That blanket approach to security caution is unfeasible, ZTE argues, given the predominance of China-based production of equipment from so many vendors. “Particularly given the severity of the Committee’s recommendations,  ZTE recommends that the Committee’s investigation be extended to include every company making equipment  in China, including the Western vendors” the company counters. “That is the only way to truly protect US equipment and US national security.”

ZTE and Huawei were singled out by the US committee over concerns that the Chinese government could use backdoor loopholes in telecoms hardware to access trade secrets among American companies as well as to commit acts of cyberterrorism. In a series of recommendations, the bipartisan group suggested that US companies should look to other suppliers for safer equipment, and called for greater oversight into international hardware orders along with a block on acquisition and merger attempts by either Chinese firm.

“Given ZTE’s cooperation and the facts ZTE has presented to the Committee, ZTE is disappointed that the Committee chose to narrowly focus its review on just the two largest Chinese companies and to exclude Western telecom vendors and their Chinese joint venture partners. Given that virtually all US telecom equipment is produced in China, in some measure, the Committee’s narrow focus addresses the overall issue of risk to US telecom infrastructure so narrowly that it omits from the Committee’s inquiry the suppliers of the vast majority of equipment used in the US market. ZTE is a relatively small US telecom infrastructure equipment supplier in comparison with most of the Western vendors. Sales of ZTE’s telecom infrastructure equipment in the US comprised less than $30 million in revenue last year. Two Western vendors, alone, last year provided the US market with $14 billion worth of equipment” ZTE

Huawei has already voiced its protest, accusing the committee of being “committed to a predetermined outcome” despite its best efforts at openness. ZTE has taken a slightly different approach, highlighting its existing work with the so-called “Trusted Delivery Model” that sees the company’s hardware, software, and firmware all reviewed “by a highly respected independent US threat assessment laboratory.”

You can find ZTE’s full statement here.

source: http://www.slashgear.com/zte-on-hack-allegations-ban-every-chinese-made-device-for-100-security-09250977/

After questioning over 7,000 IT executives and ordinary employees across North America and Europe, 31 percent cited simple loss or theft as the explanation for data breaches they had experienced, ahead of inadvertent misuse by an employee on 27 percent.

External attack was mentioned in 25 percent of cases with abuse by malicious insiders on 12 percent. The same selection of causes was cited at much lower levels for business partners.

“Whether their actions are intentional or unintentional, insiders cause their fair share of breaches,” said the authors. “Other common sources of breach include loss or theft of corporate assets, such as laptops or USB drives, and external attacks that target corporate servers or users.”

Predictably, the arrival of mobile devices and the consumerisation of IT hasn’t helped matters.

Most organisations formulate policies for securing mobile devices but, paradoxically, lack enough tools to enforce them.

Thirty-nine percent worried about a lack of data leak prevention on mobile devices, with half concerned about the consequences of old-fashioned theft. Thirty percent thought there wasn’t sufficient separation between consumer and corporate data on mobile devices.

The commonest form of mobile device security is password entry plus remote lock and wipe with almost a quarter admitting they haven’t started using any form of data protection at all.

“It’s not simply just a matter of having the appropriate tools and controls in place. It’s worth noting that only 56 percent of information workers in North America and Europe say that they are aware of their organisation’s current security policies,” said the authors.

When data is breached, personal (employee and customer) data accounted for 22 percent of cases reported, with IP not far behind with 19 percent and user credentials such as logins in 11 percent.

Forrester’s findings probably confirm a simple maxim that data breaches are often accidental rather than malicious. What it doesn’t speculate on is whether internal breaches are necessarily the most serious.

Source: http://www.pcworld.com/article/2010527/forrester-report-finds-most-data-breaches-are-caused-by-employees.html

However, 90% do not feel completely safe from hackers, viruses and malware while online.

“The threat to the safety of Americans online is growing every day and as the survey shows the fear of Americans has also grown to 90 percent,” said Gary Davis, vice president of global consumer marketing at McAfee. “It is our responsibility to make sure that consumers are aware of these growing threats so they can be best prepared to defend themselves against these hidden criminals.”

Last year 26% of Americans were notified by a business or online service provider that their personal information had been lost or compromised due to a data breach.

The survey of 1,000 adult Internet users found a disparity between online safety perceptions and actual practices involving smartphone security and password protection.

“The Internet is a shared resource for so many of our daily activities which is why protecting it is a shared responsibility,” said Michael Kaiser, executive director of the NCSA. “Everyone should take security measures, understand the consequences of their actions and behaviours and enjoy the benefits of the Internet.”

A recent study by McAfee revealed that nearly 20% of Americans browse the internet unprotected while another 12% have zero protection security and 7% have their security software installed but disabled.

“The need for consumers to stay educated is necessary now more than ever with nine in ten Americans using their computers for banking, stock trading or reviewing personal information,” said McAfee in a blog post.

The new study comes in the wake of several companies who have suffered data breaches in the past few months, including LinkedIn and Dropbox.

Source: http://www.cbronline.com/news/one-in-four-americans-suffered-security-breaches-last-year-021012

There is no evidence that data was taken in the incident, the official said, adding that the attack was identified early and did not spread.

The attack was described as “spear phishing,” the term for an attempted penetration using fake emails from a trusted sender, which the official said was “not infrequent.”

On Sunday, a report from a news website “Freebeacon,” that describes itself as an alternative to “the professional left,” said that Chinese hackers had breached a White House military system.

The White House would not identify the group responsible for the attack, or give specifics about its timing and target.

China has the world’s largest Internet user base, at 485 million users, and is believed to be responsible for a number of hacking attacks aimed at the U.S. government and companies.

“In this instance the attack was identified, the system was isolated, and there is no indication whatsoever” that any data was extracted, the official said.

“Moreover, there was never any impact or attempted breach of any classified system.”

The Obama administration is preparing to issue an executive order that would direct federal agencies to develop new guidelines to shield computer networks from cyber attacks. The White House undertook the new rules after Congress failed earlier this year to pass a comprehensive cybersecurity bill.

via http://www.chicagotribune.com/business/sns-rt-us-usa-whitehouse-cybersecuritybre89016o-20121001,0,5458775.story

Interested in attending? We have a limited number of seats available, and if you’d like to attend head over to our signup page ASAP.

To warm up for the coming discussion, I asked Delatorre for his thoughts about a few specific topics in mobile security.

Yin: First of all, what exactly do you do?

Delatorre: My responsibility at Verizon is to protect everything from the device, all the infrastructure that makes a phone call, to the network and all the data that moves through it.

I was hired by Coopers & Lybrand (now PriceWaterhouseCoopers) to do pen testing, mostly for banking clients. There weren’t many people doing that kind of work at the time, and you didn’t have to be a great hacker because banks just didn’t have much security. This gave me the experience of looking at things from the bad guy’s point of view.

Yin: What do you see as the greatest challenge to securing mobile devices today?

Delatorre: That’s one of the questions I ask myself every day. For us, there are people out there trying to hack into our customers’ devices every day. We look at security in two layers: the device layer and the network layer, and we put security controls in both places.

At the network layer we have several different technologies in place. The technology we use to monitor our network lets us see network-based attacks, like botnets, malware, viruses—we can see all these things directed towards our customers. We take this information, analyze it, add information from other sources, and put controls in place at the network layer to protect our customers, regardless of the device.

At the device level we just announced Verizon Mobile Security, a collaboration between McAfee, Verizon, and Asurian. It includes a free malware scanner and site advisor, which warns users of harmful websites before they click into them. These two things together already really reduces the threat of malware and Web-based threats. However the thing to keep in mind is the premium version, which includes the McAfee app alert that blocks malware coming in through apps. (Editor’s note: Click here to read more about how Verizon Mobile Security works and various rate plans.)

Yin: Interesting—on that note, who do you think is best suited to provide mobile security? The carrier? The anti-virus industry? The device manufacturer?

Delatorre: Security is an ecosystem. In July we gathered all the members in this ecosystem for a conference, and the goal of the conference was three-fold: one, for everyone to know what role what they played; two, to coordinate all the security intelligence gathering; three, to reduce the zero-day time horizon.

By gathering everyone together and adopting an ‘if you see something, say something’ approach with vendors immediately communicating threats they see, we can shrink the time for zero-days.

Yin: What threats do you expect you’ll be fighting in five years’ time?

Delatorre: Five years from now, I think we’ll see a lot more threats towards e-commerce, attacks on banking apps. The thing to keep in mind is that mobile devices are becoming so ingrained in our lives today. As we move forward with things like m-commerce and banking transactions over the phone, it’ll be a much richer landscape for hackers.

Yin: Thanks, Renato! We’ll see you at the SecurityWatch Summit later this month.

source: http://securitywatch.pcmag.com/none/302744-security-watch-interviews-verizon-s-head-of-security

The survey, conducted by UK web hosting company Heart Internet (http://www.heartinternet.co.uk), found that just 33% were employing anti-hacker software on their websites. In addition, only 36% of the survey said they had anti-phishing software installed whilst 14% admitted to having no security measures for their website whatsoever.

Many more businesses in the UK are making sales online, heightening the need to keep sensitive customer data safe and sites free from malicious intrusion attempts. The Financial Times recently reported that the UK is the world leader in ecommerce, predicting that the sector will contribute £225 billion to GDP by the year 2016. Further to this, small businesses that embraced the internet for sales and marketing were seen to grow by 12% per year. Despite this, a study by WorldPay found that over half of UK consumers still have concerns about security when buying online.

A recent survey conducted by Ponemon Research revealed that 90% of businesses said they have been hacked, showing the extent of hacker activity. Common methods of infiltrating sites include SQL injections which can result in confidential information being stolen for fraudulent activities, and cross site scripting which can result in visitor redirects, stolen account details and the spread of viruses.

Anti-virus software and firewalls were the most popular security measures amongst small businesses in the survey, methods which alone are not considered effective enough to protect against hackers. Whilst web hosting providers take steps to prevent malicious attempts to hack sites through measures such as deep packet inspection which monitors the traffic on a network to detect suspicious activity, the onus is on small businesses and all website owners to be personally vigilant to prevent attacks.

Steps such as installing regular software updates, employing strong and secure passwords, email previewing windows, regular website backups and effective anti-hacker software are all proven methods of defending a website against hack attacks.

“It’s extremely important for small businesses to protect themselves from malicious attacks to their website”, said Heart Internet director Jonathan Brealey. “Repairing damaged sites proves costly both financially and from a PR perspective as you may find you have to win back the trust of your customer base if you have been hacked. Security software such as StopTheHacker, which works with your anti-virus software and firewalls, should be a necessity for any small business website, whether you trade online or not.”

Heart Internet provide small businesses with a comprehensive range of website security services including StopTheHacker, online backup solutions, SSL Certificates, and Hosted Exchange. Full details can be found at http://www.heartinternet.co.uk

[ENDS]

The survey was conducted amongst 220 UK small businesses with a website via an electronic feedback form

About Heart Internet

Launched in 2004, Heart Internet has grown rapidly to become one of the UK’s leading web hosting and reseller hosting companies. Named one of the UK’s fastest growing Internet companies of 2010 by Deloitte, Heart Internet’s core values are based around high-quality products at competitive prices. Heart Internet is currently the UKs 5th largest web host as ranked by http://www.webhosting.info

Sources of additional data:

http://www.ft.com/cms/s/0/ef3e1a04-71b4-11e1-8497-00144feab49a.html#axzz25bS4Bs00 http://www.computerworld.com/s/article/9217853/90_of_companies_say_they_ve_been_hacked_Survey http://econsultancy.com/uk/blog/9434-uk-shoppers-abandoned-over-1bn-of-online-transactions-in-2011

More information For further information please contact Alex Kellett at Alex(dot)kellett(at)heartinternet(dot)co(dot)uk

Read the full story at http://www.prweb.com/releases/2012/9/prweb9885018.htm

Cyber attacks on the biggest U.S. banks, including JPMorgan Chase & Co. (JPM) and Wells Fargo & Co., have breached some of the nation’s most advanced computer defenses and exposed the vulnerability of its infrastructure, said cybersecurity specialists tracking the assaults.

The attack, which a U.S. official yesterday said was waged by a still-unidentified group outside the country, flooded bank websites with traffic, rendering them unavailable to consumers and disrupting transactions for hours at a time.

Such a sustained network attack ranks among the worst-case scenarios envisioned by the National Security Agency, according to the U.S. official, who asked not to be identified because he isn’t authorized to speak publicly. The extent of the damage may not be known for weeks or months, said the official, who has access to classified information.

“The nature of this attack is sophisticated enough or large enough that even the largest of the financial institutions would find it difficult to defend against,” Rodney Joffe, senior vice president at Sterling, Virginia-based security firm Neustar Inc. (NSR), said in a phone interview.

While the group is using a method known as distributed denial-of-service, or DDoS, to overwhelm financial-industry websites with traffic from hijacked computers, the attacks have taken control of commercial servers that have much more power, according to the specialists.

“The notable thing is the volume and the scale of the traffic that’s been directed at these sites, and that’s very rare,” Dmitri Alperovitch, co-founder and chief technology officer of Palo Alto, California-based security firm CrowdStrike Inc. (0192981D), said in a phone interview.

White House

The assault, which escalated this week, was the subject of closed-door White House meetings in the past few days, according to a private-security specialist who asked not to be identified because he’s helping to trace the attacks.

President Barack Obama’s administration is circulating a draft executive order that would create a program to shield vital computer networks from cyber attacks, two former U.S. officials with knowledge of the effort said earlier this month.

The U.S. Senate last month failed to advance comprehensive cybersecurity legislation and the administration is contemplating using the executive order because it’s not certain that Congress can pass a cybersecurity bill, the officials said.

Bank Attacks

The group started almost two weeks ago with test attacks that triggered multiple alerts. The assault on financial firms began last week, starting with JPMorgan, Citigroup Inc. and Charlotte, North Carolina-based Bank of America Corp. (BAC), moving successively this week to Wells Fargo (WFC), U.S. Bancorp (USB) and yesterday, PNC Financial Services Group Inc. (PNC)

The industry’s Financial Services Information Sharing and Analysis Center posted a warning on its website dated Sept. 19 that cited “recent credible intelligence regarding” potential cyber attacks.

U.S. Bancorp is working with federal law enforcement officials after the attacks caused delays for customers, Nicole Garrison-Sprenger, a spokeswoman for the Minneapolis-based company, said in an e-mailed statement. Customer data and funds are secure, she said.

PNC was experiencing a high volume of Internet traffic, causing disruptions for some clients, Fred Solomon, a spokesman for the Pittsburgh-based bank, said in an e-mailed statement.

Bridget Braxton at San Francisco-based Wells Fargo, Bank of America’s Mark Pipitone, Andrew Bernt of New York-based Citigroup and Kristin Lemkau at JPMorgan declined to comment.

Responsibility Claim

A group calling itself Izz ad-Din al-Quassam Cyber Fighters claimed responsibility for the assault in a statement posted to the website pastebin.com, saying it was in response to a video uploaded to Google Inc.’s YouTube, depicting the Prophet Muhammad in ways that offended some Muslims.

The initial planning for the assault pre-dated the video controversy, making it less likely that it inspired the attacks, according to Alperovitch and Joffe, both of whom have been tracking the incidents. A significant amount of planning and preparation went into the attacks, they said.

“The ground work was done to infect systems and produce an infrastructure capable of launching an attack when it was needed,” Joffe said.

Jenny Shearer, a spokeswoman for the Federal Bureau of Investigation, and Peter Boogaard at the U.S. Department of Homeland Security, declined to comment.

Premature Attribution

Senator Joe Lieberman, a Connecticut independent who heads the Senate Homeland Security and Governmental Affairs Committee, said last week he thought Iran was behind the attacks.

Alperovitch and Joffe said that while they think one group is behind the attacks, they didn’t have enough information to prove or disprove Lieberman’s assertion that Iran is responsible. The U.S. official with access to classified information said it’s premature to attribute the attacks to Iran’s government.

The attacks flooded the bank websites with 10 to 20 times more Internet traffic than the typical denial-of-service attack, Alperovitch said. He said that no data were stolen and no networks infiltrated by hackers.

The group claiming responsibility named the days it planned to attack and identified the banks it would target in a separate posting on pastebin.com.

Inadequate Defenses

That hackers telegraphed their intentions and targets shows the difficulty industries and governments face in keeping up with fast-moving network threats, said Atif Mushtaq, senior staff scientist with FireEye Inc., a Milipitas, California-based security firm.

“They had already declared they would hit these banks at these times, and still we are seeing that these banks are not able to handle these DDoS attacks,” Mushtaq said. “It’s clear that the current infrastructure under the control of these banks is not good enough.”

There’s no sign the attacks are going to stop, Alperovitch and Joffe said.

“I would not be surprised to see another pastebin posting that provides a new set of targets for this weekend and next week,” Joffe said.

A broader or more sustained denial of service attack could shake consumer confidence in the banking industry, Joffe said.

Bad Timing

“If banking infrastructure was affected in this way for an extended period of time, the natural outcome of that is a loss of faith,” he said. “If you can’t get to your banking site for three or four hours on a day when you have to do things, you start thinking about what are my alternatives because this might happen again.”

The banking industry worries about an organization with more resources launching attacks, said Ed Powers, head of security and private issues for U.S. financial firms at Deloitte & Touche LLP.

“This is coming toward the end of the month; it’s badly timed,” Joffe said. “People have to pay bills today and tomorrow.”

Previous denial-of-service attacks proved to have been cover for looting bank accounts and stealing customers’ or employees’ personal information, said another private cybersecurity analyst, who asked not to be identified to maintain client confidentiality. There’s no evidence so far that the latest attack has included theft.

If the financial industry, which spends more on Internet security than any other industry and has its largest and most extensive defenses, can’t handle this, it’s not clear whether any critical-infrastructure industry can, the analysts said.

Source: http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-expose-computer-vulnerability#p2

Beginning on Monday, another brand named Fab will also be turning to TV to advertise.

The newcomer Fab is the social shopping Web site that has a focus on what it calls “everyday design.” Fab is working with the Arnold Worldwide agency to test whether a presence on television will further stimulate interest in, visits to and sales through fab.com.

If the test is deemed successful by Fab executives, they would add TV to a media schedule that until now has been dominated by social-media services like Facebook. Fab has used Facebook extensively, running Facebook ads, so-called sponsored stories and, most recently, buying ads on the Facebook log-out page.

The TV test, with a budget of $1 million, will run for three weeks on broadcast and cable outlets in six markets: Austin, Tex.; Baltimore; Denver; Nashville; San Diego; and West Palm Beach, Fla. A 30-second commercial created by Arnold, part of Havas, will be used for the test.

Fab becomes the second e-commerce firm in a week to start testing whether a traditional medium like television will help sell merchandise online. The first was Warby Parker, which sells discount prescription eyeglasses; Warby Parker’s test of TV began Thursday.

A major reason for new kinds of retailers experimenting with a tried-and-true medium like television is the so-called second-screen effect, which refers to how millions of people now watch TV with devices like cellphones and tablet computers on hand.

“Mobile is huge for us,” said Jason Goldberg, chief executive at Fab, who founded the company with Bradford Shellhammer, whose title is chief design officer. Thirty percent of Fab sales come from mobile devices, Mr. Goldberg said.

Fab has 7.5 million members, Mr. Goldberg said, an increase of 50 percent from five million on July 1. “We’re definitely starting to break into the mass market,” he said, which offers another reason to try TV as an ad medium.

Another reason for Fab’s interest in TV is that its audience is 70 percent women, who are heavy viewers of television.

If the test works, Mr. Goldberg said, “we’ll take the ad national and expand” the budget to “double-digit millions.”

The commercial is about a style-challenged young man who, when the spot begins, is asleep in bed. (Mr. Shellhammer joked that the original idea for the television test was “an infomercial with me as the star.”)

As the man wakes, he looks out the apartment window and sees a young woman arriving in a taxi cab.

Startled, he gets ready for her arrival. When he taps his unstylish alarm clock, it suddenly turns into a better one. He keeps tapping it until it becomes one he likes.

Inspired, the man spends the rest of the commercial running around his dowdy apartment, tapping the furniture, wall hangings, bric-a-brac and, finally, his clothes, until they are transformed into stylish trappings.

The spot ends with the woman entering the apartment and, pleased by what she sees, joining the man on the sofa, which a moment before had undergone its own style makeover. She taps the man and gives him a knit cap with a built-in face warmer known as a Beardo, one of the most popular items on fab.com.

Other items in the commercial in addition to the Beardo are “products we’ve sold on Fab,” Mr. Shellhammer said. “We want people to say, ‘What is that?’ and go to the site.”

Scott Ballantyne, chief marketing officer at Fab, said the goal of the commercial was to “bring the Fab color, energy, experience, to life.” He said he recommended Arnold Worldwide to work on the spot based on his previous experience working with the agency.

Source: NYTimes

http://mediadecoder.blogs.nytimes.com/2012/09/23/another-e-commerce-site-tests-advertising-on-tv/

The study, “Trend Report: Luxury Brands Online,” analyzes the state of luxury e-tail and predicts how emerging digital and social media trends will impact the industry. The report shows that successful luxury marketers are those who know how to translate the exclusive, authentic and indulgent in-store experience to an online environment.

Social networks, like Pinterest and Instagram, have been key to customer engagement, the study shows.

By having an integrated e-commerce strategy with both paid and organic search and a diverse social media presence, companies are better able to compete, Suzy Sandberg, President of PM Digital explained while discussing the study’s findings.

The study also found that consumers search more handbags and shoes via websites and mobile apps than any other type of clothing; findings that could be consistent with a younger demographic who is more likely to buy online.

Results were collected from a study of 46 luxury apparel and accessories brands (excluding jewelry) to serve as a benchmark for the sector. The study considered brand heritage, price point and dominant customer profile in choosing brands.

The report also determined the big winners in the luxury brand category, with heavy weights like Ralph Lauren, Gucci, Michael Kors, Louis Vuitton and Chanel capturing 75 percent of online luxury market share.

Most luxury brand websites now have online stores; 85 percent to be exact, and brands with online stores get 98 percent of all traffic to luxury brand sites.

Search engines however remain the largest source of traffic to luxury brand sites, accounting for 37 percent of all referrals, with Google alone accounting for 29 percent.

Luxury brands rely more on search engine traffic than average apparel and accessories sites, but with a smaller ratio of paid search. This is an area, luxury brands need to pay more attention to, as not investing more aggressively in paid search may mean that brands are potentially ceding click share for their trademarked terms to other sites.

In addition to search engines, social media accounted for a significant amount of traffic to luxury websites eight percent, with Facebook being the most significant player, referring four percent of total site visits.

Newbie Pinterest, was found to refer nearly as many visits as Twitter. The social discovery site has proven to be a significant source of incremental traffic that didn’t exist a year ago.

A growing number of luxury brands are also embracing Instagram, the fast-growing social photo app recently bought by Facebook.

Much of the data in this report, excluding data primarily gathered by PM Digital, has been sourced from Experian Hitwise North America.

Experian is a leading global online competitive intelligence service that helps clients protect and grow their market share through the application of Internet measurement data.

PM Digital is an award winning Digital Marketing Agency that specializes in Paid Search, SEO, Social Commerce, Display Advertising, and Shopping Feed Management. Through customized, high-touch campaigns, the company drives qualified traffic to client websites to grow their business online.

Source: Melodika.net

Holiday deals and discounts, especially free shipping offers, proved especially attractive last year. But what else can small retailers do to boost sales? First, get ready now: Hanukkah falls 11 days earlier than last year, so an early start to the season is expected. Here are 10 more things you can do before the holidays:

1. Go festive. It’s only September, but the superorganized are already making their lists. Get your website dressed up for those early birds, says Tallya Rabinovich, chief executive of ecommerce software provider IzzoNet.com. “Make some Special Holiday Offers banners or a Holiday Bestsellers section on your front page,” she advises, so customers don’t have to scour your site. Incorporating a holiday countdown clock on your home page instills a sense of urgency.

2. Think promos. “Free” will always be a powerful word, says Mark Valva, president of Morristown (N.J.) marketing agency Revolution Digital. “Last year we worked with a small cookie company, and one of their hottest sellers was a free, decorative holiday tin,” he says. “Couple free shipping with promotional discount codes and limited edition holiday products, and leverage social media properties to promote them.” Last year’s Free Shipping Day brought sales of $1.072 billion, comScore reports. Participate this year on Monday, Dec. 17.

3. Make things easy. Let your customers know how to contact you by telephone, e-mail, online chat, in person, or by mail. “It should be easy to leave the website to get direct contact with the company,” says Shep Hyken, a customer service expert at Shepard Presentations in St. Louis. Take a cue from brick-and-mortar retailers and offer extended holiday hours, staffing up to make sure you can handle customer service requests.

4. Engage Customers. Differentiate by piquing your customers’ interest: “Do you know why cashmere has been used in winter coats for 4,000 years? Why do you think professional dancers buy this $5.99 pair of socks? Curiosity is a key concept in buying,” says Andrew Sobel, author of Power Questions: Build Relationships, Win New Business, and Influence Others.

5. Speed up. Websites lose 10 percent of their audience for every second it takes them to load, says Alhan Keser, chief marketing officer at Blue Fountain Media in New York. A 3-second loading time is ideal; reduce image sizes, remove tracking codes, and tweak front-end coding to speed up your site. “It’s much better to go with simple and fast than complicated and slow,” he says.

6. Go mobile. Make sure your site is visible and functional on mobile phones and tablets. Highlight your telephone number and your physical address, if you have one, on your mobile website so shoppers looking you up can find your location quickly, Valva says. “It could be a real missed opportunity to convert a browser into a buyer if your website is not mobile-enabled.”

7. Remove barriers. More than 65 percent of online shoppers abandon purchases before checkout, according to this list compiled by Web researcher Baymard Institute. Look at your analytics and figure out where you are losing people, Kesser says. One major stumbling block is an account registration page; if you have one, remove it—or at least give buyers the option to make guest purchases. “People are tired of having to create another account and remember another password every time they try to buy something,” Keser says.

8. Use video. Combine video showcasing your products or services placed above the fold on your site with prominent calls to action, such as instructions for visitors to click to watch a video. Video encourages “holiday shoppers to be much more inclined to engage in your message and make a purchase,” says Kelly Ford, vice president for marketing at SundaySky, a New York video company.

9. Think global. An online market is not just domestic; accommodate international shoppers by getting good translations of your website copy as well as providing customer service support such as e-mail and chat in various languages. “Shopping cart interface, checkout information, terms and conditions, and return policies must all offer online shoppers a seamless, experience [in the language of the visitor] to prevent shopping-cart abandonment,” says Liz Elting, president and co-founder of TransPerfect, a provider of language translation services in New York.

10. Get feedback. Small retailers should also use the holiday season to measure customer satisfaction, says Sheri Petras, chief executive of business analytics company CFI Group in Ann Arbor, Mich. Give customers an incentive to fill out feedback surveys after they’ve placed orders and ask them to opt in to your newsletter or customer database. Measuring satisfaction will allow you to “better understand the experience your customers are looking for and [give you an] advantage next holiday season,” Petras says.