How One Chocolate Retailer Increased Holiday E-commerce Sales 40%

Lake Champlain Chocolates has three brick and mortar retail locations in Vermont. So this small business knows how to sell chocolates to shoppers in person.

But the chocolatier has also learned how to sell online.  And when it comes to holidays, Lake Champlain Chocolates knows how to capitalize on them to increase sales.

Lake Champlain Chocolates was founded by Jim Lampman, originally as a wholesale truffle maker 30 years ago.  Customers soon tracked them down directly, and customer demand led to the company opening up retail stores.

Fast forward to today, and the company has expanded beyond their local area in Vermont.  In addition to its 3 chocolate shops, the company now engages in mail order and online sales - and says those represent the fastest-growing segment.  The company now ships confections to all 50 states.

How to Increase Holiday E-Commerce Sales

For a chocolate vendor, certain holidays are peak times.  According to Greg Tickle, E-Commerce Manager for Lake Champlain Chocolates, the year-end Christmas holiday is the biggest time. But Valentine’s Day and Easter are also big holidays for the company.  So getting as many sales as possible during holiday periods is important.

This year the Valentine’s Day season provided lessons about how to use online advertising to increase holiday e-commerce sales.

Lake Champlain Chocolates increased its Google AdWords spend by 14%, but saw a 40% increase in website sales this Valentine’s season.

The company’s experience shows that executing intelligently makes the difference in getting a good ROI from advertising.  Lake Champlain’s Tickle points out how important it is to collect data, be flexible and adjust - on a near-daily basis during holidays.  With holidays you have a limited number of days to capture the opportunity. You must stay on top of things.  “Monitor Google AdWords campaigns closely,” he says.  “Change your ad text.  Drop keywords that aren’t producing sales, and bid on other keywords.”

And it’s not just AdWords you want to monitor.  You also should look at your site performance as a whole, to see how well the traffic you are drawing in from your ads is turning into actual sales. “Monitor your analytics. Then adjust as you see where visitors are coming from, when they come, and where they go once they are in the site.  You need data to know what’s working and what isn’t,” Tickle emphasizes.

Keeping a close eye on Google Analytics is what led Lake Champlain Chocolates to optimize landing pages and its AdWords ads for mobile devices.  Traffic from visitors using mobile devices has been growing steadily and now constitutes roughly 30%.  Even the company’s email newsletter gets opened on mobile devices.  With evidence of mobile growth, the company made it a point to work on improving the mobile visitor’s experience, and increased mobile sales as a result. 

Another of Tickle’s advertising tips is to “speak to” the shopper’s needs.  He says it is important to make sure the words in your ad and in your website work together to help the searcher find what he or she is looking for.  The ad text and the landing page copy should match closely.

Optimize AdWords Campaigns and Optimize The Website

Robert Brady, a pay-per-click advertising expert with Righteous Marketing, agrees that Google AdWords can be very effective to increase holiday e-commerce sales volume.  “Holidays present an opportunity to obtain additional traffic by adding holiday-themed keyword variations.  If you normally sell knitted sweaters before Christmas it would be wise to also bid on keywords such as ‘Christmas sweaters’ or ‘knitted sweaters for Christmas.’ Your ads should speak to the Christmas theme and then send these visitors directly to your Christmas-themed landing pages where you would expect them to convert at a higher rate.”

It really breaks down into two activities that work hand in hand, Brady emphasizes.  For best results, e-commerce sellers must optimize their pay-per-click advertising campaigns to get better-qualified visitors to their sites. They must also engage in “conversion optimization” on their websites to get more sales from those who in fact end up visiting,  he adds.

Lake Champlain Chocolates’ Tickle sums it up this way, “Increasing traffic to your website may not always result in increased sales and may likely result in higher advertising costs; however, by improving your website conversion optimization and the user experience, you will increase your return on ad spend … your ROI.”


Top Story, SBA Nominee’s Confirmation Hearing Held

Here are the stories most important to small business owners today, from the Small Business Trends editorial team:

SBA nominee has confirmation hearing. President Barack Obama’s recent appointment Maria Contreras-Sweet seemed to do well before the Senate Committee on Small Business and Entrepreneurship. It’s uncertain when she might finally be confirmed.

Policy

The IRS will start enforcing new rules on gratuities. The new rules require any automatic gratuity at a restaurant be treated as part of regular wages. Here’s a look at what that would mean to both small restaurants and servers.

Obamacare gets delayed again. Delays and snags in the new healthcare law seem to have become almost commonplace. Here Small Business Trends, CEO and publisher Anita Campbell, has the latest on a delay that may push things back for small businesses until at least January 2016.

The Affordable Care Act may reduce small business employment. That’s according to data provided by the Congressional Budget Office. The office concluded fewer people would be employed in 2017 than would be without the new law.

Web

Yelp’s local business listings will soon appear in Yahoo search. Google actually tried to buy Yelp for $500 million back in 2009. The deal means Yelp results will show up prominently on yet another search engine.

Imgur launches new analytics service. The photo sharing site traces the popularity of images as they go viral online. The new analytics service gives you more information on how that happens. There’s a paid tier and some opportunity for sponsorship, too.

AT&T believes not all Internet use is equal. A filing by the company proposes a means of monitoring customers and charging them extra or even discontinuing their services in instances where it determines that use was not permitted.

A local attorney sees his ad go viral. Though personal injury attorney Jamie Casino, a.k.a. Jamie Biancosino, did pay for Super Bowl advertising, it was only in his local market. But what YouTube did for his video had a much greater impact.

Acquisition

Imperva plans to acquire Incapsula. The database security company was an early investor in Incapsula. Now Imperva says it is trying to acquire both Incapsula and Skyfence in pursuit of an estimated $115 billion cloud security market.

LinkedIn will acquire Bright for $120 million. The two social sites could be a good match. LinkedIn is a networking site for professionals while Bright matches prospective employees with the jobs they fit best. LinkedIn also has a similar feature but may be trying to enhance it.

Yahoo shuts down Donna. The Internet giant plans to acquire Incredible Labs and eliminate a virtual personal assistant and productivity app called Donna. The purchase is apparently largely a talent acquisition. But it will leave Donna fans disappointed.

Sony to sell PC, laptop business. The company is apparently doing extremely well with smartphones, but not so much with its desktop and laptop products. Sony is expected to sell that PC business to a Japanese firm.

Branding

Illy CEO makes Fair Trade remarks. Readers commenting on this post have already taken issue with criticism of Illycaffe CEO Andrea Illy’s remarks on Fair Trade recently. While it’s certainly true that any label has its limits, some issues are very important to consumers. And brands must have some sensitivity to how their customers may react.

Canadian comic launches “Dumb Starbucks.” It’s difficult to gauge how the real Starbucks would have reacted to Nathan Fielder’s “Dumb Starbucks” stunt, if the health department hadn’t shut him down first.

Security

Adobe announces a Flash vulnerability. The company says the problem could allow hackers to take over your computer. Fortunately, protecting your system seems to be simple. Here are some things to consider if you’re worried.




What Small Businesses Can Learn From Barcoding At The Olympics

The Winter Olympics opened in Sochi on Friday, and with it came a logistics challenge of nightmare proportions. Fifty-one billion was spent on this Olympic Games, so it is vitally important that things arrive on time in the right place.

How is this achieved?

Barcoding at the Olympics

Using barcoding technology where everything is tracked from its point of origin all the way to its point of destination.

But it isn’t just huge venues and businesses like the Olympics which can take advantage of barcoding. Small businesses are in a position to have virtually the same system, for a surprisingly low price.

Have you ever wanted to be able to inventory or track your stock with a barcode system, but thought the price of setting up such a system was out of your reach? Well think again. A barcoding system can be as little as a few thousand dollars complete with phone support and training, says Brian Sutter of Wasp Barcode Technologies.

And such a system could save up to $30,000 a year in lost, broken or stolen inventory or equipment.

So what are the benefits of having such a barcoding system? Well, apart from that $30,000 that you could be saving each year, here are some other reasons why an initial $3,000 investment might be worth it.

Tracking Your Inventory

Equipment is flying in from all over the world for the Olympic athletes. It is essential that things turn up in the right place at the right time. It is a monumental logistics effort which requires a huge amount of organization.

Can it be done by wrapping that bobsleigh in brown paper, slapping stamps on it, sending it to Russia, and hoping for the best? Of course not. Instead, it gets a barcode, and every step of the way, the system is updated with the item’s status, so its exact location can be confirmed in seconds.

Now consider this system in the setting of a typical small business (albeit on a much smaller scale). Imagine you have a company of 100 employees. That’s also probably 100 computers, 100 telephones, 100 software licenses and also things like furniture, copy machines, stationery, etc.

Now consider the following scenario. Your printer breaks down, but it is still under warranty. Nobody immediately realizes that. So someone from the company then goes out and buys a replacement printer. But if that equipment had been barcoded, it could have been scanned to show that the warranty was still valid. So the company has now wasted money on a new printer when it wasn’t actually needed.

Or say you are looking high and low for that overhead projector. Eventually you sigh in frustration and give up, putting on your jacket and going out to the shop to buy a new one. But all the time, Fred in accounts upstairs had it. If that overhead projector had been barcoded, a quick query would have showed that Fred checked it out from the storage room last week for a presentation.

Again, a new projector is bought for no reason at all. More wasted money for your business.

A Complete Audit Of Your Inventory

The Olympics will have a huge amount of equipment in various places. How do they know where everything is, how much of something has been used, when something is running out fast and needs to be replaced, and so on? That’s right - slap a barcode on everything to help you keep track.

Now back to our small business scenario. Do you have merchandise sitting in a warehouse somewhere or in the back of a shop? Do you know exactly what you have and where you have it? If necessary, could you lay your hands on a particular item right away? If the answer to those questions is no, or “eventually, but it would take time,” then you need to start barcoding everything.

The barcode system is tied to a database. That database identifies where each item is based on its code. Locations are coded, too, to match the item to be found there. A place for everything and everything in its place.

Sutter calls this system “asset tracking,” and says it improves the organization and productivity of a company to a huge degree.

Tracking People

The Olympics in Sochi will have issued a huge number of tickets for all of the events, relying on barcoding to coordinate who goes in and out of the stadiums (and to cut down on fraud). But small businesses can also take advantage of barcoding technology to manage their ticketing systems.

Say you are the owner of a small bar, or nightclub. You want to sell tickets to an event but need to control the number of people. How do you make sure that fake tickets are not made? How do you know if everyone has arrived to start the show? That’s right - barcode the tickets.

With barcodes, you will know which tickets are genuine. Just one swipe with the barcode scanner will tell you in seconds. You can scan each ticket as people arrive, so you can finally see that all tickets have been accounted for and the show can start.

Promotions and Marketing

This involves a whole new kind of barcode - the QR code. Although there has been recent chatter that QR codes are on the way out, Sutter insists they remain as popular as ever in the States.

So what is a QR code? A barcode is something tied to a database, which requires a barcode scanner to read it. A QR code on the other hand is tied to a website, and can be read by a barcode scanner on your smartphone.

This is what a QR code looks like:

If you scan that QR code with a barcode scanner on your smartphone (available for free from the app store for your phone), it will take you to Small Business Trends.

QR codes are extremely easy to make. Just by searching “make QR code,” you will get countless websites that will make them for you.

Now imagine if your website was in that QR code. You could have a special page for a promotion you are running right now. Leave your QR code around town on printed materials and invite people to scan it. Curiosity will do the rest.

Sutter concludes:

“The assets of a small company are just as valuable as what the Olympics have got going back and forth.”

Never think that certain technologies are out of your reach by virtue of your small size.




5 Easy Ways to Improve Your Social Media Marketing 

It seems like every company is interested in how to become better at social media marketing, whether they’re just testing the waters of social media for the first time, or whether they have been on Twitter and Facebook for years and are trying to hone their process of social media lead generation.

No matter where your company stands on the spectrum of social media marketing, below are a few easy ways that you can get better results and improve your lead generation on social media.

1. Listen First, Then Talk

One of the great things about social media is that it makes it possible to proactively find out what problems and concerns are already being discussed by your audience.

For example, you can go on Twitter and search for keywords related to your industry or to the solution you sell, and immediately find out what people are saying. Are people complaining about a competitor, asking for ideas or referrals, asking for price quotes, or expressing frustration with some aspect of their current service provider?

Find out what people are saying, and be ready to respond with offers of assistance.

2. Build Relationships with People Who Have Bigger Audiences

Even if you are relatively new to social media, don’t be afraid to find ways to jump into conversations. Don’t be afraid to strike up conversations with experts in your field, even if they have big audiences. That’s the best way to expand your audience, by getting retweeted and mentioned by people who can introduce you to their followers.

If you offer productive contributions to conversations and share your expertise, you’ll be likely to develop a reputation of your own as someone who is worth following.

3. Start Your Own “Tribes”

Look for opportunities to start conversations related to topics that affect your industry or that respond to questions posed by your customers and prospects.

If your industry doesn’t already have an active LinkedIn group, start your own or start a group that is based on your local geography. Be a leader of conversations on social media, and people will start to look to you for real-life leadership.

Leadership is, in itself, a powerful form of marketing.

4. Don’t Spam People

This should go without saying, but too many companies are still making the mistake of bombarding people with canned, insincere messages.

Remember, you’re talking with real people - act like it.

5. Make Your Social Media Activities More Automatic - and More Personal

That said, there is a place for automated social media messages. Use tools like Hootsuite or Tweetdeck to schedule messages in advance, in bulk. Then use a dedicated 20-30 minutes per day to respond personally to questions, inquiries and to pose questions to people you follow on social media.

Social media is a promising tool because it enables us to put a human face on our companies and interact with customers in real time, with more focus and precision than ever before.

But make sure to do it the right way - with genuine authenticity and constructive contributions to the discussion.




PCI compliance: The slow road to progress

PCI DSS 3.0 may be on the horizon, but a new study suggests that companies are not only slow in updating, but also approaching compliance in the wrong way.

Verizon's 2014 Compliance report comes ahead of some significant milestones set for the year ahead. PCI DSS turns ten years old, version 2.0 expires on December 31st and, the following day, DSS 3.0 becomes effective, mandatory and validation assessments begin.

But this latest report found that compliance numbers remain in the double digits, at least when judged against the 12 requirements, and revealed that less compliant organisations are more likely to be breached. This is clearly a big trend given the data breaches suffered by Target, Neiman Marcus and Michaels Stores in the US, while a dated report from Nilson last August found that global card fraud losses reached £6 million (US$ 10 billion) in 2012.

Given these aforementioned instances, the Verizon report makes for an eye-opening read. It reveals that just 11.2 percent of organisations passed all 12 PCI 2.0 requirements - up slightly from 7.2 percent the year before - and says that companies are on average compliant with 85.2 percent of controls. Over half (51.1 percent) passed over half of PCI requirements.

The report details the key areas where companies fall down; namely vulnerability scanning, pen testing and auditing of network resources (requirement 11) as well as a tendency to “opt for the cheapest, quickest and most superficial testing that will allow them to ‘check the box'." European companies seemed worse than most, with just 31.3 percent adhering to 80 percent of DSS 2.0 controls, compared to 56 percent in North America and 75 percent in Asia Pacific.

‘Card security can't be a once a year event'

Kim Haverblad, one of the co-authors of the report and Northern Europe Professional Services Manager for PCI Practise at Verizon Enterprise Solutions, told SCMagazineUK.com that improvements are being made - “at least PCI is pushing organisations in the right way” - but concurs with the study that the majority of organisations are going about implementation the wrong way, and often without C-level support.

“A lot of companies lack the proper support for integrating PCI. [They] need to look at this at a much higher level, and it's clear that there must be support from C-level.”

Haverblad said that simplified terminology, among other things, had helped companies implement PCI compliance in the “proper way” more recently, but - despite version 3.0 being just 10 months away - claims that further improvements are unlikely so long as businesses approach PCI as a one-off project.

“It should be a continuous operation, not a one-off programme. It's an ongoing project - and it's the only way to survive. Otherwise, [businesses] often start to fall back into old habits and they then need to review the PCI compliance from scratch again.”

Tim Holman, CEO of pen testing consultancy 2-sec and president of ISSA UK, went one step further suggesting that companies may never get PCI compliance right.

“There will always be a lack of business focus on PCI DSS Compliance - it's just the way businesses are run,” he told SCMagazineUK.com.  “If you're lucky, you might get a company to focus on PCI DSS for a few months, just to get to an audit-ready state, and sometimes companies learn the hard way, get breached, and are forced to undergo an in-depth PCI DSS analysis.

“Business focus can also be gained by waving a very big stick, but to date, the non-compliance fines issued by the card schemes are peanuts to the larger merchants that can simply afford to absorb these costs - besides the fines are still cheaper than having to gain full PCI DSS Compliance.”

Bob Russo, general manager for the PCI Security Standards Council, and Dell SecureWorks' Gavin Weir agreed with Holman that this type of compliance often comes about on a sporadic basis. In an email exchange with SCMagazineUK.com, Russo urged firms to build PCI into “business as usual” practice - something which is likely be more achievable when version 3.0 goes live.

“These findings, coupled with recent breach incidents, highlight the need for businesses to build security into their ‘business as usual' practices, and the need for a layered approach to securing data - one that focuses on security not compliance,” said Russo.

“Card security can't be a once a year event, when a compliance assessment is due, but rather must be a daily occurrence. The changes introduced with the  latest version of the PCI DSS and PA-DSS (version 3.0) focus on helping organisations do this better by adding increased flexibility in the requirements, and an emphasis on greater education and awareness.

“Ongoing deployment and maintenance of PCI Standards as business-as-usual is the best way to protect payment card data.”

Weir, principal security consultant at Dell SecureWorks, added that too many PCI compliance cases are treated on an annual basis and by project teams that are soon disbanded.

“Project teams are formed but once compliant, the people disappear and everything goes back to business as usual.” He added that this was truer of first time re-assessments, but noted that this method was “still happening” with companies into the third or fourth PCI reassessment.

Verizon too revealed in the report that the PCI problems stem from poor sustainability by organisations.

“Our research also shows that the vast majority of organisations are still not sufficiently mature in their ability to implement and maintain a quality, sustainable PCI Security compliance programme, and they continue to struggle to provide the required compliance evidence at the time of the annual compliance validation assessment,” the report reads.

“There's significant variation across the individual requirements, controls, and sub-controls; as well as across industries and regions. Despite a decade of discussion, clarification, and education, there are fundamental disagreements and misunderstandings around critical areas of security and compliance, including how to define the scope of compliance itself, and how compliance is assessed.

“Some even regard the DSS, even in its latest 3.0 guise, as taking fundamentally the wrong approach to security.”

This is something which struck a chord with Forrester analyst Andrew Rose, who believes that PCI compliance can get too hung up on ensuring minimum standards.

“Many times a breach is caused not by a failure to comply with the basic requirements of PCI, but more around a failure of imagination,” he told SCMagazineUK.com.

“The Target breach, for example; I'm sure that would have successfully breached the vast majority of PCI compliant firms.  It's not that the standard is fundamentally flawed, as no formal standard can keep pace with technological change, it's that its implementation is often too focussed on compliance, and achieving minimum standards of control to achieve compliance rather than seeking real control rigor.”

“If compliance is all the firm seeks, then 'compliant' is the best they can achieve. If, however, they seek to be secure, then compliance can be a by-product of that.”

QSA issues muddy the water

But aside from calls for continued assessment, C-level input and a need for greater education and integrating security as “business as usual”, there are also calls for greater clarity on the QSA side of things. QSAs -  qualified security assessors - typically work with companies to ensure their PCI compliance is up to scratch.

2-Sec CEO Tim Holman, a QSA himself, admitted that QSA hands are tied when it comes to monitoring businesses.

“As a QSA, we can only assess a limited sample of business systems at a given point in time,” he told SCMagazineUK.com.  “We can't go back in time, or forward in time and comment on how a business was run, or how a business will be run, and if we do see a business has ‘fallen out' of compliance since we last paid a visit then the advice they get from the card schemes is to ‘make sure they are compliant moving forwards'.

“Perhaps if companies were penalised for lapses in compliance then this wouldn't happen, but again, how does one enforce this?  How can you make sure a company is in continual compliance without employing a team of QSAs full-time to sit there and hinder their business?  You can't.  You leave it in the hands of the business to manage their own compliance and the card schemes and banks trust that companies are doing so properly.”

Weir added that some companies often indulge in “QSA hopping”, a dangerous game as some compliance requirements can differ on interpretation.

“Sometimes choosing a QSA becomes a cost issue - choosing the cheapest - but this has not been borne out in practice. QSAs can interpret things differently. There are 289 requirements and as many as 30 to 40 of those are subject to interpretation.”

Verizon's report also details that QSAs are unable to provide 100 percent validation because they're assessing a small selected sample -- which are often subject to interpretation.

Espion senior consultant John Hetherton, also a PCI QSA himself, urged QSAs to “challenge the data” in order to stop firms from failing to maintain the PCI DSS standard on a continuous basis.

“The role of a PCI QSA is to challenge the data, look for evidence beyond the day of assessment that demonstrates all 12 requirements are adhered to all the time.  In some cases, particularly in larger environments, auditors will recommend periodic health checks to ensure that compliance is being met throughout the year, thereby avoiding a shock come audit time.  While PCI DSS must be achieved by organisations it is equally important to maintain it, a good assessor will advise, consult and promote getting it right.”

Verizon was keen to stress that moves are being made to improve PCI DSS compliance. Indeed, one finding from the study revealed that 60 percent of all companies had met requirement 10 - to track and monitor all access to network resources and cardholder data - up from 39.2 percent in 2012, while PCI DSS 3.0 is expected to herald better tracking of cardholder data, improved authentication and greater awareness of malware threats. The changes should also see stronger enforcement around penetration testing, and better password implementation too.

But reports like these illustrate that PCI DSS compliance is by no means straightforward - or easy.




Criminals use new zero-day bug to ‘target military and defence'

Security researchers have uncovered a new Internet Explorer zero-day bug that they believe has been used to target the US military and French arms suppliers in what's feared to be the start of a cyber espionage campaign.

Revelations from FireEye, Websense, Symantec and Malwarebytes show that the malware, dubbed ‘Operation SnowMan', is being used to hijack victims' computers in a ‘watering hole' attack being waged by the same criminals whose earlier DeputyDog and EphemeralHydra campaigns targeted US government agencies, defence, IT and mining companies and law firms.

SnowMan (aka zero-day bug CVE-2014-0322) was first revealed by FireEye in a 13 February blog post. The company said the malware exploits a previously unknown ‘use-after-free' bug in Internet Explorer 10 and was deployed on 11 February to attack the US Veterans of Foreign Wars (VFW) website in a possible bid to steal military intelligence.

FireEye said that the attack redirected unsuspecting VFW users to a false site, then used the Adobe Flash Player to plant the ZxShell backdoor on them. It could not confirm the number infected, but said it was likely to be around 100 to 1,000 people.

One day later, Symantec confirmed the ultimate purpose of the attack by saying that by exploiting Windows 7, IE10 and Adobe Flash, the malware “takes screenshots of the victim's desktop and allows the attacker to take control of the victim's computer”.

FireEye - which chose the name ‘Operation SnowMan' after the attack happened during a paralysing snowstorm in the US - said: “A possible objective is targeting military service members to steal military intelligence. In addition to retirees, active military personnel use the VFW website.”

FireEye highlighted the cyber spies involved, saying: “The ZxShell backdoor is a widely used and publicly available tool used by multiple threat actors linked to cyber espionage operations. We believe the actors behind this campaign are associated with two previously identified campaigns - Operation DeputyDog and Operation Ephemeral Hydra.”

These campaigns targeted US government agencies, Japanese firms, non-governmental organisations (NGOs) and defence, IT and mining companies, as well as law firms.

Darien Kindlund, manager of threat intelligence at FireEye, told SCMagazineUK.com via email: “We can confirm that the attackers are a threat actor believed to be backed by a nation state, whose goals and objectives appear to be broad-scale intelligence gathering.”

FireEye warned that more attacks are likely, saying: “The proven ability to successfully deploy a number of different private and public remote access Trojans using zero-day exploits against high-profile targets likely indicates that this actor(s) will continue to operate in the mid to long-term.”

Following FireEye's revelations, Websense pitched in to say that on 20 January the same exploit was likely being readied to target the website of GIFAS, the French aerospace industries association whose 300 members include suppliers of civil and military aircraft and helicopters, missiles, armaments, satellites and launch vehicles and other defence and security systems.

Websense said in a 13 February blog that the malware was using the URL ‘hxxp://gifas.assso.net', similar to the ‘gifas.asso.fr' address of GIFAS.

Jason Hill, lead security researcher at Websense, told SCMagazineUK.com: “This exploit may be targeting organisations associated with GIFAS as there's a big similarity between the domain names used. Rather than a typical typosquat, where the malware actors tend to add or transpose characters to the original URL and wait for someone to mistype, this looks like it has been crafted specifically for use as a lure.”
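The lure domain Hill describes is one character away from the legitimate one, which is exactly the kind of near-miss a defender can catch automatically in proxy or DNS logs. The following is an added example, not code from Websense, FireEye or the article: it scores each observed host against a known-good list by edit distance of the registrable name and flags hosts that are a small edit away or that reuse the name under a different top-level domain. The `gifas.asso.fr` entry comes from the article; `example.com`, the log lines and the `max_distance` threshold are constructed for the example, and the naive label split assumes single-label public suffixes.

```python
"""Lookalike-domain check over proxy log lines (added example, not the article's code)."""
from urllib.parse import urlsplit

# Known-good list: gifas.asso.fr is the legitimate domain named in the article;
# example.com is a constructed placeholder entry.
KNOWN_GOOD = ["gifas.asso.fr", "example.com"]

# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2014-02-13T09:58:11 10.0.0.12 GET http://gifas.asso.fr/ 200
2014-02-13T09:58:40 10.0.0.12 GET http://gifas.assso.net/ 200
2014-02-13T10:02:03 10.0.0.31 GET http://example.org/ 200
2014-02-13T10:05:19 10.0.0.31 GET http://intranet.local/ 200
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the classic row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable name, tld). Assumption: single-label public suffixes only."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[:-1]), labels[-1]


def assess(domain: str, known_good=KNOWN_GOOD, max_distance: int = 2):
    """Classify one host. Returns (verdict, closest_known_good, distance)."""
    domain = domain.lower().rstrip(".")
    if domain in known_good:
        return ("known-good", domain, 0)
    name, tld = split_domain(domain)
    best = None
    for legit in known_good:
        legit_name, _ = split_domain(legit)
        d = levenshtein(name, legit_name)
        if best is None or d < best[1]:
            best = (legit, d)
    legit, d = best
    if d == 0:
        verdict = "same-name-different-tld"   # e.g. example.org vs example.com
    elif d <= max_distance:
        verdict = "lookalike"                 # e.g. gifas.assso.net vs gifas.asso.fr
    else:
        verdict = "unrelated"
    return (verdict, legit, d)


def scan_log(log_text: str = SAMPLE_LOG, known_good=KNOWN_GOOD):
    """Return [(host, verdict, closest_known_good, distance)] for suspicious hosts."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname
        if not host:
            continue
        verdict, legit, d = assess(host, known_good)
        if verdict in ("lookalike", "same-name-different-tld"):
            hits.append((host, verdict, legit, d))
    return hits


if __name__ == "__main__":
    for host, verdict, legit, d in scan_log():
        print(f"{host}: {verdict} (closest known-good {legit}, distance {d})")
```

In practice the known-good list would be the organisation's own domains and those of its key partners, and a hit would feed an alert rather than a print; the edit-distance threshold is deliberately low because, as Hill notes, a crafted lure differs from the real name by very little.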

In its blog, Websense agreed that the CVE-2014-0322 attack resembles the DeputyDog and EphemeralHydra operations, saying: “The similarities in the exploit, delivery and search for the EMET.DLL indicate that the same group of threat actors is most likely behind the malicious URL above and the attacks that have been discovered by FireEye.”

Meanwhile, FireEye's Kindlund said: “This is the same exploit used to target the French aerospace industries Association GIFAS, but it is a different group using it.”

Security expert Brian Honan of BH Consulting said the perpetrators are using a classic and effective ‘watering hole’ approach.

“The waterhole technique is an attack vector that is widely used when running targeted attacks and can be very successful in compromising selected groups. This technique will most definitely be used again.”

But Honan said it will be difficult to identify the criminals behind SnowMan, DeputyDog and Ephemeral Hydra. “Due to the nature of the internet it is extremely difficult to attribute an attack to a particular party or group. So while we may suspect certain groups, or nations, based on their motives and also on the sophistication of the techniques, it will be difficult to prove it conclusively.”

FireEye said that the attack fails if users have Microsoft's Experience Migration Toolkit (EMET) or have updated to Internet Explorer version 11.

Microsoft advised upgrading in a statement issued to journalists, whilst also confirming the bug affects IE version 9: “Microsoft is aware of limited, targeted attacks against Internet Explorer 9 and 10. As our investigation continues, we recommend customers upgrade to Internet Explorer 11 for added protection.”

Jason Hill advised: “As well as having protection against the early stages of the attack chain, companies need to ensure that if they are compromised by an advanced threat they have layered security defences in place to detect and prevent the exfiltration of sensitive intellectual property.”

Meanwhile, Jerome Segura of Malwarebytes said in a 14 February blog post that: “Now that the information has been made public, it is a race between the bad guys and Microsoft - the latter working on a fix and release for its massive user base.”

Segura said Malwarebytes' Anti-Exploit BETA proactively blocks the exploit, requiring no signature or update to its engine. The company has posted a YouTube video clip of the malware being stopped.

Kindlund told SC: “Some antivirus products can detect the remote access Trojan installed, but we do not believe that most of them can detect or prevent the inbound exploits.”



300,000 internal security breaches in UK last year

Beware of disgruntled employees - a new report reveals that UK businesses are being hit by over 1,000 internal security breaches every day.

Security software vendor IS Decisions came to these findings as a result of a new study, entitled ‘The Insider Threat Security Manifesto: Beating the threat within’, which surveyed 250 IT decision makers.

The study found that more than 300,000 internal security breaches took place in UK businesses over the last 12 months - an average of 1,190 per working day.

The insider threat, perhaps best highlighted by former CIA contractor Edward Snowden, is also a big problem in the US, where there were 660,000 internal security breaches in the last year.

However, an altogether bigger problem for businesses is that monitoring and reacting to internal breaches doesn't appear to be high on the agenda for CISOs and IT managers. The report found that only 25 percent of IT managers consider insider threats to be in their top three security priorities, with this figure at 17.5 percent for their American counterparts. Furthermore, only 12 percent of respondents were more aware of the insider threat after Snowden's revelations.

Insider threat was trumped by viruses (67 percent), data loss (47 percent) and hacking (39 percent) as the biggest security concerns.

“It is human nature to see external sources as your greatest threat, and that, coupled with the fact that insider threat is a complex issue to manage, has led to IT professionals seemingly turning a blind eye to the issue,” said  Francois Amigorena, CEO of IS Decisions, in a statement.

“These numbers, and the impact that the Edward Snowden case had last year, show clearly that internal security should be higher up the IT agenda. The reality is that it is a very considerable problem, but the good news is that there is a lot that IT departments can do to mitigate the risks. It's a technology issue as well as a cultural one, and can be addressed from both of these angles.”

This report comes one month after a contractor in South Korea accessed, stole and sold sensitive banking data including customer names, social security numbers, credit card numbers and expiry dates. The leak was said to have affected at least 20 million users in a country of around 50 million people.

Speaking to SCMagazineUK.com recently, Tim Ryan, MD and cyber investigations practice leader at risk mitigation and response firm Kroll, said that the insider threat is very real and that most incidents may never be discovered.

“There's a tremendous amount of data compromised today where the act is never discovered or disclosed.

“People discount the insider threat because it doesn't make the news. The insider threat is insidious and complex. Thwarting it requires collaboration by general counsel, information security, and human resources.”

In an SC UK vendor webinar, 'The Enemy Within: Managing Insider Threats', from Guidance Software, due to go live February 18, Mitchell Bezzina, Senior Solution Consultant at Guidance Software, quotes the 2013 Verizon Data Breach Investigations report as showing that 69 percent of confirmed data breaches are due to insiders, even if most of those insiders act carelessly rather than maliciously.



Jamie Sutherland of Xero: Modern Cloud Accounting Services

The cloud has always been about promotion, marketing, content and communication. But in order to create a modern business, you also need to look at the role the cloud can play in managing less glamorous areas that are just as important to a business’ success, like accounting.

Jamie Sutherland, President of cloud-based accounting service Xero US, talks about how cloud-based accounting solutions are impacting small businesses today. He shares his take on how these kinds of services can help small businesses understand their customers, and help companies make better, more efficient decisions leading to better results. Below is an edited transcript of the conversation. The full interview can be heard by clicking on the player below.

* * * * *

Small Business Trends: Before we jump in, can you tell us a little bit about your personal background?

Jamie Sutherland: My career in software started with Sage. I ran a division that had small business accounting and some HR tools. But it was desktop software, and I saw the writing on the wall for that software and then came across Xero.

They were looking for someone to lead up the expansion in the US, and we hit it off. I believe in the way Xero is approaching the market, solving the needs of small businesses as well as accountants. Having them be able to collaborate easily is a winning model, and that was an easy decision for me to jump on board.

Small Business Trends: So for folks that may not be familiar with what Xero is and what you guys do, can you fill us in?

Jamie Sutherland: Xero is online accounting software for small businesses. We take the premise of design and usability to the next level and have built the application from the ground up for the Web. Not only that, we focus in on making sure every single feature that we deliver to the market goes through a very rigorous process around design and ability.

It’s not just look and feel. We call it beautiful accounting software. It’s more about the workflow. Rethinking the old paradigms of desktop software and how a small business operates in today’s world, and designing features that just make sense for the modern small business.

Small Business Trends: How does a service like yours help an accountant build a modern accounting practice today?

Jamie Sutherland: We have a number of accountants in our network that have built their businesses on the back of Xero’s model, which is a really rewarding thing to see.

You can subscribe to Xero and see these online applications in a flash. Not only that, we provide a program to help you develop your business. What we are seeing is a number of partners of ours have gone from not having any clients up to over 100 in under a year. They can do that because the software is obviously easy.

Because we partner closely with accounting professionals, we list them on our website. What happens is, a small business that’s looking to get their taxes done, or some bookkeeping done, or some mechanic services, will come to our site and look up these accounting firms. I guess essentially driving them leads.

So a number of reasons are why being part of the Xero ecosystem is helpful to getting your accounting practice up and going.

Small Business Trends: Let's look beyond the accountants. How does a service like yours help a company who’s not an accounting based company, but still needs accounting services?

Jamie Sutherland: We focus on simplicity and ease of use. We’ve won some awards around our software being just that. We hear from small businesses time and time again that accounting can be complicated. So what we do is strip out all the accounting jargon for a small business so they understand the critical pieces of their business - which comes back to cash flow. It’s a clear line of sight into what money is coming into the business and what money is going out.

Historically small businesses don’t keep their books up to date, and what we are seeing with Xero is that we make it easy to get information into the software through our partners. If you have a bank account and you authorize that bank account with Xero, bank information will automatically appear inside Xero. So you eliminated that step around data entry, which is the bane of a lot of small businesses and bookkeepers.

Getting that information in on an automated basis and then keeping it up to date allows that small business or their advisers to help them make decisions in real time.

So the small business can save time and money, not only from the processing that needs to happen to get the data in and allocate it into the appropriate accounts, but you’ve got better information and insights into your account so you can make business decisions that are going to improve your business.

Small Business Trends: How has a service like yours given small businesses the ability to look at business a little differently, focus on customer engagement and less on important functionality, but functionality not core to their business?

Jamie Sutherland: We really see the Web as this open platform where connectivity and data flow should be seamless. I think that becomes the evolution of this.

So when you’ve got that ease of data flowing back, whether it’s your eCommerce engine, or accounting software, or CRM, point of sale, you’ve got not only real time information. But you’ve got the capability with a solid reporting tool to bring up information to make those decisions that can be key to your business. Many of those decisions revolve around the customer insight you get.

Small Business Trends: As an example with some of the stories you hear from your customers, how has that information impacted the way they view the business? Or the way they view customers?

Jamie Sutherland: From an accounting perspective, that visibility into the money owed to you and the money you owe - you can see where you’re spending your money throughout the month, and in real time so you can manage your cash flow.

Then looking at the payments that need to be made. And then looking at payments you were receiving, you can see who the outstanding debtors are and be able to keep up with that in real time.

I think it does come back from an accounting perspective, at least, because it's a real time cash flow, and how you manage that. Money coming in is very, very visible inside Xero.

Small Business Trends: So where can people learn more about Xero and the services that you guys offer?

Jamie Sutherland: Xero.com, spelled with an X.

This interview on cloud accounting services is part of the One on One interview series with thought-provoking entrepreneurs, authors and experts in business today. This transcript has been edited for publication. To hear audio of the full interview, click on the player above. 



Book Review: Get Advice from 50 New Jersey Business Women in “Big Bold Business Advice”

If you’ve ever been to New Jersey, then you know that most everything here is big and bold. So it makes sense that a book sharing business insights by 50 New Jersey Women Business owners would be called “Big Bold Business Advice”.

This business advice book is filled with useful tips and “how-to’s” for small business owners and professionals who want to grow their business. Published by Woodpecker Press, a New Jersey woman-owned publishing company, each of the 72 easy-to-read chapters is authored by a different woman entrepreneur who shares insider insight about her area of expertise to help you profit in your business. From finance to marketing to health - there is something for everyone!

Check out my full video review here, or watch below:




Honeypot Valentine

From being drawn in by a honeypot, through to being compromised, lessons from life can have parallels with what happens online, suggests Calum MacLeod.

Several years ago I was compromised by a targeted attack which has had lasting effects; it has also taught me valuable - but extremely expensive - lessons.

I was just “browsing” when I was lured into a completely innocent-looking “honeypot”. In retrospect I realised that I had been singled out as an attacker, so the plan was put in place to lure me in. Afterwards I also realised that a botnet had been set up to get me. And several friends had fallen victim to the same botnet.

While I was completely oblivious to what was happening, a spear-phishing attack was initiated against me. Once you've been lured, the spear phishing attack becomes relatively easy.

Without being aware of what was happening, I had been infected by the “ILoveYou” virus, and once access had been gained, the escalation started. The virus actually attacked tens of millions of computers and did damage on the machine, overwriting image files, and sent a copy of itself to the first 50 names in the Microsoft Outlook Address Book.

Many of us fall victim to a similar attack, and generally it is too late before we understand that we have been compromised!

Understanding The Enemy

An attack requires careful planning to succeed. And the most successful attacks go undetected, under the radar. Breaches such as Target, TK Maxx, and the recent “Mask”, “Chewbacca”, etc, have all taken months to prepare, and years to discover. Attacks are usually executed using similar steps.

1. Reconnaissance

Before commencement an attacker first identifies the target to understand how best to lure them in. Any and all information sources are used, whether family, friends or business associates. The Gh0st RAT trojan is, to many, the poster child of using selected recipients to distribute the malware using email.

2. Scanning

Once the target is identified, the weak points are identified to gain access. The recent attack on POS systems at Target, according to cybersecurity expert Brian Krebs, started with a malware-injecting phishing attack sent by email to employees of a third party firm which had business relationships with Target.

Their response to enquiries was that their ‘IT system and security measures are in "full compliance" with industry practices’, which is all that needs saying about industry practices! In my own case I have to admit that there were clearly weaknesses in my security because it didn't take much scanning to be breached.

3. Access and Escalation

Once the weakness is identified, the next step is to gain access and then escalate. Cyber-attackers do not advertise their intentions, and those who are most successful are always going to use subtlety. In almost all cases the access is privileged, which allows the attacker to move freely within the environment. In my own case, the attacker gained access to the “domain controller” and once that was achieved there was complete freedom of movement within the infrastructure.

4. Exfiltration

With the freedom to move around, the attacker is now able to get access to the “crown jewels” and at that point you are defenceless. In the case of AMSC and Sinovel, Sinovel were indicted for the theft of AMSC's source code, software, equipment designs and technical drawings. Although AMSC had taken “reasonable measures to maintain the confidentiality of its trade secrets and proprietary information such as restricting access to authorised personnel only”, it was a victim of an unethical insider. And this is a recurring theme. In my own case, much of the information gained by the attacker came from “insiders”.

5. Sustainment

Once an attacker has gained access, sustainment or staying in place is very important. In the case of the TJX breach in 2006, the attackers installed new accounts using their already elevated privileges, so that they were no longer dependent on a single access point. Effectively the attacker was able to come and go as they pleased. In my own case, in hindsight it is clear that the attacker no longer needed to use me to get access to the whole environment.

6. Assault

The assault is where it can become particularly nasty, because the attacker may decide that they want to leave an indelible mark on their victim. Breaches such as Stuxnet, and Shamoon, which damaged thirty thousand machines at Aramco, are well known examples. And today there are serious concerns regarding the ability of attackers to target any infrastructure, including energy, financial and health care. And the problem with the assault is that it is generally too late to defend yourself, because the attacker has effectively taken control of your environment and is anticipating your every move.

7. Obfuscation

In many cases the attacker may want to hide the origins of the attack, using various methods to cover their tracks, but this is not always the case. At Aramco the attackers chose to leave a calling card, and often the victim is too embarrassed to admit that they have been breached. Failure to disclose breaches means others are unable to learn from someone else's misfortune.

Is There Any Defence?

Every one of us is vulnerable, and the best defences on offer give little or no real protection. The key is to ensure that you have strong and managed Access Control. If you have the ability to control Privileged Access then the likelihood of a serious breach is reduced.

In my own case, as my wife told me many years later, once I had gone for the “honeypot” on Valentine's Day many years ago, I was defenceless. The targeted attack started and before I knew it I was a granddad. Having got access to my mother, and become friends with my sisters, the inevitable assault was easy. Mind you, not all attacks are bad!

Contributed by Calum MacLeod, VP EMEA, Lieberman Software Corporation.



2,000 Tesco customers hacked because they re-used passwords

The danger of people relying on one single password online has been highlighted after more than 2,000 Tesco Clubcard customers had their account details stolen because they had used the same name-and-password combination before.

The names and passwords of 2,239 Clubcard loyalty card customers were published on a text-sharing website on 13 February, and were used to steal a small number of Tesco vouchers. The supermarket subsequently launched an “urgent” investigation into the incident, but believes the data was compiled by hackers taking the password-and-email details stolen from previous security breaches, trying them on the Tesco site, and getting 2,239 hits where the same credentials were used.

Tesco says it has closed all the accounts affected and informed the customers involved. It has also beefed up its security and now requires customers to use their unique Clubcard number to log in. The supermarket emphasised that none of its own systems had been breached in the incident.
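The mechanism described above (email-and-password pairs from earlier breaches replayed against a different site, most attempts failing and a few "hitting") leaves a distinctive shape in a site's login logs: one source spreading single guesses across many accounts. The following detector is an added example, not Tesco's or SC Magazine's code; the log format, field names, thresholds and sample log lines are all constructed for illustration.

```python
"""
Credential-stuffing detection over web login logs (added example).

Assumptions: a constructed one-line-per-attempt log format with an ISO
timestamp, source IP, account name and OK/FAIL outcome, and constructed
thresholds. A stuffing source tries many *different* accounts roughly once
each (one leaked pair per account) with a high failure rate; a brute-force
source hammers one account; a real user retries their own account.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed log line shape, e.g.
# 2014-02-13T02:11:04Z ip=203.0.113.5 user=alice@example.com result=FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    hits: set = field(default_factory=set)  # accounts where a replayed pair worked
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line):
    """Return (timestamp, ip, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"].lower(), m["result"]


def aggregate(lines):
    """Per-source-IP counters over an iterable of log lines."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, user, result = rec
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.hits.add(user)
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)
    return stats


def flag_stuffing(stats, min_users=5, min_fail_ratio=0.7, max_attempts_per_user=2.0):
    """Sources whose traffic looks like a replayed breach list (constructed thresholds).

    Many distinct accounts, mostly failing, and only one or two tries per account:
    that is the stuffing shape, and it is what separates it from a brute-force
    source (many tries, one account) or an ordinary user retrying a typo.
    """
    flagged = {}
    for ip, s in stats.items():
        if len(s.users) < min_users:
            continue
        if s.failures / s.attempts < min_fail_ratio:
            continue
        if s.attempts / len(s.users) > max_attempts_per_user:
            continue
        flagged[ip] = s
    return flagged


def accounts_to_reset(flagged):
    """Accounts that accepted a replayed credential: these need a forced reset."""
    out = set()
    for s in flagged.values():
        out |= s.hits
    return sorted(out)


# Constructed sample: one stuffing source (203.0.113.5) with two hits, one user
# who mistypes then logs in (198.51.100.7), one brute-force source on a single
# account (192.0.2.9), and one malformed line that must be skipped.
SAMPLE_LOG = """\
2014-02-13T02:11:04Z ip=203.0.113.5 user=alice@example.com result=FAIL
2014-02-13T02:11:05Z ip=203.0.113.5 user=bob@example.com result=FAIL
2014-02-13T02:11:05Z ip=203.0.113.5 user=carol@example.com result=OK
2014-02-13T02:11:06Z ip=203.0.113.5 user=dave@example.com result=FAIL
2014-02-13T02:11:06Z ip=203.0.113.5 user=erin@example.com result=FAIL
2014-02-13T02:11:07Z ip=203.0.113.5 user=frank@example.com result=FAIL
2014-02-13T02:11:07Z ip=203.0.113.5 user=grace@example.com result=OK
2014-02-13T02:11:08Z ip=203.0.113.5 user=heidi@example.com result=FAIL
2014-02-13T09:30:00Z ip=198.51.100.7 user=ivan@example.com result=FAIL
2014-02-13T09:30:20Z ip=198.51.100.7 user=ivan@example.com result=OK
2014-02-13T11:00:00Z ip=192.0.2.9 user=judy@example.com result=FAIL
2014-02-13T11:00:01Z ip=192.0.2.9 user=judy@example.com result=FAIL
2014-02-13T11:00:02Z ip=192.0.2.9 user=judy@example.com result=FAIL
2014-02-13T11:00:03Z ip=192.0.2.9 user=judy@example.com result=FAIL
2014-02-13T11:00:04Z ip=192.0.2.9 user=judy@example.com result=FAIL
2014-02-13T11:00:05Z ip=192.0.2.9 user=judy@example.com result=FAIL
not a log line
"""

if __name__ == "__main__":
    flagged = flag_stuffing(aggregate(SAMPLE_LOG.splitlines()))
    for ip, s in flagged.items():
        print(f"{ip}: {len(s.users)} accounts, {s.failures}/{s.attempts} failed, "
              f"hits={sorted(s.hits)}, window {s.first} to {s.last}")
    print("force reset:", accounts_to_reset(flagged))
```

Only the source spreading single attempts across eight accounts is flagged; the retrying user and the single-account brute-force source are not, and the two accounts where the replay succeeded come out as the reset list.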

A company spokesperson told SCMagazineUK.com: “All of the accounts published have been deactivated. A handful of people had their accounts compromised - and really it's very few. Any vouchers or anything that was affected will be replaced.”

“Extra security measures have been put in place which mean it can't happen again. You now need to put in your Clubcard number too. This is not a cyber attack on Tesco systems, no Tesco systems have been compromised, it was other sites where the details were hacked, and from which they were applied to people's Clubcard accounts.”

But the leak has led to a flood of warnings for people not to take the easy option and re-use the same name, email and password across their different online accounts.

Charles Sweeney, CEO of Bloxx, said in an email: “Our natural instinct is to simplify and use the same password and username combination for everything. But this is very risky as attacks like these demonstrate. Whilst it might be convenient for you, it also makes it easier for hackers to steal your details from the multiple sites that you've signed up to.

“Companies obviously have a duty of care to protect customer information, but customers also have a role to play in protecting themselves by not using the same password combinations or using passwords that are easy to second guess, like their address or birth date.”

Damballa global technical consultant, Adrian Culley, warned there is a thriving trade in stolen personal details among cyber criminals.

“Known hashes (mathematical versions of passwords) and account names harvested from breaches are traded on numerous darknet sites, or un-indexed parts of the web,” he told SCMagazineUK.com.

Culley said that individuals need to strengthen their passwords as well as use multiple ones. “Consider using pass-phrases rather than passwords. Lower case, upper case, numbers, special symbols and the thinking of phrases rather than words will help you increase length and complexity whilst still being able to remember it.”

Culley also advised people to test the strength of their password via Google and other search engines. “Many search engines now provide ‘hash veils’ as responses to searches. Try Googling your own password and either ‘MD5’ or ‘SHA’ (hash algorithms). If a search engine knows the hash of any password you use, you probably need to strengthen it.”

George Anderson, director of product marketing for Webroot, said of the hack: “In today's ‘always online’ world, customers should make sure they've done anything they can to protect their data - and having a unique password is the place to start.

“Once they've done this, it really is down to the businesses storing data to make sure they add the necessary layers of defence to protect the information they are being trusted with. The only effective defence against cyber crime is a multi-layered one starting with the consumer and supported by the business.”

Trey Ford, global security strategist at Rapid7, added: “It's essential to learn the lesson from this incident before the cost becomes greater. We all know it's a pain to deal with multiple complex passwords across all the various sites and services we use, but there are solutions to help with that, encrypted password vaults like LastPass, 1Password, KeePassX and others.”

Last year, Tesco was a direct victim when hundreds of its customers had their Clubcard accounts hacked.



Cupids are Going for a Share of the Leprechaun Market


Cupid is a pain to draw.

You’ve got the wings, the bow, the quiver, the arrow, the diaper… there’s a lot to get across in a character that’s tiny by design.

So for me to draw five of them in a meeting takes a really, really good idea. Turns out that Cupids trying to steal business away from Leprechauns before St. Patrick’s Day is one of those really good ideas.

I’d also considered throwing hiding Easter eggs into the mix, but then the caption was getting to be more of an essay instead of a few sentences.

Still, that bunny should watch his back.



UK Information Commissioner: Fines too low for data theft

The UK's Information Commissioner Christopher Graham has told MPs that some of the fines imposed on companies that steal personal data are "embarrassingly small".

In comments first reported by The Independent, Graham said that there is a “weakness” in the sanctions available to the courts, mainly because the Government has failed to ensure law changes that would see custodial sentences and heavy fines for the most severe breaches of data protection law.

The Data Protection Act stipulates an unlimited fine for a criminal offence and a £500,000 fine for a civil breach, although these fines are often substantially lower in practice.

In his address to MPs at the House of Commons' Home Affairs Select Committee earlier this week, Graham cited one example where a company, which had “blagged” the home addresses of members of the public, had been fined just £4,000. The Information Commissioner said that this “embarrassingly small” fine had come after a four-year investigation costing in the region of £200,000.

“The penalty doesn't fit the crime,” said Graham, whose comments come weeks after an EY report found that half of businesses (48 percent) thought online customer activity - such as previous purchases, ad clicks and browsing activity - was the most valuable source of customer insight.

The ICO also confirmed this week that it has started action against four out of 10 British firms where it has found “significant” documentary evidence of potential breaches of the Data Protection Act.

On learning the news, 451Research analyst Javvad Malik told SCMagazineUK.com that while it could be argued that the current laws are weak and slow to change, there are also blurred lines about what is personal data.

“There is a lack of clarity around what is personal data and what would constitute the fact that it has been illegally obtained. We've seen definitions change and open to interpretation over time,” he said.

“For example, when Google collected the Wi-Fi SSIDs were they breaking any laws? This is something where people have different opinions. Gathering a single SSID maybe isn't so bad - but when aggregated with thousands - it begins to look a bit scary so then people want legislation around collecting publicly available data on SSIDs. This kind of reactionary legislation ends up hurting the common citizen more than ‘criminals’.”

Malik also said that bigger fines are not necessarily a ‘clear cut black and white issue’ and instead believes that greater transparency is needed on how companies secure personal data.

“I think what would help go a long way is greater transparency by companies disclosing how they secure information, what they use it for and when they will remove it,” said Malik. “At the moment companies either do not provide that information or it's buried on page 50 of a 100 page terms and conditions list.”

“Also bearing in mind it's not just a single place which may contain all the information - criminals may aggregate information from different sources. Information is akin to chemical elements in that regard; on its own a piece of information may be inert; but combined with another bit of information and it becomes dangerous.”

BH Consulting founder and analyst Brian Honan told SCMagazineUK.com that he agreed with the ICO, and urged for greater law enforcement to get the message across.

“I would agree with the ICO,” he said. “People's personal data is not a commodity that can be bought and sold. It is their personal data which has been entrusted to third parties who should ensure it is protected properly. Companies should not see these data as a resource that they can use without the knowledge or permission of the people involved.

“The remedy is for more enforcement of the law so that a message is sent to companies that this behaviour is not acceptable. This should be also reinforced by education and awareness of companies' obligations under the DPA.”



Coffee Company CEOs Should Watch What They Say About Fair Trade

What happens when a business owner dismisses a common standard for quality and fairness in their industry?

Andrea Illy, CEO of Illycaffe, makers of the well-known Illy brand, recently told Quartz that his company would never sell fair trade coffee. Fair trade is a popular standard for coffee that ensures growers receive a higher price for their product. But Illy said it’s unsustainable:

“People buy fair trade products as a way of showing ‘solidarity’ with coffee bean farmers, to pay more for a product than it is worth on the market for the sake of fighting against poverty. They drink fair trade products occasionally for the sake of feeling right, not necessarily regularly.”

He went on to explain that his company employs its own set of sustainability efforts, which he said go beyond fair trade standards. But by effectively dissing a popular standard for the coffee industry, he may have already done some irreversible damage to his company’s reputation.

People who buy fair trade coffee do so for a number of reasons. According to the Fairtrade America’s website:

“The international FAIRTRADE Mark is your assurance that products bearing it have met the internationally-agreed social, economic and environmental Fairtrade Standards.”

Social and environmentally conscious customers like having that assurance every time they make a purchase. But Illy claims that fair trade buyers are less likely to become loyal customers because they just buy these products on occasion to feel good about their purchases. Even if there’s any truth to his statements, customers who care about this standard and buy accordingly might not like seeing their buying habits classified as such.

In fact, Lloyd Alter, managing editor of Treehugger, says that because of Illy’s fair trade stance, he and many people he knows won’t be buying the coffee again.

The company’s own environmental and social policies might be enough to satisfy some customers. But not everyone will do the research to learn about such policies. That’s one of the reasons that certifications like fair trade exist in the first place.

So even if it doesn’t make sense for his company to identify with this standard right now, dismissing it altogether may not be a good move either.
