Administrative carelessness is the biggest cause of successful attacks on e-commerce sites. Here are four security errors to avoid.

John Stevens, CEO, Hosting Facts


Having your e-commerce website compromised can have devastating consequences for your brand and business. Research shows that 40 percent of people will completely stop doing business with a compromised e-commerce site, and, irrespective of size and magnitude, no e-commerce business is immune. After the 2014 eBay hack that resulted in 145 million user accounts being compromised, eBay CEO John Donahoe reported a drop in transactions and activities among users who were compromised.

In most cases, e-commerce websites are compromised due to the carelessness of the administrators managing the e-commerce site. That was what happened with eBay. The log-in credentials of three key employees were compromised, and that resulted in user data of 145 million eBay users being stolen.


If you don’t want your e-commerce website compromised, you should avoid the following careless actions:

Taking Compliance Lightly: Many e-commerce websites are prone to being easily compromised due to taking compliance lightly. If you haven’t taken steps to ensure your e-commerce site is PCI-compliant, you’re significantly increasing your risks of being compromised. Some of the PCI DSS compliance requirements include installing and maintaining a firewall configuration, avoiding using vendor-supplied security parameters, encrypting transmission of cardholder data and maintaining secure systems and applications. There are other requirements, which are explained here, but taking these requirements lightly could have serious implications for your e-commerce business.


Not Using Multi-Party Authorization: One of the most careless mistakes you can make with your e-commerce site is not requiring multi-party authorization for administrators, especially when it comes to making key changes.

Multi-party authorization is a security process that, when put in place, requires more than one administrator to initiate a change; when a user initiates a change, it has to be approved by one or more other authorized users before it takes effect. The advantage of having this in place for your e-commerce site is that even if a hacker compromises the account of one of your employees, the hacker will still be able to do little with the compromised account.

It will also ensure that you are safe should a rogue employee decide to act against you. This brings to mind the story of a rogue Hostgator employee, Eric Gunnar Gisse, who installed a backdoor that gave him access to more than 2,700 Hostgator servers. Gisse was just a medium-level administrator at Hostgator, yet he could pull this off. If multi-party authorization had been set up, this could have been avoided.
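The approval flow described above, as an added illustration that is not code from the article or any product it mentions: a change proposed by one administrator only takes effect after a required number of other administrators approve it, and the proposer's own account never counts as an approver. Admin names and the `MultiPartyAuthorizer` class are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample administrator accounts for the demonstration.
ADMINS = {"alice", "bob", "carol"}


@dataclass
class PendingChange:
    change_id: str
    proposer: str
    description: str
    approvals: set = field(default_factory=set)


class MultiPartyAuthorizer:
    """Hypothetical N-of-M approval queue for administrative changes."""

    def __init__(self, admins, required=1):
        self.admins = set(admins)
        self.required = required      # approvals needed besides the proposer
        self.pending = {}             # change_id -> PendingChange
        self.applied = []             # audit log of changes that took effect

    def propose(self, user, description):
        if user not in self.admins:
            raise PermissionError(f"{user} is not an administrator")
        cid = secrets.token_hex(4)
        self.pending[cid] = PendingChange(cid, user, description)
        return cid

    def approve(self, user, change_id):
        """Record an approval; return True once the change is applied."""
        change = self.pending[change_id]
        if user not in self.admins:
            raise PermissionError(f"{user} is not an administrator")
        if user == change.proposer:
            # The key property: the initiating account can never approve
            # its own change, so one stolen or rogue account is not enough.
            raise PermissionError("proposer cannot approve their own change")
        change.approvals.add(user)    # a set, so repeated approvals don't count twice
        if len(change.approvals) >= self.required:
            self.applied.append(self.pending.pop(change_id))
            return True
        return False
```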

Ignoring Security Basics When Accessing Key Sections of Your E-commerce Site: As basic as it sounds, ignoring security basics—especially when accessing key administrative sections of your e-commerce site—can expose you to needless security risk. Ensuring that the theft of one key employee’s credentials does not put the site in jeopardy is one important principle.


Basic security steps you can take to ensure it is difficult to compromise your e-commerce site when an employee’s login credentials are compromised include:

  • Making it impossible, or difficult, to access key admin sections of your e-commerce site outside of your corporate network. If possible, avoid a BYOD [bring your own device] policy and have administrators access the site only through corporate devices.
  • In the case where you can’t restrict access to your network, emphasize that employees use a reliable VPN [virtual private network] service when trying to connect to your e-commerce site. This will come in really handy when they have to access your e-commerce site on a public network. A VPN encrypts their connection, making it impossible to intercept data transmitted over a public network. Some reliable VPN options include Private Internet Access and HotSpot Shield.
  • Do not overlook basic security software on employee devices—this includes antivirus software, antimalware software and a firewall. “Devices” go beyond just computers. There is good security software for tablet and mobile devices, too. Any device that will be used to access your network should have security software installed.

Not Implementing Additional Steps of Authentication: It is important to know that hackers have become so sophisticated that even the most basic security measures are easily bypassed these days. Simply relying on having a secure password won’t do you much good; there are numerous techniques that allow your password to be intercepted (use of a keylogger, phishing or a brute-force attack). Instead, you can give your e-commerce site an additional level of security by making it impossible to access key parts of your site without multiple layers of authentication. You could implement two-factor authentication in which administrators have to confirm their login using a code generated on their mobile devices even after their login credentials have been verified.
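The "code generated on their mobile device" step is normally time-based one-time passwords (TOTP, RFC 6238), shown here as an added example rather than code from the article: server and authenticator app share a secret and both derive a six-digit code from the current 30-second time step, so the login is only confirmed by someone holding the device. The demo secret is constructed; the verifier tolerates one step of clock drift and compares codes in constant time.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30          # seconds per TOTP time step
DIGITS = 6         # code length shown in the authenticator app

# Constructed demo secret in base32, the encoding authenticator apps expect.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def hotp(secret_b32, counter):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32, at=None):
    """Code the device shows at Unix time `at` (defaults to now)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // STEP))


def verify_totp(secret_b32, submitted, at=None, window=1):
    """Accept the code for the current step or +/- `window` adjacent steps
    (clock drift), using a constant-time comparison to avoid timing leaks."""
    at = time.time() if at is None else at
    step = int(at // STEP)
    submitted = str(submitted).strip()
    ok = False
    for delta in range(-window, window + 1):
        # Check every candidate, not just until the first match, so timing
        # does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(secret_b32, step + delta), submitted)
    return ok


if __name__ == "__main__":
    print("current code for demo secret:", totp(DEMO_SECRET_B32))
```

In practice the server must also store the last accepted time step per user and refuse to accept the same code twice, which this minimal verifier does not do.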

John Stevens is the founder and CEO of Hosting Facts, which provides reviews on website hosting companies.

