3 Valuable Business Lessons from ICON14 to Help Thrive In Today’s Small Business Landscape

There is something absolutely phenomenal that happens when you pile over 3000 passionate and ‘pumped up’ small business owners into an auditorium - and that is exactly what’s happening this week in Phoenix, AZ at ICON14 - the annual Infusionsoft small business conference. We are halfway through day two of this three-day event and already enough valuable information has been shared with attendees to justify the cost of the event five times over. With a lineup that includes Simon Sinek, leadership expert and author of ‘Start with Why’, Peter Shankman, CEO, angel investor and networking expert, Seth Godin, best-selling author and entrepreneur, and JJ Ramberg, MSNBC anchor of ‘Your Business’, there is no shortage of valuable business advice. Here are three valuable business lessons we’ve learned so far that will help your small business to thrive, not just survive, in today’s small business landscape.

Last year, small businesses in the U.S. generated over 10 Billion dollars in revenue. But as many of us small business owners and entrepreneurs know, running a small business is not for the faint of heart. As Clate Mask, Co-Founder and CEO of Infusionsoft, has pointed out many times here at #ICON14, there is a dark side to small business; a dark side that if you are not smart, committed and passionate will devour you until there is just nothing left. This may explain why 8 out of 10 businesses fail within the first 18 months. But, if you are a smart entrepreneur and small business owner and understand the ever-changing landscape and how to zig, when all others zag, you will find the light at the end of the tunnel and leave that dark side behind.

Have A Vision Statement

Whether you are one or one-hundred, you have to have a vision statement, and I’m not talking about one that says, “To Rule the World”. You need to make sure it is specific and that it can be seen. As Simon Sinek told us yesterday, “Humans are very visual animals and if you can’t see what you are trying to achieve then you simply won’t achieve it”. Infusionsoft understands this concept and throughout their corporate office you will see their company purpose, values and quarterly priorities hanging on (or painted on) the walls so that everyone can see them. While I cannot directly attribute their 100% growth from 2012 to 2013 to this, I’m quite sure that it played a significant part.

Be A Helper, Not A Seller

“The difference between selling and helping is two letters”, said Jay Baer during his breakout session on ‘Why Smart Companies Sell More by Selling Less’. In 2011 the average American consumer needed 10.4 sources of information before making a purchasing decision. Your job as a small business is to ensure that you are the one that provides the most information to them, but not just in the form of sales pages and advertisements. By providing educational and informative content about your area of expertise, you will set yourself apart as an expert and the ‘go-to’ in that field, which will translate into more people coming to your site and eventually more sales. Simply put, if you teach better you will sell more.

Be One Level Above ‘Crap’

Sadly, as Peter Shankman pointed out in his keynote address, we are a society that has come to expect horrible customer service. While this is certainly a travesty, it does create a wonderful opportunity for those small businesses that are willing to go the extra mile to provide an exceptional customer experience. Some of Peter’s suggestions on how to go above and beyond include remembering your customers’ names and sending them handwritten notes. The goal, as Peter put it, is to “bring random amazement into normal situations”. By treating the customers you have wonderfully, they will bring you the customers you want and need.

While these three business lessons may seem simple, they are often forgotten by small business owners as they get caught in the hustle and bustle of running the business. But if you simply step back and take a few moments to develop these tips and then focus on making them a part of your business, you will have a better chance of being in the 20% of small businesses that succeed.






Lessons Learned From Your 2013 Tax Return

With another tax filing deadline in the rearview mirror, most people don’t think about taxes until the next year.

However, take a few moments to review your return before you file it away. This year’s return can provide valuable information on the financial health of your business, as well as show you ways to improve your tax situation in time for next year’s filing.

1. Do You Feel the Self-Employment Tax Pain?

Do you feel like you are paying too much in self-employment taxes? You’re not alone, especially considering the rate for 2013 is higher than it has been the past few years.

If you make self-employed income, there’s not a lot you can do to avoid this tax completely. However, you can check with your CPA or tax advisor to see if changing your business structure to a corporation or LLC that’s taxed like an S Corporation can help lower your SE taxes.

In addition, the most important strategy for dealing with self-employment taxes is making sure your prices reflect this increased cost of doing business. Employers and employees typically split Medicare and Social Security taxes. But when you’re self-employed, you are on the hook for the whole thing.

This higher cost needs to be factored into your pricing.

2. Did You Struggle With Your Documentation?

To make the most of your business tax deductions, you’ll need accurate, comprehensive records. If you don’t keep track of your business expenses throughout the year, trying to remember every expense and round up every receipt can be a major hassle. Some legitimate expenses are bound to slip through the cracks, meaning you’ll end up paying more in taxes than you should.

If you struggled to prepare your records, receipts, and other documents this year, make a plan to get organized for your 2014 return. Find a method for documenting expenses that works for you.

There are dedicated apps like Expensify for tracking expenses, Milebug for recording mileage, or Shoeboxed for capturing paper receipts. In addition, your accounting program, like Mint, QuickBooks, or FreshBooks will let you record and manage expenses.

You’ll be grateful come tax time next year.

3. Are You Saving Enough for Retirement?

Your tax return can tell you whether you’ve made the most of your retirement savings options. If you haven’t, it’s a good idea to change your habits. After all, when you are self-employed, you are fully responsible for your retirement savings.

For example, if you qualify for a SEP-IRA and didn’t make the full contribution last year, see if you can step up your savings this year. The same advice goes to employees who aren’t contributing their full share to an employer-sponsored retirement plan.

4. Are You Expensing Enough?

What does your Schedule C or 1120/1120-S look like? Does your balance sheet show mainly profit, with few expenses? While most business owners want to keep their company running in the black, it is possible that you are not strategically expensing your costs throughout the year to keep your tax bill down.

Discuss your options with a CPA. Perhaps you’ll need to make a few key technology or marketing investments this year, or expense more travel and entertaining costs.

5. Any Nasty Surprises?

Did you discover that you didn’t put away enough to cover your 2013 taxes? Did your estimated tax payments fall way short? Businesses, including self-employed sole proprietors, are required to pay taxes on a quarterly basis. While this may be the law, it’s also good practice as waiting to pay a year’s worth of taxes in one lump sum can be quite a shock.

If you had to write a big check with your 2013 return, you’ll need to be more disciplined this year. Get into the habit of automatically setting aside a percentage of each payment/revenue for your tax obligations. Then, take stock of your profit/loss statement at each quarter and pay your quarterly bill accordingly. A financial advisor can help you estimate these payments if you need some help.

Remember that paying taxes is a year-long obligation, not just something to think about once a year. Take some time to reflect on your 2013 taxes - the tax return lessons learned will help streamline the process, and potentially lower your tax bill for years to come.




What If Someone Stole Your Website?


If you own a business, you probably also own a website. But what would you do if someone stole it? You probably don’t think this could ever happen to you. Blogger Jordan Reid didn’t think it could happen to her either - but it did.

It started when Reid received a YouTube notification that someone had signed in to her account using a different device. She thought nothing of it at the time. She assumed instead she had just signed in on a mobile device or that her husband had used her account. Then Reid received an email from someone who said they were interested in purchasing her website. Again, she disregarded the notice, this time assuming it was spam.

Then a friend of a friend told her he saw a listing for her website, RamshackleGlam, on an auction website. Reid didn’t immediately consider this to be a huge problem either. That is until she discovered that the ownership of her website had actually been transferred to someone else without her knowledge.


In a recent Mashable post, Reid explained why this theft was such a huge deal to her and her business:

“If you have a business that depends on a URL, you understand why this was such upsetting news: With control over my website’s domain name, a hacker would be able to take the site down, or redirect it elsewhere. Further, it was later verified that the hacker had control over all of the site’s content, as well; he could have just rerouted everything I’ve ever written to any location he wanted.”

Getting control of her site back wasn’t as easy as she thought it would be, either. She first tried going through her hosting and domain providers, but her attempts were not successful. She even got in touch with the FBI, since the theft qualified as an international cyber crime issue. The FBI opened an investigation and it is still ongoing.

She eventually got her website back by dealing directly with the seller. She asked the family friend who originally found the listing for her site to get in touch with the seller to negotiate a sale. They reached an agreement, and Reid authorized a wire transfer not knowing for sure whether she would actually get her site back. When she gained control of the site again, she cancelled the payment. And finally the nightmare was over.

So Reid did get her site back within a few days, but not without considerable drama. Of course, she would have preferred to avoid this situation altogether. So she offers some tips for website owners who want to avoid the same thing happening to them.

Reid warns business owners should choose a strong password and change it often. She also recommends using a separate computer, if possible, in case family members accidentally click bad links. Turn off your computer and other devices when not in use. Utilize anti-virus software and purchase CyberRisk insurance.

Your website is likely a very important part of your business. So website theft can be an absolutely devastating blow. It might not seem very likely that this could happen to you. But knowing how to avoid this situation can keep you from losing everything you’ve built online.




Apple criticised despite fixing iOS 7 and OS X flaws

Apple has been criticised despite correcting various security flaws on iOS 7 and OS X Lion and Mountain, with one such bug allowing hackers to intercept data via an SSL connection in a Man-in-the-Middle (MiTM) attack.

By rolling out iOS 7.1.1 and Mac OS X Security Update 2014-002 on Tuesday, the Cupertino giant looks to have corrected more than 19 flaws in total, including an HTTP vulnerability that allowed hackers with privileged access to obtain website credentials, and an SSL bug which could potentially be used by cyber-criminals to capture data, including passwords, and change operations. 

On OS X Maverick devices, there was a buffer overload flaw which could have led to remote code execution on iPhones and iPads. 

This news comes less than three months after Apple and its users faced the GoToFail bug - also related to a flaw in the SSL encryption - and weeks after the news broke on the Heartbleed OpenSSL bug, believed to affect two in three websites and as many as 150 million downloaded Android apps (according to analysis from FireEye).

Prior to releasing the fix, Apple detailed the SSL vulnerability as follows in its advisory note: 

“In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other. 

“To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection,” it reads. 

The iOS 7.1.1 update also fixes other flaws such as memory corruption issues (there were 16 in total) on WebKit - the open-source browser engine used by Safari, Dashboard, Mail, and other OS X applications - which could lead to arbitrary code execution, while the iPhone 5s fingerprint sensor has been improved, after complaints that it was inaccurate and less responsive over time. 

The news, however, hasn't stopped respected infosec professionals from attacking Apple on the roll-out of these security updates. 

Kristin Paget, a white hat hacker who worked on Apple's security team for a year, slammed the company for fixing the same 16 iOS vulnerabilities that were addressed three weeks earlier in a separate update for OS X users. 

This, as some commentators have explained, could have given hackers the opportunity to reverse engineer the fixes for one platform or even develop potent exploits to use against bugs unpatched on iOS. 

She wrote: “Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don't see anything wrong with this? 

“Someone tell me I'm not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms - but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?

“In what world is this acceptable?”

Chris Boyd, security researcher at Malwarebytes, agreed that it was a surprise that Apple didn't fix the flaws at the same time.  

“It's surprising that the lack of synchronicity in relation to security updates on Apple products is still taking place after a similar situation arose back in February,” he told SCMagazineUK.com. 

“Telling everybody "We've fixed it here, but not there" seems like a good way to invite attacks on the unpatched cousins living on the other side of town. Having a vulnerability like this out in the wild for any period of time can quickly become an open door for malware and it is something that all major technology providers should seek to avoid.  This is true for both consumer and enterprise platforms.”



5 Possible Outcomes in Franchise Ownership

It always helps to have a goal or two in mind when pursuing something big, like becoming the owner of a franchise business - any business. Do you have a specific goal in mind? Do you have your “end game” visualized? Have you thought about some of the possible outcomes? Or, are you thinking about becoming the owner of a franchise business just to escape a lousy career-related situation?

I hope not. That’s because buying a franchise, owning a franchise, is a long-term play. You need to think long-term.

Below are some possible long-term outcomes that can happen as the result of becoming the owner of a franchise business.

1. You Could End Up Building a Lot of Wealth

Most of the wealth in franchising comes by way of multi-unit ownership.

Fact: Multi-unit franchisees control 55% of all franchised units in the U.S.

Multi-unit franchise ownership involves choosing a franchise concept, and a franchisor, that encourages multi-unit ownership.

As a matter of fact some concepts, especially ones in the food sector, require new franchisees to sign multi-unit franchise agreements. These agreements may be for 3, 5, even 10 franchise units.  There’s usually a development schedule set up that franchisees must adhere to. For example, franchisees may have to commit to opening one new unit every 18 months.

Multi-unit franchise ownership can be quite a wealth creator. It’s simple math. If you own 10 franchise units each doing $1 million in annual sales, and you’re able to keep even 5% for yourself after royalties and expenses, you’re making $500k a year. That’s a lot of money. There are lots of franchises in the food sector that do quite a bit more than $1 million in annual sales.

Can you imagine owning 10 or 20 Dunkin’ Donuts franchises?

2. You’ll Never Have to Work for Anyone Else Again

Doesn’t that sentence have a nice ring to it?

For some, that outcome would suffice. Especially those who have had to become expert job interviewees because of the number of times they’ve been downsized. If you’re someone who has experienced multiple job losses, you know what I mean.

On the other hand, there are those of us who have had to work for real jerks and keep our jobs. Before I became my own boss, I had several bosses who were verbally abusive and felt that if enough people feared them, maybe their job production would increase to an acceptable level. Well, it never worked for me, and if you had a boss - or bosses - like that, I doubt it worked for you either.

If you do decide to become your own boss, know that there’s a certain feeling of power that comes with it. If that power ends up looking good on you, you may never have to work for anyone again.  It’s a great outcome.

3. A Sense of Accomplishment

I’ve worked with dozens of people who have told me that their main reason for wanting to buy a franchise was to have a sense of accomplishment.

A lot of the people I work with have been downsized from their mid to high-level corporate jobs and usually more than once.  Some of them are so depressed, it’s heartbreaking.

Some of them have worked 14 hour days for months at a time, trying to accomplish the goals their higher-ups set for them, only to have their divisions shut down and their jobs eliminated through absolutely no fault of their own. These goal-oriented people missed out on reaching their goals because their jobs were eliminated.  No wonder they’re depressed. They don’t feel they accomplished anything.

Buying a franchise and then actually becoming a successful franchise owner can go a long way in the “feeling a sense of accomplishment” department.

You should try it sometime.

4.  Building a Legacy

I’ve talked to dozens of would-be franchise owners who have told me that they didn’t want their children to experience some of the things they’ve had to endure over the years. (Like getting downsized over and over again.)

I’ve had people tell me the only reason they wanted to buy a franchise was to make sure their kids were set. They wanted their kids to have an opportunity to learn the business and eventually take it over if they chose.

That’s pretty powerful stuff. It says a lot about what’s been happening over the years in corporate America.

Today’s corporate employees, the ones that are living in reality, know where they stand. They know that their jobs can be eliminated at any time, and always have an updated resume at the ready. In addition, they’ve cultivated a powerful network of like-minded people on LinkedIn, and know how to use it.

Would you like to help your children avoid the career pain that so many are experiencing these days by buying a franchise that they could get involved in? Would that be a good outcome for you?

5.  Retire in Style

Maybe you’d like to walk away from your business; the business you’ve built up for the last 10-15 years. Maybe you’re thinking of building it and cashing out.

A lot of people I talk to start with the end in mind. They plan on selling their franchise after their franchise contract is over.

Selling your franchise isn’t that complicated. Usually, the franchisor gets involved, and may even help you find a buyer. Most franchisors already have people in their sales pipeline looking to buy franchises, and if there are any candidates in your geographical area that are fairly serious, they could be introduced to you.

If there’s no luck on that front, you can hire a business broker. Business brokers list your franchise and present it to people that they’re working with who are looking for existing businesses. They receive a fee, usually a percentage of your selling price, if they sell it for you.

You can find business brokers in your area by going to IBBA.org, the official website of the International Business Brokers Association.

Owning a franchise business is a major commitment. You’ll work really hard. There will be times of stress. There will be bad days and good days. But, they’re your days because it’s your business.

You have a lot more control over your own destiny. And the outcome - who knows? Maybe you can control that, too.




Square Acquisition Talk, If True, Leaves Fewer Merchant Options


There’s been some buzz lately that credit card reader Square could be shopping for someone to acquire the company.

Square is the popular credit card reader device that plugs into a smartphone or tablet. This technology has allowed the smallest companies to begin accepting credit cards and expanding their potential customer base. In addition to its card reader device, Square offers all its users a free eCommerce site through its Square Market service. So in addition to selling physically, retailers can sell their wares online, too.

More than a million merchants in the U.S. are using Square to accept credit cards from their customers. Despite its popularity though, Square has been losing money in its first five years. The Wall Street Journal reports the company saw a $100 million loss in 2013 alone. That was on the heels of poor 2012 performance, too. Last year, the company spent $110 million more in cash than it received.

Though those are bleak numbers, a possible sale could be in the billions of dollars. The Wall Street Journal adds that Square has been in talks since 2012 with Google about a possible sale. Before that, Square was allegedly discussing a possible takeover with eBay/PayPal and Apple.

Reports conflict, though. TechCrunch says that the talks between Square and Google were never anything serious.

Square is obviously struggling to assert dominance in a very competitive industry. The company put IPO ideas on hold and recently nailed down a $200 million line of credit.

This competition is good for small businesses. With more companies pitching for your business, you get better services at lower costs and better rates. If Square were to be consumed by a bigger company - especially competitors like eBay/PayPal - options for small businesses become fewer.

Right now there are plenty of options. Ecommerce giant Amazon offers myriad ways to accept payments. The company is also reportedly close to introducing its own credit card reader device that works on its Kindle tablets.

Smaller companies like Stripe are also available to small businesses. These companies can offer a competitive product and more options. Stripe recently upgraded its platform to optimize for mobile payments. The service also handles the storage of all your customers’ private banking information.




Dual-pronged social media attack vector discovered

Symantec researchers have spotted a dual-pronged social media engineering attack.

According to Lionel Payet, the firm's threat intelligence officer, the first iteration of the attack was seen in May of last year and involved businesses receiving direct phone calls and spear phishing emails impersonating a telecoms supplier, in a bid to install malware on the user's machine. 

This latest version, he says, has been seen targeting French language users and uses a more advanced version of the malware, with the attackers distributing a new payload from a number of freshly compromised domains, resulting in a sudden increase in infection numbers. 

However, he says in his analysis, the payload is different from that used previously (Blackshade), although the attackers are still using the same command-and-control server. The payload, he adds, has been named Trojan.Rokamal and is obfuscated with a DotNet packer.   

Tim Keanini, CTO with Lancope, said the dual-pronged attack vector comes down to exploiting human trust, something that is older than the Internet because most humans by default are trusting. 

"We have to work hard at being suspicious and most cultures consider this to be rude. Before the Internet, this all worked out because you were physically invested in the community and when you got up the next day, you would have to deal with your deeds of the day prior, these days, you can be a part of someone's life several time zones away," he explained. 

Back at Symantec, Payet said the most interesting aspect of the malware is that it uses a number of actions, including downloading and executing potentially malicious files, as well as staging a distributed denial-of-service (DDoS) attack to steal information and even mine crypto currency. 

"French speakers are concentrated not just in France, but also in wide areas of Africa, nearby European countries, Canada, and various islands around the world. As such, French speakers present a large pool of potential victims who may not have been targeted as heavily as English speakers," says Payet. 

Mike McLaughlin, technical team lead with pen-testing specialist First Base Technologies, said that the dual-pronged strategy has been used by cyber-criminals for some time, although the use of social media is an interesting new channel. 

"I've heard of users being sent new job information and then receiving another email five minutes later with an attachment or a link," he said, adding that the first email establishes credibility - and the second feeds the user the malware.

The problem, says McLaughlin, is that these attacks are usually tailored, giving them a greater chance of success. Coupled with the fact that many companies are not spending enough on staff awareness of threats like this, he adds that - without training - the attacks will succeed.

"The [training requirement] issue is slowly filtering through to C-level executives, and people are becoming more aware of the human element involved in these types of attacks," he said.

Sarb Sembhi, director of client services with Incoming Thought, the business and research analysis house, said that dual-pronged attacks are often seen against people working in the accounts departments of major companies, as they are used to opening attached invoices - even from people they have not dealt with before. 

"And if you follow up the email with a phone call requesting payment of the attached invoice, you can persuade people to click on the attachment," he explained. 

Sembhi, who is a leading light in ISACA, the not-for-profit IT security association, went on to say the attackers are now using a dual-prong approach as a business model, and are also taking their time to understand their targets and their businesses. 

"The attackers are clearly playing a numbers game with their targets. It's probably not worth their while to use a zero-day attack, as the numbers don't stack up - it's simply a sign of the ways that cyberattacks are going to progress in the future," he explained. 

Mark Teolis, general manager with DOSarrest, said that dual-pronged attacks allow the botnet masters to now have a concentrated group of zombies - in this case all of them are in French-speaking countries, with the majority being in France.

"Should this botnet be used later in a DDoS attack on, say, an English retailer or German school, these organisations that know the origin of their customer base can just block out any IPs coming from France very easily," he said.

"But if it is used to attack a French newspaper based in Paris and it's a slow and low type of layer seven attack, it will be very hard to tell the difference between friend and foe. If you want to rent a botnet for a DDoS attack and your victim is based in France, then this particular botnet is your weapon of choice," he added. 

ForeScout's chief marketing officer, Scott Gordon, meanwhile says that advanced cyber threats - and especially those that leverage social engineering - highlight the value of both security awareness training and the use of continuous monitoring technology. 

"The attackers may gain entry by leveraging a user's credentials, but then perform `land and expand' techniques to pinpoint and compromise more worthy systems," he said, adding that security platforms which afford interoperability to leverage an enterprise's layered defence infrastructure - including anti-malware, email and Internet filtering, SIEM and NAC technologies - serve to better identify, pre-empt and contain these exposures.



Cybercriminals use online gaming sites to funnel fraudulent revenues

A new report from McAfee details how cyber-criminals are increasingly using online gaming and gambling sites to launder money.

Whilst cyber-crime is now a major business, one of the key challenges for cyber-criminals is how to legitimise the revenue stream from illegal activities in such a way that the authorities cannot confiscate the assets.

Security researcher Brian Krebs has reported on the use of so-called money mules - legitimate bank account users who allow accounts to be used as way-points as money is siphoned out of a given country - but almost all major banks on both sides of the Atlantic now have systems in place to spot such activity. 

It's against this backdrop that a report from McAfee claims to have identified the increasing use of online gaming and gambling sites as a means of money laundering from cyber-criminal activities. 

According to the study, which is entitled `Jackpot! Money Laundering Through Online Gambling', the high volumes of money flowing through some sites makes it relatively easy for cyber-criminals to `hide' their own transactions and effectively end up with legitimate and trackable money in their accounts after laundering the money through gaming websites.  

With a `house edge' (commission) of 2.7 per cent on European roulette and 5.26 per cent on American roulette, SCMagazineUK.com notes that if a criminal were to back every number on the table with their account, the commission is much less than when using other laundering processes, such as using corrupt banks or pre-paid debit cards to make purchases for later sale on auction websites. 

McAfee's analysis says that the sheer number of online casinos makes them hard to police, and with payouts being tax-free in most countries, the infrastructure for monitoring transactions is non-existent in most cases - and the anonymity afforded to online players again helps criminals evade arrest. 

"Given the growing and ever-changing landscape of online gambling players and enablers, those working to apprehend cyber-criminals must have a variety of skills and perspectives into this extensive money-laundering infrastructure,” says the report. 

“These actors must be able to leverage cross-sector/border and public-private partnerships, combining the capabilities of law enforcement, ISPs, Internet security companies, independent monitoring organisations, academia, and the financial institutions ultimately in receipt of suspicious fund transfers,” it adds.

The study concludes that the IT industry - including ISPs and government agencies - needs to produce threat assessments, including trend analyses and forecasts, as well as new developments on cyber-criminal activity and functional processes.

"Without a means to cash out, the volume of cyber-crime would decrease," says the report, adding that the anonymous online money-laundering marketplace today is growing rapidly with the volume of attacks. 

The good news is that the US Government is now investigating the problem, after a professional poker player wrote to the New Jersey Director of Gaming Enforcement back in January, warning that online poker is vulnerable to money-laundering and collusion, and requested the opportunity to show how it worked, if provided immunity from prosecution.

As a result of this letter and other concerns, the US Congress is now considering two bills that would either create an 'Office of Internet Poker Oversight' in the Commerce Department or a broader 'Office of Internet Gambling Oversight' in the US Treasury.

Commenting on the report, digital forensics specialist Professor Peter Sommer said the cyber-criminal use of casinos is not a new phenomenon, as back in 2006 he was acting as an expert witness testing the evidence in the trial of a group of Eastern Europeans allegedly involved in money laundering.

“They were organised by a Russian who fled to Moscow just before the UK authorities got on to him,” he said, adding that the money mules bought gambling chips at a succession of London casinos. 

Sommer - a Visiting Professor with de Montfort University - went on to say that the mules were using bank accounts that had been acquired using classic rogue mail and malware activities.

“They then participated in modest gambling activity before claiming their winnings,” he said, noting that the actual events in the case took place in 2004 - some ten years ago.



Major Twitter spam attack 'traced' to fellow social media site

Photo-sharing website We Heart It may have been hit by a stream hack, after it was cited as the source for thousands of spam messages being sent out on Twitter.

The dangers associated with allowing third-party websites - and apps - access to your social media streams were highlighted this week after We Heart It, a social streaming service with around 25 million users, turned off its Twitter image sharing facility, following a possible stream hack.

Since early yesterday, Twitter users have seen a steady stream of tweets saying 'If I didn't try this my life wouldn't have changed' followed by a link. Some posts reportedly included a tag referencing Weheartit.com.

On Wednesday, We Heart It wrote on Twitter: “We've temporarily disabled sign-in and sharing via Twitter while we look into an issue. Please sign-in via email in the meantime.”

SCMagazineUK.com notes that the Twitter stream was enabled by We Heart It back in early January, using the Twitter extended API function also seen on services such as Hootsuite and Sensible. 

The problem with the API access, however, is that even when the password on the primary Twitter account is changed, API access normally continues since the app or third party service can still direct-access the Twitter API portal. 

Although both social media services are investigating the root cause of the spam security issue, We Heart It president Dave Williams told Ars Technica that any malicious activity has been blocked and the company is investigating further.

"Unfortunately I don't have any other information I can share at this point," he said. We Heart It representatives later took to Twitter to say sign-in and sharing over Twitter had been temporarily disabled.

Unconfirmed reports on some security forums suggest that the issue may be related to a phishing attack. 

Keith Bird, UK managing director with Check Point, said that targeted phishing campaigns continue to work, as it is something of a numbers game for criminals. 

"In 2013, Check Point's research found that spear-phishing campaigns are targeting a limited number of users within organisations,” he said. 

He went on to say that attackers do this by using social media profiling to create emails that are more likely to be opened by the recipients, instead of blanketing the entire organisation with easily detected phishing emails.

“This approach has led to more malware being planted on networks - and a 20 per cent increase in hosts accessing malicious sites compared to 2012,” he said. 

Independent security analyst Graham Cluley has been doing some research on the emerging We Heart It/Twitter security issue and said that - if Twitter users make the mistake of clicking on the link - they are taken to a fake Women's Health magazine site, promoting Garcinia Cambogia 'miracle diet' pills.

Many of the Twitter users sending the spammed tweets, he explained, are also members of the We Heart It social network and the tweets themselves were being sent via WeHeartIt.com. 

"In other words, We Heart It users can connect their accounts with their Twitter accounts, to share their `hearted' messages with their friends. It's a bit like sharing your favourite Pinterest pins I imagine," he said, adding that he looks forward to hearing more from We Heart It about what precisely went wrong. 

"We Heart It says it has now resolved the issue, and that it has not seen any evidence that users' personal data was exfiltrated during the exercise. However, there certainly wouldn't be any harm - in my opinion - if you changed your We Heart It password at the very least, and ensured that it wasn't the same as any other password you might use on the Internet," he noted.



Most UK Companies unaware of EU Data Protection law

The European Union's Data Protection Regulation reforms are edging ever closer to reality but, as a new study reveals, awareness among UK businesses is lower than expected.

The EU General Data Protection Regulation has been in the works since its initial draft was proposed at the start of 2012 and potentially has serious consequences for companies operating out of European member states, both on reporting data breaches and user privacy rights.

It stipulates data breach fines of up to five percent of global turnover (or €100 million) - significantly higher than the ICO in the UK is currently able to impose - as well as several privacy features, including the right to be forgotten.

Viviane Reding, VP of the European Commission, has previously said that the EU is aiming to be a 'one stop shop'. “We are creating one regulatory authority,” she said, some months ago.

However, despite this there have been several concerns. Privacy lawyers have accused the outgoing parliament of delaying the legislation, while there has been concern over whether companies can meet the 72-hour timeline proposed to notify regulators and customers once they know they've lost data.

Worse still, a new report from Trend Micro and Vanson Bourne reveals that only half of UK businesses are aware of the forthcoming regulation, compared to 87 percent of firms in Germany and 65 percent in France.

The study - of 850 senior IT decision makers around Europe - revealed that 50 percent of the 250 British respondents were completely unaware of the impending legislation, with only 10 percent aware of what steps they needed to take to achieve compliance.

The majority of respondents - 85 percent - believe that their organisation faces 'significant challenges' to comply with the regulation, and a quarter (25 percent) said they don't even think it's realistic to adhere to the incoming law.

Although this was largely due to a lack of employee awareness (44 percent) and restricted resources (31 percent), company structure appears to be an issue too, with nearly four in five placing responsibility on the company, and another quarter on a data protection officer - assuming they have one.

Both the study and the regulation - which was approved in March by the European Parliament - were discussed at length at a Trend Micro roundtable in London on Wednesday 23 April, with SCMagazineUK.com in attendance.

James Walker, solutions consultant at Trend Micro UK and Ireland, opened by saying that it is “noticeable the lack of knowledge on the forthcoming regulation” in his discussions with clients, and this was something that Vinod Bange, a partner at TaylorWessing, was only too keen to pick up on.

“A good collection of clients are saying 'what are these regulations?'” he said.

As a result, there is some exasperation over the lack of preparedness, not least because the changes are arguably an extension of existing laws already present in EU member states.

“The directive is not much further than the 1998 Data Protection Act in the UK. Data protection applies to everyone, and we've been doing it a long time,” said Mike David, principal analyst at MSMD Advisors, noting the earlier 1984 agreement.

“The directive is essentially best practices… don't keep data longer than you need to, build trust with clients - these are fairly basic things. It's not rocket science,” he added.

Despite the wait, Bange sees some improvement in the way the European chambers (the Commission and Parliament) are working together, and in how the reforms are being regarded - “Some German regulators are now saying that they're quite comfortable with the regime”.

Walker sees C-level interest growing accordingly: “The new regulations suddenly make the board care,” he said.

Compliance costs

However, while the regulators may be open to the proposed changes, businesses could still face problems, most significantly over the money needed to implement such changes.

Bange says that there are no obvious cost savings for companies in complying but, with fines being so high, there is no alternative either.

“There's a clear cost for companies to put themselves in a position of compliance, but equally it costs money if you don't comply.”

Max Perkins, underwriter at specialist insurance business Beazley Group, meanwhile believes that all this development - and a lack of a concise framework from businesses - could fuel a cottage industry on data protection. 

“There's going to be a cottage industry around this,” he said, noting the need for legal services, a company to manage breach response and even outsourced customer services.

Data breach response

SCMagazineUK.com asked if the data breach response time, currently set at 72 hours in the proposed regulation, is achievable and this prompted something of a debate.

Trend Micro's James Walker said that companies will have no choice but to conform, while Bange said that the 72-hour time-frame is realistic. But the issue, as Perkins said, could be when the clock starts ticking.

“At what point does that clock start ticking? Is it when you suspect something has happened?” he said, further commenting that this could result in a number of 'false positives' reported to the regulator.

The speakers further agreed that, adding to this complexity, the short time-frame could result in hasty conclusions on the cause of a data breach.

As a result, they said that companies should take basic steps to set up for EU data compliance, from designating a person to look into the matter and understanding where data is stored to staff education and ensuring DLP tools are installed correctly.



Who Wants to Unplug? Millennials, That’s Who!

Millennials are the always-on, always-connected generation. So your typical Millennial employee who’s multitasking away, managing social media on one window of the desktop computer, IM-ing on a second and surfing the Net on a third while texting on a smartphone and listening to headphones - is as happy as could be, right?

Wrong. According to a study (PDF) by Cornerstone, the average Millennial employee is just as stressed out by technology as any Gen X, Baby Boomer or senior. In fact, even more so.

The poll of more than 1,000 employees reports that Millennials are more likely than any other generation to say they have suffered from work overload (58 percent), information overload (41 percent) and technology overload (38 percent).

What gives? Is the generation that grew up texting while crossing busy streets suddenly having an allergic reaction to technology?

Part of Millennials’ stress may be due to their low position on the office totem pole. After all, while technology is second nature to them, the workplace is still a bit new - and integrating technology with the expectations of bosses and colleagues can be challenging.

So how can you get your stressed out Millennial employees to take a tech break?

Set Limits

This is the generation that sleeps with smartphones at its side. So if you email a Millennial at midnight, he or she will likely feel compelled to reply right then.

To preserve employees’ personal space (and sanity), set limits on non-emergency work-related communications, such as no work emails or texts after 10 p.m. You may need to vary this depending on what is reasonable for your business and the job duties of the people involved.

Consider a Back-to-Basics Day

Could your business do without internal email, IM or whatever communication is stressing employees out for one day or one afternoon a week?

Many large companies have no-email days to enable employees to get more focused work done. You can still communicate - just do it by picking up the phone or walking down the hall. Millennials aren’t the only ones who will appreciate it.

Get Together in Person

Millennials grew up collaborating on school projects and sports teams. While you might think this Skype generation is fine with virtual work teams and overseas collaborators in different time zones, in reality, 60 percent of Millennials say they prefer collaboration to take place in person.

Team bonding is important for young employees who are still finding their place in the workplace and bonding is better when it happens IRL (in real life). Provide opportunities for Millennial employees to collaborate in person, even if it means bringing remote workers into the office once a week or once a month.

Don’t Pile On

Millennial employees are often “assumed” to be tech-savvy, so they end up bearing the brunt of everyone’s casual requests for informal tech help. This can mean anything from taking charge of the business’s Facebook page to helping configure printer drivers, showing co-workers how to use their smartphones or creating a staff wiki. It can get to be too much.

Make sure your Millennials aren’t running themselves ragged trying to help the less knowledgeable. Instead of doing their jobs for them, have the Millennials show them how to do the tasks.

You know the saying, “Give a man a fish, and he eats for a day. Teach him to fish, and he eats for a lifetime.”

Offer Time Off and Honor It

When workers take a day off, treat it as such and don’t contact them about work issues. Make sure someone else at the office is equipped to answer questions.

Your employees will come back rested and recharged - ready to multitask again, just not quite as much. 




OfferPipe: A New App For Retailers To Create Mobile Offers

As a small business owner, you know one of the best ways to attract new customers is through special promotions. Everyone loves something for free or at a bargain. It doesn’t have to be complicated. It can be something as simple as 20% off, or two for the price of one. Show your generous side ...

The post OfferPipe: A New App For Retailers To Create Mobile Offers appeared first on Small Business Trends.