IBM Study Shows CIOs Switching Focus To Engaging Customers

It seems CIOs are focusing on the most important element of business - customers. In a recent IBM CIO study, “Moving from the Back Office to the Front Lines - CIO Insights from the Global C-Suite,” IBM shares insights from face-to-face conversations with more than 1,600 CIOs from 70 countries and 20 industries worldwide.

Who Exactly Did IBM Survey?

They surveyed:

  • 1,656 Chief Information Officers (CIOs)
  • 884 Chief Executive Officers (CEOs)
  • 576 Chief Finance Officers (CFOs)
  • 342 Chief Human Resources Officers (CHROs)
  • 524 Chief Marketing Officers (CMOs)
  • 201 Chief Supply Chain Officers (CSCOs)

That’s a lot of chiefs - sharing vital insights for building better businesses.

According to the study, it appears leaders’ priorities are shifting from intra-enterprise efficiency and productivity to a new agenda led by the front office - focused on extra-enterprise engagement, transparency, collaboration and dialogue with clients.

It seems today’s digitally enfranchised and empowered customers are leading CIOs on a new path, one that demands collaborative technologies designed for today’s 24/7 mobile workforce.

Highlights of the IBM Study Include:

  • More than 80 percent of CIOs aim to digitize their front offices within the next few years to sync with customers more efficiently - signaling a great trend toward collaborative technologies.
  • More than 80 percent of CIOs intend to focus on two key initiatives: using analytics to create deep insights from structured and unstructured data, and implementing leading-edge technologies, processes and tools in the front office to better understand and sync with customers.
  • CIOs recognize that extracting meaningful, actionable insights from collected information will require a far more robust information architecture to fully leverage big data.
  • Over the next few years, 84 percent of CIOs plan to invest in mobility solutions, another 84 percent on business analytics and optimization, 64 percent on cloud computing and another 64 percent on internal collaboration and social networking.
  • Nearly 70 percent of CIOs are planning to implement cloud technologies, chiefly to enhance collaborative processes.
  • CIOs want to share the CMO’s territory - with more CIOs interested in customer experience management, sales and new business development, marketing and communications strategies, supplier/vendor management and, of course, IT operations. Traditional CMO responsibilities - customer experience management and sales and new business development - are creeping into the office of the CIO.
  • Over the coming years, CIOs plan to implement technologies designed to drive client collaboration and improve the customer experience in today’s mobile business environment. Indeed, CIOs are looking outward to generate new value - with mobile technologies and advanced analytics top of mind.

Why the Focus on Cutting-Edge Technologies to Enhance the Customer Experience?

It appears, for today’s CIOs, the most important customer-related initiative is fully leveraging technology to understand the real needs of current and future customers.

With clients now more technologically astute and demanding mobile platforms, it will be the customer-engaged enterprise leading the charge in the use of cloud technologies, advanced business management software solutions and responsive, mobile platforms.

Essentially, the IBM CIO study illustrates that CIOs are looking to satisfy a savvy new boss - the modern, mobile customer.



Report: People Complain About Debt Collection, Even If You Do It Right

Consumers complain about debt collection efforts, even when you’ve done everything right.

A report from the U.S. Consumer Financial Protection Bureau claims 200,000 consumer complaints were filed with the agency since the middle of last year. But the Association of Credit and Collection Professionals says complaints are so subjective, they don’t necessarily indicate wrongdoing by debt collectors.

In a phone conversation with Small Business Trends, Mark Schiffman, a spokesman for the trade organization, explains:

“If you’re talking about a small business that’s trying to collect a debt, you could easily get a complaint without having done anything wrong.”

Schiffman says the Fair Debt Collection Practices Act, which the CFPB enforces, does not apply to small businesses. The law currently applies only to “third person” debt collectors. Those are agencies that collect debt for others, including, potentially, small business clients.

But that’s no reason to celebrate, Schiffman says. Small businesses are governed by a bewildering assortment of state and local laws on debt collection.

He says these laws vary greatly in everything from the permissible ways to collect a debt to the amount of time a creditor has to collect.

Schiffman adds:

“What we would like to see is some kind of federal standard. Consumers would know what the rules are. Debt collectors would know what the rules are. Small businesses would know what the rules are.”

In a response to the CFPB report, the Association of Credit and Collection Professionals spells out some of the issues with these complaints.

Complaints from Consumers

In an official statement, the trade association explains:

“While a consumer may not like something (such as being contacted about a debt or receiving multiple calls) it does not mean that the collector actually did anything wrong. Neither the CFPB nor the FTC investigates these complaints as to whether a complaint actually violates the law. Painting the collection of consumer debts with a broad brush and then alluding it ties to bad behavior paints an inaccurate picture of an extremely necessary, yet sometimes uncomfortable, activity.”

Another issue raised is complaints over consumers being contacted about debts not owed. The association points out a contributing factor is the fact that consumers often will not speak to debt collectors. So they won’t have a conversation long enough to straighten out misunderstandings.

Finally, the association says debt collectors face a catch-22 when consumers complain they call too often. Debt collection companies must adhere to federal rules. Those rules require them not to disclose a debt to anyone but the person from whom they are trying to collect. This makes leaving voice mail tricky and requires more calling.

Tips for Small Businesses

So, what can small businesses do to make sure they steer clear of trouble when trying to collect a payment from a customer?

First, Schiffman recommends you learn everything you can about the rules in your state or city. Then, if you do business with someone in another city or state, you may also want to study up on debt collection practices there, too. This will prevent you from unknowingly violating the rules of another community.



5 Other Taxes for Small Business Owners

When you think of taxes for your business, likely you’re thinking about income taxes on your profits, especially at this time of the year. But your responsibilities for taxes don’t stop with income taxes. You may be obligated to pay other taxes related to your business.

Below are five other taxes you may have to deal with.

1. Self-Employment Tax

If you’re self-employed, you pay Social Security and Medicare taxes on your net earnings from self-employment (your profits). For 2014, the Social Security portion of the tax applies to profits up to $117,000. The Medicare tax applies to all of your profits; there is no dollar limit. If your profits are high enough, you’ll pay an additional 0.9% on profits over $250,000 if you’re married filing jointly, $200,000 if single, or $125,000 if married filing separately.

If you have a sideline business but also work for another company, your self-employment tax is reduced to the extent you pay Social Security tax on wages you receive from the job. But because all profits are subject to the Medicare tax, there’s no savings here.

If you’re married, each spouse pays Social Security and Medicare taxes separately on his/her share of wages and self-employment income. Spouses in community property states follow special rules to ensure that the spouse earning the business income is the one who pays self-employment tax (and earns the credit for Social Security and Medicare purposes).

If you weren’t profitable, you can choose to pay a minimal amount of self-employment tax. Why would you voluntarily pay this tax? So that you earn credits for Social Security purposes.

Find more details about figuring and paying self-employment tax in the instructions to Schedule SE of Form 1040 (PDF).

2. Employment Taxes on Wages and Other Taxable Compensation

If you own a corporation (C or S), your salary and other taxable fringe benefits are subject to FICA in the same manner as compensation paid to other employees. There are no distinctions in the tax on payments to owners versus payments to rank-and-file employees.

Find details about employment taxes in IRS Publication 15 (PDF). Unless you’re in Alaska, Florida, New Hampshire, Nevada, South Dakota, Tennessee, Texas, Washington or Wyoming, check with your state tax department about income tax withholding responsibilities with respect to employee compensation.

3. Unemployment Taxes

This tax applies at both the federal and state level and the taxes go to fund unemployment benefits for workers who are laid off or fired (other than for a serious cause). Unemployment taxes are imposed only on employers; employees do not pay unemployment taxes.

Find details about FUTA, the federal unemployment tax, in the instructions to Form 940 (PDF). Also, check with your state tax and labor departments for details on state unemployment taxes.

4. Sales Taxes

Unless you’re in Alaska, Delaware, Montana, New Hampshire and Oregon, you may be required to collect sales taxes on the goods and services you sell and remit the funds to the state or states they’re due. If you sell online you may be required to collect taxes on remote sales, complicating your collection activities. Currently, there are nearly 10,000 sales tax jurisdictions (due to additional sales taxes imposed not only by states but counties and municipalities).

Check with your state about whether your goods and services are exempt from tax. If not, then learn about your collection responsibilities. If you sell online, consider using a service to help you with sales taxes. Certified service providers authorized under the Streamlined Sales Tax Governing Board for this purpose include AccurateTax, Avalara, CCH, Exactor, FedTax and Taxware.

5. Excise Taxes

Excise taxes are like a federal sales tax on certain items. Sometimes the payment is automatic (e.g., it’s rolled into the price of gasoline you pay at the pump) so there’s nothing for you to do. Other times your business must pay the tax separately to the federal government (e.g., a 10% tax on indoor tanning services if you own a tanning salon).

Learn more about excise taxes from the IRS.

Conclusion

During this tax season, think beyond your income taxes to make sure you’re addressing all of your tax responsibilities. Work with a great tax advisor so you’re not caught short and penalized for failing to pay what you’re supposed to.



Smaller banks under fire from phishing attacks

A US government financial agency has warned smaller banks and financial institutions in the US to be aware of the heightened risk of their systems being phished by cyber-criminals.

The Federal Financial Institutions Examination Council (FFIEC) says that cyber-criminals are phishing the banks with the specific aim of increasing the daily withdrawal limits of account holders - allowing them to drain a card account in one or two days, rather than being limited by the normal daily ATM limit.

The FFIEC adds that the hackers are looking for access to the web-based ATM control panels used by bank staff, which are used to set the amount of money customers can withdraw, and the geographies where they can take money out. 

SCMagazineUK.com understands that pre-paid debit cards are especially susceptible to this type of attack. 

The cyber-criminals use debit or credit card information obtained through other attacks to make their withdrawals, usually on holidays and weekends when monitoring by banks is more limited. 

“The cash-out phase of the attack involves criminals organising simultaneous withdrawals of large amounts of cash from multiple ATMs over a short time period, usually four hours to two days,” says the FFIEC. 

The attack methodology is far from theoretical, SCMagazineUK.com notes, as Oman's Bank of Muscat and RakBank, the UAE-based National Bank of Ras Al-Khaimah, were hit by this type of attack around 15 months ago.

RakBank reportedly lost $5 million (approximately £3 million) to fraudsters after around 4,500 ATM withdrawals were made in 20 countries around the world on December 22, 2012. The Bank of Muscat, meanwhile, lost $40 million (£24.1 million) in just 10 hours in February 2013.

In both incidents, cyber-criminals dramatically increased the limits on prepaid debit cards after also breaking into card issuer computers in the US and India. Authorities later arrested people in the US, Germany and Spain in association with the banking fraud. 

Commenting on the raised threat to banks from phishing attacks, Phil Robins, a director with Encode UK, said that, as cyber defences improve, so the criminals will rise to the challenge. 

"People are the weakest link in all security and are therefore very susceptible to this type of Advanced Persistent Threat (APT)," he said. 

"This joint statement [from the FFIEC] defines good cyber security practice including both the testing and monitoring of the safeguards," he added. 

Colin Miles, CTO of Pirean, an employee security consultancy, said that smaller financial institutions can protect themselves against this kind of phishing attack by adopting stronger authentication mechanisms to protect key applications. 

"Where any organisation has digital assets which could be compromised to cause reputational or financial damage - to itself or its customers - it is vital that they have higher levels of assurance regarding who is accessing the service than knowledge of a username/password alone," he said. 

"With the right technology these institutions can lower the risk profile for sensitive applications safe in the knowledge that a basic credential theft will not compromise access to a control panel application," he added. 

Miles went on to say that financial institutions exposed to this kind of risk should also consider implementing controls for advanced threat prevention and detection. 

"These security controls offer capabilities to offer protection against zero-day application exploits by preventing malware from ever reaching the network even when otherwise trusted employees have been compromised through so called spear-phishing scams," he explained. 

The same approach, he says, will also add a further layer of protection by monitoring the network for signs of unwanted data exfiltration - effectively stopping sensitive data from ever leaving the network and reaching the bad guys.

Tim Keanini, CTO with security vendor Lancope, said that it is interesting to note that prepaid card systems were targeted because prepaid cards do not enjoy the same protection under the law as debit or credit cards. 

Prepaid debit cards, he explained, may carry fewer consumer protections in the event of loss or a disputed charge than debit cards and this may have been a factor in why they were targeted. 
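The FFIEC description above names two observable signals on the issuer's side: a card's withdrawal limit being raised sharply through the control panel, and a burst of withdrawals across many ATMs and countries within hours, typically at weekends. The following detector is an added example, not code from the SC Magazine article, the FFIEC or any vendor quoted; it correlates those two signals over a constructed sample log. The log format, card identifiers, dates, countries and alert thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp|event|card|detail" format.
# Dates, card ids, countries and limits are invented for this illustration.
# 2014-04-05 and 2014-04-06 fall on a weekend, 2014-04-07 on a Monday.
SAMPLE_LOG = """\
2014-04-05T01:02:00|limit_change|card-A|500->50000
2014-04-05T01:05:00|withdrawal|card-A|US
2014-04-05T01:06:00|withdrawal|card-A|DE
2014-04-05T01:10:00|withdrawal|card-A|ES
2014-04-05T01:12:00|withdrawal|card-A|JP
2014-04-05T01:15:00|withdrawal|card-A|CA
2014-04-05T01:16:00|withdrawal|card-A|US
2014-04-06T02:00:00|limit_change|card-C|1000->20000
2014-04-07T09:00:00|limit_change|card-B|500->600
2014-04-07T10:00:00|withdrawal|card-B|US
2014-04-07T11:00:00|withdrawal|card-B|US
"""

# Thresholds are assumptions chosen for the example, not FFIEC or bank policy.
LIMIT_SPIKE_FACTOR = 10               # flag a raise to >= 10x the old limit
CASHOUT_WINDOW = timedelta(hours=4)   # lower end of the "four hours to two days" window
MIN_WITHDRAWALS = 5                   # withdrawals inside one window
MIN_COUNTRIES = 3                     # distinct countries inside one window


def parse_events(text):
    """Parse the assumed pipe-delimited log into time-ordered event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, card, detail = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "card": card, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def limit_spikes(events):
    """Control-panel limit raises of LIMIT_SPIKE_FACTOR or more.

    Returns {card: (timestamp, old_limit, new_limit, on_weekend)}; the weekend
    flag is kept because the article notes cash-outs favour weekends and holidays.
    """
    spikes = {}
    for e in events:
        if e["kind"] != "limit_change":
            continue
        old, new = (int(x) for x in e["detail"].split("->"))
        if old > 0 and new >= old * LIMIT_SPIKE_FACTOR:
            spikes[e["card"]] = (e["ts"], old, new, e["ts"].weekday() >= 5)
    return spikes


def cashout_bursts(events):
    """Cards with >= MIN_WITHDRAWALS withdrawals spanning >= MIN_COUNTRIES
    countries inside any CASHOUT_WINDOW-long sliding window.

    Returns {card: (withdrawal_count, country_count)} for the first such window.
    """
    by_card = defaultdict(list)
    for e in events:
        if e["kind"] == "withdrawal":
            by_card[e["card"]].append(e)
    bursts = {}
    for card, ws in by_card.items():
        for i, start in enumerate(ws):
            window = [w for w in ws[i:] if w["ts"] - start["ts"] <= CASHOUT_WINDOW]
            countries = {w["detail"] for w in window}
            if len(window) >= MIN_WITHDRAWALS and len(countries) >= MIN_COUNTRIES:
                bursts[card] = (len(window), len(countries))
                break
    return bursts


def detect(text):
    """Correlate both signals per card.

    A limit spike and a cash-out burst on the same card is 'high';
    either signal alone is 'medium' and worth a manual look.
    """
    events = parse_events(text)
    spikes = limit_spikes(events)
    bursts = cashout_bursts(events)
    alerts = {}
    for card in set(spikes) | set(bursts):
        alerts[card] = "high" if card in spikes and card in bursts else "medium"
    return alerts


if __name__ == "__main__":
    for card, severity in sorted(detect(SAMPLE_LOG).items()):
        print(card, severity)
```

On the constructed log, card-A (a 100x limit raise on a Saturday followed within 15 minutes by six withdrawals in five countries) is rated high, card-C (a large raise with no withdrawals yet) is rated medium, and card-B (a modest raise and two domestic withdrawals) raises nothing. The limit-change signal is the more valuable of the two for a small issuer, since it fires before the cash-out starts rather than after the money is gone.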



New malware component changes router's DNS settings remotely

Routers from Cisco, D-Link, Huawei, TP-Link and ZTE have been identified as vulnerable.

New malware research from ESET has spotted a potentially nasty variant of Win32/Sality, a trojan-driven botnet that has been around for about 11 years.

The new version, says analyst Benjamin Vanheuverzwijn, continues the modular approach to darkware coding - and since the code is digitally signed, it is both resilient to protocol manipulation, and likely to be treated as legitimate in a corporate environment. 

So what's changed with the new version of the malware? 

Because the trojan is modular, like the infamous Zeus financial malware, cyber-criminals can add to, and even change the direction of, the darkware. 

Just recently, says Vanheuverzwijn, a new component has been seen in the trojan, one that has the ability to change a home/small business broadband gateway router's primary DNS address. So far, he adds that routers from Cisco, D-Link, Huawei, TP-Link and ZTE have been identified as vulnerable to the malware attack vector. 

Vanheuverzwijn says that this component builds on the success of the IP address scanner component - Win32/Brute - that was first spotted in October of last year by Russia's Dr Web security consultancy, and updated this February.

The ESET researcher hints that Win32/Sality may comprise a very large set of botnets, as his team's research suggests that there are more than 115,000 IP addresses being used as super-peers, which the cybercriminals use to keep the botnet alive and propagate commands to regular peers.

Methodology

Sality's approach to changing a router's DNS is to scan the internet for router admin pages.

The trojan can then change the router's DNS settings using a brute force attack vector - a step that Vanheuverzwijn says allows for everything from the theft of bank credentials to blocking communications with security vendors. 

Bob Tarzey, an analyst and director with Quocirca, says that the new attack vector used by Win32/Sality is a key one, as, if there is any candidate for outsourcing to a third-party expert provider, it is the DNS infrastructure.

"It is a utility, but a critical one. It is obvious that the DNS infrastructure is becoming more and more of an attack target," he said.

Fellow analyst Sarb Sembhi, meanwhile, said that the evolution of Win32/Sality highlights the challenge that lies ahead with the 'Internet of Everything', as the rising number of devices in a home or office all tend to route through a single internet gateway, the main router.

"Any point at which we connect to the Internet is potentially vulnerable," he said, adding that, in order to reduce the risk surface, router vendors - and the ISPs that issue routers, usually free of charge, to their customers - need to raise their security game.

"This is because the role of the router is becoming more and more important. As the Internet of Everything takes off, so the available attack surface in a home or office starts to increase. There are already a lot of devices that can use a router as a gateway, and that number will only increase as the Internet of Everything starts to become widespread," he explained. 

Sembhi went on to say that the router security situation caused by Win32/Sality is made far worse by the fact that only a small number of users ever bother to update the firmware on their routers, even though they regularly patch and update many other IT systems in the home and/or office.

"It's clear to me that the router vendors and ISPs need to clean their act up. A router has become the single point of failure for a wide range of Internet-linked devices. ISPs and vendors need to develop an auto-updating system for the routers, as well as improve security around the modem itself," he said.

Jon-Marc Wilkinson, distribution manager with WatchGuard, said that the situation with small office and home routers - which are widely used in business - is that ISPs often use standard wireless routers with a legacy built-in firewall for home users.

"These devices are easily compromised by even the simplest attacks," he said. 

"We would recommend using an appliance with pre-configured settings which protect against DNS attacks, straight out of the box. This is extremely important for companies and organisations that adopt distributed enterprise networks, which cater for high levels of home working," he added.



Idea for Infographics: On the Sidewalk in Front of Your Store?

Infographics can be a powerful tool for presenting information. Businesses often use infographics to share research and information about their industry or their company’s offerings. They almost always include professional graphics and a variety of comprehensive stats.

But researchers in Cambridge, England recently thought up a different way to use infographics.

Lisa Koeman, Vaiva Kalnikaite and Yvonne Rogers, students at University College London, wanted to explore the attitudes of people in the nearby community of Mill Road. It’s a neighborhood split in half by a bridge. Area residents tend to stay on their own side and don’t always have a favorable outlook on what lies beyond the bridge.

To accomplish their task, the group placed simple voting machines in local shops, so customers could answer questions about the community and their perceptions of it while waiting in line. They were asked to evaluate their community for qualities like happiness, neighborliness and social ties. Then the group created simple chalk drawings to reveal the data on sidewalks up and down the street.

The goal of the project was not just to collect or display information. It was also to encourage conversation among residents. That’s why the venue and format of these infographics was so important.

Speaking to Fast Company, one of the students explained:

“Our aim was not only motivating individuals to reflect on their own and other people’s perceptions - we also wanted to get people talking about the different issues relating to Mill Road … By displaying the data in the public environment, it acted as a talking point. We observed people sharing anecdotes and opinions.”

Thanks in part to platforms like Instagram and Pinterest, you likely already understand the impact that visuals can have. But aside from just using visuals to convey a message, it’s also important to consider how and where to present that information. The idea is to reach the right people and garner the right reaction.

The researchers in Cambridge had a specific goal in mind for their project. If they had released more of a traditional infographic online, people might have still seen the results. But they knew they wanted to get people talking. So they decided instead to rethink the venue, and that’s why the project worked.

That’s not to say that infographics are always more powerful when displayed in public. But when displaying visuals or information to an audience, it is important to decide what it is you want to accomplish. Then choose the format and venue that make the most sense for your goals.


Imagine an infographic on the sidewalk outside your business telling passersby what your customers think.

Images: Fast Company



Russian trojan spotted attacking Middle Eastern banks

Security researcher Brian Krebs has spotted a Russian-controlled botnet being used to target banks in the Middle East.

The campaign follows on from the use of the ‘Sandroid’ malware, which is designed to look like a banking two-factor authentication (2FA) app, against banks and financial institutions in Australia.

Unlike in the UK and US, where 2FA security is still in its infancy, banks in Australia, Central and Eastern Europe, and the Middle East make extensive use of mobile phones as a 2FA security channel.

Around two years ago, cyber-criminals in India started subverting this channel by requesting a replacement SIM from the cellular networks, so gaining access to the user's mobile and authentication channel without their knowledge.

Today, SCMagazineUK.com notes, almost all cellcos are aware of this scam and impose a number of security safeguards, including sending over-the-air updates to replacement SIMs only when they have confirmed the identity of the new SIM card user.

This appears to be why cyber-criminals have changed their tactics and are now actively subverting Android apps by bundling malware designed to look like 2FA applications from several Middle Eastern banks, including Riyad Bank, SABB (formerly the Saudi British Bank), AlAhliOnline (National Commercial Bank), Al Rajhi Bank and Arab National Bank.

Krebs says that banking trojans like Sandroid create a pop-up box that asks the user to download a ‘security application’ on their mobile phones.

"Those apps are instead phony programs that merely intercept and then relay the victim's incoming SMS messages to the botnet master, who can then use the code along with the victim's banking username and password to log in as the victim," he says in his latest security posting. 

The security researcher claims to have traced control of the botnet swarm to a Mobile Telesystems SIM card used in Moscow. The Sandroid malware, used to infect users' Android smartphones, has been in active use in Australia and now the Middle East over the last year, he notes.

The good news, Krebs goes on to say, is that Sandroid's signature is detected by a wide range of free and paid-for Android security software. 

Although those UK banks that use 2FA have tended to use their own authentication devices (HSBC and Barclays fall into this category), 2FA over a mobile phone is a lot cheaper for banks to implement, as it saves them issuing their own tokens.

HSBC in particular has now started offering an Android and iOS-based ‘full blown’ mobile banking app that uses cellular authentication channels to confirm the user.

According to Keith Bird, UK MD of Check Point, the Sandroid trojan's methodology may not be that new: he said it sounds very similar to the summer 2012 ‘Eurograbber’ attack, which stole over €36 million (£30 million) from 30,000 customers of 30 banks in Italy, Spain, Germany and the Netherlands.

"This used a variant of the Zitmo [Zeus in the mobile] trojan to compromise mobile banking customers' phones and intercept the SMS-based authentication used by banks," he said, adding that, from the banks' perspective, the transactions in Eurograbber appeared to be legitimate. 

"This enabled the Eurograbber thefts to continue for weeks. Attackers will always try to focus on the weakest link - which is the people using the devices - but these attacks are becoming very sophisticated in their techniques," he explained.

As reported at the time, online identity theft protection provider Versafe identified the Eurograbber multi-staged attack in August of 2012 and began investigating the trojan's methodology with the assistance of Check Point. 

Check Point concluded that Eurograbber initially infected a user's desktop PC. The attack then quickly compromised the mobile device once the link between the online account and the mobile number was established through entry of the texted one-time passcode.



Business Ethics 101: Care, Deliver and Do The Right Thing

“A man without ethics is a wild beast loosed upon this world.” ~ Albert Camus

I have always enjoyed his thinking and writing. He makes so much sense to me when it comes to - for every action, there is a reaction.

A French Nobel Prize winning author, journalist and philosopher, Camus contributed to the rise of the philosophy known as existentialism, which proposes that human beings, through their own consciousness, create their own values and determine a meaning to their life.

This meaning starts with our personal fundamentals, values and ethics. This is the foundation for a solid brand and reputation in the business space. If you want to be respected, taken seriously, referred and enjoy long term success, high business ethics must be your priority. Ethics are the values, company morals and culture in all your interactions and relationships. They are your moral compass.

It saddens me to still see so much disrespect for this in business, but it goes with the territory and usually the smart public flushes it out. There are also much better filters now being used in the online space. But, it is up to us to filter this for ourselves and not become part of the problem.

Your Values Versus Dangling Carrots

Everything starts at the top and trickles down from there. We set the standards for ourselves, our employees, customers and communities. Highly ethical companies have a dedicated, conscious plan and strategy that is regularly monitored, tweaked and taken very seriously. It permeates all aspects of the business.

Turning down or “firing” employees, businesses, opportunities and activities that do not align with our values and ethics may impact the bottom line short term but bolster it long term. This translates into customer retention, employee loyalty and increased credibility.

Build a Strong, Open Company Culture

Relationships with employees that start with honesty, caring, acknowledgement and reward will always prosper. Train and educate your employees to be the “best of” in your business and that will translate to the customer.

Encourage employees to speak up, with an open door policy about safety, mistakes, and customer conflicts. Encourage feedback, suggestions and ideas that can make relationships better, and processes smoother. They are your eyes and ears in the trenches and want to feel they have skin in the game.

Create an Ethics Checklist and Standards

Saying you have ethics is one thing, showing your “Ethics Checklist” in writing, posting it where people can see it and living it is another. This keeps everyone more committed and accountable. It doesn’t have to be complicated, long or wordy, just stated clearly. It can include areas like billing and payments, accepting new clients, conflicts of interest, behavior, treating people respectfully and hiring.

Strong Ethics Do Equate Into Better Profits

Sticking to, monitoring and changing ethical standards as they are needed may cost more in the short term, but are key factors in sustainability, loyalty and repeat business. Consistency in ethics builds stronger relationships and gives you a way to deliver your promise to employees and your public.

The online world has exposed relentless spam and unethical companies and practices. We are getting smarter and savvier about spotting this quickly, but it will never go away completely. Businesses that lack ethical consistency throughout the sales process are not going to gain new customers. Businesses that do not treat people right after the sale are not going to survive. Put as much time into retaining as you do recruiting and you will win.

One blog post or social media message can go viral in less than 24 hours and sometimes in one hour. This can be a brand killer, as the public now has the power. Don’t think you can hide bad motives in seemingly good intentions. Bad idea.

Here are some excellent resources for articles on business ethics from Santa Clara University Markkula Center for Applied Ethics.

Respect your customer, your public, be ethical from the start and build the right culture that keeps you and your business around for a long time.

Why wouldn’t you?

Beast Photo via Shutterstock



Snowden effect: Insider threat grips European companies

Just nine percent of European organisations feel safe from insider threat, according to a new study by Vormetric and Ovum, and that could get worse once the new EU data protection legislation comes into effect.

The ‘2014 Vormetric Insider Threat Report - European Edition’ reveals that more than a quarter (26 percent) of businesses in the UK, France and Germany feel vulnerable to the threat of insiders leaking data - either intentionally or unintentionally - with close to half (46 percent) feeling more vulnerable than in 2012. A further 36 percent believe that things have not become easier to manage.

The study, which surveyed 540 senior IT professionals and business decision makers, followed on from a similar study by the companies in the US last year and its findings were discussed in full at a roundtable in central London earlier this week.

The executive summary from the report seemed to suggest that the actions of former CIA contractor Edward Snowden, who continues to leak damaging reports on the level of surveillance employed by the NSA and GCHQ, combined with news of data breaches and government-sponsored APTs, were having a detrimental effect on employers' trust of their employees.

“As large-scale breaches, APTs and Snowden-related discussions dominate the news cycle, it is clear that insider threats are among the most prominent IT security issues facing organisations today, a feeling which is reflected within the findings of our report.”

But at an event in London on Tuesday, Andrew Kellett, principal analyst at Ovum, was keen to point out that data breaches, innocuous or otherwise, can often be down to employee mistakes, or even malicious intentions by contractors or suppliers.

“Suppliers, contractors…anyone you don't control properly, will fall under the area of insider threat,” he said. Noting the Target breach, he added: “If you set up [credentials] correctly, the business partner wouldn't get a look at that data.”

“Think about administrators, privileged users, and the fact that organisations make data available to contractors and suppliers. You have to think about the bigger picture.

“There are also a lot of concerns about third parties in terms of data compliance, and where the data is held.”

Indeed, the report indicates that sending sensitive data and IT assets to non-technical employees was the biggest risk (49 percent) of insider threat, followed - more surprisingly - by the CFO and CEO (29 percent).

Cloud storage, a topical issue in light of the move to services like Amazon Web Services - was also highlighted as a big concern by 62 percent of businesses, with another 52 percent worried about big data repositories containing sensitive material.

‘Snowden informed their thinking’

What caught our eye in the report was the finding that almost half (46 percent) of businesses now feel more at risk from the insider threat, with another third (36 percent) feeling as though ‘things had not become easier’.

How much of a part had Edward Snowden played, considering his leaks came halfway through 2013, compared with the growing number of data breaches and even employee devices?

Ovum's Andrew Kellett admitted that it could be all three but said that Snowden's revelations had, in particular, had a shocking effect on businesses based in the US.

“Overall, and certainly because of the focus on Snowden, US organisations certainly do appear to be more nervous [about insider threat] than in Europe,” he told SCMagazineUK.com. The report seems to back this up, showing that 47 percent of US firms ‘feel vulnerable to the insider threat’, compared to 25 percent in Europe.

Alan Kessler, CEO of Vormetric, agreed, saying that Edward Snowden has opened their eyes to the dangers not only of the insider, but of the insider with the required privileged-user access rights: “Snowden informed their thinking.”

Spending on the rise

The positive in all of this is that European companies are at least prepared to spend to mitigate against the risk - 66 percent plan to increase their IT budgets as a direct response.

Perhaps this should come as little surprise - Target's margins have reportedly dropped by 50 percent since the data breach late last year, while a recent study by Semafone shows that 86 percent of consumers shun brands who have had an incident like this.

Neither the Vormetric nor the Ovum speakers were overly clear on where this spend is going - be it big data or SIEM solutions for logging, or security awareness training for educating staff - but they stressed that encryption and identity management are the key going forward.

On the matter of logging, Kellett said that there must be easier ways to manage what's going on.

“European companies are fairly sophisticated in monitoring via logs at the security operations centre, but there is more room for improvement as far as insider threat is concerned.

“[They've] got to make it a lot easier to analyse the data, seeing the bigger picture of what is going on. The average time for detecting data breaches is quite long.”

Fears heightened with new EU DPA

On the subject of breaches and fines, Kellett admitted that fears over insider threat are likely to rise should the EU's proposed Data Protection Act reform become reality.

The draft bill proposes fines of up to five percent of global turnover (or €100 million) as well as regulatory reporting within 72 hours.

Kellett admitted that the DPA will make people more worried. “Yep…it will tighten up rules, and introduce heavier fines,” he said of his belief that business decision makers will worry more about this kind of threat in future.

Speaking prior to the results of the study, Stewart Room, privacy lawyer and partner in Field Fisher Waterhouse's Technology and Outsourcing Group, said that insider threat is a culmination of a number of issues.

“Clearly, compliance requirements, privacy regulations and ongoing data breaches are having a strong effect on organisations,” said Room.

“With 66 percent planning to expand IT security spending to offset insider threats, and the challenges they are seeing with protecting data within cloud, mobile and big data environments, enterprises are seeing that their security posture needs to be updated, and are taking steps to do so.”



IRS: Don’t Fall Victim To Tax Advocacy Scam

The Internal Revenue Service is warning of a scam that involves fake emails sent to gain personal information from unwary taxpayers, including small businesses.

It’s another thing to watch for especially if you’ve already filed this tax season. The IRS says the emails include a bogus case number and information claiming the recipient’s reported income for 2013 has been “flagged.”

An official release from the IRS warns such fraudulent emails might include the following:

“Your reported 2013 income is flagged for review due to a document processing error. Your case has been forwarded to the Taxpayer Advocate Service for resolution assistance. To avoid delays processing your 2013 filing contact the Taxpayer Advocate Service for resolution assistance.”

The email further says that the recipient’s case has been referred to a tax advocate. Intended victims are then directed to click on links that supposedly give further information on the advocate and their reported 2013 income. But, in reality, the links lead to Web pages which solicit personal information.

The IRS says the Taxpayer Advocate Service is a real IRS organization providing assistance to taxpayers unable to resolve issues involving their federal return through normal agency channels.

But they say the group doesn’t make contact with the public through email, social media or texting.

So taxpayers are advised not to respond or click on any links in such emails. Instead, the IRS suggests forwarding them to phishing@irs.gov. The agency’s also set up a special Web page with more information about similar scams.

Around tax time, it’s a good idea to look out for a variety of email scamming tactics all aimed at gaining money, information or both.

Here are some important tips to avoid being a victim:

  • Make sure your system has up-to-date security software.
  • Have a backup of all your data in case an attack crashes your computer.
  • Never file taxes or other sensitive information over a public network.
  • Be suspicious of any email claiming to come from the IRS.
  • Choose passwords carefully avoiding obvious words or phrases that are easy to guess.
  • Always remember to sign out of any application that requires personal information to access.

Most of these are good security tips not just during tax time, but all year round.
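As an added illustration of how the indicators described above can be checked mechanically (example code, not from the IRS or this article), the following script parses a constructed sample message that mirrors the quoted lure text and reports which warning signs it matches: a sender domain that is not irs.gov, links whose host is not irs.gov, and Taxpayer Advocate Service wording with a case number, which the IRS says it never sends by email. The sample address and hostnames are made up for the example.

```python
"""Flag emails matching the Taxpayer Advocate Service phishing lure."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message; the body mirrors the wording quoted in the IRS release.
SAMPLE_EMAIL = """\
From: "IRS Taxpayer Advocate" <advocate@irs-gov-review.example>
To: owner@smallbiz.example
Subject: Case #TAS-000000: 2013 income flagged
Content-Type: text/plain

Your reported 2013 income is flagged for review due to a document processing
error. Your case has been forwarded to the Taxpayer Advocate Service for
resolution assistance. Review your case at http://irs.gov.review-case.example/tas
"""

# Wording from the article's quoted lure; the IRS says TAS never initiates contact by email.
LURE_PATTERNS = [
    r"case (?:number|#)",          # bogus case number
    r"flagged for review",         # "flagged" income claim
    r"taxpayer advocate service",  # referral to TAS
]


def sender_domain(msg):
    """Return the lower-cased domain part of the From header."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def is_irs_host(host):
    """True only for irs.gov itself or a genuine subdomain of it.

    A hostname like irs.gov.review-case.example merely starts with
    the brand name and is rejected.
    """
    return host == "irs.gov" or host.endswith(".irs.gov")


def phishing_indicators(raw):
    """Return the list of indicator names found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = msg.get("Subject", "") + "\n" + body
    found = []
    if not is_irs_host(sender_domain(msg)):
        found.append("sender_not_irs_gov")
    for url in re.findall(r"https?://\S+", body):
        if not is_irs_host(urlparse(url).hostname or ""):
            found.append("link_not_irs_gov")
            break
    if any(re.search(p, text, re.I) for p in LURE_PATTERNS):
        found.append("tas_lure_wording")
    return found


if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_EMAIL))
```

A message that trips any of these indicators should be forwarded to phishing@irs.gov rather than answered, as the agency advises.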

Scam Photo via Shutterstock