6 Marketing Collaboration Tools For Your Online Strategy

There are so many tools for everything in marketing, sometimes to the point that it’s overwhelming. However, using these tools is a necessary evil. It’s all about finding the marketing collaboration tools that are right for each aspect of your marketing efforts. What many forget, however, is that there are more tools than just those that help your actual marketing work. There are lots of tools out there that can help a marketing team run smoothly - behind-the-scenes tools, essentially.

Collaboration is a huge part of marketing and of making sure that your online strategies are running smoothly, because there are so many different factors you have to keep organized. All of those factors require a lot of people, and with a lot of people, collaboration is inevitable. Using a few marketing collaboration tools might be just what you’re missing.

The best part about these tools is that collaboration doesn’t really change. You’re used to marketing evolving constantly and therefore having to change some of the tools you use, but collaboration is always going to be important. Below are some of the most popular marketing collaboration tools for online marketers to help you stay organized:

1. Google Drive

Free for anyone who uses Gmail (particularly companies that have a Gmail address for all employees).

2. Co-op

This works well for smaller companies who just need marketing collaboration tools for small, simple tasks.

This is a really cool tool that allows a team to communicate all in one place. Most people use it for smaller tasks such as asking questions, posting an agenda for the day, or including news from around the office. It might not be the place where you post breaking news or assignments, but it’s a good interface for people to just go in once a day in the morning and check things out.

3. Basecamp

This tool is all about project management.

This is probably one of the most popular tools out there today for managing different projects. I personally use this tool to send out assignments to different people in our department. The team will see the assignments and be able to turn them in right there on the tool, which avoids a lot of back and forth emails. You also have plenty of space to leave comments or ask questions, and you can request that your comment be sent to certain people via email so that they get the message faster. If you have a content team, this is a must-have tool.

4. Skype

Great if you have team members away from the office.

Skype works particularly well if you have different employees telecommuting, but even if not it can still be very useful. When most people think of Skype they think of simply calling someone and talking with them face to face, and while this type of collaboration and communication is great, the tool offers much more. You can share files, leave video messages, use the tool on your phone, and chat just as you would chat on a platform like Gmail. Did I mention it was free?

5. Join.me

This is a free screen-sharing tool.

Again, this tool is great if you have people from different offices needing to collaborate. All you need to do is hop on a call and then you can actually show the other party what you’re seeing on your screen and what exactly you’re doing on that screen. In other words, it’s as if the other party is staring at your screen and watching your every move. The coolest part about this is you can actually hand over the controls to the other party so that they can start showing you how something is done and you can sit and watch. This works great for designers or for different projects that involve a lot of teaching-by-showing.

6. Dropbox

Basically a tool used to share big files.

This isn’t a tool that is talked about much for business (it’s popular for picture sharing), but it has proven to work great for sharing big files of information. If you want to send a project over to your team quickly, you can just drag the file you want to share into a Dropbox folder that you set up for certain team members. Your whole team not only receives the large file, but they can edit and/or download it.

For a list of even more collaborative tools for online marketers I recommend checking out this article. Once you find a marketing collaboration tool that works well for you, let us know in the comments below how it works and why you love it.




Powerful Mobile Video Editing App Comes To The iPhone from Corel’s Pinnacle Studio

I’ve done video editing on a computer for many years. The three tools I’ve used are Pinnacle Studio, Windows Movie Maker and my favorite, Adobe Premiere.

Putting together good video on just a smartphone is doable, but the apps are not as feature-rich as video editing software on a computer.

Corel released Pinnacle Studio for the iPhone, which enables iPhone users to do awesome video editing - I guess competing head to head with Apple’s own iMovie.

Pinnacle Studio is pretty feature-rich, and includes the following:

  • Work with any media on your device - video, audio and photos
  • Swiftly arrange clips in the Storyboard
  • Make precise edits and trim individual frames in the Timeline
  • Get creative with montage templates to create 3D animations, high-quality transitions, motion titles and graphics, picture-in-picture, fast and slow motion, and more
  • Take advantage of 3 audio tracks + AV sync audio, trim audio to any length, modify the speed, set levels and fade, and add voiceover
  • Enjoy full 1080p HD quality
  • Share directly to YouTube, Facebook and Box or export projects to Pinnacle Studio on your iPad or Windows
  • Learn how to get the most out of Pinnacle Studio with video tutorials and pop-up help

Whether you publish video on an iPhone, Android device or your computer - video publishing is a powerful way to build engagement and boost content marketing for your products and services.


Voting Now Open for the 6th Annual Small Business Book Awards!

The nomination process is over and now it’s time to vote! Voting officially began today and will continue through May 28, 2014 at 11:59 PM PST.

This is the 6th year for the contest, and regular readers know it’s dedicated to showcasing the kinds of books entrepreneurs, small business owners, CEOs, managers, and their staff just can’t wait to get their hands on.

Have a look at your favorites in each of the seven book categories and in the resource category. Competition should be intense. In the past, as many as 100,000 votes have been cast.

Voting is easy. Find the nominations of your choice located in each category section. Click on the “VOTE” button and you’re done. Vote for as many different nominees as you like, one vote per person, per nominee. The winners of the popular community vote will receive the “Community Choice” winners designation.

The 2014 Small Business Awards are Web based. That means anyone can vote and you too can have an impact on the outcome. A judging panel will also be looking over the entries independent of online votes to choose the top Overall and Category winners.

What You’ll Get

So what do the winners receive?

You’ll get the publicity that comes with winning the contest including the right to display a Winners insignia on your book(s), website, brochures and elsewhere. Here’s more on the contest rules.

More Details

Who: Anyone may vote for their favorite book or resource. Vote for as many nominees as you wish, one vote per person, per nominee.

What: 2014 Small Business Book Awards

When: May 1, 2014 through May 28, 2014 at 11:59 PM PST

How: It just takes one click - no registering! Voting is easy and takes less than 10 seconds.

Where: Visit the 2014 Small Business Book Awards website to get started. To vote for your favorite book or non-book resource, visit the list of nominees.



5 Ways Creativity and Productivity Can Blossom In The Office

In our offices, whether a home office or a corporate cubicle, we stare at computer screens all day long. However, it’s the creativity, passion and strategic actions we take that move our business forward.

I’ve asked Peter Mahoney, Chief Marketing Officer, Nuance Communications, to give his insight on creativity in the office.

Large companies like Google and Facebook have become famous for their creative and productive work environments, with practices such as Google’s “20 Percent Time” and Facebook’s informal office culture. But these innovative work environments, which also bring awesome competitive advantages, are not simply reserved for the Goliaths of the tech industry.  Smaller businesses can create their own unique office culture with creative yet practical solutions, especially when the practices increase efficiency while minimizing costs. Below are five great ways to infuse creativity and productivity into your workplace.

1. Stand Tall

Numerous medical studies over the past few years have shed light on a growing concern in today’s office environment:  Sitting is the new smoking. Harvard Business Review says the average person spends 9.3 hours sitting at work each day. Sitting for more than six hours a day can make you 18 percent more likely to develop diabetes, heart disease and obesity, compared to people who sit less than three hours each day. The research is so compelling that the American Medical Association just recently adopted a new policy recognizing the potential risks of prolonged sitting, and is encouraging employers to make available alternatives to sitting, such as standing workstations. Not only do standing workstations help create a healthier workforce, but also a happier and more productive one. Products such as Ergotron’s Sit-Stand Workstations are ergonomic, minimalist stations that enable people to easily alternate between sitting and standing while working. Medical and ergonomics research has consistently shown that sit-stand workstations can result in productivity increases (up to 18 percent) and improved employee energy levels and mood states. By incorporating such equipment into a work environment, you can expect healthier, more productive and active employees.

2. Talk, Don’t Type

Everyone wishes to be more productive and type faster. But what might not be commonly known is that voice dictation - speaking to a computer and having your words understood and transcribed to the screen - is up to three times faster than typing. Many businesses are using voice recognition software to get more done, faster. Not only can it help employees be more productive at their desks, but it also can assist with accurate note taking. Some studies suggest that we lose, on average, about 25 percent of the details of a meeting within as little as one day. Companies with greater resources can afford to bring a staff person into the meeting to capture those notes, freeing the employer up to focus on the client, rather than trying to take notes and listen at the same time. But for many businesses, this may not be an affordable or feasible solution. With up to 99 percent accuracy, voice recognition software like Dragon NaturallySpeaking for PC and Dragon Dictate for Mac can help employees quickly and accurately jot down notes from a meeting, so important details aren’t missed. Not only is voice recognition software an easier, more convenient way to take notes and compose documents, it also relieves the strain of constant typing, which can lead to the development of repetitive stress injuries like carpal tunnel syndrome and arthritis.

3. Creative Space for Collaboration and Others for Focus

According to a recent Forrester report, 29 percent of the global workforce uses multiple devices from multiple locations to complete their daily work tasks. The report also mentioned that 37 percent of information workers start a project in one location and finish in another. This mobility promotes collaboration, and creates easy opportunities to work with other people. The tech news website Re/code advises that people spend time in a lounge area with coworkers, or gather together in a bullpen-style area “where they can feed off each other’s energy and determination.” At the same time, it’s also possible to withdraw to a secluded area or conference room in order to focus and work alone. The advancing technology, constant connectivity and mobile devices in the workplace make these practices possible.

4. Embrace Mobility

With new technologies (such as tablets and wearable devices) coming out every day, combined with the growing bring-your-own-device (BYOD) trend, businesses need to ensure that their office structure is equipped to handle our increasingly mobile and global workforce. Bump and connect can no longer just be about running into people in the hallway - we have to find a better way to connect with experts who may be halfway across the globe. Employees need mobile technology that allows them to be as productive on the go as they would be in the office. The new trend of micro-collaboration apps is headed in the right direction to make this happen, including Dropbox, Evernote and Collaborate.com. These examples demonstrate the idea that emerging technologies can’t simply be advanced and efficient; they must also promote collaboration and personal interaction. The best technology will be effective in connecting people to each other.

5. Foster Creativity by Design

Cubicles lined up in a dimly lit, blandly colored, windowless office are a thing of the past. For example, Facebook designed a revolutionary office that features angled walls, curved desks and an uninterrupted floor plan in which employees can walk from one end of the building to the other without passing through a door. Indeed, the company may be onto something with its curved designs - Fast Company recently outlined why our brains are more receptive to objects and designs that are rounded rather than linear. Whether it’s a curved desk, vibrant colors or other unique design features, employees should design their workspaces in ways that best bring out their own personal creativity.

Today’s work practices are very different from those seen ten years ago, last year or even last month. Whatever new trends emerge, it’s crucial that businesses and employees adapt their work habits to unleash the best possible innovation in the workplace.



Items Your Business Can’t Deduct on Taxes

While most business expenses can be written off, the tax law contains some pesky limits or bans on deducting legitimate business-related costs. Trying to write these items off may attract unwanted IRS attention, so don’t do it!

Below are five examples of expenditures that are on you. You can’t share their cost with the government via a tax write-off.

1. Fines and Penalties

Unfortunately, a business can incur a government fine or penalty for an infraction, or for failing to do something that’s required of it. The tax law says such a fine is nondeductible. Thus, if you’re a trucker and violate state highway weight laws, the penalty for this violation cannot be written off. This rule applies to parking and speeding tickets, even while using your vehicle for business.

You can deduct penalties arising from private contracts. For example, if you’re in construction but fail to complete the job on time, you may have to pay a penalty; it’s deductible.

2. 50% of Meals and Entertainment Costs

Costs you incur to wine and dine clients, customers, vendors, and other business associates are only half deductible. The other half cannot be written off, even though they are legitimate business expenditures.

Fortunately, not every meal and entertainment cost is subject to the 50% limit. Here are some meal and entertainment costs that are fully deductible:

  • Cost of company picnics
  • Snacks you provide in the company kitchen or meeting room
  • Costs for a hospitality suite at a trade show or convention

3. Repayment of Loan Principal

If you borrow money to start your business, carry inventory, or for any other business purpose, you can deduct the interest on the loan.

However, the portion of each payment representing principal can’t be deducted. Paying off a loan is a considerable drain on cash flow.

4. Dividends

If your business is incorporated and you want to pay dividends to investors, the corporation can’t deduct these dividend payments. That’s why C corporations usually produce a double tax - once on the corporation when it earns the income, and again when it distributes earnings to shareholders, who then pay tax on the dividends.

5. Interest on Tax Deficiencies

If you get behind on your taxes, you’ll owe interest to the government. While the IRS interest rate on individuals currently is modest (3% for the second quarter of 2014), it can mount up if the delinquency isn’t paid off soon.

The interest on taxes related to Schedule C, E, or F - your business income from a sole proprietorship, partnership, limited liability company, or S corporation - is not deductible as a business expense. It is viewed as interest on your personal income taxes, which is not deductible. Remember, personal interest, other than home mortgage interest and student loan interest within limits, is not deductible.

C corporations that pay interest to the government on their back taxes can deduct the expense.

Conclusion

The fact that these five examples highlight nondeductible business-related items doesn’t imply that most business expenses are treated harshly for tax purposes. They are not.

Most items you pay for in your business can be written off - by a deduction or a tax credit. Just watch out for limitations that may affect the timing or amount of a write-off, and for the limited situations in which something is not deductible at all.

When in doubt, consult with your tax professional.




Minimum Wage Bill Fails in Senate, Small Business Groups Respond

A Senate bill that would have raised the federal minimum wage from $7.25 to $10.10 failed in the Senate Wednesday. But President Obama and other supporters have vowed to make it an issue in the 2014 elections.

Small business leaders want elected officials to know they consider it an important issue too. The International Franchise Association, which supports franchise owners worldwide, thanked Senate leaders who opposed the bill yesterday.

In an official response to the Senate decision yesterday, International Franchise Association President & CEO Steve Caldeira explained:

“We commend the Senate’s decision to reject legislation to drastically raise the minimum wage, and thank the Senators who took a stand to protect our nation’s small business franchise owners. Congress’ own economists at the Congressional Budget Office have said that an increase in the minimum wage would reduce employment, and thankfully enough Senators heeded this dire warning in a sluggish and still fragile economy.”

While supporters of a minimum wage increase have tried to make the debate about a conflict between wealthy and working Americans, Caldeira made it clear most franchise owners are hardly flush. He said the difference between the current minimum wage and a higher rate would likely be the difference between survival and failure for some:

“For many franchise businesses that are labor-intensive and already operate on thin profit margins, this legislation could have pushed some operators out of business. Businesses should be able to determine the most competitive starting wage and subsequent raises for their employees within their industry and local economy.”

The National Federation of Independent Businesses promised to make the bill a “Key Vote” with its membership, suggesting the vote would be used by the NFIB when scoring legislators on small business issues.

In an official statement leading up to the vote, NFIB Manager of Legislative Affairs Ashley Fingarson had this to say about the legislation:

“Yet again, lawmakers are targeting the nation’s economic engine - small business owners - with an anti-employer agenda. With increases to health care costs, higher taxes, more costly regulations, and now a dramatic minimum wage increase, small business owners simply can’t afford another excessive government mandate. It could not be clearer from our studies and the recent Congressional Budget Office report - raising the minimum wage will kill jobs and stifle economic output.”

In one example raised by the NFIB, a pizza parlor selling 100 pies for 360 days a year at $10 makes $360,000 a year.

If the business has 10 minimum wage employees at $7 per hour working 2,000 hours a year, then labor costs would be about $140,000. Add to this food costs, depreciation, insurance, supplies, licenses, rent, utilities and equipment for another $170,000.

Profits are now $50,000 annually, certainly far from the income of a “wealthy” person. Now raise the minimum wage by just $1, far less than the amount advocates want it to increase by, and the owner’s profits are now just $30,000 a year.

The owner can try to raise prices, of course. But this may decrease the demand for the product, and perhaps result in layoffs.




CT Expo: 'White van man' adopts GPS jammers

Thieves and employees take assets off the network to avoid tracking

Once powered up, a typical GPS jammer can be fully operational in under 20 seconds. GPS jammers - devices that block the signals of the Global Positioning System satellites that orbit the earth - have been around for many years, but as the use of GPS tracking has soared thanks to its inclusion in most modern smartphones, the use of GPS jammers has soared with it.

According to Professor Charles Curry, the managing director of Chronos Technology, a company which has carved out a successful niche in the GPS jamming remediation and analysis business, this surge in jamming is the direct result of the number of Web sites - mostly in China - that sell these devices for as little as £80.00.

In a recent analysis, he says, his team found more than 60 Web sites - mainly located in China - offering a wide variety of handheld multi-functional jammers, including units that can block GPS and cellular transmissions.

"One unit we bought recently for US$ 180 [about £120] was found to block all GPS signals for a range of several hundred metres," he told his audience at a presentation held this week at Counter Terror Expo.

"Back in 2004, we installed a 10 watt jammer in central London and were amazed to find out that there were GPS problems in Heathrow, Stansted and Gatwick airports," he explained.

Today's jammers - which operate at around half a watt and have a range of half a kilometre - are now being used for a wide variety of criminal and allied acts, ranging from the 'white van man' who wants to 'skive off' without his company knowing, all the way through to higher-powered units used to help steal high-end cars and expensive lorries plus their cargo.

In the case of lorries, he says, the criminals will drive behind and close to the vehicle, and then follow it for several miles, before staging a hijack, confident in the knowledge that - when the company calls in the police to trace the vehicle - its last known position could be many miles off its real position.

"This is what we call JAC, short for Jamming Assisted Crime, and it is most definitely on the increase," he said, adding that, once powered up, a typical jammer can be fully operational in under 20 seconds.

Contrary to what many people think, he went on to say, GPS jammers are easily detectable by police and other IT professionals, as they shine out like a light in the middle of the countryside at night.

This is why, he explained, most criminals will only use the jammers when they have to, and will try to switch them off as quickly as possible, as they know they are standing out like a lighthouse on a dark night in the country.

Having said that, he says, their usage as a means of blocking asset tracking in industry is on the rise: as criminals latch on to the fact that quite complex pieces of kit can be stolen using a jammer, their usage can only increase.

Jammer detectors, Professor Curry says, vary in their capabilities. Lower-cost handheld units, he adds, are non-directional, whilst more complex - and expensive - units can be used to triangulate the offending user.

One of the growing trends in criminality, he told his audience, is the use of jammers to block the asset trackers used in high-value plant kit, such as large plant lorries and steamrollers. Whilst these vehicles have on-board asset tracking systems, a simple GPS jammer can allow the vehicle to be stolen outside of working hours with relative ease.

Is there a method of blocking GPS jammers?

Professor Curry replied that some work is being carried out in the field of null field transmissions, which can generate a signal lobe that coincides with the location from which the jammer is being used, but the signal power levels involved are quite significant, and a commercial solution is still some way off.

Given that it is not specifically illegal to have a GPS jammer in your possession, he predicts that the usage of GPS jamming technology is likely to continue to increase in the months ahead.



New Social Media Management App, Sparksfly, Amazing Authoring and Monitoring Features

There are many awesome tools which people are using to get the most out of their social media management. Few professionals use Twitter or Facebook directly, but instead use TweetDeck, Hootsuite, or other tools to manage their social engagement. I’ve found that Dlvr.it is also a good tool for analytics and social media management.

I was recently clued in to Sparksfly, which provides a VERY unique and differentiating feature set for social media authoring and monitoring.

  • Let’s say you’re at a special conference and you want to bring together social feeds just for that conference - Sparksfly helps you easily do it.
  • See something interesting you want to save for later? Put it in a notebook. It’s waiting for you when you’re ready.
  • Share posts to Evernote, Dropbox, Box and more by using the Share to email feature.

There’s more that Sparksfly can do to help you manage your social networks and communicate clearly and effectively.

If you’re tired of logging into a handful of social networks and apps to keep on top of things and communicate - Sparksfly can help.



Red Teaming in the real world

Red teaming is a relatively new type of extended pen testing used to raise the security and governance bar in major corporates, most notably financial service organisations such as banks.

The vast majority of financial services organisations do not reveal the results of their red team exercises, due to the political sensitivity that is involved - so SCMagazineUK.com was keen to hear what Dan Soloman, head of cyber risk and security services with Optimal Risk Management had to say about a red team exercise he and his staff recently carried out against a major New York bank.

In a presentation at Counter Terror Expo this week Soloman explained that the main objective of a red team exercise is to stage a series of controlled attacks against the organisation concerned, to discuss the failures in all aspects of physical and electronic security, and prepare the business for a real world cyber attack.

"In the New York bank exercise, we looked at several areas, including how APTs work in the real world, the human attack issue and, of course, pen testing. We test attacked all of the bank's Web, client and mobile applications," he said.

On the human attack front Soloman and his team staged spear phishing attacks, as well as APTs and custom malware launches, DDoS attacks, and mobile device application tests.

War gaming

Next came the war game aspect, which involves physical infiltration, as well as Web access and WiFi network analysis plus interrogation.

A USB drive was planted in the bank's comms room, and the team gained access to the business's WiFi antenna - a step that could be 'game over' for many organisations, especially since the team also successfully cloned the bank's WiFi, getting staff to log into the rogue access point.

"It was interesting that the bank had a silent alarm on its IT facilities, but we bypassed this, as our red team was in - and out - in under three minutes," he said, adding that this was not before they were able to plant a series of bugs and monitor staff Skype conversations.

Soloman also made the interesting claim that his team were able to crack the bank's WiFi password - encrypted to WPA-2 standards - in about four-and-a-half hours, a process that they repeated at a second bank site, so proving the methodology.

"This also allowed us to carry out a waterhole attack using a fake Web page," he said, adding that the process of inserting malware via the fake Web site is a relatively easy step to take.

Another avenue that successfully staged attacks against staff email accounts was the sending of personal emails to staff, offering them a reward in return for referrals to colleagues.

LinkedIn, he says, was also useful in this regard, as it allows the red team to gain information on the staff before launching personalised messages offering staff a US $50 (£30) reward for referring friends on LinkedIn.



CT Expo: identifying terrorists with digital forensics

Digital forensics is still a relatively new science in the mainstream security space, but the intelligence services have been using the technique since the earliest days of computers against the perceived enemies of the day.

Today enemies of the state are often terrorists and specifically include Al Qaeda.

A key question when dealing with Al Qaeda, however, is what can be done on the tight budgets of government agencies, but, according to Gregor Stewart, director of product management with Basis Technology, quite a lot can be achieved through the use of advanced digital forensics.

In his presentation at Counter Terror Expo - entitled 'Delivering Mission-Critical Answers for Today's Intelligence Community' - Stewart explained that, when data is extracted from a suspected terrorist's computer, it is a triage situation, with forensics staff duplicating the hard drive and then analysing the metadata that results.

Whilst a problem of dealing with Al Qaeda data in the West is that the text is usually in Arabic, Stewart says that the forensics process can be advanced by non-Arabic speakers using a technique called 'gisting', whereby English speakers let computer software highlight names in the data stream and then cross-reference these against a known-persons database.

"From there, full extraction of interesting text can be carried out, with the text translated and human enrichment techniques applied," he said, adding that by cataloguing data in the cloud, information can be added at high speed, preparing the stage for complete forensics analysis by linguistic analysts.

"Human enrichment of the data is a powerful step in the process of data analytics. It allows the intelligence services to home in on high quality data with minimal staff resources," he said.

"The end result is that the computer-assisted analysis of names and contextual data allows a more refined analysis to be carried out, and on a very tight budget," he added, noting that gisting allows faster translations to be carried out - but without sacrificing any quality in the process.

So what can be learned from digital forensic linguistic analysis in the security space?

SCMagazineUK.com spoke to staff at Basis Technology's stand at the CT Expo event, where they explained that the firm's Rosette linguistics platform has been used as the main Asian linguistic technology needed to create Google's Chinese, Japanese and Korean search engine.

The Rosette platform is billed as using automated and state-of-the-art natural language processing techniques to improve information retrieval, text mining and other applications.

In use, Rosette provides capabilities such as identifying the language of incoming text, providing a normalised representation in Unicode, and locating names, places and other key concepts in a body of unstructured text.



57% Of Professionals Are Doing This Bad Tech Habit. 4 Other Habits Can Cripple Small Business Network Security.

You hire an IT guy to help ensure you're secure. You install awesome software on your mobile computers, servers and desktop computers, and you have sticky notes in public areas reminding people not to write down their passwords.

But you know you are still NOT as secure as you can be.

TeamViewer did a study which found that company workers (and owners) are doing some pretty bad things which are making their networks much less secure.

The most common thing they see is the browsing of social media websites (82%) followed by:

  • Opening inappropriate email attachments - 57%
  • Downloading games - 52%
  • Plugging in unauthorized USB devices - 51%
  • Plugging in unauthorized personal devices - 50%
  • Illegal downloads (e.g. pirating movies, music or software) - 45%
  • Looking for other jobs - 39%

And these bad habits have their share of repercussions. 90% of IT administrators say that they’ve witnessed problems with company equipment because of these actions, including:

  • Viruses - 77%
  • Slow computers - 74%
  • Crashed computers - 55%
  • Mass popups - 48%
  • Inability to open email - 33%

If you want to ensure your small (or large) network or individual computer is secure, there are several things you can do.

  • Be very careful in opening any email - in fact, do it slowly and with great thought and care
  • Have images in email turned “off” by default
  • Ensure your email provider and Internet Service Provider have built-in security to scan email and protect your network
  • Install security software at all your end points - notebook, computer, mobile devices
  • Be careful when using public networks.

These are just a few things you can do to be more secure.


Security needs to look 10 years ahead

Security as an enabler was a major theme at the Information Security Europe 2014 show in London this week, as well as being the title of a dedicated panel session on supporting enterprise innovation and transformation.

One way for security to add value is by using innovative security solutions to enable new lines of business, and panelist Michael Colao, Head of Security, AXA UK commented, “The only place we add value is if we allow the business to offer the services which they do, therefore security needs to be compared to a strategy unit which is looking at where the company will be in 2020 or 2030, what services it will buy or sell and what core activity will it retain. Then you need to figure out how you will be in a position to do that. E.g. 10 years ago cloud services were known about and you could have put an app up and checked out what the security requirements might be so as to be ready when the business wants to innovate in that direction.

“New services take three to five years from the lab to market, and a further five years for wide usage, and seven to eight years for the court cases to come out - so we are now getting solid case law for email which was introduced in the 1980s. We need to prepare for the future court cases about the legal and regulatory issues.”

Barney adds, “We are part of the business and should be expected to innovate, for financial and efficiency reasons. So now is the time to look at the security of Google Glass and whether it can add value.”

Colao also saw this as a good example, commenting that his board had looked at the implications of Google Glass in the insurance industry, but that the senior IT people had not looked at it, even though the board were discussing it, hence there was a disconnect that needed to be bridged.

But while enabling business is largely accepted as a good thing, Andy Jones, CISO Maersk Line questioned the value-add premise, asking, “Are we even tied up with adding value? A lot of what the security function does enables business to happen, but is not about adding value.”

Certainly it became clear that the success of the security function is measured by many things, and a financial contribution may not even apply in many cases, such as hospitals and military defence.

But moderator Peter Wood, Security Advisory Group, ISACA London chapter emphasised how in retail, security has the ability to lead from the front, “adding terrific value in business,” though he too recognised that in sectors where the consequences of a breach are more dangerous than lost profit, there is a need to be safer independent of financial return. But as an example of how security can contribute to saving the company money, the introduction of log-in systems allowing a federated identity was cited, simplifying online shopping with one log-in to multiple locations.

Lee Barney, head of Information Security, Home Retail Group said that commercially, retail demonstrated how security should be done - it was happy to provide a business case and implement security solutions to enable business, and not just if they are on a compliance list.

For David Cass, SVP, CISO, Elsevier the question is, what is the level of security needed to get a product out there without being vulnerable? - reconciling risk and opportunity - and that is the level of security required. Barney noted that in retail, customers vote with their feet and go elsewhere if you lose their data, so you need to get it right.

Jones pointed out that security capability can itself be a business differentiator, so, working with corporate organisations, if you can say you have invested more in security than your competitors, and are therefore safer as a result, it's difficult for competitors to respond quickly, and this can be sold as a benefit. But this increased security needs to be measured and verified. Some panellists suggested follow-up spear-phishing spot checks can provide a metric of success, but Jones rejected this proposal, commenting that it was too easy to rig a spear-phishing test to get the result you wanted, hence it was a false metric.

Also, raw spend was not seen as the best metric if the money had not been spent well. Colao commented, “Companies need to ask, what's more likely, someone sitting in Starbucks using social engineering to compromise staff, or a crack team of Belorussian crackers attacking their systems? And where do you spend most of your budget tackling - the guy in Starbucks or the Belorussians?” The answer was often that the attacker was in Starbucks while budget concentrated on the Belorussians.

This brought discussion back to the perennial question of how to make boards understand risk-based security. Jones said that risk is hard for business leaders outside security to understand, but added, “What they are more likely to understand is fraud and what level is acceptable as in shoplifting, therefore the same overhead applies to security risk, and this analogy makes the issue easier to understand.”

Whether appropriate or not, all agreed that the board wants the level of risk to be financially quantified and thus put into terms they understand.

Colao cited a case of a salesman promoting a solution to block access to porn, as the company's existing systems did not guarantee blocking. Taking a financial approach, it was evaluated that the risk of getting involved in a lawsuit due to staff accessing porn was very low, with perhaps one case every five years possible and none actually seen - with a consequent cost of about £50k, thus the annual risk was £10k, and 80 percent of that risk was covered, so the risk value was about £2k pa. Consequently it was not seen as worth spending the money on a £20k solution.

Valuing risk in money terms enables senior level conversations between the security leaders and the board.



Internet Explorer Vulnerability Could be Used to Launch Cyber Attack, Say Feds

Federal officials have issued a warning to users of Internet Explorer: Stop using the Web browser until Microsoft can mitigate a security threat.

The U.S. Computer Emergency Readiness Team, a division of the Department of Homeland Security, is issuing the warning. The government agency recommends avoiding use of Internet Explorer until Microsoft finds a fix to a flaw in the browser that hackers have already used to launch attacks. CERT said in a statement this week:

“US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could allow unauthorized remote code execution.”

Microsoft has provided some workarounds for staunch users of Internet Explorer, or those who cannot use another browser. But Windows XP users will not find these workarounds beneficial, CERT says. They definitely should find another Web browser until the security risk is managed.

In its own warning this week, Microsoft explained that the IE bug is classified as a remote code execution vulnerability. In a Security Advisory posted at the Microsoft website, the company says:

“The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
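The advisory describes the use-after-free bug class: code keeps a reference to an object after the object has been released, and a later allocation may reuse that memory. One defensive pattern for making such dangling references fail closed is a generational handle table, where every reference carries the generation number of the slot it was issued for and a freed slot's generation changes. The following is an added example written for this page; it is not Internet Explorer's or Microsoft's code, and the slot layout, capacity and payload are constructed for illustration.

```c
/* Added example (not Microsoft's or IE's code): a generational handle table.
 * Each object is reached through a handle that carries the slot's generation
 * number; freeing a slot bumps the generation, so a handle kept past the
 * object's lifetime fails the lookup instead of reading reused memory.
 * The Slot layout, capacity and payload are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLOT_COUNT 8
#define NAME_LEN   32

typedef struct {
    uint32_t generation;   /* incremented each time the slot is (re)allocated */
    int      live;         /* 1 while an object occupies the slot */
    char     name[NAME_LEN];
} Slot;

typedef struct {
    uint32_t index;        /* which slot */
    uint32_t generation;   /* generation the handle was issued for */
} Handle;

static Slot     table[SLOT_COUNT];
static uint32_t next_generation = 1;   /* 0 is never issued, so {0,0} is "no handle" */

/* Allocate the lowest free slot and return a handle to it. */
Handle obj_alloc(const char *name) {
    Handle h = { 0, 0 };
    for (uint32_t i = 0; i < SLOT_COUNT; i++) {
        if (!table[i].live) {
            table[i].live = 1;
            table[i].generation = next_generation++;
            snprintf(table[i].name, NAME_LEN, "%s", name);
            h.index = i;
            h.generation = table[i].generation;
            return h;
        }
    }
    return h;   /* table full: caller gets the null handle */
}

/* Resolve a handle; NULL means the object is gone (or was never valid). */
Slot *obj_get(Handle h) {
    if (h.index >= SLOT_COUNT) return NULL;
    Slot *s = &table[h.index];
    if (!s->live || s->generation != h.generation) return NULL;
    return s;
}

/* Free through the handle; returns 0 on a second free of the same handle. */
int obj_free(Handle h) {
    Slot *s = obj_get(h);
    if (s == NULL) return 0;
    s->live = 0;
    memset(s->name, 0, NAME_LEN);
    return 1;
}

/* Scenario: free an object, let a new allocation reuse its slot, then try the
 * old handle. Returns 1 when the stale handle is refused and the new object
 * is reached only through its own handle. */
int stale_handle_is_refused(void) {
    Handle old = obj_alloc("first");
    obj_free(old);
    Handle fresh = obj_alloc("second");     /* lands in the same slot */
    Slot *via_old = obj_get(old);
    Slot *via_fresh = obj_get(fresh);
    int ok = fresh.index == old.index && via_old == NULL &&
             via_fresh != NULL && strcmp(via_fresh->name, "second") == 0;
    obj_free(fresh);
    return ok;
}

/* Scenario: freeing the same handle twice is reported, not silently repeated. */
int double_free_is_refused(void) {
    Handle h = obj_alloc("once");
    int first = obj_free(h);
    int second = obj_free(h);
    return first == 1 && second == 0;
}

int main(void) {
    printf("stale handle refused: %d\n", stale_handle_is_refused());
    printf("double free refused:  %d\n", double_free_is_refused());
    return 0;
}
```

The point of the scenario functions is the slot reuse: with raw pointers, the "first" object's stale reference would silently read whatever "second" put in the same memory, which is exactly the condition the advisory describes; with the generation check the stale lookup returns NULL and the caller can treat it as an error.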

If you’re attacked through the Internet Explorer security vulnerability, a hacker could get the same administrative credentials you have on your computer. This could include access to sensitive information not only about yourself but your employees and customers or clients, too. Users with less access on a specific computer who are hacked would be less impacted by the security vulnerability, Microsoft notes.

For the attack to happen, a computer user would have to click a link to the attacker’s webpage sent via email or instant message. When the link is clicked, the website can exploit IE’s security glitch, allowing the cyberattack to proceed.

Microsoft says in its Security Advisory that any patch to mitigate this vulnerability with Internet Explorer would likely be issued in a monthly security update. However, depending on how soon a new patch is developed, Microsoft might elect to issue a special security update for most of its users.

Outside of Windows XP users, Microsoft says people can work around the security flaw in its browser in several ways, depending on the kind of Microsoft product being used.

For example, users operating on the Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 can enable the Enhanced Security Configuration mode. This should mitigate the security risk, Microsoft says.

Meanwhile Microsoft Outlook, Microsoft Outlook Express, and Windows Mail users should open HTML emails only in the Restricted Sites Zone. Clicking links in the ordinary email program could exploit your browser’s security flaw, Microsoft warns.

This is the first major security flaw with Windows and Internet Explorer since Microsoft discontinued support for the XP operating system. Microsoft announced earlier this month that it would no longer issue security and software updates for the once-popular operating system. So when Microsoft does issue an update to address this IE vulnerability, it will likely not be compatible with Windows XP.




Getting New Tech Is Great. How Do You Properly Throw Away Your Old Technology?

Throwing away your old technology is great - but it can be dangerous if you do not properly dispose of it. I’ve asked Shelley Zimmer, WW Environmental Leadership Program Manager, HP to share her insight about it.

This spring and summer, if you’re thinking about revamping your office or investing in new technology, remember to keep two things in mind - the environment and your business’ security. If you’ve weighed your options and upgrading your current technology with new solutions isn’t a possibility, it’s essential that you remove sensitive data from devices and meet environmental goals when trading out the old for the new.

Why? Because technology hardware often contains customer account details, private records and proprietary data - sensitive information that, if handled inappropriately, could expose you to legal liability and other damages. Further, most technology hardware contains substances that can impact the environment, and their disposal should be handled responsibly.

With this in mind, here are three tips for securely and environmentally disposing of your office’s technology:

Think security first.

The first step in disposing of hardware: back up your data. Whether you’re letting go of a printer, laptop, PC or mobile phone, ensure that the data you’re about to destroy is easily accessible elsewhere if needed. This can be done through backup programs or a manual backup, like saving information to an external hard drive.

After backing up your data, there are several options for securely removing information from hardware. When working with PCs and laptops, there are some free programs for safely removing data, but you can also check with the technology manufacturer about safely removing information. Vendors and technology providers typically offer services such as shredding and degaussing.

Shredding is the most secure way to destroy hard drive information. This method physically destroys the equipment in a hard drive shredder - if you choose this option, check that the service provider recycles the materials after destruction. Another option for securely removing data from hardware is degaussing. Magnetic drives such as hard disks are destroyed by this process, which removes or reduces the magnetic field of the drive, destroying the data on the device.

 Don’t forget about environmental impact.

When getting rid of technology, you should consider the environmental impact. If at all possible, avoid letting your old technology end up in a landfill. There are plenty of recycling options that technology manufacturers and environmental programs offer.

But remember: being conscious of the environment is more than just recycling your shredded or degaussed technology! There are other forms of recycling, like hardware buyback, trade-in and donation programs. Through these services, you can donate hardware like PCs, monitors, printers, cameras, smartphones and more to non-profit organizations and schools. Manufacturers and retailers also offer buyback programs for small-to medium-sized businesses, where you can get cash back for your old technology, and the technology will either be recycled or donated.

Lastly, remember to recycle the supplies that go along with technology, like paper and printer cartridges.

What’s next? After you’ve taken all the necessary steps to safely, securely and environmentally dispose of your old technology, consider investing in new hardware that will reduce your environmental impact. The green features of today’s technology will help you reach your environmental goals and save you money. Look for products that offer Energy Star qualification. These ratings will give you an idea of a device’s environmental impact.

Shelley Zimmer is the worldwide environmental leadership program manager of printing supplies at Hewlett-Packard. Shelley’s projects include influencing product design for future environmental features and communicating environmental attributes of products to consumers. Her interest is to move consumers to purchase products that are better for the environment.



What One Old Uniform Company Knows…That You Don’t

Jim Wasserson thinks about uniforms all day long. More than 100,000 of them. As CEO and President of Clean Rental, Wasserson, whose grandfather founded the company in 1918, is a born-and-bred expert on what makes uniforms unique, memorable, functional, clean and comfortable.

Sounds simplistic? Not when you consider that Clean Rental clothes professionals for more than 10,000 clients in industries ranging from pharmaceutical and industrial to medical and consumer, plus utility. Chances are, if you see a person on the job in the Philadelphia region, they may be sporting a Clean Rental uniform. In fact, Clean Rental supports clients within a 200-mile radius of its Center City headquarters, and partners in deals nationally and in Canada.

Originally providing coveralls to factory workers, Clean Rental has come a long way in its first century. Today, the company specializes in larger customers, mammoth businesses with sizable bases of employees wearing uniforms. For the past three decades, the size of Clean Rental has doubled every five to seven years, servicing many Fortune 500 businesses.

How has Clean Rental survived - and thrived - for nearly a century? Wasserson shares four growth strategies that have carried his once strictly coverall company since 1918.

Be Flexible. Be Proactive. Be Engaged.

The company offers industry experience, fresh ideas and an open approach to customer service that asks clients ‘What are your uniform needs’ as opposed to saying ‘You must fit into our mold’ which, as Wasserson is quick to point out, is an important distinction.

Whether service, industrial or professional wear, Clean Rental’s hallmark is its fresh and flexible approach to delivering its services. Clean Rental serves a variety of industries, including food processing, chemical and safety, service industries, manufacturing, hospitality and gaming and healthcare. Wasserson shares:

“With the tremendous consolidation out there in the corporate world, we have had to adjust and be prepared for anything. To be proactive, we have to be very creative in our thinking and ready to take risks.  We have to be very agile and come up with plans to be ready to engage all scenarios all the time. We don’t run from situations that may require us to be extremely flexible. We engage those situations - 100 percent. As we all know, it is a very heavily changing business environment right now and has been for a while - the flexible, proactive and engaged business will survive.”

Establish & Maintain Customer Trust

Clean Rental prides itself on being the uniform rental and cleaning services leader with solutions that fit:

“We are in an industry where our main target accounts are large and, when working with large companies, Clean Rental is superior at remaining flexible and building true partnerships. We establish, early on, a trust level with our customers and that enables us to service them immediately and make adjustments as necessary - we are always focused on making clients happy by being flexible and delivering seamless transitions.”

What’s the biggest thing Wasserson can advise?

“Always, always listen to the needs of your customers and fulfill their needs. Always, always, always listen to your customers.”

Change With The Times

When Clean Rental was founded nearly 100 years ago, it was all about coveralls for factory workers. Today, a uniform is not simply a uniform anymore:

“A uniform can be a blue shirt with blue pants, scrubs or a tuxedo. When working with our clients, we often say to ourselves, ‘What would we want to wear to work every day if we worked here?’”

In many ways, Clean Rental is evolving to be more of a workplace clothing company versus a uniform company:

“That is where we are trending now. We are a flexible company, we change with the times and we change to meet and exceed the expectations of our customers, as well as their taste in workplace clothing.”

Changing with the times, Wasserson advises, means growing with the times.

Embrace Technology

Clean Rental relies on state-of-the-art water softeners, soil-release technology and extra-large water heaters to deliver a truly sanitized, hypoallergenic cleaning service to its diverse clients, many with careers in the hospital and biomedical fields.

When it comes to Clean Rental’s cleaning expertise, how important is technological adoption?

“Technology is extremely important, no matter what business you are in - you have to run to technology, not avoid it. In the uniform rental industry, I would like to think, with all of the merits and successes of Clean Rental since 1918, what we may be best known for is our technology. Regardless of your business or market, investigate how the latest technologies available to your business may boost productivity, improve customer service and leverage your business for the long haul. The business that fears technology is the business that gets overtaken by change.”




60 Percent of Small Business Owners Report Revenue Increase

For the majority of small businesses, increased revenue is outpacing increases in taxes. That’s the consensus from a new survey by online payroll provider SurePayroll. SurePayroll recently unveiled its April 2014 Small Business Scorecard covering the previous tax year.

The survey showed that 60 percent of small business owners saw revenues increase during the previous year. Meanwhile only 57 percent saw increases in their taxes.

The survey also showed that slightly more than 33 percent of those small businesses saw revenue increases of 15 percent or more during the 2013 tax year. Meanwhile, only 20 percent of small business owners participating in the survey saw their taxes increase by that much over the same period.

But despite increase in revenue, most small business owners haven’t started hiring more employees yet. SurePayroll’s survey found that hiring has remained stagnant in most regions across the country. Hiring has actually fallen slightly in the Midwest and Northeast while other areas are relatively stable.

Instead of looking for permanent help, small businesses are turning to subcontractors to handle much of their extra work.

The use of Form 1099 for independent contractors by many small business owners has kept these companies running leaner. According to the SurePayroll Scorecard, 6.52 percent of all the paychecks issued last month went to 1099 workers. This figure has been on a steady rise since February, the survey data reveals.

In an official blog post commenting on the Scorecard, the company explains:

“It’s a bit of a double-edged sword, as increased hiring would obviously be a boost to the economy, yet strong revenues are a testament to small business ingenuity.”

SurePayroll also reports that small business owners are feeling more optimistic about the future. A total of 69 percent of small business owners surveyed said they have a positive outlook moving forward and that number has been rising steadily since February.

SurePayroll is a provider of payroll services to small businesses nationwide. The company’s Small Business Scorecard is provided monthly and surveys the nation’s smallest businesses, those with fewer than 10 employees.




The view from the ground: Managing BYOD

Bring your own device (BYOD) is in full swing, but most FTSE 100 and SMEs are only now realising that there's more to managing the deluge of personal smartphones and tablets coming into the office than brute force alone, reports Doug Drinkwater

Mention BYOD to different people across an organisation and you're likely to get many varied reactions. Some will say that it's boosted staff productivity and morale, enhanced business technology adoption and done all this quickly and with minimum cost. Others - most notably the IT managers - are probably tearing their hair out, uttering the words ‘unmanageable chaos' and bemoaning employees with lax risk-awareness.

The reality is that BYOD is something in-between. A by-product of the ‘consumerisation of IT', it has liberated employees, torn up the rule book on working hours and made agile companies work faster and better. But it is also a big security risk - with the growing number of access points potentially vulnerable to insiders losing the device or data, or hackers stealing information using malware or social engineering tactics.

And yet, there's clearly no stopping this trend. Gartner estimates that one in three mobile devices will be in enterprises by 2018 - that's around one billion units - while IT recruitment agency Robert Half Technology puts the current adoption around three in four of all UK companies.  Reputable sources tell SC Magazine UK that employees at some companies are even being hired on the premise that they bring certain types of technology with them to the workplace.

All of this means that IT departments have to react, and fast too. A study from Forrester shows that 70 percent of enterprises across Europe and North America are expecting to provide more mobile support to their staff over the next 12 months as a ‘high' or ‘critical' priority, and that should perhaps come as little surprise - these devices are not only holding confidential data but are also highly susceptible to spear phishing and malware attacks. They're also becoming increasingly powerful - as evidenced by the new 64-bit processor in the iPad Air and the biometric sensor on the iPhone 5S - making them difficult to manage.

“64-bit iPhones are just as powerful as PCs,” says Norton Rose Fulbright global CISO Paul Swarbrick, when speaking at the first SC Congress in London recently. “We need to consider risk the same way. Technology changes but the problems remain the same. I come across people moving old working practices onto new devices.”

Nonetheless, with IT staffs increasingly evaluating how to manage these personally-owned devices, SC Magazine UK sat down with various information security experts to get a handle on what methods businesses are using to get ahead. Their views varied but Ovum analyst Richard Absalom was keen to point out that with BYOD being driven by consumers, it is natural for the debate to start with employees.

“The first thing to recognise is that BYOD is a behavioural thing. You don't necessarily have to adopt policy,” Absalom said.

He added that most businesses are now enough on the ball with BYOD to recognise that management should perhaps start with acceptable use policies, perhaps leading on to some mobile device management (MDM) or mobile application management (MAM) solution.

“We think every business is now aware of the risks around this,” says Absalom. “Most people know they need to do something - although there are still some that think BYOD is too much hassle and so are not interested in what's going on anyway.”

Mark Brown, former CISO at SABMiller and now director of information security at the consultancy group EY, agrees that views are changing on BYOD and says that forward-thinking companies are starting to realise this is not an ‘IT-only' issue.

“Four years ago it was a brave new world,” he says, adding that a few companies embraced the technology, while some CISOs saw it as a distraction. “Two years ago, people started realising that if you're going to leverage BYOD, you're going to need to involve HR and legal too.”

Subsequently, the ICO has issued guidelines to help data controllers secure work data held on employees' smartphones and tablets, recommending that these devices be locked with strong passwords and managed with software that has data-wipe capabilities.

“Mobiles and tablets are at risk,” Simon Rice says. “They will get lost or stolen. Organisations have to recognise that and make sure there is a strategy in place to deal with it.”



Security of ‘Things' to be embedded

The exhibition and conference set a new record for attendance with more than 26,700 international trade visitors and 856 exhibitors from 35 countries with 1,500 participating in the conference. 

No matter where technical innovations arise nor what their electronic components may be, embedded systems now have a part to play, whether in medical technology, the automotive and aviation industries, household equipment or mobile devices. And as devices communicate, the information becomes vulnerable to interception.

The conference kicked off with a keynote speech from David Kleidermacher, CTO of Green Hills Software, addressing security in the Internet of Things (IoT). Despite seeing IoT as a natural evolution for embedded systems, Kleidermacher noted that the rapid assimilation of trillions of objects into the internet over the next decades poses an unprecedented privacy and security challenge that must be dealt with in advance.

In his paper “Security in Cyber Physical Systems (CPS)”, Michael Wagner of the Nuremberg branch of Fraunhofer IIS (Institute of Integrated Circuits) described security as an integral part of personal computing. There is always talk of huge libraries containing numerous crypto algorithms, key agreement mechanisms, hash algorithms, etc., which leads to an accumulation of the software resources needed to establish a secure connection between any two PCs on the planet.

Since embedded systems use the PC's operating system, they end up with the same software packages. Still, there remains reasonable doubt about how it can be proven that a system is secure. The proof for a standard PC system would have to cover all the modules and components accessible to an attacker: not only the network stacks from the hardware up to the communication sockets (TCP/IP), but also the OS, its process separation, DMA, interrupts and other modules.

And security doesn't only mean the threat of hackers and viruses, but includes plagiarism or licence violations from accessing the local debug features, which is foreseeable for an embedded system, but totally unheard of in the PC world. Wagner showed how the necessary security level can be reached by dividing the system into three parts: first, the stacks connected to the outer world (black), second, a security bridge defence and third, the protected world of secrets (red) with its local interfaces. The proof of security now concentrates on the line of defence inside the security bridge and the separation of the red and black sectors. The bridge software can be concentrated to a few hundred lines of code, enabling a clear proof of security in a short duration. 

Finally, Wagner concluded by describing an architecture that combines cost efficiency, a high security level and M2M features to form a new CPS platform.
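The red/black split described above puts the whole security argument on the bridge: if the red side can only ever receive requests that the bridge has already checked, then proving the bridge correct proves the separation. The following is an added example written for this page, not Fraunhofer's or Wagner's code, showing what such a bridge looks like when it is kept small enough to read in one sitting. The frame format, the two-command allow-list and the red-side state are all constructed for the example.

```c
/* Added example (not Fraunhofer's or Wagner's code): a minimal "security
 * bridge" between the black (external) stacks and the red (protected) side.
 * The frame format, command set and red-side state are constructed for this
 * example; the point is that everything the red side receives has passed a
 * small, fully readable set of checks. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Frame from the black side: [cmd][len][len payload bytes] */
#define MAX_PAYLOAD 16

enum { CMD_READ_STATUS = 0x01, CMD_SET_SETPOINT = 0x02 };

typedef enum {
    BRIDGE_OK = 0,
    BRIDGE_TOO_SHORT,
    BRIDGE_BAD_CMD,
    BRIDGE_BAD_LEN,
    BRIDGE_BAD_PAYLOAD
} bridge_result;

/* Red side: the state the bridge exists to protect. */
typedef struct {
    int setpoint;
    int status_reads;
} RedState;

/* Fixed-shape request; the red side never sees a raw frame or its length. */
typedef struct {
    uint8_t cmd;
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
} RedRequest;

static void red_handle(RedState *red, const RedRequest *req) {
    if (req->cmd == CMD_READ_STATUS) {
        red->status_reads++;
    } else if (req->cmd == CMD_SET_SETPOINT) {
        red->setpoint = ((int)req->payload[0] << 8) | req->payload[1];
    }
}

/* The bridge: allow-list the command, bound the length against both the
 * buffer and the fixed maximum, enforce the per-command payload shape, and
 * only then copy the payload into a fresh request for the red side. */
bridge_result bridge_process(RedState *red, const uint8_t *frame, size_t frame_len) {
    if (frame == NULL || frame_len < 2) return BRIDGE_TOO_SHORT;
    uint8_t cmd = frame[0];
    uint8_t len = frame[1];

    if (cmd != CMD_READ_STATUS && cmd != CMD_SET_SETPOINT) return BRIDGE_BAD_CMD;
    if (len > MAX_PAYLOAD || (size_t)len + 2 != frame_len) return BRIDGE_BAD_LEN;
    if (cmd == CMD_READ_STATUS && len != 0) return BRIDGE_BAD_PAYLOAD;
    if (cmd == CMD_SET_SETPOINT && len != 2) return BRIDGE_BAD_PAYLOAD;

    RedRequest req;
    memset(&req, 0, sizeof req);
    req.cmd = cmd;
    req.len = len;
    memcpy(req.payload, frame + 2, len);
    red_handle(red, &req);
    return BRIDGE_OK;
}

/* Constructed traffic: one good setpoint, one frame whose declared length
 * exceeds both the bound and the bytes actually present, one unknown command.
 * Returns the setpoint the red side ended up with (0x0102 = 258 if only the
 * good frame got through). */
int sample_exchange(void) {
    RedState red = { 0, 0 };
    const uint8_t good[]    = { CMD_SET_SETPOINT, 2, 0x01, 0x02 };
    const uint8_t lying[]   = { CMD_SET_SETPOINT, 200, 0xFF };   /* claims 200 bytes */
    const uint8_t unknown[] = { 0x7F, 0 };
    bridge_process(&red, good, sizeof good);
    bridge_process(&red, lying, sizeof lying);
    bridge_process(&red, unknown, sizeof unknown);
    return red.setpoint;
}

int main(void) {
    printf("red setpoint after sample exchange: %d\n", sample_exchange());
    return 0;
}
```

Note that the length is checked against the fixed maximum before the memcpy and against the actual buffer size before anything is trusted, and that the red handler works on a zeroed, fixed-size copy rather than on the black-side buffer; those two properties are what keep the proof obligation inside the bridge rather than spread across every stack behind it.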

EXTRA: Three branches of security architectures

There are three branches of security architectures. They differ in their application, the risks of a successful attack and in the priorities of the customers. All three use different system designs, algorithms, measures and at times even a different vocabulary to describe common concepts.

The three branches are military security, embedded security (mainly used for mobile phones) and PC security. Cyber physical systems (CPS) are seen as the backbone of the future industry. They act without permanent human control, communicate with other CPS, order material and sell products world-wide and control locally-connected machinery. In the smart grid energy will be traded and generation, distribution, consumption and storage are controlled. The wide field of applications in this scenario includes high volume.




SC Congress exceeds expectations

In an excellent first SC Congress in the UK, held this spring, the ILEC Conference Centre in London played host to a raft of industry expert speakers and an audience of some 180 senior industry professionals, chewing the fat on everything from Edward Snowden and privacy, to BYOD, cyber-crime and boardroom security awareness.

Some discussions got the audience really hot and bothered - the panel on privacy expectations raised questions over NSA and GCHQ surveillance, while the fact that these details had been collected by Edward Snowden - a contractor for the CIA at the time - saw concerns over the insider threat increase. 

“Insider threats, I think, are actually one of the biggest problems,” said Frank Florentine, director of LilyCo, during the panel “Inside, outside, upside-down: Staying ahead of the threat”. He concluded, “At the end of the day you have to trust somebody, but it's trust and verify.”

Elsewhere attendees packed out the main conference room for the talk on BYOD management, while the earlier keynote on security awareness for the boardroom drew a heated debate on the media's role in educating senior executives on cyber security dangers.

One audience member questioned whether the media is having a detrimental effect on security in the event of a data breach, but Channel 4 CISO Brian Brackenborough, formerly of the BBC, said that the media can have a positive role in getting C-level to talk with their IT department.

With the conference seemingly drawing to a close, the Met Police's Mark Jackson tore up the script by delivering a surprisingly honest assessment of the force's expertise with cyber-crime.

“Online is the high street that hasn't been policed,” he said during his keynote speech. He added that catching these criminals was hard enough - crimes often appear anonymous and come across via proxies from different countries - and are made harder by not having the right staff with the right skills.

“We're still trying to train our people like it's 1987, so we need to look at how we train our people,” said Jackson, who added that he needed people with “multidisciplinary tech skills and a detective's investigative mentality.”

The next SC Congress London conference and exhibition is being held at the ILEC Conference Centre on June 3. Stay tuned to www.scmagazineuk.com for more details.



Cyber security: Speaking the CEO's Language

How do you educate the boardroom on the information security dangers the business is facing on a daily basis? That's a difficult question, and one that's done the rounds in the industry for many years.

Fortunately, it appears as though the tide is turning. Security awareness training is now high on the agenda, and security-conscious companies are trying to establish a deeper connection between the CEO and CISO (or IT manager).

The communication problem is perhaps getting easier, and justifiably so. A report from Trustwave reveals that six in 10 FTSE companies now name cyber security in their annual reports, while high-profile data breaches and incoming EU legislation make senior executives aware of the financial impact. However, for many companies, getting time alone with the CEO is one thing; communicating with them in a way they understand is another thing altogether.

This issue came up at the recent SC Congress London, where Thomson Reuters' Daniel Schatz urged IT managers to establish concise communication, but to also stick to their ground on the issues that need resolving.
“Don't get totally stuck by what the executive team is saying in terms of threats,” he said.

Professor Edward Obeng, the founding director of Pentacle, believed to be the world's first virtual business school, says that simplicity is the key to driving boardroom change. “The key to driving change fast, and to keep brains [switched] 'on', is to not surprise them with anything new. Change it into a story,” said Obeng, who was speaking at Gartner's IAM summit in Westminster this year. Obeng said that the second stage should be to remove fears and “keep them coming with you”, by narrating an easily digestible tale where you relate how the fears could affect them.

“The third thing is to engage people, get people excited…you need to engage thinking.” He urged CISOs to use “analogies that fit with your situation” to advise the board on imminent threats, but warned: “They're never going to understand technology, big data, the network - they won't get it - it's not their job. The reality with change is that you have to engage the human. We're all designed the same way - don't scare them, go on a journey, engage people.”

MWR Infosecurity director Alex Figden agreed that Obeng has 'some interesting ideas' and, while he agrees that simplicity in the message is important, the message should be in the language most interesting to the CEO: money.
“It's very simple. In the last year the impact of cyber attacks, studies have shown, has become a very important issue,” he told SC Magazine UK.

“There is a language barrier, but the big issue that comes up time and time again is that you need to communicate in financial figures. In every single case it opens up a discussion, and then releases budget for defence.” He added that examples of recent breaches, and the approximate costs involved, should be given, as everybody has an incident.

“The beauty of talking in money is that they don't need to know the details. Focus on the costs and the remediation.”



A long, hot summer looms

If you are reading this on the first day of InfoSec, enjoy our SC Awards dinner tonight when the winners are announced. For everyone else, check out the winners and highly commended online at scmagazineuk.com as the high standard of entries makes this year's successes especially praiseworthy. 

It's just as well that the industry is upping its game. In this issue, we look at cyber-espionage, among the biggest buzzwords in the industry right now. We know it goes on, partly through the leaks from Edward Snowden, but also because everyone engaged in real-world espionage is involved online. 

Some claim all warfare is moving online. The US government is tripling its cyber warriors to 6,000 by the end of 2016, and both North and South Korea are spending heavily in this area. For all this, deniability remains a key attribute, so finger-pointing is difficult. 

In reality, cyber espionage is just another weapon and given its propensity to hit civilians, it's right that the Pentagon and its Chinese counterparts are working on “norms of behaviour.” Can others sign up too?

According to Daniel Shugrue, we should learn from warfare that a concerted joint effort will be needed to overcome the online adversary.

Yet organisations are increasingly embracing the BYOD trend, which is often difficult to manage.

Elsewhere, Simon Saunders advocates cyber insurance both as a way to mitigate the financial impact of breaches and as a means of getting standardised, independent information risk assessments.

Finally, with 27 percent of Windows XP users failing to upgrade, and several organisations buying extended support, it looks likely that individuals and small business users will continue to use the OS, despite warnings on the security risks.




Viewpoint: Transferring the risk

Companies will have to get used to third-party assessments of their information security risk, says Simon Saunders

Cyber insurance is a fundamentally sound proposition: We're all told it's a matter of when we get breached, not if, and the bigger attacks can have a serious financial impact. Transferring the financial aspect of the risk through insurance is well worth considering. It's not always about the hard numbers, but the impact on the recipient. 

Organisations increasingly understand the value of information security and the likelihood and consequences of being targeted by an attacker, but management needs to understand that cyber insurance cannot be considered a substitute for appropriate information security. Just as organisations insure against fire, they do not stop taking precautions against it.

In this new market there are challenges for both the would-be insured and the underwriter. How does the would-be insured demonstrate that they are an insurable proposition, and a low-risk one at that? There must be considerable fear of being considered an uninsurable risk. It also opens up the risk of a damaging disclosure and subsequent reputational damage, not dissimilar to that at the heart of the recent BBC story in which power companies were deemed uninsurable.

If the insurance sector declares a business an uninsurable risk and a significant attack subsequently occurs, there is then little opportunity to deny awareness of an information security problem. This underlying fear may present a challenging barrier for those considering cyber insurance.

For underwriters there is the obvious desire to sell new, profitable policies at an acceptable market rate and without undue risk. Assessing the suitability of an insurance candidate and setting an appropriate premium is difficult given the diversity between organisations. It never ceases to amaze how two similar competitors can fare so differently when their security is placed under scrutiny, let alone the diversity between sectors. Factor in the lack of historical information on the regularity of attacks, their impact, the hacker community wild card and the tendency for secrecy about organisations' information security profile, and the challenge is clear.

Information security assurance reflects the security posture of organisations, and this has primarily been a self-regulating proposition structured around meeting their own risk appetite. More recently the professional services sector has sought to make it easier to demonstrate that they operate an appropriate level of risk to their current and potential clients. But this fledgling concept is only adopted where there is a demanding, information-security aware client base.

Rather than operate information security as an internal proposition, organisations ought to consider making their position more readily presentable to external agents. It won't be entirely public, but it could be better presented for insurance reasons, for clients, for stakeholders, etc. This medium-term shift is not as challenging as it first appears, and as an interim step either the insurance candidate or the underwriter could commission a short external review to get an expert, third-party risk assessment which can support the actuarial risk-profiling of an organisation. This provides reliable evidence of an organisation's position. If it doesn't paint a rosy picture, expertise is available to manage the risk profile to an acceptable level.

Such reviews would focus on both the intended information security measures and the subsequent execution of these. What does the organisation aspire to achieve and do they actually get there in the real world? While the wider information security industry contemplates being more open regarding information security performance, these third-party assessments will continue to prove valuable to underwriters and the end client.






Movers and makers

»SIEM solution provider LogPoint has appointed Gareth Leggett as its new country manager for the UK and Ireland. Based out of the firm's UK office in London, Leggett will be tasked with expanding the commercial and technical operations, with a particular view to “strengthening the partner-based approach to the market”.

»Capita Plc has acquired IT network services provider Update Infrastructure Ltd for a cash consideration of £80 million on a cash free, debt free basis. The companies have worked together on local authorities in Scotland since October 2011, and have recently worked on a framework for delivering a single public services network for use by all public service organisations within the country.

»Clearswift has appointed Ciaran Rafferty as its worldwide senior vice president of sales. Rafferty has previously held positions at Proofpoint, Sophos, HP and SAP.

»Richard Vines has become the new channel manager for the UK and Ireland at LogRhythm. Prior to his appointment, Vines worked as senior channel development manager at Citrix and also held senior roles at encryption specialist IronKey as well as CA Technologies.

»FireEye has opened up a research and development centre in Dresden, Germany. The centre will initially host fifteen researchers and will see the firm's European R&D team work with local universities to test FireEye endpoint threat defence technology and research threat intelligence. The company already has R&D centres in Singapore and Bangalore (India).

»ValidSoft, a global provider of advanced telecommunications-based fraud prevention, authentication and transaction verification systems, has announced Adrian Kelly as its new chief product officer.

»Enterprise mobility management vendor Good Technology has completed the acquisition of BoxTone, a company which specialises in helping IT departments to identify and solve mobile service issues. The deal was first announced in February and is the latest in a long line of recent MDM acquisitions: Citrix bought Zenprise, VMware acquired AirWatch and Fiberlink became part of IBM.

»ICT and security consultancy Auriga Consulting has appointed Darren Hodder as associate consultant and fraud expert. Hodder is a board member for The Centre for Strategic Cyberspace + Security Science (CSCSS), and is a regular speaker and contributor at a number of industry events, including the Data Risk Management in Financial Services Summit and Cyber Intelligence Europe.

»Sword Active Risk, a supplier of specialist risk management software and services, has appointed John Frain as its new head of global support. Frain was previously business analyst at the company.

»Information security and risk management consultancy NTT Com Security (formerly Integralis) has acquired Germany-based IT security company BDG GmbH & Co. KG for an undisclosed sum. BDG employees will be ‘seamlessly integrated' into NTT Com Security's DACH organisation, which is headquartered in Ismaning, Germany. BDG's executive partners, Helmut Honermann and Karl-Heinz Jaeger, will hold managerial positions at NTT Com Security, while BDG founder John von Simson remains with the company in an advisory capacity.

»Intel-owned McAfee (soon to change its name to Intel Security) is to start supplying security solutions to Siemens Industry Sector, to help industrial companies bolster their security measures. The strategic partnership is designed to complement Siemens' service offerings by leveraging security solutions such as next-generation firewall and global threat intelligence as part of its Managed Security Service, as well as offering professional services. McAfee says that these offerings will provide better visibility and control at the factory level while reducing the risk of IP theft.



Debate: Is the EU Data Protection Act reform Necessary?

Pro: Brian Honan, founder, BH Consulting

The EU Data Protection Directive dates back to 1995, when the landscape was much different. With the advent of cloud computing, the explosion in social media networks, mobile computing technology and the outsourcing of data processing, the limitations of legislation designed two decades ago are clear.

This overhaul of the EU Data Protection Directive is necessary for both individuals and businesses. Individuals need assurance from organisations that their personal data will not be misused or compromised.

Businesses looking to reap the benefits of modern technologies face a potential legal minefield in trying to ensure they comply with the EU Data Protection Directive. Not only are they legally obliged to ensure that any personal data transferred outside the EU is transferred in line with the legal requirements of the Directive; they may also need to ensure that, even within the EU, they comply with each individual member state's adoption of the principles of the Directive.

In order to ensure the individual is protected in today's interconnected world and to enable companies to embrace new technology it is essential the Directive is brought into line with how technology and society has changed since it was first drafted in the last century.

 
Anti: Stewart Room, privacy lawyer and partner, Field Fisher Waterhouse

The sad fact is that the Parliament had an opportunity to nail this regulation a year ago, when the momentum was with the reform agenda. Instead, they got themselves trapped spending months and months on tiny points of detail, driving the reform agenda into a wall. Now, the momentum is with the Eurosceptics, who will be better represented after the election. The vote takes things nowhere. The best thing that the new leaders can do would be to scale back on the ambition and tackle some key points with more precision.

The proposed new regime will make it much easier for regulators to take enforcement action against companies and to impose very large fines. For instance, the breach disclosure regime - notifying security incidents to regulators - will cause a “financial penalty sausage factory” to exist at the heart of data protection law. The new rules will make it simpler for regulators to sanction mere technical breaches of the law.

Europe's preference for far-reaching regulation gives the impression that Europe is becoming “anti-business,” which may harm inward investment and stifle innovation.

The regime will add considerable costs to the bottom line of business. Compliance costs money and there are lots of compliance tasks within the EU's model.



The Growing Risk

Large-scale cyber espionage is not new - it is the methods behind it which are becoming more complex and sophisticated, reports Kate O'Flaherty.

The ability to remain anonymous, or at least to raise doubt over the identity of the perpetrator, is seeing cyber attacks increasingly preferred over physical means. One incident in March saw Ukraine reported to be under cyber attack following the initial physical takeover of the Autonomous Republic of Crimea.

Separately, a group of hackers calling themselves the Russian Cyber Command initiated a true domestic cyber war on Russian military enterprises, threatening that critical infrastructure would be next.

In February 2011, the then-director of the CIA was quoted saying that “the next Pearl Harbour could very well be a cyber attack”. And, in late 2012, Mike McConnell, George W Bush's director of national intelligence, said the nation was waiting “for the cyber equivalent of the collapse of the World Trade Centres”.

Closer to home, it emerged last year that Britain is seeing around 70 sophisticated cyber espionage operations a month against government or industry networks. GCHQ director Sir Iain Lobban told the BBC that business secrets were being stolen on an “industrial scale” and that foreign hackers have penetrated some firms for up to two years. Foreign intelligence services are behind many of these attacks, according to Britain's security service MI5.

A brief history 

Cyber espionage and state-sponsored attacks aim to steal secrets and gain knowledge, as well as to bring networks down. In 2007, Estonia was hit by massive DDoS attacks attributed to Russia, and in 2008 similar DDoS attacks against Georgia preceded Russia's military intervention there.

In 2009, researchers unearthed a large-scale cyber spying operation associated with an advanced persistent threat originating from China, codenamed GhostNet. It infiltrated systems in more than a hundred countries, targeting high-value political, economic and media locations.

Then in 2010, Operation Aurora targeted Google and many other companies to steal intellectual property. Later in 2011, Operation Shady RAT attacked hundreds of governments and companies globally, with a special focus on defence contractors.

But recently, Snowden's revelations have shown that intelligence agencies are fighting back and, like their attackers, they are using malware. This is no surprise, says Calum Macleod, VP of EMEA at Lieberman Software. “You have the minor regional stuff, such as Israel, Hezbollah, Hamas and the Syrian Electronic Army, using botnets, compromised websites, DDoS and whatever they can lay their hands on to get at each other. Throw in Stuxnet, Duqu, Flame, Uroburos, Careto and the many other variants and revelations that the NSA was complicit in cyber espionage is not exactly a ground-breaking revelation.”

Espionage, whether cyber or otherwise, has been part of society for centuries. There is no doubt that cyber espionage hits state and industry; the two are closely aligned, says Andy Crocker, founder of Protect2020. He says China, which aims to be the world's leading economic power by 2020, is the “biggest threat”.

The industry has been predicting a move away from traditional warfare towards cyber for some time, says Jamal Elmellas, technical director at consultancy Auriga. “What's really driving this is China,” he says. “They are by far the biggest advocate for cyber espionage and clearly it's for economic purposes.”