32 Million Important Records

Are you up on OPM? 18 million personnel records were breached in the Office of Personnel Management. It’s the latest in a string of high-profile data breaches our government has suffered. There’s been some reporting on this, but not nearly enough. The number was first reported at around 4 million, then 18, and now, after a recent congressional hearing, the number may actually be as high as 32 million. But there’s more…

Here’s what you need to know…

1. L. Gordon Crovitz, columnist for the Wall Street Journal, writes, “The Chinese hackers managed to gain ‘administrator privileges,’ allowing them full access to the computers …among other things, they were able to download confidential forms that list ‘close or continuous contacts,’ including those overseas.” He goes on to report, “That’s not the worst of it. The administration disclosed a separate intrusion that gave Beijing full access to the confidential background-check information …that includes the 4.5 million Americans who currently have access to the country’s top secrets. The potential for blackmail is chilling.”

2. Much blame is being cast on the Chinese for this attack; however, Crovitz points out that, given the opportunity, any government that has access to another government’s records is going to take them, the US included. It’s up to the US government to make sure our data isn’t available to other countries. We saw fines and personnel changes when Home Depot and Target were hit – what happens when the Government, the one that imposes these fines on private sector companies, makes the same mistakes? It’s an interesting question…

3. The fallout is potentially big.  While a recent Wall Street article suggests that the US data has not shown up in online chat rooms yet, Crovitz calls this issue a much bigger problem than Edward Snowden’s breach. He writes, “Millions of patriotic Americans entrusted with national secrets are going to lose much of their privacy because their government was unable to protect their confidential personnel records…That loss of privacy dwarfs the hypothetical risks from the NSA that have dominated the headlines.”

4. Other reports discuss national security… These “hackers accessed not only personnel files but security-clearance forms, current and former U.S. officials said. Such forms contain information that foreign intelligence agencies could use to target espionage operations” (WSJ). Apparently government officials announced the personnel attacks, but held back on the security-clearance theft for at least a week.

Stay on top – learn the sound bites… in my book, The House & the Cloud, chapter 6, I discuss the power of sound bites and how to effectively use them (and how not to use them) in a sales call.

© 2015, David Stelzl

LogJam Is The New HeartBleed… ATM Theft Is Out Of Control

Cybercrime is Soaring – The Need For Qualified Security Providers is Great!

If you’re looking for the big technology growth areas – security is it.

Did you read the Wall Street Journal yesterday? Several important articles. First, you’ll want to know what LogJam is. This SSL vulnerability is a result of the 1990s US export restrictions on encryption. US law limited the encryption that could be used by “international versions” of US-made software, mainly web browser applications.

These restrictions no longer exist; however, the SSL weakness comes from something called a Diffie-Hellman key exchange, and it allows a website to be compromised by a “man-in-the-middle” attack. From my reading, this approach may have been used by the NSA in monitoring communications between some foreign countries – but could also be used to attack companies you work with.

The patch is coming – but the experts expect about 20 thousand websites will no longer be visible online once the patch is in.

Second, the ATM Crisis Is Mounting.

Two important soundbites were published yesterday on ATM security.  (1) Non-bank ATM skimming has grown over 350% in the past year.  Bank-owned ATMs saw more than 170% growth.  Between camera technology and skimmers mounted on the fronts of the ATM machines, our cards are being stolen at an alarming rate.  (2) While banks are scrambling to convert to chip and pin cards with merchants, ATMs will likely be vulnerable for at least another year.

While this might not be something your company deals with – small business owners should be aware that, while personal accounts are often covered when someone does gain access to their account, small business accounts may not be.

We covered this in detail in my recent SVLC Insider’s Circle Interview with John Sileo – ID Theft Expert.  If you don’t have John’s interview recording, you can join the Insider’s Circle and I’ll send you a copy of the interview (Read More Here).

Other recent articles talked about the urgency for businesses to move toward cloud and digitalization, and Google’s new approach to security. It’s all coming together – but in order to be in the game, your company will need to ramp up in certain areas. This is not managed services as you know it, and it’s not firewalls and firewall management either.

© 2015, David Stelzl

Are You Getting Through To New Prospects?

Yesterday I posted some strategies to find new customers using LinkedIn.  Having used this method myself for several months, I’ve been amazed at how much easier this is than trying to reach out to someone I don’t know by phone or email. It does work.  However, there’s a catch…

On May 21st, Ingram Micro is sponsoring an online workshop (Click to Register) where I’ll be covering effective messaging for prospecting in detail. If you want more clients, you need three things:

Understanding Your Market.  

This is your people group. It’s the person you are reaching out to. But knowing they run a small business, or serve as the CISO for a Fortune 500, is not enough. We all have a target market – if we don’t define it properly, we end up with nothing. In fact, I was meeting with a guy not too long ago with this problem. When we first connected by phone he claimed to know just about everything there is to know about technology. From his point of view he could sell any technology solution to just about any size or industry prospect. But when I asked him how many active clients he had, his answer was in the single digits! It turns out that having a broad view of the market often leads to a watered-down message.

Second, you need a Message.

This is what I’ll be spending most of my time on in the upcoming workshop. Every company pretends to have a message – the problem is they all sound the same. Good messaging meets a person where they are right now – then takes them to the place you need them to go. If your message isn’t built for a specific people group, it won’t move anyone to action.

Finally, there’s your media.

On a coaching call yesterday, with a well-seasoned enterprise rep, we were reviewing this final step. It was an ah-ha moment. The salesperson I was working with is successful, has a well-defined people group, and knows their message. As we worked through these concepts there was a sudden awakening! The media discussion brought in a bunch of new ideas. Email and phone are not your only choices. And some people respond better to one medium over another. Finding out which one is important. It’s also helpful to see how to turn something we all have, like a website, into a marketing tool. The truth is, most of the reseller websites out there are nothing more than a datasheet online.

Remember, if it doesn’t convert, it’s not marketing.

© 2015, David Stelzl

P.S. Don’t forget to sign up for the Ingram Micro Workshop: (Click to register)  – May 21st, 1:00 PM ET.

We’re all on LinkedIn. So Why Not Use LinkedIn To Prospect for New Business!

New Logos are hard to get. Cold calling is not really working, and it’s no wonder. The people we are calling are getting thousands of calls, and unlike email, calls take an incredible amount of time to make and return.  However, email is hard too. Getting noticed in email is a one-in-a-million chance. It’s easy to delete an email.  But LinkedIn seems to work.  The open-rate is actually higher than normal email. I know they say that in the ads, but based on my experience, it’s true.

Have you tried LinkedIn for active prospecting? I thought I would provide a few tips here on how to make use of this great tool. It’s funny how many of us are on this cloud application. It’s the one hole in the great wall every business leader has surrounded themselves with. And it does work. In fact, I just got off the phone with a VAR Business Owner. He can’t get his sales guy to make use of LinkedIn; however, in the past week he’s landed 3 sizable deals himself, simply by spending an hour each day reaching out to people. Meanwhile his sales guy is pounding the phones with little to show for it.

Here’s One Way to Use LinkedIn to Find New Business

1. First, you will need an upgraded account. I use the Business Account for $23.99/month.  This gives me more access to see people’s profiles before connecting, and unlimited use of the advanced search capabilities.

2. Next, you need a way of getting around the InMail limitation. You only get 5 InMails (Emailing within LinkedIn) in the business level account. But the next level up only gives you 8, and the top level is 15. If you’re in sales, none of these options will work.  So here’s what you do…

  • Use the advanced search function to find the people you are looking for. Consider searching titles, companies, or types of businesses.  I find that setting a block of time, such as an hour, and then focusing my search on something that will give me a few hundred hits works well. I’ll then spend that hour contacting people from that one search.  This saves time.
  • You can try connecting.  One person I spoke with will contact someone they know, who is connected to the prospect they’re after, and get permission to name them. They are not asking for an intro – that takes too long. Instead, just to name them. This increases the likelihood of connecting.  A Connect request does not use an InMail.  The only problem here is that waiting for your contact to respond might be too cumbersome.
  • Another option is to use the groups. If that prospect is in a group that you belong to (if not, just join a group they are in), you can click on the number of members in that group, which will display all group members. Search for their name and click MESSAGE.  This message will not count against your InMails either.

3. Offer them something.  I like to offer content – a free copy of one of my books or a special report on some topic that seems relevant.  Cloud security has been a good one.  Adam Witty, in his book Book The Business, does a great job explaining how to connect with people using books and reports. It’s much easier to connect with content than to connect trying to sell something.  (Note: I will be interviewing Adam Witty in June on my Insider’s Circle Program!)

4. Follow up.  Try offering your content 3 times, one time per week. I get about a 50% acceptance on this. Usually it’s the 2nd email that does it.  For some reason people respond to a message that refers back to the first message more often than replying to the initial try.

5. Don’t give up. It’s important to know your product or offering is valuable. Like any prospecting effort, there will be those who respond negatively. In fact I had one today. The thing that amuses me here is that I am reaching out to salespeople and sales managers. So today I sent my third and final email offering my book – it was sent to a vendor you would recognize in the security space; he’s the regional sales manager. His reply simply said, “Leave me alone.” I was tempted to email back asking him how he would counsel his sales team with this type of response. But I resisted the urge. There’s no reason to get into it with people…just move on, continue spreading your value until someone responds with a need. Remember, it’s their loss not yours…

© David Stelzl, 2015

My latest promo video – educating businesses on the need to secure their data…it’s funny how many sales people are coming back to me, telling me their prospects still claim, “They have it covered!”  Read my book, The House & the Cloud, 2nd Edition to see how I respond to this claim…

The Future of IT - Trying to manage mobile devices they don't own.

Managed Services is Quickly Commoditizing

Yesterday I met with Bob Howard, founder of Contact Science (a firm specializing in telephone prospecting productivity). We were exchanging ideas on prospecting – specifically in the SMB managed services business. The SMB managed services business is quickly commoditizing – becoming a price per box sale just like the PC business a decade ago.

That’s bad news for those who have been working to build this economic engine over the past decade.

But it’s not over – it’s just changing.

What Does The Future Managed Services Provider Look Like?

I guess there are many answers to this question, but undoubtedly, security is central to the long-term SMB business requirement. There are some offerings that are pure security management – but I don’t see the SMB company hiring multiple companies to manage their systems. They need one – and it will include both the commodity and the security.

SMB Security is extremely relevant.  Note, I am not talking about firewall management – that too is a commodity. Anyone can provide this.

Last week I spoke to 24 business owners in Tennessee. One single sales rep was able to pull in 24 lunch & learn executive-level attendees – mostly new logos, for a single event. The results? 100% of them moved to the assessment stage. This was not a product dog and pony – it was an educational event put on for the benefit of small business owners.  The hosting company ended the session by offering an assessment; every business owner saw the need and jumped on it.  Security is in high demand – when presented correctly.

The Future Security Offering

So what does the future MSSP offering look like? If you look at what’s happening in the enterprise space, it’s significant. CISOs are recognizing that they can’t really keep the hacker out. They also see IT control fading as end-users bring their own computers to work (iPads and phones), accessing thousands of unapproved apps. Corporate data is everywhere – and in many cases, stored and transmitted in clear text.

New technologies are popping up to manage this new intractable world. Companies like RiskIQ are searching the web to analyze a company’s attack surface – finding anything online related to that company, and discovering data outside the firewall. They can also look for rogue apps sporting a company’s logo – apps that are not necessarily part of that company’s program.

Yesterday, WSJ reporter Rachael King wrote a piece on cloud apps and security brokers entitled Companies Sniff Out Employees’ Cloud Habits. Interesting article. This technology helps companies find the apps their end-users are using, and enforces policies around them such as blocking or encrypting data destined for the cloud.

In my latest version of The House & The Cloud (2nd Edition) I invited guest author, Steve Rutkovitz (Founder and President of Choice Technologies) to write a chapter on managed security services he is offering through small resellers to provide compliance and event correlation.

All of these are growing needs. As Mike McConnell, former Director of National Intelligence under George Bush, put it, “We need predictive security” intelligence. He talks about having the people who possess the trade-craft to analyze the data and respond accordingly. The SMB can’t afford this. The programs I’ve referenced above are targeting large companies with big security budgets. But through cloud and managed offerings, the SMB can have it. Just as CRM, before cloud apps like Salesforce, was once an enterprise thing (remember using Act installed on a DOS computer), the new MSSP for the SMB will bring enterprise class services downstream at an affordable price.

Not Everyone Will Make The Leap

There’s definitely new business to be had. But not all will make the leap. Just this week I was talking with a colleague over breakfast at Starbucks. We’ve both had opportunity to work locally with a Charlotte-based SMB reseller. My one and only engagement with this company was about 5 years ago. Even then I could see this day coming. Their offerings were behind the times. They hired me for 2 days to help them outline a growth plan. At the end of two days they agreed to move forward with it. However, I was never able to get back in touch with the owner.

My colleague reported a similar experience with this same company.  The owner of that SMB reseller had made the investment to get a plan – twice. Yet, he was not taking action to implement. At some point over breakfast, as we shared ideas, that SMB reseller name came up – they’re going out of business.  Why? My guess is they were too busy to consider the future. Now it’s too late.

© 2015, David Stelzl

P.S. Keep up with the trends – join us for monthly interviews with industry experts with the SVLC Insider’s Circle (CLICK TO LEARN MORE)

Yesterday I met with 24 business leaders in Chattanooga to talk about today’s security challenges for small business.

Thanks to NetGain and Silver Sky (now part of BEA) for sponsoring this event – small business leaders need more education on how to secure their data. As we discussed yesterday, the more companies are compromised, the more government will impose expensive security regulations on them.

Unfortunately, compliance regulations are not always the best steps to take when it comes to securing data.

Take for instance the pen test. Many of the regulations out there call for pen testing – the thought is, if you can’t get through with an automated pen test, you’re okay. That’s not the case.

The Wall Street Journal published a great article on Social Engineering, Inc. yesterday – The Man Who Hacks Your Employees. Here’s just one simple example – Chris Hadnagy does a sort of pen testing for a living. Only, it’s not the kind HIPAA mandates. He uses social engineering to trick employees into giving over their credentials. It’s amazing how quickly people will give up passwords, and just about anything you ask for. All you have to do is sound like someone who should be calling, and ask.  If you have access to the WSJ article above, it’s worth the read. Once he’s tricked them, he has their attention, and can provide meaningful input on what not to do in the future.

100% Sign Up...

NetGain did offer this group a complimentary assessment to check some of the issues I discussed.

They’ll be following up to help these business leaders understand what they should be considering for security as they look at cloud services, mobile devices, and move closer to the Digitization Megatrend we keep reading about. Every business leader saw the need for this – 100% of them signed up to see where they might be at risk! This is the first step in keeping data safe, and avoiding unnecessary bureaucracy.

© 2015, David Stelzl

P.S. In a few weeks I will be launching a new website dedicated to corporate security user awareness and helping executives and business leaders understand how they can start taking the right steps to secure their data.