Verizon DBIR 2013: Damage caused by simple attacks, slow detection

For all the industry discussion about the evolution of so-called advanced cyberattacks, data from the Verizon 2013 Data Breach Investigations Report indicates a select few attack types are responsible for the majority of last year's reported breaches. Despite that consistency, the majority of organizations fail to identify breaches until months after the initial compromise.

The report, released late Monday, is Verizon's annual analysis of data breaches and breach investigations conducted in the previous year. In addition to Verizon's own data, this year's Data Breach Investigations Report (DBIR) includes breach incident data from 18 other organizations around the world.

The 2013 DBIR showed that just three attack types -- ATM skimming, what Verizon calls "POS smash-and-grab" involving a combination of brute force and malware, and a combination of phishing, malware and hacking -- were used in 68% of the breaches in this year's data set.

"While there is still some wiggle room for the baddies to be creative," Verizon wrote in the report, "this is an indication that treating our adversaries as random and unpredictable is counterproductive. We may be able to reduce the majority of attacks by focusing on a handful of attack patterns."

According to Verizon, hacking -- defined for the purposes of the report as all attempts to intentionally access or harm information assets by circumventing logical security mechanisms -- played a role in slightly more than half of the breaches Verizon analyzed; those incidents were dominated by the use of stolen account credentials, a backdoor or a brute-force attack. As Verizon noted, the use of something other than a single-factor username-password credential would have likely thwarted 80% of the hacking attacks reported last year.

Countries represented in the combined caseload (Verizon and partners). Source: Verizon DBIR 2013 - used with permission

Rick Holland, senior analyst with Cambridge, Mass.-based Forrester Research, said organizations must be aware of the significant number of attacks that don't involve malware and hence don't have any signature that can be used for detection.

"Organizations shouldn't get hyper-focused on malware. Get ready for incidents involving password theft and abuse of credentials," Holland said. "That's why network visibility is so critical; to look for anomalous behavior."

However, malware -- malicious software, script or code -- was involved in 40% of the breaches in Verizon's data set. The majority of malware installations were either direct or via email, though large organizations saw a small but notable uptick this year in Web "drive-by" malware downloads.

In cases where attackers had largely financial motivations, spyware -- including keyloggers and form-grabbers -- was the malware variety of choice. In cyber-espionage-related breaches, attackers used a variety of types of malware with no predominant type.

Compromise taking longer; so is breach detection

The 2013 DBIR detailed the typical timespan of a breach. In 60% of the breaches in this year's data set, the initial compromise took place over a period of multiple hours, a small window indeed, but slightly longer than in years past.

Top 10 origin countries of external data breach actors. Source: Verizon DBIR 2013 - used with permission

However, organizations struggled mightily with breach detection: a majority of breach events (62%) were not discovered until months after the initial compromise; discovery time in 4% of the breaches was measured in years. Additionally, seven out of every 10 breach events were initially discovered by someone outside the breached organization.

"Victims regularly do not discover breaches themselves," said Kyle Maxwell, a senior analyst with Verizon. "They are either notified by law enforcement or card brands, or other organizations that are doing breach notifications. Particularly in cases of espionage attacks, investigations from one organization lead to other organizations that have been attacked."

"I don't think a lot of organizations have the appropriate technology in the right spots," Holland said. In particular, he referenced the difficulty enterprises have in securing third-party software like Java; attackers seeking a way into an organization often take advantage of the many enterprises that struggle to quickly implement third-party patches.

"Even though we know when the Microsoft Patch Tuesday releases come out … by the time we can get a patch out, there's always going to be a lag," Holland said. "If I were an attacker, I'd go after third-party applications all day long."

The report, not without a touch of irony, noted that the most effective means of detecting a breach internally proved to be end users. Though often the weak link in the information security chain, run-of-the-mill users were, the data showed, first to discover suspicious activity and report it to IT or management.

"Enterprises have a difficult time managing the threat landscape and operational impact of security in terms of staffing and resources," Holland said. "People want the easy button and there is no easy button."




Verizon data breach report 2013: Data shows need for risk awareness

Know your adversary. It's a classic mantra of information assurance professionals. While it's further reinforced with the release of the 2013 Verizon Data Breach Investigations Report, the report offers a treasure-trove of data that also underscores the importance of organizational self-analysis in determining what attackers want and how they're likely to go after it.

The report, released late Monday, is Verizon's annual analysis of data breaches and breach investigations conducted in the previous year. In addition to Verizon's own data, this year's Data Breach Investigations Report (DBIR) includes breach incident data from 18 other organizations around the world (see sidebar below), including more than a dozen first-time contributors. Prior to analysis, Verizon once again standardized its breach dataset, this year encompassing 621 breach events and more than 44 million compromised records, using its VERIS incident-sharing framework.

Data points in the 2013 DBIR indicate clear patterns in the motives and methods adversaries used to successfully breach victim organizations. Of the 92% of breaches in this year's data set that were caused by external threat actors, Verizon tied more than half (55%) to purely profit-driven organized criminal groups.

According to Verizon, these profit-driven adversaries are most interested in companies in the finance, retail and food-services industries, and their attacks most often originate from countries in Eastern Europe or North America.

Not surprisingly, attackers seeking immediate profit favor payment data and personal information; for knowledgeable cybercriminals, it remains trivial to quickly convert those commodities into cash.

Increase in state-affiliated cyber-espionage tied to China

Verizon noted a rise in breaches linked to state-affiliated actors, comprising 21% of the breaches in this year's data set. Verizon, however, was reluctant to confirm an industry-wide increase in state-affiliated breaches, despite admitting its own breach investigations included more espionage-related cases than in any previous year.

Threat actor profiles. Items appear in order of prevalence among breaches attributed to each threat actor variety. Source: Verizon DBIR 2013 - used with permission

Nonetheless, state-affiliated actors were active in 2012, focusing on cyber-espionage against victims in industries rich in valuable intellectual property, such as manufacturing, transportation and professional services industries; targets favored by financially driven attackers, namely retail and food-service firms, were ignored almost entirely by threat actors engaged in espionage campaigns.

Malicious actors conducting cyber-espionage campaigns sought out trade secrets, sensitive internal data and system information above all else. Impressively, more than 95% of state-affiliated espionage breaches somehow involved the use of phishing to gain entry into the target organization.

"I think that's big," said Rick Holland, senior analyst with Cambridge, Mass.-based Forrester Research Inc. "That clearly tells you if you're in an IP-rich vertical, you need to take your security controls for anti-phishing pretty solidly."

And it wasn't just Fortune 500 firms that lost intellectual property to attackers: cyber-espionage-related data breaches among companies with fewer than 10,000 employees happened more frequently than at larger firms by an 81-to-19 ratio.

"Small attorney firms or professional services firms are getting compromised because they have sensitive data on clients," said Kyle Maxwell, senior analyst with Verizon. "So rather than try to breach a large, well-defended network, it's easier just to compromise the outside counsel or auditing firm, and get financial statements or plans for M&As [mergers and acquisitions] or other trade secrets from those firms."

Perhaps the most striking finding of all, Verizon said 96% of espionage cases in the 2013 DBIR were attributed to threat actors in China. While Verizon did not indicate how many of the incidents could be classified as state-sponsored cyber-espionage, the findings are no surprise on the heels of the recent Mandiant Corp. APT1 report, which offered compelling evidence indicating that Unit 61398 of China's People's Liberation Army has been perpetrating a massive, years-long cyber-espionage campaign against U.S. interests.

Hacktivists steal less data; no one-size-fits-all defense

The malicious activist or hacktivist archetype, which was featured prominently in the 2012 DBIR, stole far less data last year. Despite being tied to roughly the same number of externally driven breach incidents (about 2%), Verizon believes their decreased prominence is a result of a change in tactics.

"[Hacktivists] stole a lot less data, partly because their attacks have changed," Maxwell said. "They have been using DDoS [distributed denial-of-service] attacks now, which are out of scope for the DBIR because there's no breach involved in a DDoS attack." Maxwell suggested that the arrests of the major players in the hacktivism community may have also contributed to the decline.

This year's report goes to great lengths to illustrate the differences among various groups of threat actors, and that's no coincidence. Maxwell said organizations must strive to better understand what data attackers want and prioritize their defensive efforts accordingly.

"Organizations can't take a one-size-fits-all approach to their defenses; different types of attackers use different methods," Maxwell said. "Organizations of all sizes and all sectors need to understand their threats and plan accordingly rather than assume they can set up static defenses that'll work for everything."

The insider threat: Significant or over-emphasized?

The 2013 DBIR offers some contradiction regarding data breaches caused by insiders: The 2013 data set features the highest percentage of insider-driven data breach incidents since 2009 (14%), yet within a larger sample of security incidents Verizon examined, nearly seven out of every 10 were caused by an insider acting carelessly, though not necessarily maliciously.

"When not dealing with breaches per se, certainly insiders rule the roost if you will in that larger data set," Maxwell said. "We do believe that overall more attacks occur by outsiders, but that doesn't mean what an insider does may be any less damaging."

In the report, Verizon noted that previous years' data sets may have over-emphasized what it calls "highly scalable remote attacks that essentially overwhelmed the external-internal ratio" and that a broader set of data from its new partners this year has likely restored a more accurate picture of the industry-wide internal-external balance.

Still, certain data points may be cause for renewed concern regarding insider threats. The majority of insider breaches, according to Verizon, continue to be intentional, profit-driven acts, though organizations are also plagued by a surprising number of low-tech events, like lost and misdirected documents.

In smaller organizations, Verizon found that employees directly involved in handling payments, namely cashiers, waiters and bank tellers, were most often responsible for insider breaches, often at the behest of external parties in support of a larger fraud ring.

Separately, Verizon noted the less-frequent but ongoing risk of mistakes by administrators or programmers that lead to data exposure, particularly in large organizations. It offered up a specific example of an application debug setting that inadvertently caused sensitive financial data to be stored insecurely, and in turn become exposed to unauthorized parties.

Philip Alexander, founder of Chandler, Ariz.-based consultancy Data Privacy Network, said the risks of disgruntled or careless employees are ever-present and shouldn't be ignored. He said organizations should combat those risks with ongoing awareness and a policy that restricts data access. He also recommended the use of data auditing.

"People are much less likely, maliciously or just lazily, to mishandle data if they know it could be tracked back to them," Alexander said. "Auditing is not a preventative control, but it will track misuse and let you respond accordingly."

2013 DBIR expands beyond breaches, de-emphasizes record tally

A new twist in this year's DBIR is the inclusion of more than 47,000 reported security incidents, yet Verizon carefully separated data points drawn from that larger data set from those drawn from confirmed data breaches.

Data breaches sorted by victim industry (filtered for network intrusions). Industries based on North American Industry Classification System. Source: Verizon DBIR 2013 - used with permission

Rich Mogull, analyst and CEO with Phoenix-based research firm Securosis, lauded Verizon for making two key decisions that he said really enhanced the quality of the 2013 DBIR.

"The first was the choice to drop record counts almost completely from the report. These are fairly meaningless overall and merely distracted from the incident-oriented nature of the data," Mogull said. "The second was to focus only on confirmed breaches, even though they had a much larger data set of incidents. This allows readers to make informed decisions on what will actually cause damage vs. what they might merely see that doesn't actually hurt them."

"This is definitely the best year [yet]," Mogull added, "with an insane amount of useful data."

Despite Verizon's efforts to improve how it quantifies breach data, perhaps the most frightening data point in the entire report involves organizations' inability to quantify data loss.

According to Verizon, of the breach events comprising its data set, organizations had a complete and reliable count of compromised records only 15% of the time. In other words, in 85% of breach incidents, the organizations could not determine the full extent of the breach.

Alexander said Verizon's findings highlight how important it is for organizations to conduct a baseline inventory of sensitive data, so it's easier to discover what's missing or what has been tampered with in the wake of a security incident.

"I'm a big fan of not only knowing what data you have, but also putting it only on approved sites, because putting security controls on tired systems can be more expensive," Alexander said. "I may have 1,000 servers with sensitive data across all of them, but if I only have sensitive data on 20 servers, it's a lot cheaper to secure just those 20."

Holland advocated for a greater enterprise focus on network visibility, using a variety of gateway, endpoint, Web and email security technologies.

"Customers always ask us, 'Where am I going to put my advanced threat budget?' and they want to direct it toward one technology, but they can't," Holland said. "But it starts with having increased visibility, because we all know prevention is going to fail."




Verizon DBIR 2013: Damage caused by simple attacks, slow detection

For all the industry discussion about the evolution of so-called advanced cyberattacks, data from the Verizon 2013 Data Breach Investigations Report indicates a select few attack types are responsible for the majority of last year's reported breaches. Despite that consistency, the majority of organizations fail to identify breaches until months after the initial compromise.

Particularly in cases of espionage attacks, investigations from one organization lead to other organizations that have been attacked.

Kyle Maxwell,
senior analyst, Verizon

The report, released late Monday, is Verizon's annual analysis of data breaches and breach investigations conducted in the previous year. In addition to Verizon's own data, this year's Data Breach Investigations Report (DBIR) includes breach incident data from 18 other organizations around the world.

The 2013 DBIR showed that just three attack types -- ATM skimming, what Verizon calls "POS smash-and-grab" involving a combination of brute force and malware, and a combination of phishing, malware and hacking -- were used in 68% of the breaches in this year's data set.

"While there is still some wiggle room for the baddies to be creative," Verizon wrote in the report, "this is an indication that treating our adversaries as random and unpredictable is counterproductive. We may be able to reduce the majority of attacks by focusing on a handful of attack patterns."

According to Verizon, hacking -- defined for the purposes of the report as all attempts to intentionally access or harm information assets by circumventing logical security mechanisms -- played a role in slightly more than half of the breaches Verizon analyzed; those incidents were dominated by the use of stolen account credentials, a backdoor or a brute-force attack. As Verizon noted, the use of something other than a single-factor username-password credential would have likely thwarted 80% of the hacking attacks reported last year.

Countries represented in the combined caseload (Verizon and partners) Source: Verizon DBIR 2013 - used with permission

Rick Holland, senior analyst with Cambridge, Mass.-based Forrester Research, said organizations must be aware of the significant number of attacks that don't involve malware and hence don't have any signature that can be used for detection.

"Organizations shouldn't get hyper-focused on malware. Get ready for incidents involving password theft and abuse of credentials," Holland said. "That's why network visibility is so critical; to look for anomalous behavior."

However, malware -- malicious software, script or code -- was involved in 40% of the breaches in its data set. The majority of malware installations were either direct or via email, though large organizations saw a small but notable uptick this year in Web "drive-by" malware downloads.

In cases where attackers had largely financial motivations, spyware -- including keyloggers and form-grabbers -- was the malware variety of choice. In cyber-espionage-related breaches, attackers used a variety of types of malware with no predominant type.

Compromise taking longer; so is breach detection

The 2013 DBIR detailed the typical timespan of a breach. In 60% of the breaches in this year's data set, the initial compromise took place over a period of multiple hours, a small window indeed, but slightly longer than in years past.

Top 10 origin countries of external data breach actors Source: Verizon DBIR 2013 - used with permission

However, organizations struggled mightily with breach detection: a majority of breach events (62%) were not discovered until months after the initial compromise; discovery time in 4% of the breaches was measured in years. Additionally, seven out of every 10 breach events were initially discovered by someone outside the breached organization.

"Victims regularly do not discover breaches themselves," said Kyle Maxwell, a senior analyst with Verizon. "They are either notified by law enforcement or card brands, or other organizations that are doing breach notifications. Particularly in cases of espionage attacks, investigations from one organization lead to other organizations that have been attacked."

"I don't think a lot of organizations have the appropriate technology in the right spots," Holland said. In particular, he referenced the difficulty enterprises have in securing third-party software like Java; attackers seeking a way into an organization often take advantage of the many enterprises that struggle to quickly implement third-party patches.

"Even though we know when the Microsoft Patch Tuesday releases come out … by the time we can get a patch out, there's always going to be a lag," Holland said. "If I were an attacker, I'd go after third-party applications all day long."

The report, not without a touch of irony, noted that the most effective means of detecting a breach internally proved to be end users. Though often the weak link in the information security chain, run-of-the-mill users were, the data showed, first to discover suspicious activity and report it to IT or management.

"Enterprises have a difficult time managing the threat landscape and operational impact of security in terms of staffing and resources," Holland said. "People want the easy button and there is no easy button."




It Takes 3 to 5 Years to Prepare to Sell a Small Business


Are you considering selling your small business? It’s fairly likely that you may be ready to sell a small business, considering that more businesses have been bought and sold this year than at this time last year, according to a BizBuySell survey.

However, valuations of those businesses could be lower in 2013, thanks to some tax changes. So if you want to get the best sales price possible, there are likely some steps you should already be taking, even if you’re not quite ready to sell.

Most owners don’t realize that selling a business can be so time consuming, according to Bob Pullar of Owners University, who recently suggested that owners spend three to five years preparing to sell in order to get the best price possible. Pullar said that preparing your business for sale over time will allow you to demonstrate how well your company trends over time, both financially and operationally.

And those who don’t take the time to properly prepare are leaving money on the table. According to Pullar, an owner that takes the time to complete all the necessary valuation enhancing projects can see an increase of up to 400% in valuation, depending on their industry.

So what steps do owners need to take to make sure they get the best sale price? Pullar recommends having three to five years of audited or reviewed financial statements, along with an annual business plan and three-year projection.

In addition, owners should have a detailed succession plan, which includes key managers to run the business after the sale, other employees who are key to the business’s success, and up-to-date contracts with third party suppliers.

According to a PriceWaterhouseCoopers survey (DOC), 79% of business owners identified maximizing the financial return as their top objective for succession. But not all of those owners said they had a succession plan in place. In fact, the most common step taken to prepare for succession was improving profitability by cutting costs and restructuring debts and compensation.

Though profitability improvements can certainly have an impact on valuations, Pullar said that most companies don’t require any massive changes in this area when preparing to sell. And even those that do need to make significant changes should begin preparations early and not discount the other steps involved in improving valuations.

“The most important thing for an owner to realize is that they can’t afford to wait until they know 100% that they want to sell their businesses,” said Pullar.

There is no magic formula for making sure your business is ready to sell. Targeting buyers and evaluating your business’s value can vary by industry. But having a plan and allowing enough time to implement it is essential for any industry.








CISPA Passes House Amid Worries Over Privacy


Last week, the U.S. House of Representatives passed a groundbreaking cybersecurity bill that’s been widely debated lately. Some tech firms support it, while other organizations, firms and citizens have rallied against it.

The House voted on Thursday afternoon, 288 to 127, to pass the Cyber Intelligence Sharing and Protection Act (CISPA). The bill will now move on to the U.S. Senate. If passed, it moves on to President Barack Obama for final approval.

This is the second year in a row that a CISPA bill has passed the House.  Last year it died in the Senate, but now it’s back.

As we noted in last week’s report, battle lines have been drawn over CISPA.

  • Proponents say it is needed in order to protect U.S. citizens and companies from increasing computer attacks.
  • Critics of CISPA say that in its current form, the law violates privacy rights because it lacks protections on how private data can be used by the government.

The bill is supported by some of the tech industry’s giants like Oracle and Intel.  It allows them to alert the federal government of a security breach on their networks and provide information.

After CISPA passed the House on Thursday, it did not take long for critics to voice their displeasure. U.S. Rep. Nancy Pelosi said CISPA, as it was passed, “offers no policies and did not allow any amendments or real solution that upholds Americans’ right to privacy,” according to a report at RT.com.

Other opponents say that CISPA, as written now, is too broad. It would supersede privacy agreements that companies have with their users.

The bill, according to Business Insider, would also allow the government to compile a database of information shared by private companies and search that information for violations of criminal law. Critics say this information sharing is done under the guise of cybersecurity.  However, currently there is no language written into the bill that dictates when the federal government could collect that information, and CISPA would override current privacy protections, critics claim.

The Electronic Frontier Foundation (EFF) has advocated strongly against the bill. It mounted an effort to help citizens contact legislators to oppose the bill.  The EFF offers an online form where you can send a communication to your Senator to oppose CISPA.  The EFF calls the bill’s passage in the House “shameful.”

“CISPA is a poorly drafted bill that would provide a gaping exception to bedrock privacy law,” EFF Senior Staff Attorney Kurt Opsahl said in a prepared statement on the EFF website. “While we all agree that our nation needs to address pressing Internet security issues, this bill sacrifices online privacy while failing to take common-sense steps to improve security.”

Other groups opposed to CISPA include the American Library Association, the American Civil Liberties Union, Mozilla, Reporters Without Borders, and the National Association of Criminal Defense Lawyers. Below is an open letter by opponents of CISPA to House members before the recent House vote:





Three Things Every Business Owner Should Be Thinking About! A Conversation with Shashi Bellamkonda, VP of Digital Marketing at Bozzuto Group

I recently had a call with Shashi Bellamkonda, VP of Digital Marketing at The Bozzuto Group. Shashi, who recently left Network Solutions after twenty years, talked with me about his previous role and what his new role will entail. He also shared three things that he focused on as he prepared to enter his new role - three things that he feels every business owner should be thinking about.

During his time at Network Solutions, Shashi said that he felt like he changed roles / jobs every three to four years: from customer service, to product management to product marketing. Then came social media, which Shashi immediately took an interest in and convinced Network Solutions that they should venture into as a new way of talking to their customers. With that, Shashi took over the social media role and spent his last many years overseeing their social media efforts: building a community and handling their contact marketing.

In his new role as VP of Digital Marketing at Bozzuto Group, which is a privately held integrated real estate services organization, Shashi will be concentrating his efforts on bolstering their digital presence so that more people think of them when they want an apartment in the mid-Atlantic region.

In preparation for this new role, Shashi stressed how important it was for him to take time to disconnect from everything and use this time to think about his new role prior to beginning. Shashi highly recommends ‘disconnecting’ to everyone, as it’s the best time to think clearly. During this time of thought, Shashi kept thinking about three things:

  • Look at who your existing customers are and how you can get them to refer more business to you.
  • Think about all of the people who may be searching for you online; if they are not able to locate you, or you don’t have a solid online reputation, they are most likely going to find a competitor.
  • What are the ‘talk-able’ stories that you could be saying about your business?

Shashi points out that these three points are relevant to every business owner, not just someone coming into a new role. It’s imperative that you know who your customers are, because in doing so you’ll know how to better service them, which will organically lead to them referring your business to their friends.

As for point #2, Shashi says, “I think we are in an age of visible strangers, in a way. We tend to believe what people write, and most of the time it is believable, because people go out to businesses, they review products, and they go to SmallBizTechnology.com to check out the reviews there; so it’s peer reviews or people similar to you reviewing products. It has certainly become the big thing right now.”

Shashi points out, “The lesson to businesses is if people are posting something online about your business, it is almost like an email to you. Hopefully most of the time it is good, but if it is bad, it is an opportunity for you. Having a bad review is not the end of the world, and I always recall this statement from a chef friend of mine in the DC area. He said, ‘Look, I use it as an opportunity. 1.) If there is something wrong that we did in the business, we correct it. 2.) If it’s something that was very poor to this customer and we can fix it the next time they come, we tell them that. Ask the customer to come back and tell them we will make it right for you, and people like that. People want to be heard’.”

Point three is one of the most difficult for most businesses, Shashi points out, and I tend to agree; but it’s really quite simple. A ‘talk-able’ story is ANYTHING about your business that people are talking about.

As an example, Shashi notes, “We visited a restaurant in D.C. called Indique Heights. They have a menu item that’s called Meen Fry, it is like a French fry from the South of India and I know this because I used to be a chef in my previous life. But two to three people actually had a conversation online about this particular dish, so that’s the ‘talk-able’ part of this. What the business owner should now be doing is using social media to point out this ‘talk-able’ point, with posts like ‘love Meen Fry’ and use the hash tag #spicyconversation or ‘hey people who come to my restaurant like Meen Fry, maybe you would too’.”

Many people come to me and say ‘What should I write about in my blog’ or ‘I don’t know what to Tweet about or what to post on social media’. As Shashi points out, both of these questions are answered with the same item: focus on those ‘talk-able’ points. He suggests that businesses not shy away from telling everyone about their good quality - they should be proud of what their product is and tell people about it. This doesn’t mean you over-sell to them, but noting stories from customers who had positive experiences, or gave you positive comments, is the best way to spread the word.

Shashi has given us some great advice on what, as business owners, we need to be thinking of in reference to our customers and online footprint. As obvious and simple as these three things may be, they need to remain in the forefront of our thinking as small business owners. And while the examples are not a ‘one-size-fits-all’ solution for every business, the core principle of each is.

When was the last time you unplugged and thought about any of these items for your business?  Let us know in the comments.



New Book, ‘The Ultimate Guide To Pinterest For Business’ Reveals How To Leverage The Popular Social Platform

Business author and columnist Karen Leland will release her new book, Ultimate Guide to Pinterest for Business, on May 1st.  This book outlines how businesses can take full advantage of Pinterest, the social bookmarking site that has grown exponentially over the last three years.

Pinterest allows users to create their own online scrapbook of images to share with followers. The site has grown rapidly since its launch in 2010 by co-founder Ben Silbermann, now the company’s CEO, alongside Evan Sharp and Paul Sciarra.

In May of last year, the site gained significant investment from Japanese e-commerce company Rakuten to the tune of $100,000, which along with the site’s previous investors valued Pinterest at $1.5 billion. The site is now the third largest social network with 48.7 million members globally and, as of February of this year, is valued at $2.5 billion, according to Reuters.

Much like Facebook, Twitter, et al., which have revolutionized the world of marketing and promotion, Pinterest now joins the elite group of social media platforms whose benefits small businesses need to leverage. Retail companies were the first to take advantage of the site’s possibilities, and marketing professionals were quick to recognize a good thing when they saw it. Karen Leland has delved headfirst into this area with her new book Ultimate Guide to Pinterest for Business.

With a publication date of May 1st, Ultimate Guide to Pinterest for Business, published by Entrepreneur Magazine Press, aims to collate the vital information a business needs to leverage the social media platform for their advantage.

Leland starts with the basics on how to get registered and begin pinning, and from there, how to grow your Pinterest presence. Whether it’s drawing traffic to your page, driving potential customers to a sale or devising pinning strategies, Leland goes into much depth to show you how to benefit from Pinterest, both here and now, and in the long term.

She will run you through the different ways to organize your pin board in the best way to suit your business and most importantly, how to make sense of features like Pinterest Web Analytics to gauge your audience and tailor your reach to them.

Karen has previously written nine books on business and marketing, including ‘Time Management In An Instant: 60 Ways to Make the Most of Your Day’ and ‘Public Speaking In An Instant: 60 Ways to Stand Up and Be Heard’. She is also the President of the Sterling Marketing Group, working alongside many high profile companies like AT&T, Apple and American Express and many Fortune 500 businesses.

If you’re looking for even more reading on the power of social media in small business, Small Biz Technology editor Ramon Ray’s new book The Facebook Guide to Small Business Marketing gives insight into the roles of social media in business, specifically the use of Facebook as a marketing tool.

Both reads will give you a unique look into the ever-changing worlds of digital media marketing and how to get the most out of every option available to you.



How You Can Benefit From “Clean Slate” Brands


[Clean Slate Brand, Lockitron: Home Security Via Smartphone App]

Conventional wisdom has always been that it’s hard to bring a new product to market because consumers have an inherent preference for the familiar. Humans are hard-wired to resist change, because in our caveman days, change meant danger. So whether they’re buying toilet paper for the bathroom or telemarketing services for their business, most people stick with brands they already know versus unknown new brands.

But that may be changing, Trendwatching reports, thanks to new consumer attitudes creating a preference for “clean slate” brands. That is, new and unknown brands that are suddenly enjoying consumer approval.

What’s behind the clean slate trend? Several factors, Trendwatching says. First, big brands are widely perceived as tired or even evil. With just 33 percent of U.S. consumers saying they trust big brands, new, small, innovative businesses have a built-in edge.

Second, consumers are crazy for the new because thanks to social media, everyone wants to be the first to discover and share new trends. Sticking with the tried and true isn’t seen as smart, but as stodgy. Since consumers can quickly find out from friends and family (what Trendwatching calls the “F Factor”) whether a brand is worthwhile, the hurdle of gaining trust is lessened.

Finally, there’s a fresh feeling to new products and brands that consumers like. Newer brands and businesses are typically leaner, more transparent and more flexible. And many new companies and products are based on socially responsible foundations.

So how can you benefit from the clean slate craze? You don’t have to be a startup, or even be launching a new product or service, to take part. Here’s how to wipe the slate clean for your business, no matter what stage you’re in.

Be Transparent

Complexity befuddles customers and makes them suspicious you’re hiding something. Make your customer service process simple and straightforward. Be transparent to your employees, too.

Share Who You Are

Authenticity is a big part of clean slate brands. Customers want to know who’s behind the business, what they stand for and what the company’s story is. Put your story on your website and in your marketing materials.

Interact

Social media makes it easier than ever to engage with your customers. Don’t just push your messages out to them, but also listen to what they have to say and what they want from you.

Harness the Friend Factor

Solicit testimonials and reviews from satisfied customers. Ask them to share your business on social media and spread the word. Ask for referrals to others who might want to try your product or service. Recommendations build instant trust.

Be Socially Responsible

Don’t try to force this, but if getting involved with causes can flow naturally from your business model, all the better. Tell customers what you do to help the causes you care about and show them how buying from you makes them part of the solution.

Work With Clean Slate Brands

Use locally sourced produce and meats in your restaurant and tell customers where it’s from. Highlight products from small, new or socially responsible businesses in your retail store or on your website. Partnering with other clean slate brands creates a halo effect that boosts your own business.

Visit the Trendwatching site for more examples of clean slate brands that are making waves.








7 Things To Look For In Web Conferencing and Three Companies Who Strive To Provide

Despite the amazing strides that cloud providers have made to ensure a proper future for small businesses around the world, their efforts in web conferencing have been unexceptional. Small providers’ efforts in this camp have gone mostly unnoticed, and most businesses have been focusing their energies in using “tried and true” platforms such as Skype and Cisco’s WebEx. But are these really services that can help squeeze out all of your potential?

The story of business-level video conferencing has been a very murky one. We have all sorts of solutions, but many of them have isolated features we like while lacking in areas that are crucial. It’s mostly a hit-and-miss with practically any service you use. The level of innovation in video conferencing for small businesses has been, well, small. Any high-end solution that includes HD videos, cloud meetings, and highly-scalable environments would often require purchasing expensive hardware that’s not within the reach of businesses that already have other disproportionately enormous budgets to contend with, such as travel budgets for employees or loan payments.

But here’s the good news: Video conferencing has been getting some cloud juice lately. New solutions have been popping up all over the Web, namely bluejeans, LifeSize Connections, and Zoom.

Each of the services mentioned above has its own perks. Bluejeans has a massive interoperability portfolio, meaning it will work with virtually anything you combine it with. LifeSize gives you an astounding amount of video conferencing capabilities and is backed by Logitech, a very popular name in computing. Then we have Zoom, with its Unified Meeting Experience (UMX), which offers a cloud-based video conferencing platform that only requires a camera to work (it also works on mobile devices). They also have a hybrid cloud solution which provides in-house conferencing managed by the cloud. The conference can be initiated on your machines while accounts and meeting schedules are handled by their cloud.

There’s still a long way to go, and all of these companies each have their own unique challenges.

To make sure you have proper web conferencing software, you’ll need to find one that:

  • is affordable,
  • operates on every device a participant might use,
  • offers HD conferencing wherever possible,
  • doesn’t require special hardware or software to run,
  • has a significantly powerful connection quality across different geographical locations,
  • allows as many participants as possible, and
  • is easily usable for people who are not very technologically literate.

Finding such a solution is like trying to find the perfect chocolate. Each company offers its own flavor. But, in all sincerity, Zoom comes closest to meeting the requirements for conferencing Nirvana. Bluejeans comes in second, but only because its services have exorbitant price tags ($300 per seat, per month). Compare that to Zoom’s $9.99 per month for a UMX meeting room that includes up to 25 participants for an unlimited time. In both services, you get HD conferencing, clear connection quality, and a high-security environment.

Web conferencing is still a difficult game to play, and it’s not exactly for every business. But if you believe you could certainly use an affordable solution, rest assured that there are at least three companies that you can choose from. Perhaps in the future, more choices will present themselves. For now, the future is certainly looking bright!



Texas Tops List of Best Small Business Tax Systems, California At Bottom


If you were to choose a state to do business in based solely on state tax systems, Texas and North Dakota would be at the top of the list. And at the bottom?  Try California, Hawaii and New Jersey.

The Small Business and Entrepreneurship Council has released its annual Business Tax Index 2013.  The Index ranks the 10 best and worst states in which to do business from a tax system perspective, especially for small business owners.

Topping the list this year for states offering the best tax climate for small businesses are:

1) Texas

2) South Dakota

3) Nevada

4) Wyoming

5) Washington

6) Florida

7) Alabama

8) Colorado

9) Ohio

10) Alaska

The top 10 are unchanged from last year’s SBE ranking, according to our report of it. The only changes concern the order.  The most notable shifts were South Dakota and Texas switching between the top and second spots (although there’s little difference in point scores). Alaska dropped 3 places from seventh to tenth.

At the bottom of the list, the worst states in 2013 according to the SBE ranking methodology, include:

(41) Connecticut

(42) Oregon

(43) Minnesota

(44) New York

(45) Maine

(46) Vermont

(47) Iowa

(48) New Jersey

(49) Hawaii

(50) California

All ten bottom states were the same as last year. Only their order changed. Last year in 2012, Minnesota was ranked last in state small-business tax friendliness, but improved its position by seven places.

In the report, lead author and chief economist for the SBE Raymond J. Keating said, “At the federal level, businesses, investors and entrepreneurship have been hit hard in 2013 by big tax increases. But taxes matter for business at the state and local level as well. In the states, tax burdens vary widely, with competitiveness affected accordingly.”

States need to remain competitive to attract and retain small businesses.  The state tax environment is one consideration that makes one state more attractive than another. SBE Council President Karen Kerrigan says, “Competition for investment and business relocation is fierce, and state leaders who understand this dynamic are reshaping tax policies to enable capital formation and entrepreneurship.”

Kerrigan adds that Texas continues to be a benchmark for creating a small business tax environment favorable to small business owners. Other states are currently making changes to their tax laws that could alter next year’s rankings. “Louisiana, Indiana, North Carolina and Nebraska have put forward bold tax reform proposals that will dramatically improve their competitive positions if enacted. Also, state efforts directed at tax reform are pushing Congress to act,” Kerrigan adds, according to a statement from the SBE accompanying the study.

The Small Business & Entrepreneurship Council issues its tax index annually.   The methodology in 2013 looked at 21 measures.  The measures include state personal income tax rates, capital gains tax rates, corporate income tax, death taxes, unemployment taxes, gas taxes, wireless taxes, and even whether the state has an “Amazon” tax.

To further explore, there’s an interactive map (pictured above). You can click on each state and see its point score, and highlights of ranking details. Go here for the interactive map.





Executive Spotlight: Janine Popick, CEO and Founder of VerticalResponse - Bringing Easy Marketing Solutions To Small Business

After more than 20 years of experience leading direct and online marketing programs for some of the biggest companies in tech and entertainment such as NBC Internet, XOOM.com, Claris Corp (a wholly owned subsidiary of Apple Inc) and Symantec Corporation, Janine Popick struck out on her own and started VerticalResponse in 2001. VerticalResponse, which was started as an email marketing service provider, today offers a full suite of tools including social media marketing, online event marketing, online surveys and postcard marketing.  

Janine started VerticalResponse in an effort to help small businesses and non-profits grow by offering them affordable self-service marketing tools. Her proudest moment as the founder of VerticalResponse has been the day the company became profitable seven years ago and the fact that they’ve really never looked back.

Helping Small Businesses Implement Effective Internet Marketing Strategies

The entire gamut of internet marketing tools can be puzzling, especially for small businesses with relatively smaller budgets. As per Janine, “The biggest challenge I hear from small businesses is that they don’t have enough time to spend on their marketing. You’ve got your website, blog, email marketing, maybe search engine advertising and search engine optimization … Combine that with all the different social media platforms you ‘must’ be on like Facebook, Twitter, Google+, Yelp, LinkedIn, Pinterest, Instagram, Tumblr and now Vine, and it’s no wonder that many small businesses are so overwhelmed, especially when they have all the day-to-day responsibilities of running a company on their shoulders, too.”

This is why Janine has focused her company on developing marketing tools that are super easy to use right away, even for those who are not tech-savvy. The company also offers pay-as-you-go pricing, where businesses can buy email credits in advance, like postage stamps, so they only pay for what they actually use.

VerticalResponse is known for its efforts in trying to educate small businesses on how to make the most of their marketing and how to prioritize. They crank out tons of guides, webinars, tips and how-to’s on everything from email marketing to social media to SEO. Their award-winning marketing blog is very popular, too. Another unique offering is their non-profit email marketing program, where 501(c)3 organizations can send up to 10,000 emails every month through VerticalResponse, absolutely free.

Janine warns that before small businesses start shopping around for tools, they need to set some goals for their online marketing initiatives. For example, if site traffic is a big deal for you, you definitely need to get hooked up to Google Analytics, which will tell you where your website visitors are coming from. A social media publishing and management tool is great if your goal is to generate more overall awareness of your company. And email marketing is perfect for building relationships and generating sales.

Key internet marketing trends for the next few years

As per Janine, keeping an eye on social media and your engagement with your customers and prospects is going to be huge. You need to keep communicating with your customers in the way they want to be communicated to. If your customers are reading your emails, then make sure you’re testing the best possible subject lines and content that your recipients are looking for. Are they looking for you on Facebook or Twitter? Be there! And if your business is local, make sure your local page on Google+ is the best that it can be.

Building Winning Teams

Here’s Janine’s take on leading a team, “As long as you are clear about who your customer is and your vision, smart people can execute their way to success”. She admits that thanks to an amazing team, she has been able to take a backseat in the day-to-day running of the business. Instead she focuses her energies on figuring out what’s next in technology for the business and concentrates on growth.

She is a firm believer in facilitating communication, education and mentorship. A monthly email to staff contains not only departmental updates, but also whether the company is on track to achieving business goals. Employees are encouraged to participate in workshops and tradeshows to show that VerticalResponse is invested in their professional growth.

Advice for other women entrepreneurs

Janine grew up on the East Coast and graduated from Hofstra University with a bachelor’s degree in Communications and English. She concedes that not having an engineering degree and working in a male dominated industry can be challenging. That’s where tenacity comes into play. She says, “If you believe in your dream and your idea, just make it happen, any way you can”.

When not in the office, Janine can be found playing with her adorable pup Dwight, hanging out with her husband on Lake Tahoe or cheering on the Giants!  Janine also uses her spare time to contribute as a columnist for Inc.com, the Huffington Post and American Express OPEN Forum.



Big Data awareness week further highlights challenges

Businesses across the UK are failing to turn the data at their disposal into a competitive advantage.

In ‘Big Data awareness week', Eddie Short, KPMG's head of data and analytics, said that businesses across the UK are unsure on how to make the move from being ‘collectors of information' to ‘users of insight'. 

In a blog post, he said that leadership in many organisations is increasingly demanding that data collection extends beyond customer and competitor intelligence.

He said: “Collecting information for its own sake increases the risk of organisations drowning under a sea of information. The real test of a healthy analytics capability is whether it keeps an organisation focused.

“In other words, in the current environment - where cash-flow is tight - only if data analytics highlights what products and services need to be stopped or improved to delight customers and consumers, is it doing a good job.”

He argued that three years ago, some commentators suggested that data would become the new currency of business and since then, information has clearly moved to the core of most organisations. In his view, three years from now it will be the businesses combining their hunger for data with an appetite to match it with the needs of their business who will succeed "and become masters of their own data".

Writing on the Securosis blog, researcher and principal Adrian Lane said that Big Data is being touted as a ‘transformative' technology for security event analysis.

He said: “Many customers are asking ‘Wait, don't I already have security incident and event management (SIEM) for event analysis?' Yes, you do, and SIEM is designed and built to solve the same problems - but seven-to-eight years ago - and it is failing to keep up with current problems.

“It's not just that we're trying to scale up to a much larger set of data, but we also need to react to events in an order of magnitude faster than before. Still more troubling is that we are collecting multiple types of data, each requiring new and different analysis techniques to detect advanced attacks. Oh, and while all that slows down SIEM and log management systems, you are under the gun to identify attacks faster than before.”

He went on to say that rather than being all theory and speculation, Big Data is currently being employed to detect security threats, address new requirements for IT security, and even help gauge the effectiveness of other security investments.

“Big Data natively addresses ever-increasing event volume and the rate at which we need to examine new events. There is no question that it holds promise for security intelligence, both in the numerous ways it can parse information and through its native capabilities to sift proverbial needles from monstrous haystacks,” Lane said.

In February, RSA chief security officer Eddie Schwartz told SC Magazine that security needs to become more Big Data aware, saying that the Big Data challenge "won't be fixed in 2013, but we will see it explode in the enterprise as some will say they are not ready yet".

There is also the challenge of a lack of data analysts, as highlighted by Splunk and by the ‘Big Data London' group, who found that 77.9 per cent of its 131 respondents believed there is a shortage.



Three Features Of The Latest Release From Evernote: Evernote Business

The note-taking and archiving app, Evernote, is oft-recommended and used by business users. Apparently 2/3 of Evernote’s users are using the app for workplace productivity. So what is this Evernote Business? What’s different about it and why do we need it?

Well, Evernote Business maintains everything that we love about Evernote, but adds a host of extended and enhanced features for business users.

Let’s take a look at the features:

Share With All Employees: Publish notes, ideas and research to your company’s Business Library, where it can be viewed by any user that is joined to the same Evernote Business account.

Store More: Store more notes and attachments so you can collect and find everything you need. You’ll get 2GB each month to use towards Personal Notes, plus your company gets 2 additional gigabytes per employee for content placed in Business Notebooks.

Search All Notes: Find what you need to know when you need to know it. Browse and search your own notes, as well as those of your co-workers in Shared Business Notebooks and the Business Library to get the information you need fast.

All Evernote Business members also have access to a high level of support from a business support team. Companies with ten or more users can also schedule phone support with Evernote’s Business Success team.

It costs $10.00/user/month, but you can see a live demo before you go for it. There are dates for this month and next month here.

For more on Evernote, see our archives.

Let us know what you think of this new product in the comments! Is it worth it, or is the free app all you need?





How to Get a Startup Visa Act Passed

For the past few years, a number of prominent U.S. venture capitalists have been trying to convince Congress to modify the U.S. EB-5 visa program. Currently, the program allows foreigners who invest $1 million in a U.S. business and create 10 or more jobs to get a visa; the investors want Washington to include those entrepreneurs who attract funds from venture capitalists or business angels. While the bill’s advocates have gotten it introduced into the House and Senate, the effort has stalled.

Recently, Canada announced that it will launch a “start-up visa” program this spring. For the next five years, our neighbor to the north will make 2,750 visas available annually to entrepreneurs who have received a $200,000 funding commitment from an approved venture capitalist or $75,000 from an approved business angel.

The Canadian government’s announcement has gotten U.S. start-up visa advocates upset. In a recent online column, Brad Feld, one of the advocates of a similar program in the United States, expressed frustration that Canada had beaten the U.S. to the punch.

Rather than bemoan their political difficulties, however, advocates of the law should change their strategy. They should replace their “we-need-immigrant-entrepreneurs-to-save-America” argument with the following approach: Giving out visas is a better and cheaper way to get small companies to move here than offering tax breaks.

The advocates’ current argument is economically suspect and politically problematic. Proponents of a start-up visa argue that immigrants are better entrepreneurs than non-immigrants. But, as I have explained here and here, there’s plenty of evidence that the native born are as good, if not better, at entrepreneurship than immigrants.

More importantly, the immigrants-are-better argument is a political nightmare. What Congressman wants to tell his constituents that he needs to support a start-up visa bill because the voters who elected him aren’t as good at entrepreneurship as foreigners?

The best argument for a start-up visa is the same argument for giving foreign companies tax breaks to start or expand their U.S. operations: it shifts wealth and jobs from overseas to the United States. If venture capitalists fund a start-up in São Paulo, for example, most of the jobs created and taxes paid by the new company occur there. But if the investors fund the same new business in San Francisco, most of the jobs and taxes end up in the United States.

Even if the entrepreneurs would create more jobs and wealth if they established their businesses in their home countries, the law would make sense for the United States. Creating 1000 American jobs is better for those who live here than creating 2000 foreign ones.

Offering the entrepreneurs visas as a way to get them to start companies here is a cheap and effective way to attract companies. Unlike the case with big companies considering locating a plant elsewhere, U.S. tax breaks aren’t much of an attraction to foreign entrepreneurs. But American residency is.

Framed as a program to get foreign businesses to move to America, a start-up visa is a political “no brainer” for Congress. Without spending a cent of taxpayers’ money, we get non-U.S. companies to set up shop here. If the businesses succeed, create jobs and pay taxes, then American voters win. The only “losers” in the deal are people in the entrepreneurs’ native lands who don’t get the jobs and tax revenue from the successful businesses. However, those people don’t vote in American elections, so their welfare matters little to those in Congress.