I told You So (Yet another Facebook scam)

Trolling through the news this evening I found an interesting article on how Whole Foods got scammed. Okay - Whole Foods wasn't exactly scammed - but their loyal customers were. You can read the article here from CNN.

Just how easy was it for someone to set up a fake page, direct people to fill out a form to gather sensitive information (all for a chance at $500 in free groceries) and then slink away with data on who-knows-how-many people (worth $$$ on the black market)? A simple operation using social engineering on a social network. How long was it there before it was discovered? How many people were affected? And to what extent? Would it have happened IF Whole Foods hadn't had a Facebook page?

 There are no controls to prevent anyone from setting up a business style page (or a fan page of one for that matter) - I could set up Sears or a local church and still garner a good bit of nefarious information. So what is a firm to do? How does a company maintain its integrity online? I am sure this event will not be the last of its kind. Who will get hit next?

I did a quick check 10 hours after the article was posted to see what kind of damage control Whole Foods was setting up. I was rather dismayed: a simple single Wall post (almost buried by useless banter) advising consumers that only THIS page would provide valid offers, and nothing was even mentioned on the official main web site. So I am left to wonder if the people who were scammed even know the difference between an 'official' company Facebook page and a fan page. Why should one take note of a seemingly simple look-like-the-rest post? I can almost bet that at least one reader saw their 'warning' post and actually looked for the page so he or she could apply for that free food! (Yes, it really is THAT crazy out there.)

While I am not privy to the kind of data elicited from people, I can pretty much assume something of value was asked for. Bank numbers? Credit card? Address and/or social security info? Passwords?

I was originally going to write this article to discuss how much it potentially cost Whole Foods for damage control. Media releases, internal follow-ups, legal obligations, and the like - but seeing a minimal response to such a scam enlightened me that perhaps, in light of it all, Whole Foods has no obligation to do so. Could they have prevented it from happening? Doubtful at best. Should they assist those scammed? Probably, but to what extent? Therein, my friends (and readers), lies the heart of the matter - should someone be responsible?

The fallout of such a scam has the potential to affect 1000s of people either financially or with identity theft or both. Are people so easily misled on the web? Yes, sadly, but admittedly even the best and the brightest can fall victim to any number of scams at some point. I recall a few years ago a local web firm was praised for an award in the local media. Turns out the 'award' was paid for by the business, which, in turn, was scammed out of a fair amount of money in return for a cheap plastic award and, more than likely, not a small amount of humiliation. From simple Facebook scams to complex hoaxes, it's human nature to get suckered once.

So what happens to the people affected? Apparently each is on their own. No guidance on how to navigate the horrible world of trying to recover. It may take years for many to recover, if ever. No support, no class action suit, no special legislation investigations. The hard part is, some may not even know it right away.

So, back to the question of how a company should react. It will be a test of balancing moral and ethical approaches against the bottom-line dollar figure. If it was your company that had customers scammed by a fake setup, what would you do?

8. April 2010 20:01 by Administrator2

 

 

 

8. April 2010 20:01 by Administrator2 | Comments (0) | Permalink

Cloud Challenges

Cloud computing is a long way from reaching its zenith. It's not a solution for everyone, and unless you're dealing with terabytes of data or logic or have a really high number of users (hundreds of thousands+) the cloud is probably not a good fit.

Alongside the complexities of determining the need to go to a 'cloud' environment are the even more complex engineering tasks of databases and security compliance.

Yes, there are databases in the cloud, and yes, there are successful implementations of data layers being stored across hundreds or thousands of servers, BUT ensuring continuity and that the software is well maintained (including patching as needed) is a virtual (and real) nightmare. Compound this with not being able to test patches before they are applied and you have a logistical crisis. Whether it is an OS or a database update, the actual integration is out of your hands (remember, you're in a cloud now). No programmer or engineer wants updates rolled out without their knowledge; they want to test things to ensure nothing breaks, or to fix it before it's actually live. So just how does one ensure their content, data, or logic will perform as intended with updates? Ah, let me know when you can answer that.

Then there is the issue of security, namely HIPAA compliance and/or other mandated regulations. Do you really want your medical data flying around in the cloud? A lot of discussion is currently surrounding this very issue. Lots of pros and cons out there. Privacy versus access to accurate information by medical providers is the key pivot point in many of the arguments. We're talking way more than simple SSL encryption here. SSL only protects the data while it is in transport; it does nothing to encrypt the data itself where it is stored. Imagine 1 medical record, where almost every data point is stored on a different server in the cloud - that's lotsa data and lotsa servers. Now extend this to thousands or millions of records. The cloud just isn't THAT specialized yet.

27. February 2010 05:18 by Administrator2

More on why social networking is NOT a business tool

I'm sure many readers have seen the headlines where social networking is getting a bad rap - and with good cause. It's TRUE! I will be keeping this entry updated with national news headlines and links so you can see for yourself.

Oct 20 2009
Cyberthieves targeting Facebook, Twitter (link) from CNN

Oct 6 2009
Facebook imposter scams (link) from MSNBC

Sept 30 2009
Social media an inviting target for cybercriminals (link) from CNN

Unknown Date
Twitter: A Growing Security Minefield (link) from MSN

6. October 2009 07:17 by Administrator2

Behind the times? Old school designs and how to ID them.

Of late I am seeing NEW web sites still being designed with duplicate text menus in the footer. Marketing and hybrid agencies will say these are for search engines. I have to laugh, because THOSE links were originally designed for browsers that didn't use images OR as a Section 508-compliant alternative to a graphical menu.

See, back in the day when the first browser wars were just starting (circa 1998-2000) web sites were just coming into the equivalent of their 'teenage' years. No real standards existed but some general ideas were in place. A text-based alternate menu below the main site was used quite often for Mosaic-style browsers or for visually impaired users. People also designed some fancy JavaScript menus, but since JavaScript wasn't fully supported, an alternate text-only menu was also sometimes used to overcome this issue.

Today marketing and hybrid agencies will tell you the footer menus are for search engines. Not so. They are just another set of links and are treated as such by search engines. Continuing to utilize such design attributes is basically 'old school' now. Search engines really do not know what those links are, and couldn't care less if they are in the content or elsewhere on your website. Internal linking is more or less neutral, and generally doesn't improve your overall rankings - but it doesn't hurt either.

Not to mention, a well designed main menu system will use text instead of images anyway - so the duplication for screen readers (re: visually impaired) is also now a moot point. Modern screen readers coupled with good best-practice design overcome many of the frustrations visually impaired users experienced at the turn of the century. The redundant text menu is only needed if the site is in Flash or uses images for its menu system.

Another common design myth is that the design shouldn't exceed 800 pixels in width. This was true back in the 1990s when monitors were set up for the average user at 800x600 pixel resolution. Today, the most common resolution is 1024x768, and as more and more wide screen monitors pervade the market this will probably expand to 1200 pixels wide in the very near future. Web sites designed for 800px are no longer the norm and can be a hindrance to the user in terms of content text size and textual real estate.

31. May 2009 04:09 by Administrator2

SPF record checking

SPF (Sender Policy Framework) lets a receiving mail server check whether the host sending a message is authorized to send email for the domain name it claims to come from. Only 1 SPF record can be used for any given domain. This is helpful in stopping 'spoofed' emails.

To check an SPF record go to http://www.kitterman.com/spf/validate.html
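
An added example (not from the original post): a small offline auditor for a domain's TXT records. It enforces the one-record rule stated above and goes a little further by checking the RFC 7208 limit of 10 DNS-lookup terms and the 'all' term. The sample records and the example.net names are constructed; fetching the TXT records from DNS is left to the caller.

```python
import re

# Mechanisms that each cost the receiver one DNS lookup (RFC 7208 caps the total at 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
KNOWN_MECHANISMS = LOOKUP_MECHANISMS | {"all", "ip4", "ip6"}
# [qualifier] name [ ':' | '=' | '/' rest ]
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_.-]*)(?:([:=/])(.*))?$", re.I)


def is_spf(txt):
    """A TXT string is an SPF record only if it is 'v=spf1' alone or followed by a space."""
    t = txt.strip().lower()
    return t == "v=spf1" or t.startswith("v=spf1 ")


def audit_spf(txt_records):
    """Return (spf_record_or_None, findings) for the TXT records of one domain."""
    spf = [r.strip() for r in txt_records if is_spf(r)]
    if not spf:
        return None, ["no SPF record published"]
    if len(spf) > 1:
        # More than one v=spf1 record is an error, not a merge of the two policies.
        return None, [f"{len(spf)} SPF records published; receivers return permerror"]

    record, findings = spf[0], []
    lookups, seen_all, has_redirect = 0, False, False
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        qualifier = m.group(1) or "+"          # a missing qualifier means "+" (pass)
        name, sep = m.group(2).lower(), m.group(3)
        if sep == "=":                         # modifier such as redirect= or exp=
            if name == "redirect":
                has_redirect = True
                lookups += 1
            continue
        if name not in KNOWN_MECHANISMS:
            findings.append(f"unknown mechanism: {term}")
            continue
        if seen_all:
            findings.append(f"'{term}' comes after 'all' and is never evaluated")
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            seen_all = True
            if qualifier in "+?":
                findings.append(f"'{term}' does not reject unauthorized senders")

    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms; limit is 10 (permerror)")
    if not seen_all and not has_redirect:
        findings.append("no 'all' or redirect; unmatched senders get 'neutral'")
    return record, findings


# Constructed sample TXT record sets (not real DNS data).
SAMPLES = {
    "good": ["site-verification=constructed",
             "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"],
    "duplicate": ["v=spf1 mx -all", "v=spf1 include:_spf.example.net ~all"],
    "weak": ["v=spf1 a mx +all ip4:192.0.2.10"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        record, findings = audit_spf(records)
        print(label, "->", record, findings or "OK")
```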

4. May 2009 07:05 by Administrator2

Marketing - The NEW security Threat

At a seminar on data security I recently attended, one of the key topics of discussion was the fact that instant messaging, social network sites, and even business networking sites can be a source for compromising business computers and networks.

So this leads one to ask, which predicate should prevail? Is marketing your company via potentially dangerous methods worth it? Another way to ask this is: What cost to bolster security is too much for utilizing these marketing avenues? As in real life, the murkier the neighborhood, the more likely you are to take steps to increase your own personal safety.

Examine any given Facebook or MySpace page and you are sure to see "apps", or small embedded programs that do specific things. Do you KNOW what data they are collecting about you when they load? Where is that data being recorded? Is that "app" potentially dangerous? Both of these sites have been in the news for compromising user computers.

This is a real challenge - with the prevalence and proliferation of social networking sites, apps, plugins, and the like being used as 'business marketing' we have to ask - are companies inviting nefarious consequences into their network just to keep up with the Joneses? Small businesses probably cannot swing the $4-10k hardware appliance to monitor network traffic and protect them, as most find it a challenge just to keep anti-virus software updated. Oh, you'll probably need an expert to operate that equipment in most cases (salary $45k+/-). The logical way to reduce the risk of being compromised, without the cost, is to just NOT do that via company computers or devices. Suddenly free marketing avenues aren't quite all that after all.

It's hard to convince people that something isn't good when millions are doing it. Keep in mind that the MAJORITY of those users are not concerned with security or protecting your data/network. (Some may actually use social engineering to garner information!) Sooner or later you'll be invited to do something from someone's Facebook or MySpace page - click this link, check this out, join my ____, or whatever. Stop and ask if that REALLY has a business need.

Security can get expensive very quickly - bouncing back from a security compromise can be VERY expensive, but with some easy common rules of what is or is not accessed on your network, the costs can be minimized to a certain extent.

If you have more than 5 computers in your business - you SHOULD have a computer use policy. It should address the appropriateness of visiting certain sites or types of sites. That decision should be based on the level of security you can invest in. Good computing practices and policies can go a LONG way (but that is still no substitute for quality security hardware and software designed to protect your business).

23. April 2009 13:21 by Administrator2

Who has your back(end)? Part 2

Content Management Systems - Updates and Custom Features.

Disclaimer: Digital Beckley does not use any commercial (free or otherwise) CMS products. We use our custom TDCMS to allow customers full editing capabilities.

If the company you are using created your site using a CMS, ensure the software is updated!! This is something YOU should be doing: watching the web site of your CMS software of choice for update releases. So say your web firm is using Joomla, you should be monitoring the Joomla web site for when new versions (or updates) are released. Drupal's site is here.

Responsible web firms should be updating the CMS versions as new ones are released. This is something that you should discuss with the firm of your choice.

Keep in mind that this needs to be done perpetually for the life-cycle of your web site. Is this a bad thing? I guess that depends on WHO is monitoring for the updates, and whether the web company is being proactive about ensuring updates are performed at release date or reactive, waiting on you to request an update. This is probably something you should see in writing.

As for custom features, there are a LOT of possibilities. Joomla and Drupal both have extensive capabilities to be expanded via the use of modules. But even these modules will have their own set of restrictions. Some may be free, others may have a cost associated with them. Oh, they probably have specific licensing criteria too. Ask if your site uses any modules and if so, ask to see the license for each one. And again, find out if there are updates for each module.

We're waiting on an update.
Ever heard those words? No? Sometimes it's just not so obvious. Are there delays when you request updates to your site? If you've ever had to ask for the same update for more than a week or so, do inquire as to why. Sometimes web companies are backed up with update requests and sometimes they are just waiting on a CMS or module update.

Depending on the type of custom feature you need, the web company can either make the code changes themselves (fastest) OR they can request the module's working group to make the changes (most stable). However, there usually is a caveat with the web company making any code changes. In many cases, if they change the underlying source code they may be required to release the code base to everyone. For example, if they make changes to the core Joomla code, they are NOT required to distribute the code (but they can), but a module license may require that any changes be sent back to the module's owner or working group. That's why it's important to read (and understand) those licenses!

So when you request changes or custom features be sure to ask if this change is just for you or if you will be paying for everyone in the world to have the same update.

These are just some of the 'cons' of using off-the-shelf CMS applications. There are benefits to using these types of CMSs: they can save development time and usually can be deployed very quickly. But sadly, in too many cases companies shopping for web sites are not aware of these issues. It's complicated, it's technical, and it can have broad-reaching legal requirements.

Open source CMSs have come a long way and they provide a great way for companies to get on the web. They are used by a broad range of organizations, from individuals to Fortune 500 to Federal sites. Just like many companies prefer to have their sites custom designed, many will choose an Open Source CMS. There is no right or wrong, it just boils down to the intimate needs of the customer. Your web firm should take time and explain EVERY detail to your satisfaction.

11. April 2009 04:33 by Administrator2

Web site loads test on different bandwidths

http://www.websiteoptimization.com/services/analyze/ is a handy little tool for calculating web site load times for dialup and base broadband user experiences. Does a nice job of breaking down the page parts showing sizes and speed.

30. March 2009 17:19 by Administrator2

Who has your back(end)? Part 1

A content management system, or CMS, is the key to a real-time data-driven web site. There are over 2,000 CMS applications; some are free, some cost big bucks.

But I'd like to kinda focus on just a few. Particularly Joomla! and Drupal. These are 'good' free CMS apps that can work with some really nice designs. Of course, taking a template and plugging the CMS into it is not rocket science, it's barely even web development.

Let's examine all this for a minute. A "template" is a pre-made graphical user interface (GUI); templates are sold by the thousands online for around $25-50. There are some that cost more, but most template shops are pretty inexpensive. A template usually includes the original graphic files so it can be somewhat customized. Oh, one more note on GUI templates - the vast majority are made offshore. India, China, etc. - places where people get paid very cheap wages to produce high-volume cookie-cutter designs. But these things are sold and resold on the Internet, so it would be difficult to find out the actual origin of who designed it.

Template sites are pretty easy for an experienced internet user to identify right off the bat. (psst - they all look the same).

Next are the popular FREE CMS apps. All designed to show a web site in a particular format, sometimes with a good bit of customization possible through the use of "modules" or "plugins" for that particular CMS. These modules/plugins are usually designed for a specific use such as displaying weather, or getting some kind of Federal data, or providing a level of social networking - the possibilities are very creative.

So far we have a GUI that is under $100 (conservatively) and a FREE CMS that is going to be the basis of your web site.

Now for the hard core part - check your contract or proposal, if the web company is charging you money for or selling you the CMS application, ask to see the full license for it - it MOST likely has to be given away free of charge for any commercial use. Okay, to be fair, the web company CAN charge for the time they work on it - this is probably at best a few hours or days.

Now, I'm not knocking good companies that can take a GOOD template and creatively add a free CMS into it and deliver a good product to the client. It takes talent and experience to do that. What I am trying to drive home is: what are/were you being charged? A couple thousand maybe? That's reasonable, and maybe a little low in some cases. Did you, or are you planning to, drop oh say 15k or more on a web site? I would be finding out PRECISELY what I am being charged for.

There is no real standard for how a web proposal is quoted. This creates its own set of problems. Potential clients are comparing apples to oranges when assessing web companies in most cases. The important thing is disclosure. Find out if your site is custom designed or a purchased template. Find out if your CMS is custom coded or if it uses an off-the-shelf CMS.

Custom designed web sites are just that. Fully custom designed and based off of the client's NEEDS. These are not 1-size-fits-all premade programming. Dedicated professionals design and develop a custom site from the ground up. Every element, every feature specifically tailored for the client. When you see a Digital Beckley logo, you KNOW that site was custom designed.

The analogy I would use is it takes craftsmen and artisans to create a masterpiece but anyone can paint-by-number.

Stay tuned for Part II where I take a hard look at updates and custom features.

 

28. March 2009 05:13 by Administrator2

More on the Social Networking for Business debate

It struck me the other day as I was watching a new emerging trend happen right before my eyes.

If you're normally spending more than 10k/week, you're excluded from this conversation - but for the smaller organization that has a limited marketing expense budget it becomes rather critical.  

The "twitternation" is contributing to higher costs in business. It's free, so how can this be? Simple math. 1 employee using up to 30 minutes a day to read/post tweets, times 240 days, is 120 hours of LOST PRODUCTION a year! 120 hours is pretty much 3 full weeks.

Oh wait, ah you ARE the marketing director/new business development coordinator/your title here. Let's look at another angle, shall we?

Let's say you're making, oh, say $8.00/hour - then this cost is around 960 bucks for a year! Most companies would want to know how to CUT costs by that much per employee (some will spend twice that to learn how). So - what does $1000 buy in marketing today? How many new customers would one expect from that outlay?

Search engines will end up frustrating users as well. Say they see a link to one of your "tweets" only to discover it's so old it's not even in your recent logs - so, seeing everything that's NOT relevant to what they were looking for, they move on instead of spending time searching through your tweets. Oh, some DO take the time to actually hunt for a certain one - hence the conservative 30 minutes mentioned above LOL. Additionally, it's deemed by the searcher that searching for 140 characters of topic matter is MORE important than actually checking a routinely updated web site. (This is not the time for a dissertation on deeming what is appropriate use of the web when one is on the clock.)

Ask yourself when you post: "Is this the same information that goes in the newsletter, online news, email blasts, and the like?" Is it duplication of effort OR is it actually having a positive result?

By decentralizing your media stream you begin to expend a higher number of resources to maintain each and every outlet of information.

I am still on the fence on this trend, BUT if it's working for you, that's great - but step back and take a look at the true cost versus return (new customer/member/etc).

25. March 2009 18:09 by Administrator2

Social Networking is a Business Backfire

You just hired a web company to do your web site and they also interest you in 'enhancing' your "findability" by offering to include social networking sites as part of your marketing package. Dude, you're gonna be everywhere on the net! Alrighty then.

Someone does a web search and finds your MySpace, Facebook, livesite (insert social network here) landing page. Hurray. Oh wait, it looks childish, not all there, something just doesn't stand out. OMG who is in my friends list? The person that JUST did the search for you returns to the search engine and tries again. What happened? Read on. (see 1)

Let’s look at another angle before I tie all this in together. You paid an SEO company (or someone) some big money to get you high rankings in search engines. This means you pay ‘x’ dollars to some firm to make sure your official web site is highly ranked. Anywhere from a few hundred to a few thousand dollars a month is typical. (see 2)

(1) OK, when someone views a site based off of a search result, on the first page they see they decide if that is what they were looking for AND if it is a trustworthy site. Social networking sites are NOT trustworthy. The bad design and the overly friendly, under-substance, branded-in-a-box look really don't help build that CRITICAL level of trust a web user needs from a business. More than likely, a business customer will NOT initiate contact from a social networking site first - they will attempt to find a 'better' web site - then if all else fails (i.e., they’ve exhausted all other resources) they may come back.

TRUST is established by the web site viewer in 1/20th of a second. That is pretty dang fast. If they don't land on your official exceptionally well designed site first - guess what? You lost that chance for trust.

(2) Additionally, all that serious moola you gave a company for search engine rankings was probably based off of significant use of keywords and content relevancy to get your web site ranked. Sad thing is social networking pages do show up in searches. If your official company site statistics show a lot of traffic from social networking sites, WHY then did you pay someone for all the SEO work? For every visit from your social networking site to your official site - you lost valuable traffic information. (Your site statistics software doesn't know what keywords the user entered to get there.)

Hold on, how much traffic is coming from that social networking site? Dang the social networking site is getting more/better/different rankings than the official corporate site. You HAVE to ask yourself – why am I paying someone to keep my web site ranked when that SAME person is encouraging the use of social media? The objectives are not mutually compatible.  

Not convinced? A good business web site costs anywhere from 6-7 thousand to many tens of thousands of dollars, WHY do you want traffic on FREE social sites? Don’t you think that potential customer would be more impressed (and appreciative) with your official site?  

 

11. February 2009 14:51 by Administrator2

You're Paying What for SEO?

SEO or Search Engine Optimization is a complex theory, but it has some common elements that are easy to understand. These include elements such as meta data - keywords, titles, description and content. (Content is the textual part of your web site). All these elements form the basis for ORGANIC searches.

So let's look at some interesting topics:

High rankings in Google.
Don't focus totally on Google. Google is averaging around only 40-65% of the search engine market share, depending on where you look or who you ask. Any firm that pushes Google rankings (or any other single engine like Yahoo) is not performing SEO to its fullest potential. Other engines like Yahoo, MSN, AOL, Ask, Alta Vista are still leading engines widely used on the net. Experienced internet users will use more than one engine when doing research.

High Rankings on 1 Engine can damage rankings on other engines.
That's why some firms will push just one engine like only Google or only Yahoo. For example, Google and Yahoo have different recommendations for the use of keywords. The ordering of, number of, and relevancy relationships - all are utilized differently by EACH search engine. This WILL introduce conflict on the 'proper' way to do keywords - and there is no proper way. It is still a guessing game in the end.

The basic organic search optimization CAN be done in-house by the web site owner if they have the tools or capabilities to update their site. It's not rocket science and how-to information abounds (www.searchenginewatch.com is a good starting point).

What IS it worth?
Well, that depends. The organic techniques YOU can do for free. There isn't a large learning curve to it. Common sense will go a long way here. So do you want to pay a web design or SEO shop $1000 a month (and at an average of $75/hr that comes to about 13 hours of work) OR do you want to pay someone on staff for a LOT less hourly cost?

Oh, so you signed a year contract? Oops. Do you get a refund if your ranking drops? (Remember, you're paying for HIGHER rankings, not LOWER ones.)

Another 'gotcha' is the good ole "inbound link campaign" or referring links from other sites. Be careful here. Link farms are a BIG no-no. If your SEO 'expert' wants to add your link to other sites, make dang sure that the site holding your link is industry related, otherwise it may bring down your overall ranking.

31. January 2009 04:17 by Administrator2

Marketing Firms vs. Web Firms

Perhaps one of the GREATEST myths in having a web site is that it is for MARKETING purposes only. Well, that is what marketing companies want you to believe - that's what they do.

A business web site is for BUSINESS - part of that business is marketing. Once you understand that a well developed business site can support ALL marketing efforts PLUS conduct business online then you will also understand that a site made for 'marketing' purposes is not going to enable you to conduct business in a cost effective manner.

What GOOGLE Says: Design for people NOT for search engines.
Apparently most marketing firms miss this very important piece of information. They will tell you that you MUST design for search engines. (I'm sorry, the last time a search engine bought something from you was?)

A well designed and developed web site by default should have ALL the basic SEO information. Metadata (keywords and description and then some), proper content text, and essential business information in a textual format.

A web site designed by marketing firms may not allow you to actually do business online such as customer service, customer intake, e-commerce, inventory management, or Human Resource functions. THIS is where companies can save money - streamlined and uniform processes.

 

 

13. January 2009 05:45 by Administrator2

About the author

I've been involved in Internet technology since the early 90's. I started by running a BBS, then FIDOnet (precursor to today's e-mail). This in turn led me to start one of the world's first HTML based BBS with Internet technology. Prior to moving back to hometown WV in 2004, I was a developer for numerous companies, including Fortune 500 firms, dot com 'darling' companies, and AOL's public web site (non-member side), including having completed many sites for the Federal government including the EPA, FCC, NIH, and the USDA. I've worked on massive challenging sites, with teams of developers and programmers, all for one single site, and I've worked in companies where I took manual web site production from several weeks to just hours, creating 2-5 new sites a week using automated tools, many with e-commerce capabilities.

It's been an exciting career for the past 15+ yrs or so. Sure, I've stepped on toes, I've hit the proverbial glass ceiling too (in a previous job), I've seen trends come and go (heck, I may have even started a few). I've made some people a lot of money, and I've seen people put their entire life into a web site. I was there at the beginning - where were you?

I've learned to tell what works for companies and what doesn't. The internet is not one size fits all, as social networking is not for every company. Technology is not the challenge. Almost all the internet technology suitable for everyday business is off-the-shelf, the true challenge is change. Change involves education, implementation, and adaptation.