kind of thing for a living.

Do not limit software security activity to only technical SDLC activities and especially not to penetration testing alone. Of course you should take advantage of penetration testing, but you need to understand its limits. The main limit is economic: when you find a security problem in a fielded system (or a system that is just about to ship), it is exceptionally expensive to fix the problem. You are going to fix what you find, right? The main thing to realize here is that software security is not simply a technical issue filled only with arcane defects and metal-faced hacker boys. To be sure, there are plenty of technical activities to do and do properly, but never forget to link your activities directly to business impact and the management of risks. Are you fixing your development machine so that developers create fewer security defects in the first place? Are you building secure middleware solutions that your developers and architects can leverage? Are you measuring things and publishing the results internally? You should be. This is the reason that BSIMM covers much more than just what architects, developers, and testers do. We asked firms for data on everything that contributes to specifying, creating, and deploying secure software. We recorded the answers and the superset became the BSIMM. Our continuing work with dozens of firms (including software vendors) of various sizes and across multiple verticals shows that a software security program encompassing policy, risk, compliance, governance, metrics, operations, SLAs, and related items (in addition to the all-important efforts in design, coding, and testing) reflects their belief that it is the sum of these business processes, and the culture and environment they produce, that is critical to producing and maintaining secure software.

Grow and nurture software security professionals for your SSG (since there are not enough qualified people to go around). The best SSG members are software security people, but software security people are often impossible to find. If you must create software security types from scratch, start with developers and teach them about security. Do not attempt to start with network security people and teach them about software, compilers, SDLCs, bug tracking, and everything else in the software universe. No amount of traditional security knowledge can overcome software cluelessness. It is OK to start with seedlings and nurture them into trees. While you're at it, try to create “Swiss Army knife” types instead of minutely-focused specialists. I always look for someone who can review code, do some penetration testing, and actually fix security problems.

Consume direction from the business and intelligence from operations and incident response staff, and adjust SSI controls accordingly. Security is a process and not a product. Software security even more so. You can build the best code in the world with a supremely bulletproof architecture, but problems will still happen in operations. Guaranteed. Use the security attacks that you experience (and that your peer group experiences) to improve your approach to software security and tune it to what your business considers important. Close the knowledge loop and know your enemy.

Track your data carefully and know where the data live regardless of how cloudy your architecture gets. The cloud is coming and your data are going to be in it. Understand clearly that you cannot outsource software security responsibility to your cloud provider. Your customers are counting on you to protect their data and in some cases the government is regulating that responsibility. The Achilles' heel of the cloud is the applications that run on it and over it. Build them properly now and rest easier tomorrow.

Do not rely solely on security features and functions to build secure software as security is an emergent property of the entire system and thus relies on building and integrating all parts properly. No matter how many times we say this, developers, architects and builders are going to treat security as a thing. There are simply too many years of training to think of systems as collections of features and functions to overcome. Don't fall into the “magic crypto fairy dust” trap. Sure crypto is useful and many of your systems will need to have some, but security is a systemwide property. Smart attackers rarely go after crypto, they go after defects in other obscure parts of your system. Make sure you spend at least as much time trying to eradicate bugs and flaws as you do picking and implementing security features. Software with good crypto, robust authentication, granular authorization, mind-bending CAPTCHAs, and many other fine security features coded perfectly well gets broken into every day. These features typically stop authorized users from doing known, undesirable things. They rarely prevent unauthorized users from doing unknown undesirable things. You need an SSI to build secure software effectively and efficiently across an entire portfolio.

Fix your identified software defects: both bugs and flaws. It's sad, but software security often looks like this in practice. You hire some reformed hackers to do a penetration test. You know they're reformed because they told you they are. They find six security defects in the week that you give them to probe your system from the outside. They tell you about five of them. You fix two of them that seem fixable and declare victory. But what about the other four defects? Simply put, if you spend all of your energy finding problems in your software through architecture risk analysis, code review, and penetration testing, and you spend no time fixing what you find, your software is no more secure than it was when you started. Fix the dang software! Of course, fixing defects is a risk management activity and no firm has infinite money. Therefore, there must be prioritization based on impact, cost, and other factors important to the business. However, collective memory is short and very few firms keep track of every security bug not fixed. Do 10 low-severity bugs collectively become a medium? What about 100? 1000? In addition, very few firms correlate findings from multiple testing methods and instead make decisions in a vacuum after each testing exercise. Might the low-severity bug from the architecture assessment, the low from static analysis, the low from fuzzing, and the low found in penetration testing combine to make a critical? I don't know either, but someone should think about it. It may be easier just to fix the dang software.

Prescriptive Advice about Descriptive Models

Ultimately, you need to define or adopt a prescriptive SSDL methodology of your own and then use a descriptive measurement system to track progress. Our advice is to use the BSIMM to measure the current state of your software security initiative and determine other software security activities you should probably start doing. If your organization determines that one of the areas requiring investment matches one of the practices in the SDL (for example), you would be silly not to take advantage of Microsoft's wisdom for that activity.

Because we have been measuring real software security initiatives in 51 firms over multiple years, we can state with confidence that if your SSI is not improving every year then your firm is falling behind. We know that every SSI is unique, just like every other SSI. Yours will be too. Fortunately, no matter what prescriptive approach you take to software security, the BSIMM can serve as a measuring stick, a source of inspiration, and an objective measurement of progress.

Acknowledgements
The ten commandments for software security were developed jointly with the Cigital Principals, including Paco Hope, Scott Matsumoto, Sammy Migues, and John Steven. Some explanatory description is adopted with permission from the BSIMM4 document.

About the author:
Gary McGraw, Ph.D., is CTO of Cigital Inc., a software security consulting firm. He is a globally recognized authority on software security and the author of eight best-selling books on this topic. Send feedback on this column to editor@searchsecurity.com




Yahoo, Bing Partner With Media.net for Contextual Advertising Program

Yahoo is attempting to make a name for itself in the contextual ad network game. With the help of Microsoft and Media.net, the search engine wants to chip away at some of Google AdSense's market share by offering a similar advertising product to both businesses and web publishers.

The Yahoo! Bing Network Contextual Ads program is an ad network that allows web publishers, including blogs, online publications, and similar sites, to set up a revenue stream from ad units on their site.

The platform is powered by Media.net and is made up of advertisers from the Yahoo and Microsoft Search Alliance, which has been around since 2009 and also covers search advertising.

Since Media.net already offered contextual advertising solutions to Web publishers prior to this partnership, Yahoo and Bing don't actually have to do anything in the way of powering the ad network. But for Media.net, the partnership allows it to reach more advertisers and customers with the tools it already has.

For Web publishers, this new partnership just means different options for contextual advertising. Both Media.net and the Yahoo and Microsoft Search Alliance have been around for years, but now that they've partnered up, publishers can expect a larger variety of ads available for better targeting. And those who didn't already use Media.net just have another platform with a high volume of ads to consider.

For businesses interested in advertising, this means that Yahoo and Bing now offer more than just the text or search ads advertisers may be used to, and they can have their ads displayed on more than just search results pages. Like with AdSense, advertisers can set their own budget so the program can be feasible for businesses of all sizes.

And though Google is still the dominant player, advertising with Bing and Yahoo can mean reaching different consumers altogether.

This isn't the first time Yahoo has tried its hand at a contextual ads network. The original program was nixed in 2010, but apparently Marissa Mayer thought it would be worth another try. The former Google employee could have some helpful insights to keep the program afloat.




Don't Let Your Business Run You: A Snapshot of Web Development Team Success

If your end-of-year project is to develop an app or work with a developer, stop what you've planned to do after reading this review and pick up Don't Let Your Business Run You: How Less Everything Makes $1 million Annually from Client Services. Meant for a web development audience, much of the book is also useful for the small business that sees technology as an increasingly necessary operation.

The authors, Allan Branch and Steve Bristol, write from their launch experience with Less Everything.com, a small award-winning development firm. I learned about the book during Allan's appearance on Melinda Emerson's weekly Twitter chat Small Biz Chat.

When you read the opening chapters, being flexible is the modus operandi behind strategic choices and reviewing potential teammates. And these authors have brash but approachable personalities: the company website lists its personnel with the byline “We've assembled a team of people that give a sh**”. The first sentence of the book says if you are not willing to change, give the book to someone who is. That flexibility helps to make firmer decisions, such as their opening point about selecting who the customer is.

“We put clients in two categories: the ones who listen to you (those who really want your expertise in more than just code/design) and the ones who don't…You'll have to figure out why clients are hiring you. Most clients will hire you for your knowledge and expertise, but maybe it's just because you're in the same city, or because you have experience in their industry, or perhaps you've built the type of features they needed before. It might be simply because you're the cheapest. Whatever the reason, it will be easier in the long-run if you figure it out and accept clients with similar motivations. Once you know why they are hiring you, you can decide if you want to continue with these types of clients/projects and enhance the aspects they are looking for.”

Notice that I wrote the word “selecting” your clients instead of “understanding”. That drawn-line-in-the-sand quote may speak to online developers, but the thoughts easily apply to other industries. When Allan and Steve offer the other client types, a small business owner with a few years under the belt will nod in agreement. Combine this chapter with the book No You Can't Pick My Brain, and you get the idea.

Quick asides throughout the book display the authors' lightheartedness: When talking about partnerships being meant for each other, Steve references Allan as Forrest Gump's Jenny. And there is a nice-but-intentionally-subtle-failed plug for LessAccounting, the accounting software they offer. Their humor and directness make the book a good read.

The subsequent chapters set expectations about marketing your business and what client responses can occur. Here is a rundown of what I considered thought-provoking quotes.

“Too many sites make their companies look unapproachable. Whether you like it or not, approachability is the opinion of the viewer. You never know when you'll have a potential client looking for a freelancer or a small web company. Be very conscious of how you're going to be perceived.”

“Marketing is about standing out, being approachable, showing value and giving love. Rinse and repeat.”

The following quote reminds us how referrals are truly offered, from people you know, not just those who have been

“At the very least, you should be able to find 2-3 hours a day to contribute to an open-source project. Most new business comes from referrals, so becoming the hero of a bunch of developers will likely lead to those developers mentioning your name when they have the chance. This is a great way to get some fairly easy exposure.”

This last mention is a reminder of where analytics and online marketing measurement are heading: there are still businesses stuck on eyeball metrics and not engagement. Allan and Steve do not delve into social media deeply, but their thought does temper expectations to realistic business-building levels.

“The best marketing doesn't instantly get you a surge of traffic. Those people are quick to forget and never come back. Good marketing builds and builds, growing bigger and bigger. The things you do today will not affect your business for another 6-12 months.”

Building a team starts with how you talk to each other

Allan and Steve shared some really solid hints at hiring and working with technical professionals, increasingly a necessity across all businesses. The focus in Chapter 6 on interviewing developers is a must-read.

“Hire communicators. This doesn't mean someone who just emails … Hire a person that follows up their employment application with an email that is clear and to the point.”

Allan and Steve also offer some interesting insights into what businesses should look for in partners. They believe resumes really don't tell a lot about who can bring a solution to your table. And they believe in businesses building on their own “home cooking”, so to speak, such as this comment on consultancies:

“A consultancy without any of its own projects is a real head-scratcher. How is a client supposed to trust you to make decisions with their project (using their money), when your consultancy doesn't even build its own apps?”

So why should businesses have their own projects? One answer appears above this one:

“…How can you judge a consultancy based on past client work? You don't know how much of the project they were involved in. Perhaps the client had terrible requirements. You can't see through that stuff and into how the consultancy would make decisions.”

The last chapters deal with finance and accounting, not as deep as a standard finance book (see our short list of finance books), but still a useful reminder why cash is king.

Although the book is meant for up-and-coming developers, retailers large and small should read Don't Let Your Business Run You. It serves as an excellent supplement to project planning. Once you do read it, you'll find working with technical project managers and developers will be a piece of cake everyone can enjoy.




A Tip of the Cap Could Increase Credit Union Lending

As Members of Congress have returned home in the run-up to Election Day on Tuesday, November 6th, credit union supporters continue to educate elected officials about issues of importance to their industry.

There are a host of developments in Washington, DC, of importance to credit unions. Most importantly, Senate Majority Leader Harry Reid (D-NV) has stated his intentions to hold a vote on the credit union Member Business Lending legislation (S.2231/H.R. 1418). Passage of this bill, introduced by Senator Mark Udall (D-CO), would raise the lending cap (currently 12.25% of a credit union's assets) to 27.5%.

According to the National Association of Federal Credit Unions (NAFCU), more than 1,100 credit unions are actively lending to small businesses. A number of them are offering the popular SBA loans and other financial products to entrepreneurs seeking to launch or expand their businesses.

However, a significant portion of these credit unions are approaching their law-mandated cap. Once a credit union reaches that limit, it would no longer be able to grant loan approvals.

In the Biz2Credit Small Business Lending Index, the percentage of approved loans by credit unions has dropped for three straight months. During the credit crunch, as small business owners looked for alternative options for capital, credit unions began to play an increasingly important role in small business finance.

However, the most recent analysis finds that credit union approval percentages this year have dropped from a high of 57.9% in March 2012 to 52.9% in August. Thus, small business owners are exploring opportunities from non-traditional lenders, such as accounts receivable financiers, who often charge higher percentage rates than credit unions do.

By having a wider variety of funders that are able to provide working capital, expansion loans, equipment loans, lines of credit, etc., small business owners can borrow money at more attractive rates. Limiting the options hinders the ability of entrepreneurs to shop around for the best deals.

It's a simple but important law of economics, and it is not just theory. I speak to hundreds of small business owners each month who want to grow their companies and create jobs. They tell me first-hand about the opportunities they lose out on when they have a short supply of funding options.

A vote on this issue could take place shortly after Congress reconvenes after Election Day. If they want a better competitive landscape, credit unions must work hard to distinguish themselves from banks and remind elected officials that increased member business lending by credit unions will translate into local job creation.

This is critical for any politician who wants to be elected in November.




Tech Thursday (10/4): AT&T SYN248™ Phone System * Citibank® Small Business Pulse Survey * Dell Unveils New Business PCs

New AT&T SYN248™ Phone System

Citibank® Small Business Pulse Finds Sales Growth Isn't Enough to Keep Cash Flowing

Dell Unveils New Business PCs Designed for the Evolving Workforce

Flexible New AT&T SYN248™ Phone System Gives Small/Medium-Sized Businesses A Jump Start For Growth

Versatile Office Phone Delivers Cost-Effective Solution with Comprehensive Functionality and Easy Installation Out of the Box to Support up to 24 Users

BEAVERTON, Ore. - Advanced American Telephones, which manufactures AT&T-branded telephones under a license agreement with AT&T Intellectual Property, announced availability of the Syn248™ Deskset and Gateway business phone system, specifically designed for small- and medium-sized businesses (SMB). The Syn248 solution boasts robust features such as easy do-it-yourself installation and setup, the ability to integrate into an existing network and convenient management through a web-based user interface.

The Syn248 is unmatched in price for performance, enabling startups, small and medium businesses to do more for less. With only two components, the system is easy to set up, eliminates the need for extra cabling with its dual-port Ethernet connection and requires no additional hardware or add-on components to expand the system or configure features. Perfect for companies looking to replace small legacy PBXs and Key Systems, the Syn248 can support 24 users straight out of the box with all of the functionality needed to maximize productivity.

The Syn248 is scalable to grow with the business by easily adding a second Gateway for up to eight analog lines total. The system is easy to manage with intuitive web-based administration capabilities and sophisticated call routing, using up to four built-in auto attendants to customize recordings for each department or division of the company. Simplifying call management, the auto attendant enables dial-by-name in-bound call routing, as well as the option to reach an operator as needed. Additional features include:

  • Support for 24 users out-of-the-box
  • Up to 8 analog lines (4 per SB35010 Gateway)
  • Multi-line appearances
  • Large backlit displays
  • Easy web-based administration
  • User customizable buttons on phones; pre-configured with commonly used and convenient features
  • Built-in voicemail, with 30 minutes recording time
  • 50/100 station/system phonebook
  • Built-in auto attendant with custom recording of on-hold message
  • Dial-by-name (first or last) functionality and operator selectable day and night modes
  • Limited 2-year warranty

For more information on the new Syn248 telephone system and the complete line of AT&T SMB telephony products, please visit http://smbtelephones.att.com/syn248

New Citibank® Small Business Pulse Finds Sales Growth Isn't Enough to Keep Cash Flowing

Despite cash flow challenges, 78% have given payment extensions to customers

NEW YORK - Maintaining and increasing sales is the most important short term business issue for 74% of small business owners, 41% of whom cite lackluster consumer spending as the root cause, according to the Citibank® Small Business Pulse released today.

Both the cause and effect of weak sales lead to cash flow concerns. According to the survey, 50% of respondents have experienced a sudden cash crunch in the last 12 months. Despite the need for careful cash management, 78% of small business owners have given payment extensions to customers.

“We admire and support the resilience and commitment shown by small business owners who find ways to move their companies forward,” said Jerome Byers, head of Citibank Small Business. “In recent years, companies have tightened belts, gained efficiency and reinvented their businesses to survive in a tough economy.”

CASH FLOW IS KING

Managing cash flow is a job most small business owners won't trust to anyone but themselves. Nearly three quarters (73%) say they are “on top of it” and manage their cash flow daily. Thirty percent of respondents say the greatest challenge to managing cash is slow/delinquent receivables and bankruptcies, while 24% blame late or non-payments for a sudden cash crunch in the last 12 months. Yet 23% of respondents find making a collection call the most uncomfortable business finance challenge, second only to reducing staff (35%). Referring to the need for sales, 28% report that their sudden cash crunch was due to sales that did not pick up as expected.

BUSINESS CONDITIONS AFFECTING SALES

Despite a quarter-to-quarter reduction in confidence, small businesses report slightly better business conditions than a year ago. In August 2012, 38% of respondents found business conditions positive, increasing from 34% in August 2011. Another 25% say business conditions are poor, relatively flat from the last survey in May (23%), but reduced significantly from 31% a year ago. Still concerned about the future, 85% of those surveyed believe the economy may experience another downturn. That number is slightly lower than the 90% who expected it a year ago.

When asked about their own business situations, owners report similar quarterly and yearly trends, with 34% claiming that 2012 will end up better than business was last year, but only 27% saying they have seen that improvement by August. Comparing short-term frustration to full-year results, 43% project actual sales growth for 2012 over last year. In fact, 42% of respondents expect 2012 business sales or revenue to meet their goals and 14% expect to exceed goals.

REINVENTION TO REMAIN RELEVANT

Consistent with last quarter, more than half of respondents (52%) have reinvented their businesses to stay afloat or be more competitive in today's marketplace. In August, 60% of respondents said they have added or changed the products they offer. Another 51% of “reinventors” overhauled their technology infrastructure, including replacing networks, computer systems and software systems. Among those who made changes, 40% say the initial trigger for reinvention was simply a feeling that something needed to change. Based on that gut reaction, they recommend research and to “get educated” as the first step in making those changes happen.

Dell Unveils New Business PCs Designed for the Evolving Workforce

Reveals first enterprise-class Ultrabook, 10-inch touch-optimized tablet and All-in-One PC

ROUND ROCK, Texas - Dell has unveiled new additions to its state-of-the-art portfolio of business-class computers enabling companies to give employees devices they want to use while maintaining the IT security and manageability necessary for enterprise-class deployments. The three new devices include the Latitude 10-inch touch-enabled tablet, the Latitude 6430u Ultrabook that brings leading design to the boardroom, and a touch-enabled OptiPlex 9010 All-in-One desktop helping people interact with technology in more intuitive ways.

The Latitude 10 is a 10-inch tablet that takes advantage of the latest advances in touch-enabled applications and allows businesses to confidently bring tablets into their enterprises. The Latitude 10 fits easily into current IT environments by supporting existing Microsoft productivity applications and plugging into existing management consoles. Like all Latitude products, the Latitude 10 is engineered for business productivity by providing easy support and maintenance like a swappable battery and robust security options like Dell Data Protection | Encryption, which encrypts all data from the hard drive to the USB port.

Dell Latitude 6430u

The Latitude 6430u is a 14-inch Ultrabook that strikes the balance between aesthetic appeal and corporate needs with the combination of security, manageability and durability in a thin, highly-mobile form factor and striking design. Designed to meet MIL-STD-810G testing, a United States Military test standard where systems are subjected to the harshest conditions, the 14-inch Latitude takes durability to new extremes. The new design is 33 percent slimmer and 16 percent lighter than Dell's current 14-inch Latitude notebook, making it a desirable option for mobile workers. Preliminary battery life testing shows all-day productivity with a single battery charge, an advantage for road warriors and always on-the-go sales executives.

The sleek OptiPlex 9010 23-inch All-in-One continues to empower productivity while preserving precious desk space. As businesses incorporate touch interfaces into work environments, collaboration and productivity can increase, but some workers have space limitations. The business-class All-in-One offers options for a multipoint touchscreen, fixed or rotating camera, and an articulating stand to optimize the user's work experience.

The Latitude 10, Latitude 6430u and OptiPlex 9010 AIO will be available for sale with the launch of Windows 8. More details on global pricing and dates will be announced when available.



Leadership Truths That Every Leader Needs To Know

Successful business leadership is about the ability to create a compelling vision that is backed up by strong values, a strong sense of purpose and that inspires other people to help you to achieve it. In order to do this it is essential that, as a leader, you create an environment where people are encouraged to work harmoniously together using their own unique talents and skills to achieve common goals.

It sounds fairly straightforward doesn't it?


However, great leadership requires a complex set of skills which have to be continually honed and fine-tuned. Great leaders all share common characteristics which make them successful. They operate based on truths which underpin all of their behaviors and actions.

Here are 5 truths that every great leader knows:

Truth#1: You Cannot Motivate Someone, You Can Only Inspire Them To Motivate Themselves

Motivation comes from within a person. All the motivation techniques in the world will not work if the people you are trying to motivate don't buy in to the idea.

Inspiration is different as it appeals at a deeper level than motivation and is designed to win hearts as well as minds. Great leaders know that to truly engage employees you need to inspire them and then they will be motivated.

Truth#2: Combining Talents, Skills And Abilities Will Achieve More Than Working Separately

Great leaders know that they can't achieve what they want to independently, nor do they want to. They inherently understand that human beings can gain better results from pooling resources and utilising the strengths of others to complement their own skills.

Working in this state of interdependence produces far greater outcomes than could ever be achieved by working separately.

Truth#3: Being The Change You Want To See In Others Is The First Step To Improving Things

If you want employees to adopt certain behaviors, develop specific skills and display particular attributes then you have to model them yourself first. Leaders who have a strong set of principles and guiding values, and who live by them, command much more respect than those who don't.

A leader should always display the kind of behavior that he/she would expect to see from others.

Truth#4: People Have Unlimited Potential And They Will Generally Do Their Best

Believing in people's potential is vital in a leadership role. After all, you have to trust that your employees are up to the job or can be developed to their full capability in order to achieve your organisational objectives.

Having this kind of mindset and positive expectation will help to foster a high performance culture in which people can excel.

Truth#5: To Know And Understand Yourself Is The Best Way To Achieve Excellence As A Leader

Having high degrees of self awareness and emotional intelligence are characteristics common to all great leaders. This means that they operate as their authentic selves at all times and that they behave in accordance with their own set of inner principles or values.

To be authentic you first have to know and understand who you really are and what makes you tick. You also have to be fully aware of your strengths and flaws. Having a complete self understanding means that you can manage yourself and your emotions, develop your weaknesses and capitalize on your strengths.

Simple Truths Photo via Shutterstock




Why Online Privacy Is Not A Good Thing Online

Recently Microsoft made a decision to have “do not track” automatically turned on in its new Internet Explorer browser, and the online advertising community is angry, reports BtoB Online. Understandably angry.

I surely do not want to have my personal information used by criminals to steal from me. I am definitely more open and understanding of the digital and commercial world we live in, wherein I receive many pleasures for “free” and in return agree to be marketed to.

I watch Hulu quite a bit and don't pay a thing. I think it's perfectly fair that advertisers who pay for me to enjoy Hulu for free are able to know a bit about me to better advertise and market to me.

If you want to watch a movie and have no one know you are watching it and marketed to as a result, buy a movie from some video swap service or borrow one from a friend.

Pretty much everything you do is commercialized and you will be advertised to; get used to it and enjoy the benefits.

If you're a guy in Texas and enjoy barbecues, why should you get an advertisement in French about flying to Poland for vacation? No, instead you want a local Texas restaurant to market to you about great barbecue sauce.

It's very scary and nerve-wracking to have our “privacy” invaded; on the other hand, marketers WILL market to us for sure. It's nice to get an advertisement that feels like it's just for you!

About Microsoft, I think it's fine that they put the “no-tracking” feature on by default. That's their decision and I completely understand it. My point in this article is to give my insight about online advertising tracking overall.



William Hague says nations are struggling against internet attacks, as he pushes for a cyber crime centre

Foreign secretary William Hague has announced plans to open a European cyber crime centre and acknowledges the ongoing challenges that the internet faces.

Speaking at the Budapest Conference on Cyber Space, Hague urged "governments, international organisations, civil society and industry experts to come together in Budapest and address one of the great challenges of our time".

A year on from his notable speech at the London Conference on Cyber Space, this year's conference will pick up on themes raised then and look at the challenges and opportunities offered by the internet.

Hague said: “Cyber space is emerging as a new dimension in conflicts of the future. Many nations simply do not yet have the defences or the resources to counter state-sponsored cyber attack.

“If we do not find ways of agreeing principles to moderate such behaviour and to deal with its consequences, then some countries could find themselves vulnerable to a wholly new strategic threat: effectively held to ransom by hostile states.”

He went on to say that it has never been easier to become a cyber criminal, as malware can be bought easily and attacks are borderless ‘with all countries in the firing line’.

Hague also said that it was "essential that we demonstrate our commitment to building a secure, resilient, open and trusted global digital environment", where governments, industry and users of the internet could work together in a collective endeavour.

“I look forward to the Budapest Conference and hope that it will accelerate the international debate on cyber space and move it further towards a permanent footing. We must establish a balance of responsibility whilst protecting human rights so that information and ideas continue to flow freely, a principle which has contributed to making the internet the dynamic force it is now,” he said in a statement.

The foreign secretary also reaffirmed plans for an EC-sponsored cyber crime centre, which will be tasked with tackling rising levels of cyber crime within member states.

Previously announced in March this year, Hague said that the centre will receive £2 million in funding from the government annually and it will be based at one of eight universities awarded ‘Academic Centre of Excellence in Cyber Security Research’ status: Oxford, UCL, Southampton, Queen's Belfast, Lancaster, Bristol, Imperial College and Royal Holloway of London.

Paul Davis, director of Europe at FireEye, said: “Hague has certainly hit the nail on the head with his conclusion that it has never been easier to become a cyber criminal. While this was once the preserve of low-level hackers working alone, the emergence of determined ‘hacktivist’ groups, off the shelf malware packages and readily available hacking tutorials has upped the threat level simply by making cyber crime an organised, mainstream and persistent activity.

“Hague's comments should serve as a catalyst for businesses everywhere, not just government organisations, to up their security game and remove the weaknesses that often lie within their own networks.”



Barracuda Networks and Quarri combine web application firewall with secure browser technology

Barracuda Networks has partnered with Quarri to combine its web application firewall with the Texan security company's secure browser technology.

Barracuda Networks will offer Quarri's Protect On Q (POQ) in version 7.7 of its web application firewall so that users can deploy the firewall as a front-end device for multiple independent web applications. This will enable end-to-end security of web sessions for users, according to the companies. 

The two companies said that it will also allow for efficient caching of POQ session information, minimising the amount of traffic between the firewall and the POQ Server. This will mean that users can scale POQ deployments by distributing the load between multiple POQ servers.

Carter McCrary, executive vice president of business development at Quarri, said: “Connecting the client browser and web server security enables organisations to completely control and protect web applications and content from malware and data leakage.

“Partnering with Barracuda to deliver an integrated solution enables organisations to protect their most valuable data in an easy-to-deploy manner.”

Anshuman Singh, product manager at Barracuda Networks, said: “Barracuda is excited to integrate Quarri's technology into our web application firewall. Connecting the client browser and web server security enables organisations to completely control and protect web applications and content from malware and data leakage.”



BeyondTrust releases free vulnerability management tool

BeyondTrust has launched a free version of its Retina vulnerability management software.

Available for users with up to 256 devices, the technology became part of the company's portfolio after it acquired eEye Digital earlier this year. Speaking to SC Magazine, Brent Thurrell, director of sales for EMEA at BeyondTrust, said that it has launched ‘Retina Community’, a cut-down freeware version of its Retina CS product.

He said: “It comes without so much in-depth reporting that enterprises require. It is designed for small to medium businesses (SMBs) to overcome challenges and start to implement best practice and data security. This will be instilled into SMBs as they grow and give the bad guys less chance.”

The Retina technology was acquired in April and former enterprise security manager at eEye Digital, Andrew Clark, told SC Magazine that the community product is a free version of the enterprise product with the same engineering at the back-end, but was limited to 256 devices with some features removed. “It performs the same scanning and analysis as in an enterprise, but we are giving it away for free,” he said.

Thurrell said that the heritage and acquisition of eEye allowed BeyondTrust to move into the vulnerability and management space to help identify where threats are, both internally and externally.

He said: “We seek to provide information back to IT teams and business users in some sort of semblance of order to detect security events and risk exposure across business. A big part of our context aware security is Retina. Retina CS helps organisations understand where the holes exist and where the threats come from, where an exploit can be or how a data breach could occur, it helps to report and prioritise.

“We want to help organisations who don't have huge IT teams to monitor their environment and patch 24 hours a day, we want to provide a tool to help them control and monitor their environment.”



Wagamama serves up malware from outdated site

Hackers have exploited a vulnerability in the Plesk hosting control panel to upload malware to a website owned by the Wagamama restaurant chain.

The 'RunForestRun' attack targeted Plesk: the flaw let attackers grab hosting account credentials and inject obfuscated script into the site's JavaScript files, and that script sent visitors to the Blackhole exploit kit.

According to Websense researchers, on execution the injected script decoded to an iframe with randomly generated URLs that pointed visitors to Blackhole.

It was not known whether the targeted Plesk flaw was the zero-day vulnerability revealed in July, which may have resulted in the infection of 50,000 websites.

The affected and outdated subdomain site was down at the time of writing, but it had been home to a 2009 competition between Wagamama and STA Travel, and remained active and unpatched for years.

Websense Australia and New Zealand country manager Gerry Tucker said that administrators should remove expired sites because they are a threat vector, as 82 per cent of malware was found on compromised legitimate hosts.

Tucker said: “These sites are prime targets for malware guys. In reducing risks, they should maintain assets properly and then take them offline. At the same time, the right infrastructure and controls are important to prevent the compromise of sites [and] to protect visitors from being exposed.”
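The injection described above, an obfuscated wrapper appended to an existing JavaScript file that decodes to a hidden iframe, can be triaged statically rather than by loading the page. The following is an added example, not Websense's or Wagamama's code and not the real campaign's payload: it finds eval(unescape(...)) and eval(String.fromCharCode(...)) wrappers in JavaScript sources, decodes the wrapped payload without executing it, and reports any iframe URL the payload writes. The sample files and the hostname example.invalid are constructed for the demonstration.

```python
"""Static triage for obfuscated iframe injections appended to JavaScript files.

Added example, not code from Websense or the site described in the article. It
decodes eval(unescape(...)) / eval(String.fromCharCode(...)) payloads statically
and flags any <iframe src=...> they write. Samples below are constructed.
"""
import re
from pathlib import Path
from urllib.parse import quote, unquote

# eval(unescape('...')) or eval(unescape("...")) -- group 2 is the percent-encoded body
UNESCAPE_RE = re.compile(r"eval\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.S)
# eval(String.fromCharCode(100,111,...)) -- group 1 is the comma-separated code list
FROMCHARCODE_RE = re.compile(r"eval\s*\(\s*String\.fromCharCode\s*\(([\d\s,]+)\)\s*\)", re.S)
# <iframe ... src="URL"> inside a decoded payload; group 1 is the URL
IFRAME_RE = re.compile(r"<\s*iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def decode_obfuscated_evals(source: str) -> list[str]:
    """Return the decoded text of every eval(unescape/fromCharCode(...)) wrapper."""
    payloads = [unquote(m.group(2)) for m in UNESCAPE_RE.finditer(source)]
    for m in FROMCHARCODE_RE.finditer(source):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        payloads.append("".join(chr(c) for c in codes))
    return payloads


def find_injected_iframes(source: str) -> list[str]:
    """Return iframe URLs written by decoded payloads; an empty list means nothing flagged."""
    urls: list[str] = []
    for payload in decode_obfuscated_evals(source):
        urls.extend(IFRAME_RE.findall(payload))
    return urls


def scan_tree(root: str) -> dict[str, list[str]]:
    """Scan every .js file under a web root; map flagged file path -> iframe URLs."""
    findings: dict[str, list[str]] = {}
    for path in Path(root).rglob("*.js"):
        urls = find_injected_iframes(path.read_text(errors="replace"))
        if urls:
            findings[str(path)] = urls
    return findings


# Constructed samples: a benign file, and the same file with an injected wrapper
# appended so the original code keeps working (hostname is a placeholder).
CLEAN_JS = "function greet(n){return 'Hello, '+n;}\nwindow.onload=function(){greet('x');};\n"
SAMPLE_PAYLOAD = (
    "document.write('<iframe src=\"http://example.invalid/a1b2c3/\" "
    "width=\"1\" height=\"1\" style=\"visibility:hidden\"></iframe>');"
)
INFECTED_UNESCAPE_JS = CLEAN_JS + "eval(unescape('" + quote(SAMPLE_PAYLOAD, safe="") + "'));\n"
INFECTED_FROMCHARCODE_JS = (
    CLEAN_JS + "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in SAMPLE_PAYLOAD) + "));\n"
)

if __name__ == "__main__":
    for name, src in [("clean", CLEAN_JS), ("unescape", INFECTED_UNESCAPE_JS),
                      ("fromCharCode", INFECTED_FROMCHARCODE_JS)]:
        print(f"{name}: {find_injected_iframes(src)}")
```

Run scan_tree() against a copy of the web root to list files carrying such a wrapper; a hit on a file that has not changed in years, as with the expired competition site above, is a strong signal that the host itself was compromised rather than that a developer shipped new code.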



A Behind The Scenes Peek: SMBInfluencer Awards Media Partners

The 2012 Small Business Influencer Awards have been a resounding success, thanks to our sponsors, media partners, and everyone who participated and helped spread the word.

The awards honor companies, organizations, apps and individuals who have made a significant, influential impact on the North American small business market.

Supporting our efforts were some wonderful small businesses themselves, our media partners.  Below, you will find a series of short interviews I conducted with several of the SMBInfluencer media partners.

* * * * *

Adrian's Network

Adrian's Network is a business networking community comprised of business owners and professional services providers that are joined together to help one another to make contacts and connections that lead to business opportunities. The group meets virtually and in person. Founder Adrian Miller shares a little about herself and her company:

Small Business Trends: How many times a day do you check your email - be honest!

Adrian Miller: Scary to say but probably at least 20.

Small Business Trends: What's your preferred social media channel, and why?

Adrian Miller: Facebook. Fast, fun, effective.

Small Business Trends: If you had an extra $100,000 for your business, where would you spend it?

Adrian Miller:  I'd donate half to charity and use the remaining half to hire some interns, upgrade technology and my Web presence.

* * * * *

Ask The Business Lawyer

Ask The Business Lawyer helps women business owners escape “self-employed slavery” by teaching them how to build multimillion dollar companies for scale or sale. The company, run by Nina Kaufman, helps women business owners who are ready to catapult to the next step in their professional lives:

Small Business Trends: What's the first thing you do when getting to your office each day?

Nina Kaufman: E-mail (sad to say). It's a double-edged sword, because I love hearing from my clients. Sometimes, though, I'm a slave to email.

Small Business Trends: How many times a day do you check your email - be honest!

Nina Kaufman: Approximately 17 (that I'm consciously aware of; probably more).

Small Business Trends: What's your preferred social media channel, and why?

Nina Kaufman: LinkedIn. As a lawyer, I hate being limited to 140 words, much less Twitter's 140 characters! For business, there are fewer temptations/distractions than there are on Facebook to check out what's going on in people's personal lives, which is fun and juicy, but not always useful for client service.

* * * * *

Founding Moms

Jill Salzman created The Founding Moms in an effort to find likeminded female entrepreneurs in her area. What started locally is now a collective of offline meetups and online resources for mom entrepreneurs in 30+ cities around the globe. The website offers tools, tips & tricks to help women grow their businesses and get down to business:

Small Business Trends: What's the first thing you do when getting to your office each day?

Jill Salzman: Put a straw in my glass of water.  The straw is probably the most important thing to make sure I have each morning.

Small Business Trends: How many times a day do you check your email - be honest!

Jill Salzman: Every 25 seconds.  May be less.

Small Business Trends: If you had an extra $100,000 for your business, where would you spend it?

Jill Salzman: Hiring great people and overhauling the website.  Team is #1 and if you have that extra $100,000, please call me ASAP.

* * * * *

Editor's note: This article is part of a series highlighting key players in the Small Business Influencer Awards.




Google Do… Uh… Drive? Find Out What It's All About!

Nope, Google Docs isn't dead. This is not another Googleocalypse. Instead of eliminating something (like it regrettably did with Google Desktop), the search mammoth has hit one out of the ballpark with a change that gives you multiple advantages, all in a new product called Google Drive.

Now, Google combines its collaborative office suite with a cloud storage platform that lets you kill two birds with one stone. Google Drive is a place to store your pictures, create new documents, collaborate with others in content and spreadsheet creation, and access them from any device no matter where you are.

OK. There's no need to sweeten this any further. We all know that Google Drive is a powerful product. But what about its cons?

Here are a few:

  • The interface doesn't explain in-depth what a fusion table is or how to use it. If Google would have a video on this, I think that many people would use this feature. At the time of this article's publication, the fusion table (in the “Create > More” menu) is experimental, so I guess that Google will eventually have more in-depth material on this. From what I know, it's a table that allows you to join different data sets from spreadsheets.
  • Google Drive has half the space that Gmail currently gives you. How something like email would require 10 GB is beyond me. However, there's another side to the coin: Google Drive lets you upgrade from 5 GB to 25 GB for nearly $2.50 a month. It allows you to add up to 16 TB of additional storage.
  • You might lose some docs in the midst of all the new folders and labels. If you want to find a doc that you lost, click “More” below all of the folder labels. It'll be there. That's a workaround, though, and workarounds are a “no-no” when introducing people to a new piece of software.
  • It's mobile, but not as mobile as it should be. What I mean is that Google Drive currently only works on Android phones. Google says that it's working diligently (wink, wink) on getting an iOS version out. Since iOS switched over from Google Maps to Apple Maps, I'm not sure if Google's going to put such an effort on the “Google Drive for iOS” project. It might eventually end up being “Apple Drive.”
  • It's iffy on the compliance side. If your company has to comply with HIPAA, PCI DSS, SOX, or any of those other crazy acronyms that tear a hole in your head whenever you switch over to a new cloud application, it's not exactly the best idea to use Google Drive for sensitive company documents regarding customer information or information pertaining to shareholders and investors.

If the pros outweigh the cons, then by all means hop into Google Drive. It's a very powerful environment that allows you to have ultimate collaboration capabilities between you and your crew.



SBA Kicks Off Chats for Women's Month

The U.S. Small Business Administration has designated October as National Women's Small Business Month, recognizing the contributions of women to small business in our economy. Be sure to attend a series of live online chats for women in small business, starting today. For more on the live chats and on the role women play in entrepreneurship, see the links below in Small Business Trends National Small Business Month roundup.

Tune In

Talk the talk. Drop by for the first live chat in the National Women's Small Business Month series today at 3 p.m. ET. The discussion will cover starting and growing your business, with other topics including finding capital, contracting with the federal government, and business opportunities for young women, happening later this month. SBA.gov

Women on point. One study estimates women could create between 5 and 5.6 million new small business jobs by 2018, meaning that while entrepreneurs like Mark Zuckerberg and Bill Gates continue to make headlines, women in small business could be key to spurring the economy. The Huffington Post

Lead On

Women in leadership. And there are even more great examples of women in strong leadership roles in business. Take Meg Whitman, Hewlett-Packard's chief executive, who is spearheading a retooling of her company and repositioning it in tough economic times. There are leadership roles for women in businesses large and small. The New York Times

Need to know. There's some other data you need to know about the importance of women in small business and entrepreneurship roles. Ashley Neal shares information and a link to American Express OPEN's second annual State of Women Owned Businesses report. Small Biz Diamonds

Your Future

Stand up and be counted. For women to claim the role of leader in small business and entrepreneurship that they deserve to occupy, they must sometimes make the sacrifice of appearing at those industry events and taking a larger leadership role. For women, this sometimes conflicts with the responsibilities of family, but it is a sacrifice that must be made, says one blogger. Malla Haridat

Why women in business remain important. Of course, those interested in the progress of women and their growing role in small business and entrepreneurship must understand the issue impacts far more than just women. As Deborah Shane notes, quoting the President of the United States, it touches upon issues of family, economics, and competitiveness. Small Business Trends

A guide to moving forward. Finally, we conclude with some practical advice from a business and marketing coach on how women entrepreneurs can move their businesses forward. Don't let your company get stuck in a rut. Check out these tips and learn to get your business on track with a plan to meet your goals and achieve your dreams. Annemarie Cross