Why You Should Consider Building Business Credit

Building business credit is both highly misunderstood and becoming more and more important all the time for business owners.

Consider this. In the business credit reporting space, there are the big 3 who sell business credit reports, Dun & Bradstreet, Equifax Commercial and Experian Business Credit.  In the first 6 months of 2013, according to Creditera, D & B had 45 million business credit report requests and Equifax Commercial had 35 million. I do not have data on Experian Business Credit.

I have heard some people say that building business credit doesn’t matter. I say, then why are a lot of business credit reports being pulled if business credit doesn’t matter?

According to the 2012 NSBA Small Business Access to Capital Study (PDF), 20% of small business loans are denied due to business credit. The world is changing. I agree that 10 years ago business credit didn’t matter too much. But today, it does clearly matter.

Suppliers pull business credit on manufacturers to know that they pay their bills. Manufacturers pull business credit on suppliers to know they are dependable and reliable. Retailers and distributors often pull business credit to decide if they will issue trade credit to you when you want to purchase their products or services. The business credit report will likely influence the amount of credit granted and also the terms.

Trade Credit is a Common Form of Business Credit

It used to be that Harry’s Plumbing Supply Company would let Joe from Joe The Plumber Inc. take $5,000 worth of plumbing supplies to get his job done over at the local high school. Harry knew Joe was good for it so he issued an invoice, usually with Net 30 terms, and then trusted Joe to get it repaid in “about 30 days.”

That’s a great thing but it’s also not a very “scalable” model. Harry can’t meet everyone and give a handshake deal to them if he wanted to have 10,000 or 100,000 customers.

Enter business credit. Now, places like Dell, Staples and Home Depot, among many others, can pull a business credit report and score. This shows the repayment history and behavior of each company and lets them make a data-driven decision on whether to extend credit to that company or not. It’s not only scalable, but would you rather make your credit decisions with data to support it or do you want to always depend on your hunch? I think I’m pretty good at reading people, but I’ll go with the data option myself.

That may be a simplified version of how business credit works, but it’s only going to continue to grow. In fact, one of the more popular business credit scoring models is the FICO LiquidCredit Score. Fair Isaac Company, where we get the term FICO, has long been the dominant player in the credit scoring and risk assessment space for lenders. With their FICO LiquidCredit Scores they combine data from a variety of sources (including the big 3 business credit bureaus and the personal credit of the business owner applying for the credit) and issue a score to lenders that ranges from 0 to 300.

Still Not Sure About the Importance of Building Business Credit?

Consider this. Starting this year, on Jan. 1, the SBA requires all SBA 7(a) loans of $350,000 and under to use the FICO LiquidCredit reports as part of their loan approval process. Currently, the SBA requires a minimum score of 140, although that number could change and adjust over time. A Boefly.com analysis of previous years’ loan data suggests that this new rule requiring the business FICO scores would impact approximately 33,000 loans, based on last year’s volume.

These have been the “secret scores” being used by lenders for the past several years. Large banks like PNC Bank, Huntington National Bank, Sovereign Bank and Zions Bank have been using FICO LiquidCredit Scores, as have many smaller regional banks like Associated Bank, Bank of Idaho and Union Bank of California. Those are only a small number of the lenders using the FICO business scores.

The problem has long been that there was no way for a business owner to know how he “ranked” on this “secret score” because the reports were not available at the consumer level. I can’t go out today and decide to buy my company’s FICO LiquidCredit Score. Fortunately, that’s about to change. I expect others to follow, but the first to offer this report to business owners will be Creditera when they make it available early in 2014, according to a recent press release.

Building business credit, a portfolio, should be something that business owners look to do. It can become an asset for your company if you are building your business to sell it. Clearly, if a business has good business credit alone that is attractive and should matter to buyers. I realize that it probably has not been something that has mattered in the past but, again, things have changed as it relates to small business lending and this is an area that should no longer be ignored or neglected.

Additionally, if a business has existing funding or business lines of credit that do not have personal guarantees attached to them, then those are often transferable to new ownership. It is important to note that, in most circumstances, these transferable lines of credit - if you’re a small business owner with revenues under $10 million/year - are normally NOT going to be your “cash” lines of credit since those are normally always going to have Personal Guarantees associated with them. The transferable business lines of credit, if they were properly established, will normally be established lines at places like Staples, Office Depot, Dell Computers, Home Depot or a fuel line of credit at places like Shell, Exxon, etc.

One Last Caution

Beware of some of the sales tactics used by companies and individuals who sell “business credit building” programs and services. I do think this is hard to do without some professional assistance but check out whoever you work with closely. When I started my company, I hired someone to help us build our business credit. We provide working capital to companies and I wanted to have good business credit but I knew enough about business credit that I knew I didn’t want to try it myself.

Many people in the business credit building space “over sell” or exaggerate the benefits. Do your due diligence:

  • See how long they’ve been in business.
  • Check out their Better Business Bureau rating.
  • Look at their website, does it have clear contact information so you know where the business is physically located?
  • Does the owner or leadership team share who they are and perhaps have bios on their website?
  • Are they active on social media?

Do business with someone you can trust, who has experience, who is accessible and who isn’t a faceless, nameless person behind a well designed website.

Lastly, consider the alternative of not building business credit. Do you want your business to either have bad business credit or no business credit? It matters now more than ever that you have a good business credit profile and report. Eighty million business credit pulls from two bureaus in just 6 months is not something to ignore.

What impression are you giving people when a manufacturer, a supplier, a distributor, a retailer or a lender looks up your business credit prior to working with you or to decide if they should work with you - and they find nothing? Is that the impression you want to send others about your business and your brand?




AOL Hopes To Personalize Content Better With Acquisition Of Startup Gravity

Imagine if every visitor that landed on your site was shown content especially geared toward their interests. That’s been the aim of Gravity, a startup that AOL has announced it plans to acquire for $90 million.

Gravity has already been working with some of AOL’s properties including TechCrunch to customize content for individual users as well as companies like NBC and Disney. The company works with websites to deliver personalized front pages, depending on each visitor’s interests.

In an interview with Kara Swisher of Recode, Gravity CEO Amit Kapur says the company’s technology uses the behavior of individual users determining what they most often read and share to customize their experience on a website. He explains:

“So you go to a home page instead of seeing a thousand links on the page, it’s what’s the best stuff for this individual user. And it’s done by leveraging implicit signal. Which means that you don’t have to ask the user what they are interested in. You can actually just look at what they’re reading, look at what they’re sharing and linking, and build what we call an interest graph.”

So when you show an interest in a particular topic, Gravity will show those relevant stories to you. This is done either by a Chrome extension, or by a widget placed at the bottom of each post on a site, in the form of “Recommended For You” or “What You Missed.”

Gravity claims to index more than 1 billion pageviews each month, and that its personalized sites increase engagement by 240 percent compared to non-personalized Web properties. The company has also launched an API which gives anybody the ability to personalize their site.


AOL CEO Tim Armstrong told Swisher:

“We think we can get a clearer signal with content with personalization to improve our results and better monetize what we offer. AOL is going to be a super-customer of Gravity. But this is about extending those capabilities even further as personal becomes the most important signal for publishers and advertisers.”

Armstrong said Gravity will continue to operate as an individual brand based in Santa Monica, Calif.




Chained To A Cubicle All Day? Here Are 6 Smart Ways You Can Freshen Your Mind, Muscles and Bones

Jamie Russo, chief of work + wellness at Enerspace (a co-working space in Palo Alto and Chicago devoted to incorporating wellness in the workplace) and turnstone have teamed up to offer this advice for desk-bound workers to stay mentally “fresh” throughout the day.

  • Diversify your posture throughout the day to stay active, offsetting some of the damage done by sitting all day. Swap out your task chair for an active seat like the Buoy or even a yoga ball for a few hours to get a little moving and grooving while sitting; spend a portion of the work day standing or working at height-adjusted desks; let your next conference call become a walking call. In fact, Jamie takes conference calls walking the halls or even just pacing a conference room for a physical and mental change of pace.
  • Every few hours, get up from your desk, walk around and talk to a different person for 10-15 minutes. Not only will these short breaks improve circulation and reduce eyestrain and the buildup of muscle tension, they’ll also help you foster better relationships with colleagues and might spark fresh ideas.
  • Bring your furry friend to work from time to time. Dogs have long been regarded as man’s best friend, but they are also increasingly seen as a way to limit occupational stress. Jamie takes her dog (a Mini Golden Doodle named Miles) to work because he won’t let her forget to get up and take breaks. “What we might forget to do for ourselves, we will not forget to do for dogs or kids!”
  • Purposely leave your brown bag at home. Even though it seems counter-intuitive, Jamie sometimes doesn’t pack her DIY healthy lunch because she wants to force herself to take a walk to get lunch.
  • Carve out time to run errands during your work day. Jamie saves pesky errands, like depositing a check at the bank, to do during work hours in her running shoes. Why? Not only does she get some fresh air and a mental break from the task at hand, but she also crosses errands and a mini-workout off her list all at once.
  • And if nothing else, close your eyes and breathe! Meditation is becoming a more popular way to stay focused and reduce stress at work. Sneak in 10 deep breaths while you’re getting your morning coffee or even at your desk. Take a deep breath and recite a daily intention to yourself every time you put the phone down after a call.


The Case for Cash Advance Companies

It is easy to criticize cash advance companies. As in almost any industry, there are certainly unscrupulous players in the marketplace who charge interest rates that can approach 60% or higher APR (annual percentage rate) since many advances have a six-month payback period or shorter.

However, it is undeniable that these companies fill a void in the credit marketplace. We saw this in October as small business bank loans stalled during the government shutdown.

Small bank approval rates dipped below 50% to 44.3% for the first time in months during the shutdown, according to the most recent Biz2Credit Small Business Lending Index (Oct. 2013). SBA loans were not processed because the agency was closed. Even non-SBA loans came to a halt because lenders could not get IRS income verification information. October’s approval rates for small banks were the lowest since the summer of 2011, when the credit crunch was still near its height. Moreover, big banks approved only 14.3% of loan applications, reversing the steady gains from the early part of 2013.

While traditional lenders were not granting funding requests, small business owners still needed money. They turned to alternative lenders, which are also known as cash advance lenders, accounts receivable financers and factors. Chief among the advantages of alternative lenders is speed. They typically do not do extensive background checks and often make funding decisions in less than three days. Some of them will make funding available on the same day.

These companies will provide cash in advance of expected revenue, and the money is repaid as a percentage of upcoming credit card transactions. Interest rates generally are higher with this type of lending. However, in fairness, the lenders are assuming a higher level of risk and are providing the money quickly and without the substantial amount of paperwork involved in filling out an SBA loan. Basically, the borrowers pay a premium for being able to get money rapidly.

Sometimes entrepreneurs need the money because they may not have managed their cash flow wisely. Seasonal business owners may need an infusion of funding during slow periods of the year. In other instances, vital equipment may need to be replaced. There are times when deals come up and small business owners are able to get a break on inventory that will generate a substantial profit, but perhaps at the time the entrepreneur does not have the cash to pay for it. Getting a cash advance can help close the deal. These occurrences are fairly common.

There are some high profile commentators in the credit marketplace who spend a lot of time criticizing cash advance companies. It is easy to sit behind a keyboard and criticize the practice while not offering a viable solution. I agree that some advance companies have tried to charge interest rates that are too high, and the danger is that the small business owner could get caught in a vicious cycle of having to borrow more money to pay off debts. However, this is not happening frequently. In fact, some companies have entered the marketplace and offered interest rates of as low as 6.5 percent on cash advances.

When players in the marketplace begin to offer lower cost capital, others have to be mindful about the interest rates they charge. Biz2Credit enables companies to lower their acquisition costs and pass the savings onto borrowers in the form of lower rates and helped some lenders develop hybrid products that are almost like a business line of credit. This has enabled numerous small business owners - who, for one reason or another, could not secure a traditional small business loan from a bank - obtain capital at more reasonable rates when they search for matches on our platform.

The small business credit markets have eased since the darkest days of the recession, but it would be inaccurate to say that easy money is available. Banks still are not approving a high level of loan requests, despite what their marketing literature says. With the SBA still backlogged, the approval process has elongated. Any small business owner caught in a cash crunch needs to find capital and many times does not have the luxury to wait weeks or months for money.

Fortunately, entrepreneurs have learned that quick cash is available. Frequently, it can be had at reasonable rates. Technology has enabled them to shop around and get the best deals (in the same way that Amazon enables people to find the best prices on consumer goods). Increasingly, funding transactions are being conducted on smart phones or tablets.

Conducting business in the 21st century is often about speed and convenience, and there is no denying that cash advance lenders are part of it.




5 Office Management Tools to Help You Get Organized

I am blogging on behalf of Visa Business and received compensation for my time from Visa for sharing my views in this post, but the views expressed here are solely mine, not Visa’s. Visit their reinvented Facebook Page: Well Sourced by Visa Business. The Page serves as a space where small business owners can access educational resources, read success stories from other business owners, engage with peers, and find tips to help businesses run more efficiently. Every month, the Page will introduce a new theme that will focus on a topic important to a small business owner’s success. For additional tips and advice, and information about Visa’s small business solutions, follow @VisaSmallBiz and visit http://visa.com/business.

Professionals often begin each year with a goal to get more organized. But with so much to do in a given day, it’s almost impossible to set time aside to make lists and sort through piles of clutter. While an app can’t help with the mess in your office, it can help you be more efficient and productive.

As someone who firmly embraces technology, there are a few apps I can recommend that can make life easier for professionals. These tools may even help you squeeze a few extra minutes into your day to sort through those stacks of paper on your desk.

  • Evernote - If you’ve ever had a great idea while you were in line at the post office or struggled to remember the name of someone you met last week, Evernote can help. Residing on your smartphone or tablet, Evernote lets you take notes, snap pictures, and save websites in one app. It’s also great for organizing your next conference. You can save your agendas and itineraries in the app for use once you arrive.
  • Wunderlist - This app supercharges the to-do list concept, making it easy to not only make a list, but to delegate items to other team members. Once items are added, they can be sorted using a variety of criteria, with items moved to a separate area once they’ve been completed.
  • Clear - Made exclusively for iOS devices, Clear allows users to make lists and move items around using screen swipes. The app’s attractive design makes it stand out among the many list-making apps available for mobile devices. To create an item, you pull down on the bar at the top of the list. Once an item is completed, simply swipe over that item and it’s marked as complete.
  • Basecamp - Today’s teams are rarely gathered in one place, with members traveling, working from home, and moving from one meeting to another. Basecamp creates a central location for employees to meet, providing a place to share documents, post quick updates, and provide to-do lists. Tasks can be created and assigned directly in the software, with accessibility from anywhere.
  • Remember the Milk - With the exception of its attention-getting name, Remember the Milk looks like many other list-making apps on the surface. But one thing that sets this app apart is that items can be sent to the app from a wide range of places, including Outlook, Gmail, Twitter, and Bookmarklet. Bookmarklet is another great app that can help with organization, allowing webpages to be saved without ads and other clutter for easy reading at your convenience.

These great tools are only as helpful as the person using them. Setting time aside throughout the day to update lists and create new items can make a big difference. At the very least, you’ll feel as though you’re taking control of the clutter. You’ll also set a great example for your co-workers, who will notice the difference in your productivity and may even be inspired to try out a few of these apps themselves.



Third time's a charm for reborn Asprox botnet

Shades of Red October says security analyst

The Asprox botnet has been through another fade-and-resurface cycle, this time generating a raft of infected spam posing as an invitation to a funeral.

The botnet first surfaced in 2007 before disappearing in 2011, and then burst back into life in 2012. Now, reports suggest that botnet-using criminals have moved back to Asprox once more as part of a new scam.

In March of last year, Trend Micro researchers Nart Villeneuve, Jessa dela Torre and David Sancho wrote an in-depth analysis of the Asprox spam botnet, after it resurfaced for a second time.

In their `Asprox Reborn' analysis, the researchers said that Asprox was notable for generating malware-riddled spam that allowed it to grow and use compromised computers to perform tasks - and so keep it operational.

The Trend Micro report noted that, although Asprox had been analysed by the security community in its first five years of operation, it had largely flown under the radar because its spamming component had been incorporated as a `second-stage' plug-in.

As a result, the researchers concluded that Asprox's continued operation proved that spam botnets remain a crucial component of the malware ecosystem, with cybercriminals always looking for new methods to adopt in response to security defences.

Fast forward to this week and Fred Touchette, a senior security analyst with AppRiver, says that botnet-using cybercriminals have jumped ship from Blackhole - following the arrest of the exploit kit's author last October - and moved back to Asprox.

He says that the latest ploy poses as a funeral invite which, while failing to mention the name of the deceased, details the time, date and fictitious funeral home of Eubank Funeral Home & Cremation Services. Further details can be found, predictably, via a web link.

Touchette says that, as has also been the case in the past, the malicious host utilizes IP geo-location to customise the malicious payload to appear to be local to the recipient.

“The file that I received is named ‘FuneralCeremony_Gulf_Breeze_32561.zip’ - which is the city and zip code that I am currently in,” he says in his analysis.

"After all of the initial formalities the malware invites all of its other friends to the party and they start going through all of the victim's things stealing things like browsing histories and cookies, account credentials and passwords and whatever else that catches their attention," he adds.
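One way a mail gateway could flag the localised lure Touchette describes (bereavement-themed subject, archive attachment, file name carrying a city and a 5-digit ZIP that matches the recipient's own location). This is an added example written for this page, not AppRiver's or Trend Micro's code; the scoring weights, the `recipient_zip` field and the sample messages are assumptions constructed for illustration.

```python
"""Triage heuristic for geo-localised lure attachments.

Added example, not code from AppRiver or Trend Micro. The sample messages
below are constructed; field names and scoring thresholds are assumptions.
"""
import re
from dataclasses import dataclass

# Subject words typical of the "funeral invite" lure described in the article.
LURE_SUBJECT_TERMS = ("funeral", "ceremony", "memorial", "condolence", "passed away")
ARCHIVE_EXTS = (".zip", ".rar", ".7z")

# Lure file names seen on the page follow <Theme>_<City>_<5-digit ZIP>.<archive>.
LURE_NAME_RE = re.compile(
    r"^(?P<theme>[A-Za-z]+)_(?P<city>[A-Za-z_]+)_(?P<zip>\d{5})\.(zip|rar|7z)$",
    re.IGNORECASE,
)


@dataclass
class Message:
    sender: str
    subject: str
    attachment: str
    recipient_zip: str  # postal code on file for the mailbox owner (assumed field)


def score_message(msg):
    """Return a verdict plus the individual indicators that fired."""
    reasons = []
    subject = msg.subject.lower()
    if any(term in subject for term in LURE_SUBJECT_TERMS):
        reasons.append("bereavement-themed subject")
    if msg.attachment.lower().endswith(ARCHIVE_EXTS):
        reasons.append("archive attachment")
    match = LURE_NAME_RE.match(msg.attachment)
    if match:
        reasons.append("attachment name embeds city and ZIP")
        # The geo-customisation is the tell: the ZIP baked into the file name
        # matches where the recipient actually is.
        if match.group("zip") == msg.recipient_zip:
            reasons.append("embedded ZIP matches recipient's location")
    score = len(reasons)
    if score >= 3:
        verdict = "quarantine"
    elif score == 2:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "score": score, "reasons": reasons}


# Constructed sample traffic: one lure matching the article, one benign report,
# one borderline message and one benign bereavement notice.
SAMPLE_MESSAGES = [
    Message("noreply@example.invalid", "Funeral ceremony notification",
            "FuneralCeremony_Gulf_Breeze_32561.zip", "32561"),
    Message("hr@example.invalid", "Q4 expense report", "expenses_q4.xlsx", "32561"),
    Message("unknown@example.invalid", "Funeral invitation", "invite.zip", "32561"),
    Message("events@example.invalid", "Memorial service reminder",
            "service_details.pdf", "32561"),
]


def triage_all(messages=SAMPLE_MESSAGES):
    """Triage a batch and return (attachment, verdict) pairs."""
    return [(m.attachment, score_message(m)["verdict"]) for m in messages]


if __name__ == "__main__":
    for attachment, verdict in triage_all():
        print(f"{verdict:10s} {attachment}")
```

The ZIP-match indicator is what separates this lure from ordinary bereavement mail: a legitimate notice rarely embeds the recipient's postal code in an archive name, so that single signal is worth weighting heavily in a real gateway rule.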

According to veteran security analyst Kevin Bailey, now with security vendor Clearswift, the spam generated by this latest incarnation of Asprox is smarter than seen previously, as it switches away from the lure of `you have won £1,000' over to an invite to a funeral.

"This means that people's emotions take over and they read the email, then click through to discover who the person was and where the funeral is taking place," he told SCMagazineUK.com.

"This type of dialogue clearly takes a more psychological approach to the task of luring the visitor. Most people, especially at this time of the year, are under pressure at work, so they will rapidly click through and infect themselves.”

Former IDC analyst Bailey added this hybrid approach to infection is similar to other malware such as Red October, first seen in October 2012.

"With Red October, the malware was polymorphic in nature, with data being sent to multiple command-and-control (C&C) servers, which then work as proxies," he said, adding that trying to keep ahead of the Web of technology used by cybercriminals has become a far more complex task with threats such as Asprox and Red October around.



Beats Music Launches: The End of Download Business Models?

The new digital music subscription service Beats Music launched this week for iPhone, Android and Windows Phone. The new service’s greatest distinction from competitor Spotify may be that there is no free version (all subscriptions are $9.99 a month) beyond a brief trial period.

But the launch of yet another of these services may also mean the streaming music model is beginning to replace music downloads. (Think Apple’s iTune store, for example.)

It may be too early to call it a trend. But, last year in the U.S., downloads of single tracks were down six percent and downloads of albums were flat. It’s the first time digital download sales have decreased, Recode observed.

Meanwhile, the streaming of music was up by 32 percent - presumably from sites as different as Spotify and YouTube.

The big question may be whether or not customers are willing to pay for the service, something artists and entrepreneurs will need to make the business model work.

As tech guru Walt Mossberg explains:

“For years and years, people have predicted that subscription streaming music services would eventually overtake paid download services in the hearts of average consumers. The theory was that people would rather pay monthly for access to all the music they could want, than pay song by song or album by album to own particular music.”

But the new music service is also committed to making sure independent artists get paid. In an official press release, Beats Music Chief Creative Officer Trent Reznor, also front man for the rock band Nine Inch Nails, states (PDF):

“Beats Music is based on the belief that all music has value and this concept was instilled in every step of its development. We want it to be just as meaningful for artists as it is for fans. We’re committed to providing revenue to artists, while helping to strengthen the connection with their fans.”

The service already seems to be a hit with users: the site has been overwhelmed with traffic in its first week.




First Bluetooth card skimming arrest case in US

"It's so lucrative that you arrest a couple of people - then there are a couple of people right behind them that do the same thing."

More than a year after the first Bluetooth-enabled card skimmers started causing problems for petrol stations - and drivers - on the West Coast of America, the first arrest of a gang alleged to have been involved in the growing practice of Bluetooth-enabled petrol pump skimming has taken place.

According to leading security researcher Brian Krebs, New York officials yesterday announced the arrest and indictment of 13 men accused of running "a multi-million dollar fraud ring that allegedly installed Bluetooth-enabled wireless gas pump skimmers at filling stations throughout the southern US."

Krebs says that the 13-strong gang reportedly generated more than $2.1m (£1.25 million) from their activities. 

The accused then allegedly used the credentials and PINs to create counterfeit payment cards, which were then used to draw cash from ATMs and fed into legitimate bank accounts.

The first Bluetooth-enabled card skimmers started appearing in US petrol stations, where unmanned card-operated pumps are now the norm, in the fourth quarter of 2012.

In a report on a spate of incidents at the time, KRCA News revealed that criminals were using standard pump keys to install the skimmers, which interfaced with the pump's power supply, and harvested the card credentials - including PIN codes - before relaying them to cyber criminals using a laptop up to 100 yards away.

In the KRCA news report, Detective Eric Pahlberg of the Sacramento High-Tech Crimes Force said:

"These guys will install the skimmer in a pump, stay on for a few days and take it off. You would never know it was there.

"It's so lucrative that you arrest a couple of people, then there are a couple of people right behind them that do the same thing.”

Krebs says that the attacks seem to take place at weekends and in the early hours of the morning, presumably to minimise the chance of detection.

Although the Bluetooth-enabled card skimming petrol pump problem is confined to the US, the criminal modus operandi could be used in the UK.

Because UK-issued cards must still carry the legacy three-track magnetic stripe that is commonplace on North American cards, a cloned card - without a smart card chipset - can easily be counterfeited and then used by criminals in stores and automated vending machines, including certain 24-hour petrol forecourts.

Commenting on the emerging US court case, Professor John Walker, a Visiting Professor with the Nottingham-Trent University Faculty of Engineering, said that the fundamental of this scam is the promiscuous nature of 'air-based' trusted communications.

Professor Walker - who is also CTO of IT security consultancy Integral Security Xssurance - says that the issue of promiscuous protocols is not just limited to Bluetooth, but almost all air-bound and close-proximity 'trusted' protocols upon which we all rely.

"Of course this is also about the ingenuity of the criminal mind, looking for those gaps which have entered into the security planning stage, which may allow the injection of their malicious attack, circumvention of, say card-based security, which in turn delivers a profitable outcome to the miscreant acts," he said, adding that promiscuous protocols also offer that special opportunity which allows the external attacker to intercept and view the operability, and the associated interlaced interfaces.

This, he told SCMagazineUK.com, is unlike the wired environments which are protected by perimeter devices and applications.

Citing an example of an audit on a global security company in Central London, Walker says that, when the firm's security manager was invited to identify the localised 802.x footprints, the manager listed a rogue Access Point that the Professor had installed earlier.

"After a very quick audit, I discovered the network was completely infiltrated with malicious programmes, back door access, and a whole host of trojanised applications, tools, and malware, running from TCP/IP and UDP Port 1, right up to the very top of the scale," he said.



10 Website Features That Are Scaring Your Customers Away

A customer recently warned me that he was scared away by something on my website. What are some other website features I should eliminate / modify to avoid scaring away potential buyers?

The Young Entrepreneur Council (YEC) is an invite-only organization comprised of the world’s most promising young entrepreneurs. In partnership with Citi, YEC recently launched StartupCollective, a free virtual mentorship program that helps millions of entrepreneurs start and grow businesses.

1. Pop-Up Ads

By far, the biggest turn off (and a bad scare tactic) on any business website is being too pushy way too soon. Let your potential buyers first get to know what your business and products are about. Don’t blast them with a sales pop-up immediately upon their arrival and before you raise their interest. Don’t come across as desperate. Earn their trust first.
- Juha Liikala, Stripped Bare Media

2. Offensive Additions

Trying to sell to everyone often means you’re not selling to anyone. Something offensive should go - as should any annoying processes - but don’t worry about making everyone happy because you’ll never win.
- Alexis Wolfer, The Beauty Bean

3. Bad Photography

Customers want to feel that they’re making a wise investment when they use your product or service. Bad photography, whether it is of products, staff or your office, screams, “Don’t trust me.” If you don’t care enough to invest in your own business, how can you be trusted to take care of your customers?
- Dustin Lee, Playbook

4. Unclear Return Policies

Your return policy is one of the first things savvy consumers will want to know about, and if yours is confusing or missing, you could lose out on potential sales.
- Andrew Schrage, Money Crashers Personal Finance

5. Outdated Information

I always cringe when I see copy on a company’s homepage about forthcoming endeavors in 2009. If your text isn’t evergreen, make sure it’s up to date. If it’s not, you’re broadcasting a portrait of oversight and obsolescence.
- Sam Saxton, Salter Spiral Stair and Mylen Stairs

6. Hidden Contact Information

Make contact information easy to find on every page. You don’t want customers to think you’re hiding behind your product, but instead that you’re readily available and legitimate.
- Sarah Schupp, UniversityParent

7. Intrusive Questions

Trust is at an all-time low, according to recent studies. People are very cautious on the Internet, especially when dealing with the unknown. The best way to get people comfortable with your business is to slowly ease them into it. To do this, you should only ask for the information you need during customer requests, and clearly explain why you need it and what you’ll do with it.
- Andy Karuza, Brandbuddee

8. Price Tiers

It’s become fashionable to list a lot of price tiers on websites to show buyers there will be a feature set that is ideal for them. Be careful not to have too many pricing tiers because it may overwhelm a prospective buyer. Too many choices can paralyze a potential buyer in making a decision, so make sure to streamline your pricing options shown online.
- Doreen Bloch, Poshly Inc.

9. Long Loading-Times

Page load time directly affects page abandonment rate, so when it comes to loading time, every second counts! Consumers have come to expect increasingly faster load times on both desktop and mobile, and meeting those expectations is extremely important as it ultimately affects your bottom line.
- Katie Finnegan, Hukkster

10. Stock Photos

Stock photos make you look cheesy, outdated, and unrealistic. It makes people think that you couldn’t get any “real” people to stand behind your product and smile. When landing on a page, the user wants to think they belong there. I don’t know a single person who sees a model in a stock photo and says, “that person is just like me!”
- Heidi Allstop, Spill



Stay Interviews: Hold On To Your Best Employees for Less

As the economy improves, employees are feeling more comfortable with their career prospects. A new Glassdoor survey found that two in five employees expect a pay raise in 2014 and their fear of layoffs is at an all-time low since 2008. Though this speaks to a healthy economy, perhaps most distressingly for small business owners, one in five employees also plan to search for a new job in the coming year.

So, what can you do to retain your top employees? Many small businesses don’t have the funds for lavish benefit packages, but there are cheap ways to improve your employees’ satisfaction and morale.

Stay Interviews

Most employers conduct exit interviews to find out why employees are leaving, often at a moment in time seen as “too little too late.” But stay interviews can be a great way to check in with your top employees and make them feel valued even in the midst of their tenure.

Ask your employees what they love about their job, and what they could do without. Do they feel that they are doing the “best work of their life”? Are they treated fairly by their managers? Do they feel that their work makes a difference to the company? All of these questions are viable and not only a great tool for helping an employee feel valued, but equally great for encouraging an open company culture.

If done effectively, stay interviews are a cost-effective way to boost employee engagement. Interviews are informal, you won’t have to train your interviewers, and limiting the interviews to only your most essential employees will save you time and effort. In turn, the employees will appreciate the personalized attention that a stay interview offers. In fact, Webroot Software enjoyed a noticeable decrease in turnover rates after implementing stay interviews.

Additionally, once you’ve conducted a round of these interviews, you will have specific, actionable insights on how to make your company a better place for your employees.

Offer Flexibility

Most employees struggle to balance their career with their life outside work. According to a recent study by Accenture, more than half of employees value a work-life balance more than their salary or their specific position. This balance can be especially important to parents who have major outside obligations that often interfere with work.

Make your employees feel like they can always ask for time off if something comes up unexpectedly. These emergencies will most likely be rare, and your employees will really appreciate it. Additionally, consider allowing your employees to work from home, at least part-time. In a recent survey, 94 percent of respondents believe that working from home is an important option for new parents.

As an extra bonus, at-home workers are actually more productive than their in-office counterparts. In one study (PDF), home workers had fewer breaks and sick days than office workers, and there was a 13 percent increase in their performance.

Another great way to give your employees flexibility? Let them take their lunch. According to a recent study in the Academy of Management Journal, about 30 percent of employees feel pressured to work through their lunch break. Instead, employees should have the choice over how they spend that time. This autonomy decreases their end-of-work fatigue, and presumably increases their satisfaction with work in general.

Perks, Perks, Perks!

Can’t afford to give your employees a comprehensive health care plan or a month-long vacation? Don’t worry. According to a recent survey, more than a fifth of employees rank perks among the top office benefits. These include easy and cost-efficient perks like allowing your employees to dress casually or to bring pets to the office. You can also provide free drinks and food on special days.

The survey also found that these perks are especially valuable to women and to those living in the South and the Midwest, so know your company’s demographic makeup before implementing any changes. It is also a good idea to send out a survey to your employees to see what perks they’d like to have in the office. For more ideas, check out what sort of perks the top companies offer.

Employees have more career options these days, so you want to make sure your company remains the best option. Conducting stay interviews, allowing your employees flexibility, and offering fun office perks will help to maintain a positive working environment. Your employees will do anything they can to stay.




Smartphone touchscreen keylogging becomes reality

Installing Touchlogger malware on Android handset or a jailbroken Apple iPhone is relatively easy

A Trustwave researcher has developed a 'Touchlogger' attack methodology that allows a hacker to log the X-Y coordinates of a smartphone's touchscreen, as well as the screen icon being 'touched', in order to bypass the latest generation of virtual keypad login procedures used for online financial services.

Because of the risk of keyloggers on regular PCs, a growing number of international banks are now using smartphones as an out-of-band authentication process to boost security for their online banking, SCMagazineUK.com notes.

Neil Hindocha, a senior security consultant with Trustwave, will reveal his methodology, and proof-of-concept malware, in full at next month's RSA Security conference in San Francisco.

Hindocha, who has been in the security space since the 1990s and was previously with Symantec and Verizon Business, specialises in penetration testing, reverse engineering and secure source code analysis.

He claims that the banks and other interested parties cannot easily counter his smartphone touchscreen logging procedure, as it is a structural security issue rather than a software problem.

SCMagazineUK.com caught up with Hindocha on Wednesday to discuss his findings and he said that, since a lot of Trustwave's clients are in the financial services industry, they asked him to look at the smartphone touchscreen security issue.

"We discussed the problem and, whilst there have been proof-of-concept keyboard bypasses in the past, this is the first time that the security of a virtual keypad has been beaten," he said.

"Most banking software - whether on the desktop or the smartphone - now supports some form of virtual keypad, but the reality is that the keypad is actually a series of pictures. I reasoned that, if you could capture the pictures being displayed on the screen, as well as X-Y co-ordinates from the touchscreen, I could bypass this security protection system. And I was right," he added.

His latest security bypass approach, he explained, can even beat the latest generation of mixed pictures that a number of players have been touting as a means of adding an extra layer of authentication to a login process.

"It's a fascinating area of security. I started work on this in July of last year and will be revealing my methodology at the RSA event at the end of February," he said, adding that installing the malware remotely on an Android handset or a jailbroken Apple iPhone is a relatively easy task.

With a standard iPhone, he says, the task becomes more complex and would require around 30 minutes of physical access to the handset in order to install the malware and ensure it logs the touchscreen X-Y coordinate touches and swipes.

"I haven't made it work on Windows-driven smartphones yet, as my main focus has been on Android and iPhones," he said.

The $64,000 question is what the security industry and the banks can do to solve the problem of Hindocha's security bypass research - which could also be applied to Windows 8 touchscreens.

In December 2012, Naven Jones, a US researcher, revealed that he had been looking at this picture-password security mechanism, which was added to the Windows 8 kernel code in October of that year. He concluded it could be cracked using screen-smudging analysis. This is made possible because human skin constantly sheds oil and skin fragments, and so causes smudges on most smartphone, tablet and desktop touchscreens, SCMagazineUK.com notes.

This approach was first discussed by Nigel Stanley, a security analyst with Incoming Thought, at the Counter Terror Expo event in April 2011 but Jones - of Uncoveror.com - said that a smudging analysis approach dramatically reduces the number of key sequences required to brute force crack a Windows 8 desktop or laptop.

Stanley's fellow analyst Sarb Sembhi, meanwhile, said in an online conference in November 2012 that it was likely that the smudging analysis technique would eventually die off on smartphones owing to the introduction of hardened glass on smartphones.

Windows 8, however, is a desktop/laptop operating system and Microsoft portrays the pictorial password option as a powerful security option.



Snowden effect could see change in privacy law

Former CIA contractor Edward Snowden may be holed up in Russia, but his actions could yet see changes on privacy law and the funding of certain data protection agencies.

LILLE, FRANCE:

Privacy and surveillance were inseparable - and hotly-debated - trends at the annual International Cybersecurity Forum in Lille, France this week, with one panel of experts in particular believing that the actions of Edward Snowden could yet result in the change of privacy laws and in the funding of data protection agencies, such as the ICO in the UK.

A stellar panel comprising Neira Jones, formerly the director of payment security & fraud at Barclaycard but now a consultant at Accourt (as well as chairman of the Cybercrime Advisory Board at the Centre for Strategic Cyberspace and Security Science), York Advisory director Arwaa Jones and Bird & Bird lawyer Gabriel Voisin tackled the issue of privacy and surveillance in business, and admitted that perceptions around both will have to change.

Jones said that the debate is a “cultural and environmental issue” and while not completely attributing this to the wide-scale NSA and GCHQ surveillance - she also fingered the emerging Internet of Things trend - she said that change is likely to be implemented through the next generation of business workers.

“Generation Y will constitute 75 percent of the workforce in the years to come, and they have a very different profile,” said Jones. “Generation Y are more concerned about geography flexibility, and up-to-date technology. They're technically savvy, use the newest devices and want BYOD, tablets and the Internet of Things.”

“They've got a very different issue on privacy. Gen Y are publicly available on social networks, they're more likely to disclose personal info and are happy to do that for the privilege of using a service. But actually not secure at all.”

Jones added that technology is generally “eroding privacy” and pointed out - as SC Magazine has reported - that some European companies are withdrawing their services from being hosted in the US.

Arwaa Jones added that the definition of privacy is likely to change, especially as public sector and private companies approach with caution the issue of balancing employee surveillance with end-user privacy.

“Citizens expect privacy and I think we can set a reasonable expectation that the data we hold in relation to citizens is not misused or stolen from the public sector. Then there are some issues on clarification - when we agreed [terms] with the citizen and how.”

Voisin, a lawyer with Bird & Bird, said that change is necessary, if only because companies will likely be asked to be more transparent than ever before, as a result of the PRISM leak.

“The good news for employers is that they can do what they want under French law,” said Voisin, who added that firms can easily monitor email, web access and other things by logging security events.

But he urged companies to explain this surveillance to the employee, file this with the appropriate judicial bodies and get the workers' representatives involved too. Failing to do this could result in administrative or even criminal proceedings, and could have other repercussions too. “It also means that any disciplinary action against an employee would be invalidated.”

Arwaa Jones, Gabriel Voisin, Claire Levallois-Barth (moderator; lecturer at Telecom Paris) and Neira Jones talk about privacy at FIC 2014

Changes in the law

Gabriel Voisin, a lawyer for Bird & Bird (and not the French aviation pioneer in the 20th century), foresees changes to the privacy law in Europe, but doesn't hold much hope for US counterparts.

Naming the EU Privacy Directive originating from 1985 and France's own Data Privacy Act from 1978, Voisin still urged reform on both continents: “The US, I am afraid to say, is not a privacy-friendly country. It's fair to say that the EU has a much more mature notion of privacy than the US.

“Is the Europe framework still valid? No, it needs to catch up on technology. The 1985 directive was created before Google [existed] and must be revised.”

But despite proposals for the European Union's General Data Protection Regulation to be agreed in 2014 and enforced by 2016, Voisin was not sure such a law change will come into effect. “The question remains if it becomes positive law,” he said, adding that some member states are yet to agree to the change.

The law proposes various sanctions, says that the data controller must notify the DPA on learning of a data breach, that personal data be deleted if the individual withdraws consent, and that the user can request a copy of personal data to be transmitted electronically to another service.

ICO and other data authorities need more money

The increasing focus on data privacy and surveillance is likely to result not only in possible new law, but could also put pressure on local data authorities who are already under-staffed and under-resourced.

“It's good to have these authorities but the capabilities of these offices are limited by resource,” said Arwaa Jones, who added that such agencies more likely target the public sector. “Larger scale breaches and issues around privacy are not governed by the ICO.

“Much activity goes unnoticed but it's still necessary to have them there.” Other panel members agreed that the DPA, ICO in the UK and CNIL in France have some authority, but Voisin urged for greater funding from the European Union.

“At the moment, there are small data protection authorities in Europe and they are struggling to get enough people and resources to reinforce privacy and data protection requirements by the EU directive,” he said. “They only have 10 to 20 certified people.

“My message to Brussels is to give money to these authorities so that they can do their work.”



Cyber security 'failure' could result in next major terrorism attack

Compliance, standards, a shortage in IT security skills and budgets are reasons behind the 'failure' of cyber security, experts conclude at French information security conference

LILLE, FRANCE:

Several industry experts labelled cyber security as a ‘failure' and a ‘challenge' at a leading conference in Lille, France on Tuesday.

Speaking at the sixth International Forum on Cyber Security, a panel comprising futurologists, former police investigators, industry vendors and privacy advocates looked at the state of cyber security and the challenges facing CIOs, CISOs and other IT managers.

The topic was ‘Is cyber security a failure?' and the initial question drew a mixed reaction from the panel of experts; Marc Watin-Augouard, a former Inspector General of the Armed Police in France but now general of the 2S Gendarmerie Nationale, and ANSSI director general Patrick Pailloux were more adamant than others that the answer to this question is ‘no'.

“Cyber security is always going to be built on respective failures; you always have to have failures to make for reliable cyber security,” said Watin-Augouard.

Pailloux, who heads the French national security agency ANSSI, compared the state of cyber security to 19th century medicine. “We are still progressing; it's exactly the same situation.” Jean-Michel Orozco, CEO of Cassidian Cybersecurity added that it is a “challenge” brought about by the growing number of digital devices and said that budgets and technological solutions will be key going forward.

Other experts at the annual convention were, however, more damning on the challenge ahead, at least in light of the growing number of attacks against governments and organisations like Target.

‘Snowden did more for cyber security than all of us in this room'

Asked, like the others, if cyber security was a failure, futurologist David Lacey of IOActive delivered the most damning statement. “Yes, it has failed at all levels,” said Lacey, mentioning compliance and regulations as two contributing factors.

Lacey, the former Director of Security and Risk Management for the Royal Mail Group, added that IT managers are not managing compliance appropriately, said that the regulation itself doesn't encourage technological innovation and branded the current cyber security standards in place as “old school”.

And with attackers able to change the method of their attack in a moment, Lacey said that businesses would ideally need to replace the “Deming loop” - a four-stage management method entailing ‘plan, do, check, act' and often used in business to continually improve processes and products - with the “OODA loop” (‘observe, orient, decide and act'), which is more often used by fighter pilots and special forces.

“There needs to be new attitudes, new skills and new technologies,” Lacey told the 3,000-strong conference audience. Should such changes be bypassed, the futurologist worries that the next big terrorism attack could well be in the cyber world. 

“Nothing will change until there's a 9/11 incident in enterprise or society,” he added. His comments coincided with a new report from CrowdStrike, which has identified five state-sponsored espionage groups, including actors from China, Iran and Russia.

Jeremie Zimmermann, the outspoken co-founder of La Quadrature du Net, a citizen advocacy group fighting for rights online, was in similar agreement about the cyber security ‘failure' and said that turning this around will be reliant on involving citizens, especially in light of the scale of NSA and GCHQ surveillance.

“We've chosen the wrong path and forgotten a main perimeter - that the citizen is at the heart of cyber security,” he told the conference. “The trust has been broken now. Snowden did more for cyber security than all of us in this room.”

Zimmermann, a friend of WikiLeaks founder Julian Assange, took a quick poll of the room to discover who used products or services from Apple, Microsoft, Google or Facebook - companies that have been associated with the NSA scandal. On finding out that approximately 70 percent of the room did use these products or services, Zimmermann said: “You put your trust in those companies; you handed the keys to someone who looked pleasant, but they raided the fridge, slept with your wife and changed the locks.”

Standards, products and skills must change

Investigating the way forward for cyber security, the panel concluded that there needs to be improvements across the board, from appeasing people on privacy and surveillance and introducing newer technologies to finding ways to improve cyber security skills, standards and C-level understanding.

Lacey, though, urged companies to get away from the “mono-culture” where all companies use the same products.

“I don't think there are any best practices,” said Lacey. “Best practices create a mono attitude where everyone copies each other. There must be a greater choice of technologies”.

“There are going to be some spectacular attacks [in 2014] for political and criminal motives.”

Panellists also urged for a rethink on standards and compliance, with Jean-Michel Orozco and Lacey in particular keen for businesses to seek ways around compliance quicker in the event of a cyber crisis.

“On the issue of compliance, must there be times when the CEO is always informed?” questioned Orozco. “What matters to the CEO are the pennies and how much it's going to cost if they're under attack.” Lacey added that boards must also “trust” CIOs to push ahead with crisis response solutions even if it means “there are no guarantees on ROI”.

But the biggest concern for the experts was notably a lack of skills - an area that has been reported a lot on SCMagazineUK.com - and Lacey said that there is no easy fix.

“There's still a serious shortage in cyber security skills,” said Lacey, who later added that there was a 60 percent increase in cyber crime in the UK last year, costing the economy approximately £81 billion. “It's a special type of person [to be a cyber security professional] and they can't be manufactured.”

He noted too that the rewards are much higher in the criminal world, and pointed to the example of the ‘Iceman' in the US, a former security consultant who became a black hat. “It's a young man's game but there's a choice between crime and security,” he said.



Potentially major XSS/JavaScript flaw found in Office 365

Microsoft Office 365's security outlook: cloudy

Minor security flaws in Microsoft Office 365 - the cloud version of the popular Office suite of business software - are nothing new, but a researcher claims to have spotted a potentially serious XSS (Cross Site Scripting) vulnerability in the software/service.

According to Alan Byrne, managing director of Cogmotive, the London-based Office 365 reporting firm, he and his team discovered the flaw when conducting a security audit of the company's own Microsoft Office 365 reporting application.

Any person with a mailbox in a company using Office 365, he says in his latest security posting, could exploit this vulnerability to obtain full Administrative permissions over their entire company's Office 365 environment using just a few lines of JavaScript.

"The malicious employee would now have access to the Email and SharePoint content of every employee in the company as well as the ability to make any configuration changes to the environment," he said, adding that he reported the problem to Microsoft in October, since when it has been patched.

Posting a video of his findings to YouTube, Byrne notes that Web developers are used to correctly handling direct user input, but often incorrectly assume that information retrieved from a third party service is “safe” to be directly output to the browser.

"It is worth noting that this weakness seems to have been introduced recently within the new Wave 15 version of Office 365. If it existed in the earlier Wave 14 version we would have noticed it during one of our previous tests. At its core the exploit uses a simple Cross Site Scripting vulnerability in the Microsoft Office 365 Administration portal. The portal was not correctly escaping user and mailbox information which it read out of Windows Azure Active Directory," he says in his analysis.

"The Office 365 Web portal is just like any other Web application and even uses the jQuery library. This made it relatively easy to craft an XSS string that loaded a JavaScript file from a remote web server and executed its contents," he adds.

By the time the administrator sees the XSS payload, he goes on to say, it is too late and the code has already been executed.
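As an added illustration of the bug class Byrne describes (this is not Cogmotive's code and not Microsoft's portal code), the following JavaScript renders a directory record into an admin table row first the way the flaw is described, trusting attributes read from the directory, and then with output encoding; the function names, the sample record and the probe strings are constructed for the example.

```javascript
// Added example, not code from Cogmotive, Microsoft or the Office 365 portal.
// It shows the bug class the article describes: an admin page that trusts
// user and mailbox attributes read from a directory service and writes them
// into HTML unescaped. Function names and the sample record are constructed.

// Encode the five characters that matter in HTML element content and in
// quoted attribute values. Order matters: '&' must be handled first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed sample of a directory record. A mailbox owner can usually set
// their own display name, so it is attacker-controlled input even though the
// portal reads it from the directory rather than from a request parameter.
const sampleUser = {
  userPrincipalName: 'bob@example.invalid',
  displayName: 'Bob <script>/* constructed marker */</script>',
};

// VULNERABLE: directory data is assumed "safe" and interpolated raw, both in
// element content and inside an attribute value.
function renderUserRowUnsafe(user) {
  return `<tr><td title="${user.displayName}">${user.displayName}</td>` +
         `<td>${user.userPrincipalName}</td></tr>`;
}

// HARDENED: every directory-sourced value is encoded for its output context
// before it reaches the page, so markup in a display name is shown as text.
function renderUserRowSafe(user) {
  const name = escapeHtml(user.displayName);
  const upn = escapeHtml(user.userPrincipalName);
  return `<tr><td title="${name}">${name}</td><td>${upn}</td></tr>`;
}

// Regression check a reviewer can run against any row renderer: feed display
// names containing HTML metacharacters and report those that come back
// verbatim, which means the renderer did not encode them.
const PROBES = [
  '<b>bold</b>',                 // element-content context
  '"><i>attribute break-out</i>', // double-quoted attribute context
  "O'Brien <u>x</u>",            // single quote plus a tag
  'Fish & Chips',                // a bare ampersand must be encoded too
];

function auditRenderer(render) {
  return PROBES.filter((probe) => {
    const html = render({ userPrincipalName: 'u@example.invalid', displayName: probe });
    return html.includes(probe);
  });
}

// Stand-alone run for the reader.
console.log('unsafe row            :', renderUserRowUnsafe(sampleUser));
console.log('safe row              :', renderUserRowSafe(sampleUser));
console.log('unsafe, unencoded     :', auditRenderer(renderUserRowUnsafe));
console.log('safe, unencoded       :', auditRenderer(renderUserRowSafe));
```

The same audit applies to any value that arrives from a "trusted" back-end (directory, CRM, SaaS API): the place it came from does not change who originally typed it.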

Malicious use?

"This is a perfect example of a very simple exploit which has a huge possibility to cause billions of dollars' worth of damage. As we move further and further into the cloud we need to be more and more aware of the potential security risks. There are some large, high profile companies now using Microsoft Office 365 and I know that they will be very concerned to hear about these types of exploits," he says.

"No-one knows if someone much more malicious discovered this bug before I did and has used it for profit by extracting sensitive information," he adds.

Commenting on the flaw - and the fact that the XSS/JavaScript issue has been fixed - Professor John Walker, a Visiting Professor with the Nottingham-Trent University Faculty of Engineering, said that it demonstrates just how vulnerable trusted services can be, where they are taken out of the organisation, and which are fully dependent on a third party service.

"It's also, of course, about the smartness, and complexities of these types of implementations that, by inference can increase their exposure," he said, adding that 'cleverness' always tends to arrive with an increased opportunity of compromise.

Professor Walker, who is also CTO of IT security consultancy Integral Security Xssurance, went on to say that this type of security event also serves to reinforce the fact that, even when the business outsources and subscribes to some remote service - or provision of applications - security is still very much a matter of internal interest, and ownership.

"The bottom line here is that security can never be truly outsourced if you care about your business," he concluded.

According to Fran Howarth, a senior security analyst with Bloor Research, Cross-Site Scripting remains a serious security risk and is consistently singled out as one of the most important vulnerabilities - including the OWASP list of the top 10 vulnerabilities - to guard against.

"The extent of this vulnerability found indicates just how serious it is as any company using Office 365 could potentially see a highly damaging data loss as a result of this vulnerability being exploited. This also shows the importance of ensuring that security patches issued by vendors are applied in a timely manner," she said.

Radek Dymacz, Head of R&D with secure hosting provider Databarracks, told SCMagazineUK.com that Microsoft has a long history of security vulnerabilities - so this latest report does not come as a surprise.

“The knee-jerk reaction is to treat this as ‘another cloud security problem' but really, it's the same problem we've always seen. This vulnerability didn't affect all customers across the Office 365 platform so it was just like an old problem like you would see with on-premise IT,” he said.