There are 4 basic components that will seriously protect your ecommerce site from malware, ransom attacks and many other risks in the realm of cyber security. I am by no means an expert in eCommerce cyber security, and for this reason I have invited Mike Potter, co-founder of Rewind, to join us and talk about what he believes are the 4 guiding principles to keeping your site secure and safe from attacks.
Mike being from Rewind, a backup specialist for Shopify stores, you would obviously expect that he will cover having backups, which he will, and I will also attest to their importance. But he also identifies 3 other major components that are actually rather simple to implement and will save you a lot of stress, heartache and MONEY! After all, an eCommerce store outage is not only damaging from the perspective of lost sales but affects you down the line as far as lost customers and lost trust, and can potentially impact your business to the point of a catastrophic shutdown.
If you start by looking at the worst case scenario, then you're also looking at the fact that your site has been hacked, and all the other principles we speak about today have failed to protect your site. Believe me, hackers are quite intelligent people and are always finding ways to break through these mechanisms, so your starting point is actually the end point of everything.
So today we are going to cover 4 basic steps you can take to protect your ecommerce site from attacks.
Make sure you’ve got a good backup system in place.
At some point, you need to make sure that you've got a backup. It's kind of your last resort, but your ultimate defense to protect your ecommerce site. What we found with Rewind was that with SaaS solutions like Shopify and BigCommerce, people assume that they are covered from a backup perspective. As it turns out, particularly for Shopify and BigCommerce, they're not. They do have backups at a system level, that is, at an aggregate level, but they don't have account-level backups. So if something happens to your store, you can't go into their backups and recover that CRITICAL data.
For people using WooCommerce and Magento, backups are a critical part of their daily infrastructure, and part of their processes is to take regular backups of all the changes that are happening in the store, making sure that they've got everything secured and stored in a separate place, separate from their main server.
This is done so that if something does happen to their main account and eCommerce site, they can recover that data easily. A lot of people assume that the same is true for the SaaS eCommerce solutions, and it is possible with Rewind. But beware: it's not something that the platforms do on their own.
They don't provide that account-level protection.
People purchase these low-cost solutions because they are presented as an all-in-one solution, but may not have the technical understanding, OR may just assume, as I would, that this sort of coverage would be included natively as part of the package.
Don't get me wrong, open-source ecommerce solutions like WooCommerce and Magento do not have these sorts of things built into them either, so it is extremely important to check with your development team and/or IT department to ensure you have proper backups in place that are capturing your account-level details and are stored off site (by this I mean a different server location). Ultimately you are responsible for protecting your ecommerce site, so make sure you have these processes in place, and have discussed their importance with the team.
Also, Mike states “I would, I’d highly recommend that you test that solution out as well… Set up a staging server where you can test to make sure that the backup’s gonna work when you need it to.”
Password Protection, your single weakest link.
Something that needs to be taken seriously is your company's security from the perspective of passwords and two-factor authentication. I will not lie, I hate two-factor authentication, but what I hate more than anything is a client site being hacked because their password was "password".
Companies that are serious about their security, like Rewind specifically, use something called 1Password. It works across Windows, Mac and Linux, Android and iOS, so it's covered on your devices. "We store all of our passwords for the company in 1Password, and we highly recommend that everybody who's running anything online use a password manager." – Mike Potter. There are also other options that work well, like LastPass, and Dashlane, which we at nadimo.com use.
The key is you want to make sure you're using a random password on every site that you go to. There are all sorts of attacks now breaking into online accounts, and if you're using the same password on one online account as on every other one, then as soon as one account is compromised, every single account that you've got would be similarly compromised.
It’s really sort of your first line of defense, that password.
The only way you can reliably make sure that it's unique, random and properly protected is to store it in a password manager like Dashlane or 1Password.
Two factor authentication.
Once you've got that in place, quite a few online accounts now allow you to do something called two-factor authentication. As an example, it tends to work something like this: a site sends you a text message or email, typically with a six-digit code, that you then need to enter after already entering your password.
Two-factor authentication means that even if somebody does get your username and password, they still can't log in, because after they enter your username and password they're prompted for this other code, which is texted to your cell phone or emailed to you. A lot of the online banks and credit card companies, for instance, now offer or require two-factor authentication.
Google, Apple and most large organizations offer it, and it becomes a second line of defence to ensure your eCommerce store is protected, regardless of platform.
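To make the second step concrete, here is an added example (not code from the article, Rewind or any platform) of the password-then-code login flow just described: the six-digit code is random, only sent after the password checks out, expires, is single-use and tolerates only a few wrong guesses. The password store and the send_code gateway are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a sent code is only valid for five minutes
MAX_CODE_ATTEMPTS = 5    # after this many wrong codes the pending login is discarded

def make_user_record(password, salt=None):
    # Salted PBKDF2 hash; a constructed stand-in for the platform's own password store.
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class TwoFactorLogin:
    # Step 1: username + password. Step 2: the six-digit code sent out of band.
    def __init__(self, users, send_code, now=time.time):
        self.users = users          # username -> (salt, hash) from make_user_record
        self.send_code = send_code  # callback standing in for the SMS/email gateway
        self.now = now              # injectable clock so expiry can be tested
        self.pending = {}           # username -> {"code", "issued", "attempts"}

    def check_password(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, stored = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(candidate, stored)

    def start_login(self, user, password):
        # A code is only generated and sent once the password has been verified.
        if not self.check_password(user, password):
            return False
        code = f"{secrets.randbelow(10**6):06d}"  # random, unrelated to the password
        self.pending[user] = {"code": code, "issued": self.now(), "attempts": 0}
        self.send_code(user, code)
        return True

    def finish_login(self, user, code):
        # A stolen password alone is not enough: the current code is required too.
        p = self.pending.get(user)
        if p is None:
            return False
        if self.now() - p["issued"] > CODE_TTL_SECONDS or p["attempts"] >= MAX_CODE_ATTEMPTS:
            del self.pending[user]   # expired or too many guesses: user must start over
            return False
        p["attempts"] += 1
        ok = hmac.compare_digest(p["code"].encode(), code.encode())
        if ok:
            del self.pending[user]   # one code, one login
        return ok
```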
It's one of those things that, as a development team, we hate, because sometimes we just need to access a client's account and they have two-factor verification, so we need to make sure we coordinate all parties simultaneously. That said, if it makes our job difficult, it makes the job of the hacker that much more difficult, so we strongly encourage this as well.
That said, the point I just raised, giving us access to your account, hits on another critical piece of security and the 4th point in today's article and podcast, the principle of least privilege.
But before we talk about that I want to quickly deviate and cover some points about a Forrester report by analyst Josh Zelonis. The single fact that I pull from this article is WHY you need to consider what you are doing to protect your eCommerce site. While we discuss a lot more of this in detail on the podcast, some key insights I wanted to mention are:
70% of small business sites hit by cyber attacks were forced offline last year.
That's absolutely horrible, especially if you consider that 1 in 10 of those were forced to shut their doors for good. That's not a very nice statistic to dwell on, and I am generally a positive person, but when you consider facts like this, it's important to take positive and proactive measures to prevent this sort of catastrophe. If you need help with this and you're on an open-source eCommerce platform, reach out to us and we will be sure to take care of you.
The Principle of Least Privilege
If you want to protect your eCommerce site, you need to be sure to operate on what Mike refers to as the principle of least privilege. What this means is that if you're giving someone access to your accounts or to your sites (which you really shouldn't be doing by handing over your own login), it's best to create a separate account for them and give them ONLY the access they need.
For example, if you have a team that is responsible for taking orders, don't give them full admin privileges, just give them what they need to do their job. If they need more, make them ask. I am always one for trust, but it's not about that, it's about making sure that your site is secure. If they know exactly what they are doing and would never break anything, that's one thing, but what if their account gets hacked? That's the concept of least privilege: giving people access to only the minimum things they need.
Not sharing your passwords or accounts, but rather giving individual people restricted access of their own, could help you considerably to protect your ecommerce site.
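As an added illustration of the order-team example above (constructed for this article, not any platform's real role system), here is a small staff-access model: every person gets their own account, an order-desk account can only see and fulfil orders, and widening an account requires a manager to approve the request.

```python
# Constructed role model. The point: one account per person, each holding only
# the permissions that person's job needs, with everything else requiring a request.
ROLES = {
    "owner": {"orders:read", "orders:fulfil", "products:write",
              "settings:write", "payouts:write", "staff:manage"},
    "order-desk": {"orders:read", "orders:fulfil"},   # enough to take and ship orders
}

class StoreAccess:
    def __init__(self):
        self.staff = {}    # username -> role; one login per person, never a shared one
        self.extra = {}    # username -> permissions granted on request by an approver
        self.audit = []    # (username, permission, allowed) for later review

    def add_staff(self, username, role):
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.staff[username] = role
        self.extra.setdefault(username, set())

    def permissions(self, username):
        # Everything an attacker holding this account's password could do.
        if username not in self.staff:
            return set()
        return ROLES[self.staff[username]] | self.extra[username]

    def authorize(self, username, permission):
        allowed = permission in self.permissions(username)
        self.audit.append((username, permission, allowed))
        return allowed

    def grant(self, approver, username, permission):
        # "If they need more, make them ask": only a staff manager can widen an account.
        if not self.authorize(approver, "staff:manage") or username not in self.staff:
            return False
        self.extra[username].add(permission)
        return True
```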
“Make sure you’ve got a good backup of your system. Make sure your passwords are secure, make sure you’re only giving access to the people that need it, and enable two factor authentication. If you follow those guiding principles, I think you’ll generally be doing better than most.” – Mike Potter
Once again I want to thank Mike Potter for his contributions towards the podcast interview and article. Check them out at Rewind if you're looking for a backup solution for your Shopify or BigCommerce site. If you want to get some help on proper backup or tech solutions for your open-source ecommerce sites, reach out to us NOW.