Report finds security tools add software vulnerabilities of their own

Security products appear to be creating greater insecurity.

That's the conclusion of a recent survey of vulnerability trends in security products, released by iViZ Security Inc. The vulnerability testing company, based in Sudbury, Mass., found that overall vulnerabilities in security products introduced in 2012 rose sharply at a compound annual growth rate of nearly 37.3% over the last three years.

Antivirus products led the way, accounting for 49% of the software vulnerabilities reported in security products surveyed by iViZ. At the other end of the vulnerability scale, SQL injection was least common.

In surveying the various weak points in security products, iViZ said it defined a weakness as a bug or flaw in product code that could lead to security software vulnerabilities. Based on that approach, it found the two major weaknesses in security products are access control and input validation. Compared to 2011, it found "a sharp increase in access control vulnerabilities."

Since hackers increasingly target security products as soon as they hit the market, it's perhaps not surprising that major security vendors like McAfee, Cisco and Symantec accounted for the most vulnerabilities found in products released in 2012.

The survey also noted that similar vulnerability trends can be seen in other commercial and open source products.

"This is not just a call to action for [security] vendors," said Dan Cornell, a principal analyst with San Antonio, Texas-based Denim Group. "This is a call to action for [independent software vendors] that build software that is widely deployed."

The ubiquity of software like Java and hosted services like Adobe Reader presents particular challenges for vendors, Cornell added, because they provide a platform for security exploits to spread. Based on the results of iViZ's survey and others, Cornell said he sees a growing mandate from the security market for vendors to produce and deploy secure code.

The upshot, iViZ predicted in its survey conclusions, will be an increasing number of attacks on security products while the majority of vulnerabilities found will remain undisclosed. That also means these weaknesses could still be exploited as advanced persistent threats grow against commercial networks and various security products.

According to the iViZ survey, the number of vulnerabilities found in security products had been declining since 2007, bottoming out in 2011. Along with antivirus vulnerabilities, flaws in firewalls and intrusion detection and protection products accounted for most of the security gaps last year.

After listing a series of high-level attacks during 2012 on U.S. security companies like Symantec, Panda Security and Barracuda Networks, the survey concluded that "compromising a security company may lead to some kind of chain of security breaches all around the world."

Through its own penetration testing, iViZ said it had discovered remote code execution and data-stealing vulnerabilities in various antivirus products.

The company used widely accepted vulnerability standards and databases in its survey, including Common Vulnerability Enumeration, Common Product Enumeration and the National Vulnerability Database (NVD), the U.S. government's repository of vulnerability management data. (According to reports, the NVD itself was hacked in March, bringing down a public website and other services after a malware attack on two servers.)

As for combating vulnerabilities in security products, iViZ recommended buyers request security product certifications and independent penetration tests. It also recommended proactive measures, like an efficient detection and response mechanism when a vulnerability is exploited.

Despite growing insecurity, Cornell said he sees some progress toward securing code in ubiquitous hosted services like Adobe. He pointed to Adobe's appointment in April of Brad Arkin as chief security officer.

"Adobe has some of the most widely deployed software in the world and we are keenly aware that this makes us a target," Arkin said in a recent blog post, adding that he would "continue to manage and foster two-way communication with the broader security community, a vital part of the central security function."

Cornell concluded that companies like "Adobe have made progress, but they have a hard problem," namely, securing millions of lines of code while keeping pace in fast-moving markets. Ultimately, these vendors must focus on the "security of their features," Cornell added.




HIPAA Omnibus Rule, PPACA challenge enterprise compliance management

WELLESLEY, Mass. -- For information security professionals, compliance-related tasks have often proved to be a trying yet necessary part of the job. However, Thursday at the MassBay Community College Information Security Summit, a panel of information security experts said new compliance mandates are making practitioners' jobs even harder.

During a discussion on compliance and risk management, Natalie Kmit, an IT security services consultant with Framingham, Mass.-based consultancy Towerwall Inc., said the most recent compliance game-changer is the new Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule. Released in January, the rule stipulates that as of Sept. 23, not only will more stringent requirements for "business associates" of HIPAA-compliant organizations take effect, but it will also require breach notification when a covered entity or business associate experiences an impermissible use or disclosure of protected health information.

Kmit said the HIPAA Omnibus Rule has broadened the definition of a business associate, encompassing a variety of subcontractor organizations that weren't previously included. She said this has created more work for subcontractors, as well as for the covered entities managing them.

"Many of my clients are small and midsized businesses, and so it's about finding a way to stay within budget to do what's necessary," Kmit said. "Even to understand the 563-page piece of legislation is, I would say, very challenging."

Kevin Burns, the chief information security officer for the Commonwealth of Massachusetts, said his newest compliance headache is the Patient Protection and Affordable Care Act (PPACA), commonly known as Obamacare. His organization is involved with the state's preparations for the looming Oct. 1, 2013 launch of the state-based health care exchanges, through which individuals can seek to purchase subsidized health insurance.

"We have had a number of auditors coming in to ensure our [data security] controls are in place so all that private health care data doesn't get lost," Burns said.

He said the state has already been subject to two PPACA audits, and additional audits are underway.

"There's a large challenge with trying to keep up with the timeframe of having the systems in place by Oct. 1 and making sure all our controls are robust," Burns added.

Burns also said the Payment Card Industry Data Security Standard (PCI DSS) has become a top compliance challenge for the many state agencies he supports. Since so many of them accept payment cards, he said PCI DSS compliance assessments must be conducted annually, and managing that process with a limited staff is an ongoing challenge.

"How we're saving some funds is by internally developing [our] staff" to support PCI compliance, Burns said, "and [we're] challenging the vendors that do the reviews to bring their prices down."

Beyond the complexities of complying with any particular mandate, arguably the biggest compliance-related burden is the sheer number of regulations and standards organizations now deal with. Kmit said many of her customers operate globally, and hence must comply with hundreds of laws, regulations and even cultural expectations regarding security and privacy.

"The U.S. takes a more siloed approach to regulations; there are 46 states that have their own regulations" that touch information security, Kmit said. When working with clients, she said she recommends they adopt an information security framework that's flexible enough to address multiple compliance regulations with one standardized set of controls.

Steven Beaudrot, director of regulatory management and compliance for Waltham, Mass.-based Fresenius Medical Care, said compliance success requires buy-in among business managers and stakeholders. However, he stressed the importance of a careful approach as opposed to using fear, uncertainty and doubt.

"One thing I've learned is you can't storm into the CIO's office with a printout of legislation and say, 'This is something we need to do,'" Beaudrot said. "You need to break it down and apply it to the organization you're in, and put it in the perspective of your customers."

Fortunately, the panelists agreed that key business stakeholders today understand the importance of enterprise compliance management much more than they generally did just a few years ago, thanks in part to the numerous high-profile security incidents that have taken place in recent years.

Burns said the recent South Carolina Department of Revenue breach got the attention of data owners in the Massachusetts state government. However, he said many officials feel torn between the need to secure data and provide citizens with better online data access.

"Constituents want faster access to data online, but want it secured," Burns said. "Those same constituents have no problems sharing login info with significant others who use those credentials to access benefits. The challenges are ridiculous, but we have to understand the dynamics of what's going on."

Despite the many challenges, Kmit said it's important to remember that compliance is an ongoing journey, not a destination.

"You're never 100% compliant on everything, or secure, but as long as you understand what you need to do and where you stand in terms of achieving those goals, and have a plan in place to move toward compliance, that makes a huge difference with auditors," Kmit said. "It's important to show that due diligence and due care."




Co-Founder of CNET Goes Bankrupt

Halsey Minor goes bankrupt buying paintings like Peaceable Kingdom

Halsey Minor, who co-founded CNET, has filed for Chapter 7 bankruptcy. Minor was a mega-millionaire who, back in 1999, was pegged by Fortune magazine as having a net worth of $350 million. Now his net worth could be negative $90 million, according to a Wall Street Journal blog post. He even owes money to his former executive assistant.

CNET was sold to CBS in 2008 for $1.8 billion, although Minor had left years earlier, before the dot-com bust of 2000. Minor, a descendant on his mother's side of Admiral Halsey, was also a tech investor who picked some winners. One was acquired by Google and became Google Voice. Minor was also an investor in Salesforce.com.

CNET, Salesforce, Google Voice: clearly the man is a tech genius who knows how to identify tech's next big thing. He made a fortune by the time he was in his thirties. So what went wrong?

Minor’s financial troubles seem to stem from expenditures and investments that later proved disastrous.

He bought expensive real estate. Case in point: A house in posh Bel Air that he bought for $20 million and put back on the market a year later for $12.9 million.

Then there was the house in Presidio Heights, San Francisco, that he bought for another $22 million, and into which he claims to have put another $15 million in improvements. There was other real estate, too, including the Landmark Hotel in Charlottesville, Virginia, which he was developing for $31 million, among other properties.

Let’s not forget the race horse. He paid $3 million for a Kentucky Derby contender that went lame before the big race.

And then there was the expensive artwork. He bought millions of dollars of artwork at Sotheby's auction house, and then was sued for not paying for it. One of the paintings in question was Peaceable Kingdom (pictured above), by artist Edward Hicks. Minor ended up in litigation, lost, and paid $6.6 million to Sotheby's.

And now he’s bankrupt.

I don’t write about Minor to gloat about someone else’s misfortune. On the contrary, “there but for the grace of God go I” is more of my sentiment in such situations.

But it does suggest two points for entrepreneurs to take away from this saga of "tech millionaire goes bankrupt":

  • You can be a genius in one area and be a huge success, but get out of your element and it could be a completely different story. When it comes to diversifying, walk carefully. On the one hand, diversifying can reduce the risks inherent in over-relying on a single area. But get too far afield from what you know best in your business, and it increases different kinds of risks.
  • Financial independence is not so much about how much you make; it's about how you spend it. Even multimillionaires can spend it all foolishly. Cost control in business, in government and in your personal finances is important. Don't be the one who goes bankrupt.

Image: Peaceable Kingdom


A New ‘Simple Choice’ In Wireless Service Plans From T-Mobile

Going wireless is an expensive undertaking. If you own a small business, chances are that you’re already flooded with tons of other expenses and don’t really have the budget to commit to a plan that gives you unlimited high-speed connectivity on your mobile phone. You’re not alone. The Gerson Lehrman Group conducted a survey in December last year where it concluded that 90 percent of businesses believe that the costs associated with wireless mobility are too high.

Now, T-Mobile is hoping to capture your attention with a relatively transparent offer known as the "Simple Choice" plan. The plan has had success as a consumer product, and now T-Mobile would like to cater to small businesses with a plan that matches your needs. Here are the highlights:

  • Your first line is $50 a month, and you get unlimited talking, texting, and web (up to 500 MB on a high-speed connection).
  • The second line will cost $30 a month with the same benefits as the first one.
  • Each additional line will cost an additional $10 per month. Given these numbers, the plan is most beneficial in situations where you have more than 2 employees. T-Mobile’s small print shows that this is limited to 5 lines, with a two-line minimum.
  • To get 2 GB (instead of 500 MB) on T-Mobile's 4G network, add $10 to the cost of each line. Another $10, and you have unlimited 4G connectivity.

Because of the lack of caps, you won’t get charged for overuse of the network (as is the case with many other carriers across the US). The billing process is more transparent, giving you more leverage over your finances and making accounting a sweet and easy process (at least on the telecom end).

As far as devices are concerned, you can use an unlocked device or purchase your own from T-Mobile through monthly installments.

T-Mobile is also offering a special perk for small businesses opting into their Simple Choice plan: You get 24/7 remote IT support and document management services for free. This offer is only valid until September 30, 2013.

If you feel like this is your kind of thing, don’t miss out on it. Deals just keep getting better as carriers start implementing new technologies that make them more capable of delivering services at affordable rates. If you’ve spotted something noteworthy from another carrier, join the discussion and leave a comment!



HP to Introduce Another Tablet Laptop Hybrid, Using Windows

"Hybrids" are a hot category in 2013. Hybrids are tablets that double as laptops or desktops. They are still portable like a tablet, but larger than traditional tablets and come with keyboards. Hewlett-Packard is introducing its third tablet laptop hybrid.

HP plans an August release of a 13.3-inch tablet laptop hybrid based on Windows, called the Split x2.

At about 9 x 13 inches, the device offers a 13.3-inch display screen. Obviously, it is going to be heavier than smaller tablets. With the keyboard it weighs under 4.85 pounds, but weighs "only" 2.3 pounds as a tablet. Still, that's light enough to carry around with one hand.

Like many newer tablets, it comes with two cameras: an 8-megapixel rear camera and a 1080 pixel front-facing camera.

You can connect over WiFi, and Bluetooth, a MicroSD reader, USB and audio jacks add to the device's versatility and usefulness.

The Split x2 is an upgrade to the ENVY x2, HP's first Windows tablet laptop hybrid introduced last year, reports NDTV Gadgets. The Split x2 replaces the Atom processor of the ENVY x2 with a choice of a 3rd Generation Intel Core i3 or i5 processor. The screen is larger, too, with 1366 x 768 resolution. The additional functionality also costs more. Cost of the new tablet laptop hybrid is $799.99 MSRP compared with $649.99 for the ENVY x2.

This hybrid tablet (HP calls them a "2-in-1") comes out of the HP Consumer products group, but we've noticed that hybrids tend to get a second look from business users. Professionals want the mobility and fun of a tablet but really need a keyboard to make the device functional for work purposes. Also, Windows 8 systems hold special appeal for business users who may need to work on PowerPoint, Excel or Word files. That can be difficult if not impossible on a traditional touch tablet using a non-Windows operating system.

“What we’ve done this time is take that whole x2 approach and adapted it to something that gives you even more performance and more capability,” said David Conrad, Director of Product Management at Hewlett-Packard in a video about the new device.

“But then we’ve also added one more thing, which is storage,” he said.

The earlier ENVY x2 offered 128 GB of solid state drive storage in the tablet. The Split x2 includes that memory plus an additional 500 GB of hard drive storage in the keyboard dock, said Conrad.

HP also recently introduced a 10.1″ Android hybrid, the SlateBook x2, priced to rival the iPad. Other brands have introduced tablet and laptop/desktop combinations to the market, too.

After some struggles in recent years, HP, one of the largest computer companies, has experienced a bit of a turnaround with sales higher than expected in the second quarter of 2013.

Image: HP



4 Travel Apps From The Concur App Center That Make Travel Easier

Concur recently announced that its users will now have access to more than 30 Concur partner apps that address an array of travel and expense-based solutions, including compliance, finance/IT and traveler services. If you're using their services, this is great news for you!

With Concur, you can book business travel from a broad selection of in-policy options, credit card charges are automatically captured and categorized, and Concur's mobile app combines with TripIt Pro to manage trips and itineraries and capture receipts, all from your smartphone.

Let’s look at how Concur plus other apps can save you time and maybe even money!

Avis

With Concur, enrolling in Avis Preferred takes no time. Concur fills out the form for you and then you’re in. When you’re Avis Preferred, you’ll skip the line and paperwork, and drive off in your car the way you want it. An Avis Wizard number is created instantly and inserted into Concur for travel bookings. Pretty handy.

Lemon Wallet

Ever forgotten your wallet? Lemon Wallet allows you to store a digital copy of all of your cards (ID, insurance, loyalty and payment cards) so you can access them whenever you need. You can make your wallet interactive, with real-time balance updates and transaction details.

TravelText

Add expense entries fast, through SMS. When you text in your expenses through TravelText, it’s five times faster than using a smartphone app, according to TravelText. With this service you can add new expenses and attach images, for better recording.

Park 'N Fly

Park ‘N Fly offers off-airport parking at more than 100 locations in 60 US cities. Parking off-airport is convenient and costs on average 50% less than parking at the airport. The Park ‘N Fly network gives Concur users the ability to reserve off-airport parking the same way that air, car, and hotel are reserved.

The integration of these new applications into Concur's expense management solutions helps keep the busy business traveler more organized while on the go. Check out our other list of must-have travel apps!

Let us know in the comments which travel apps you swear by!


Mari Smith on How Small Businesses Can Use the 80/20 Rule in Facebook

Did you know that your Facebook updates are never going to be seen by 100% of your fans in your newsfeed? Instead, only 2% to 48% will see them. Yet, Mari Smith, who has been called the Queen of Facebook, still says Facebook has value for small businesses. She offers several highly specific tips in this interview about Facebook for small businesses.

* * * * *

Small Business Trends:  Can you tell us a bit about your background and how you got to be what a lot of people call the ‘Queen of Facebook?’

Mari Smith: Throughout my entire career, I’ve had a deep passion for people and technology. Since 1999, I’ve been deeply immersed in the world of eCommerce and Internet marketing. I was an online marketing consultant for a number of years. Then, in 2007, Facebook just fell into my lap. I was chosen to be on the data team of an app. It was really a defining moment in my life. I just fell in love with Facebook. Within weeks I became an evangelist.

Small Business Trends:  When did you know Facebook was going to be important for small businesses?  

Mari Smith: From a small business marketing standpoint, to me, it’s all about relationships. One of my blogs is called The New Relationship Marketing. Relationship marketing is about fostering those relationships which you can start through social media, through Facebook, through Twitter, and then ultimately - you might meet people in person.

It’s really a matter of strategically thinking through what content you are posting through your personal profile and your public fan page in a manner that people are - top of mind. They may think, ‘Gosh, I really need to go and buy a new dress or a wedding cake or whatever different people do.’  You are top of their mind because they have built this relationship with you and you’re in their news feed, sharing valuable content and sparking interest with little personal goodies.

Small Business Trends: Can you rate, on a scale of one to ten, how successful small businesses have been when it comes to leveraging the power of Facebook to help grow their business?

Mari Smith: I would say the vast majority of small businesses are probably somewhere around a three or a four on that scale, unfortunately. I think the main reason is that Facebook is in a ‘pay to play’ mode. They have to make money; that’s just the way it is. It’s just the algorithm that’s at play. You might buy ads in order to build a fan base, which is a terrific use of your advertising dollars, but then people are like, ‘Well, we’re only going to display and post to a percentage of fans.’ Your posts are never going to be seen by 100% of your fans in your newsfeed. It could be anywhere from 2% to 48%. I think at one time years ago, it was at 16%.

One thing to keep in mind as a small business owner is that just because you have 1,000 fans, all 1,000 of those people are not seeing your posts. It could be a fraction of those. You have promoted posts and there are sponsored posts. There are just a lot of complex features in there that you can buy. But unless you know what you’re doing, you might be wasting your money. You might not be getting a good ROI - return on investment.

I think where people struggle is that there are these complex features and there’s a lot of change. Facebook is always changing their features. If we can back up a second and take complexity out of the picture and look at the fundamentals of small business success, you see that a lot of it comes with not really knowing, ‘Why am I on Facebook in the first place? What am I trying to do here? Am I trying to just generate fans and get better sentiment for my brand or actually sell product or improve customer service or just get visibility?’

I would recommend that most small businesses approach Facebook marketing from the standpoint of generating email leads and gently guiding people to cross into your funnel, your e-mail list, your blog, your website and looking into your offers.

Small Business Trends:  What percentage of small businesses are actually able to do direct commerce on Facebook? Is that even in the equation for most businesses?

Mari Smith: It is. In fact, there’s a whole factor of online commerce, called Facebook Commerce. There are new sites and there are services and platforms that are popping up all the time. I just came across a new one recently called Bionic and they have an app that you can add an IQ Offer. You can put up an offer that’s maybe 50% off for the next 24 hours. Then you can drive people there through an ad, for example. People can click on that and purchase right away through PayPal. So, for the small business owner, that’s a way to instantly monetize an offer.

Facebook actually has an offers feature. You click the button and you claim it. Just because somebody’s claimed it doesn’t mean that money has actually passed hands, not yet.

Commerce is still in its infancy. I think we’ve got another couple of years yet where people are really starting to feel more comfortable getting their credit card out. With PayPal, there’s a trust already existing there, which is great. Someone getting their credit card out and saying, ‘I feel happy to buy this right off of Facebook’ is in its early days yet.

Small Business Trends: Do you feel that small businesses are leveraging Facebook with the right expectations?

Mari Smith: A lot of people that I talk to, a lot of small business owners, come to Facebook as the Holy Grail. They think that they’ve got over a billion members and there are stories of people making millions of dollars through Facebook marketing. Many of them are spending money to make that money with ads, which is quite frankly the most incredible targeted demographics that your money can buy; far better than any other advertising product and I don’t have any agenda saying that. It’s just a fact.

One thing that small business owners could do with Facebook is build up their email list. Put up your email list with 1,000 people, and they’re from other sources, not necessarily through Facebook. You can take that database and upload it to Facebook using what’s called the Power Editor. Upload your own database and Facebook is going to go and search their site and match profiles with your database. Maybe only half of them will match and that’s okay.

Now you have this set of almost 500 people and you can find out lots more information. You can actually segment your database and get a ton of information as a result of matching them. You can place ads. You can advertise to people on your own database. It’s called Custom Audience. Then you can do something that’s called Look Alike Audience, which means that Facebook will then gather up an audience of people that you can advertise to that would have never known about you, are not on your list, are not your fan, but they look similar to your current database. That’s cool, right?

Small Business Trends:  If you were a small business going on Facebook to build a list, what kind of content may work best when you’re trying to do it from that perspective?

Mari Smith: I have this rule, basically 80/20. So, talk to the fans with no agenda value, the 80%. When I say no agenda value, that means OPC - other people’s content. You’re sharing a mix of your content, articles, resources, tools and then 20% of the time, you’re going to ask for the sale. You’re going to ask for the lead.

One of my favorite ways is through a webinar. I gather my fans and drag them over to an opt-in page, where I capture the email address, and that’s where I’m going to periodically do that. I don’t do that all the time. I do it maybe once a quarter. I’ll do an initiative, where I’m gathering up, where I’m doing an offer. So, that’s just something to keep in mind: you don’t have to be asking for the sale all the time. But you have to have it strategically mapped out in your marketing calendar for the year, as to when you are going to do offers and promotions, and do them in spurts.

That will add tons of value on a regular basis; ideally once a day. Even if it’s just one post a day or maybe two posts a day on Facebook; on your fan page. That would be plenty; that would be sufficient.

Small Business Trends: You mentioned something about a webinar?

Mari Smith: It’s coming up on Tuesday, June 4th. It’s called Seven Steps to Facebook Success. It’s 90 minutes, a live stream webinar. I’m going to be on camera and broadcasting from a studio in San Diego, live and interactive. We will record it in case folks can’t make it and they can just find links to that at MariSmith.com.

This interview on Facebook for small businesses is part of the One on One interview series with thought-provoking entrepreneurs, authors and experts in business today. This transcript has been edited for publication.  




Drupal confirms credential breach following third party application vulnerability

Hackers have hit the open source content management platform Drupal and captured nearly one million accounts.

According to a blog post by Holly Ross, executive director of the Drupal Association, the non-profit organisation that supports the open source CMS project, the problem was a known vulnerability in third-party software installed on company servers. Drupal acknowledged that it had worked with the vendor to confirm it is a known vulnerability that has been publicly disclosed.

She confirmed that the information exposed included user names, email addresses and country information, as well as hashed passwords.

“However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly,” she said.

“As a precautionary measure, we've reset all Drupal.org account holder passwords and are requiring users to reset their passwords at their next login attempt. All Drupal.org passwords are both hashed and salted, although some older passwords on some sub-sites were not salted.”

Ross said that at the moment, Drupal had not found any additional malicious or dangerous files, and it was making scanning a routine job in its process.

Commenting, Chris Wysopal, CTO of Veracode, said that this is a "clear example of how vulnerabilities in third-party applications can be exploited by malicious hackers".

He said: “In this case, the attack is believed to have exposed user names, country information, email addresses and cryptographically hashed passwords of almost a million users.

“This incident underscores the need for organisations to fully audit and understand all of their application perimeter, including often ignored third-party apps to safeguard the data and privacy of their users.”

Speaking to SC Magazine about protecting the passwords by salting and hashing, security researcher Troy Hunt said: “In short, no cryptography is terrible - encryption only is bad. Hashing with no salting is woeful, hashing once with a salt is almost useless and hashing about 1,000 times with a salt is where the password games now start.

He said: “Salting is a bit hard to get wrong; it's just random bytes of sufficient length. Both salt and the choice of modern hashing algorithm (SHAx) are almost always not the problem, it's the iterations. Using PBKDF2 to increase the rounds of hashing is critical or go to something like bcrypt, which allows for the hash workload to be exponentially increased.”

Asked what the best ways were to manage third-party applications and vulnerabilities inside them, Hunt said: “Third-party apps are tricky, as short of auditing them yourself, you're really accepting that the developer has done a sufficient job.

“Breaches through these happen all the time though - it was the same thing that recently caught out Adobe with its forum software. It's the same old sage advice really: try and use well-renowned broadly used products (if there's a vulnerability, hopefully someone else will find it first) and definitely keep them up to date (how often do we see unpatched versions where risks were fixed years ago?).”
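The salted, iterated hashing Hunt describes, beside the unsalted single hash he calls woeful, as an added Python example that is not Drupal's or Hunt's code (the iteration count, the record format and the function names are assumptions):

```python
"""Salted, iterated password hashing (PBKDF2-HMAC-SHA256) next to the unsalted
single hash the article warns about. Added example; iteration count, storage
format and function names are assumptions, not Drupal.org's implementation."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption: Hunt's "about 1,000" rounds was a 2013 floor; current guidance is
# far higher, so this example defaults to 200,000 rounds.
DEFAULT_ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def unsalted_sha256(password: str) -> str:
    """The 'hashing with no salting' case: no per-user randomness and a single
    round, so two users with the same password store the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    Storing the parameters lets the policy be raised later without a reset."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time
    so a mismatch leaks nothing about how many bytes matched."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return False
    _, iterations, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was made with fewer rounds than current policy (or
    with another scheme); upgrade it at the user's next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < min_iterations


def login_and_upgrade(password: str, stored: str) -> Optional[str]:
    """Authenticate; on success return the record to keep (a fresh one if the
    old record is below policy), on failure return None."""
    if not verify_password(password, stored):
        return None
    return hash_password(password) if needs_rehash(stored) else stored


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    shared = "correct horse battery staple"
    print("unsalted digests equal:",
          unsalted_sha256(shared) == unsalted_sha256(shared))
    print("salted records equal:", hash_password(shared) == hash_password(shared))
    legacy = hash_password(shared, iterations=1_000)
    print("legacy record needs rehash:", needs_rehash(legacy))
```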

Luis Corrons, technical director of PandaLabs, added that these days, most infections come from vulnerabilities, and managing all patches for all software applications used in a business is one of the biggest challenges that IT departments have to face nowadays.

He said: “Now with all these vulnerabilities, plus the ‘bring your own device’ phenomenon, the only way a company can deal with it is having some solution that allows you to have real control over all the devices that connect to your network, what software they are running, automate the deployment of updates and patches for software installed, etc.”



The Future Is ‘Cashless’. Is Your Small Business Ready?

Customers losing their wallets may well be the best thing to happen to your business! Surprised? PayPal, the leading global provider of payment solutions for consumers and businesses, says that with customers being increasingly inclined towards carrying ‘digital wallets’, the humble wallet may soon be assigned to the annals of history. And this will inevitably present a great opportunity for businesses to sell more! The future is ‘Cashless’ - is your small business ready?

PayPal Global Consumer Survey 2013

PayPal, which billed $14 billion in mobile payments last year (more than any other service provider and an increase of 250 percent over its previous year’s volumes), has recently published the findings of a global survey conducted across 5 major countries (the United States, United Kingdom, Australia, Canada and Germany) on the future of the wallet. Whether it’s going to the gym, the laundromat, the grocery store, restaurants or even the beach, 83% of the 1000 respondents surveyed expressed the desire to be able to go without a wallet. The figure for U.S. consumers wanting to go ‘wallet-less’ was even higher, at 86%.

The business side of this story is lost sales opportunities, with a large section of American consumers reporting that they have been unable to pay for something because they simply didn’t have enough cash on them.

PayPal’s Cash for Register Offer for Growing Businesses

The survey clearly shows that consumers want to do away with keeping cards in their wallets, carrying around cash or having to deal with the spare change that is often handed over after a transaction. To help growing businesses address this, PayPal has introduced an offer to encourage smaller businesses to migrate from old cash registers to modern payment solutions such as PayPal Here (which enables card/check acceptance and PayPal processing on iOS and Android mobile devices) or any of its payment processing partners such as ShopKeep, Vend, ERPLY and NCR Silver. Business owners looking to enable the entire gamut of non-cash payment methods for their business can, thanks to this offer, do so with no transaction processing fee on these systems for the remainder of the year.

And so what does the future of payment processing hold? David Marcus, President of PayPal, in a recent blog post aptly called ‘Lets lose our wallets’, had this to say: “I don’t know about you, but I’m looking forward to the day where I can lose my wallet altogether - both the word and the physical object”. According to Marcus, his company is focusing on developing technologies that can simplify people’s lives and not just act as facilitators of currency exchange. PayPal’s Check In and Order Ahead app, for instance, allows users to identify themselves online and pre-order before walking in to collect their items (available at select locations in the U.S.). So imagine that you make your monthly visit to the local stationery shop and the moment you are there, the store attendant knows who you are and what you want.

Clearly, growing businesses aiming at a bigger chunk of the market must enable non-cash acceptance methods for their clients. And the cash-for-register free trial offer may just be the perfect opportunity for many small businesses to consider doing so.



Ahead of the Curve? Watch Out

conference cartoon

You know, when you think about it, being in front can be downright dangerous.

Cutting edge?

Great. But have some band-aids handy just in case.

Pioneering?

OK, but if the Oregon Trail taught us anything, it’s that pioneer life isn’t all fun and games. (Measles, snakebite, dysentery…)

And of course…

Ahead of the curve?

Awesome. Just maybe give a glance behind you every so often.






Google believes zero-day vulnerabilities should be responded to within a week

Google researchers have announced a significantly shortened vendor response deadline that they hope others will adopt to spur quicker fixes.

Three years ago a group of Google engineers proposed that vendors should have 60 days to repair security vulnerabilities rated ‘critical’ in widely deployed software - or the researchers who privately tipped them off about the issue could go public with their findings.

However this week, Google engineers Chris Evans and Drew Hintz wrote on the company's Online Security blog that seven days is more appropriate for critical vulnerabilities under active exploitation.

“The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised,” they said.

While the researchers conceded that a seven-day deadline may be too short for software makers to push out a permanent patch, they did say that it should provide enough time for them to offer tips on mitigating the threat.

“As a result, after seven days elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves,” the post said.

“By holding ourselves to the same standard, we hope to improve the state of web security and the coordination of vulnerability management.”