- By: Ricky Hayes July 31, 2020
Easy Cybersecurity Tips To Protect Your Shopify Store From Hackers
As the COVID-19 pandemic spurs an increase in ecommerce, let’s take a detailed look at some of the major threat areas and offer cybersecurity tips to protect your business.
Running an online business often involves managing multiple accounts. These include email addresses, social media handles and several others. You can prevent hackers from gaining unauthorized access to them using the following methods:
Set Strong Passwords and Alter Them Every Once in a While
Set strong passwords which are not related to your birthday, relatives’ names, places of birth, or other info about you hackers could easily find.
Don’t write these passwords down, either. Consider using a central password manager like Dashlane, LastPass and Keeper only if you have too many passwords to keep up with.
Always change these passwords in case you’re alerted about a suspicious login attempt, or when you log into these accounts from devices that aren’t yours or from unsecure public networks..
Use 2-Factor Authentication (2FA) or SMS Authentication
Two-factor authentication (also known as 2FA) ensures no one but you can access your account. It relies on two login phases: first, you enter your main password. Then you receive an email or an SMS with a secret login code.
Since only you have access to your email account/phone, even if a hacker had your main password, they wouldn’t be able to pass the second phase.
(Sometimes in the second stage of 2FA you might be prompted to hit “Yes it’s me” or a similar button on the app you’re trying to log in, instead of receiving a login code.)
Many apps like Gmail, LinkedIn, Apple, Facebook, PayPal and more, offer 2FA. Shopify offers 2FA too, here is their manual on how you can secure your Shopify account using two-step authentication – with SMS text messages, an authenticator app or a security key.
Avoid Spam and Phishing Emails
Set robust spam filters
Ecommerce marketing often involves the use of emails to reach potential customers and also provide support for those using the business’ products/services, and so does business-to-business communication.
This breeds the problem of spam, which can be managed using filters to exclude certain emails with particular characteristics (sender address, subject, etc.) from reaching your inbox. Regularly adjust this list of criteria to keep your spam filtering up-to-date.
Supplement with Anti-Spam software
While the spam filters native to your email service provider may be helpful, they won’t always be a perfect sieve. These tools range from cloud-based to web-based and more, and they include SolarWinds, SpamTitan, Mailwasher and ZEROSPAM.
Some of the benefits of using these add-on tools include having spam filtered with reference to a larger database of messages previously flagged from multiple mailboxes and running filters for multiple email accounts, which saves you the work of creating filters for each email address.
Make use of alias email addresses and disposable emails
Some email service providers allow you to create a forward on your email address, or an alias email that resembles your real one (say email@example.com) that you can use to sign up for various online services.
With the original email associated to it being (say firstname.lastname@example.org), you can then receive emails sent to the alias in a well categorized manner, knowing that the senders do not have access to your actual email but rather a secondary pool.
Another option is to create burner/disposable email accounts that you use particularly for testing online services to avoid crowding your actual primary email addresses used for communication.
Securing Your Website
Websites tend to come under a wide array of attacks that threaten them in different ways like:
- Flooding servers with request in order to crash the site (Denial of Service [DDoS]).
- Targeting query submission forms by deploying malicious code in your database to collect and delete information (SQL injections)
- Malign code that targets your website visitors (XSS)
You can protect your website from such attacks and others like cross-scripting by using some of these methods:
Switch from HTTP to HTTPS
In comparison to the older HTTP protocols, HTTPS protocols protect sensitive information submitted by users, and any other data as well. They also display a security badge (green lock sign) alongside the website’s URL to let users know that it is secured.
Purchase an SSL certificate
This certificate is requisite for anyone who wants to get the HTTPS trustee green lock. Secure Sockets Layer certificates encrypt data to protect it while it is in transit and come in handy for any site handling purchase-related information such as credit card details, and even regular queries on other sites.
They also come with a certificate of ownership for your site, making it hard for hackers to use as a counterfeit in phishing attempts.
Consider installing additional security layers like the Content Delivery Network (CDN) which uses machine learning to differentiate between regular and malicious incoming traffic.
Another option that is usually offered by many domain registrars is Whols protection, which replaces your personal information with the registrar’s in the publically visible Whols online database to protect it from being scrapped by bots. You can also opt for a store on Shopify, which offers most of these tools as part of their service.
Security On Untrusted Networks
During the course of running an online business, you may often find yourself having to log into accounts from a restaurant’s Wi-Fi, or the network at another work organization or shared office space.
To guard against any threats that come with using such networks, employ any of the following tools:
Virtual Private Networks (VPNS)
Taking the form of an application that you can install on your devices, VPNs encrypt your internet connection, hence protecting information such as your log-in details from anyone who might be targeting you.
Always consider the number of servers and server locations, number of devices supported, DNS-leak protection, encryption types and proxy extension, not forgetting payment options. ExpressVPN, Surfshark, NordVPN, IPVanish & CyberGhost are some of the best on the market.
Operating systems usually come with built-in firewalls, but for an online business with a more complex network, it could help to have separate firewall software and router hardware (where required) to regulate incoming traffic. Some formidable solutions include Ubiquiti EdgeRouter, OPNSense and Cisco Meraki MX.
Anti-Spyware and Anti-Malware
Many sites on the internet are littered with software that can make its way onto your device with one wrong click, especially for those whose work involves downloading a lot of files.
While a strong anti-virus can protect you from viruses, it may be necessary to install additional software that is geared towards sweeping your device for any unknown programs that interfere with the normal operation of your systems or secretly collect data from your device.
Securing Devices And Backing Up
While having strong passwords protects your devices to a certain degree, their storage devices can still be accessed independently without the rest of the device, such as in cases of theft.
It is therefore important to encrypt your data using tools such as FileVault for Macs and BitLocker for PCs. Smartphones also come with inbuilt encryption options, whether iPhone or Android.
When it comes to the data you use in your online business on a regular basis, be it inventory records or some other information, it is important to create a backup schedule and make copies every time changes are made to this data.
Depending on how quickly you need to access your data in case of a crash or theft, your budget and other security concerns, consider having a good balance between copies on storage drives offsite, and soft copies on cloud-based storages like Dropbox, Google Drive, Sync etc.
Make sure the most important data is easier to retrieve and try not to have your backups in the same space with your primary copies.
Additionally, make use of imaging tools on your device like Time Machine that can help you restore your device to the exact state it was in on a given date.
Personnel Training and Client Sensitization
All this technology is ultimately operated by human beings and therefore, lapses in their judgment could render your technological measures useless.
Invest in training your team on how to identify fraudulent communication and transaction activity, use all the security tools in place, and foster work procedures that ensure employees never miss security steps during any work process.
It is also important to put in place small advisory information that is available to customers during the course of their use of your services.
Strive to inform them about any security marks and other data that prove the authenticity of your communications and materials, be it logos, signatures, official email addresses etc.
Put in place guides on how they can use your service securely on the end, such as not saving passwords in browsers, using 2FA where available etc.
Generally speaking, a good cybersecurity plan for your online business should encompass software, hardware, business personnel and customers in order to minimize any risks.
Cybersecurity has to stay front of mind for anyone running a Shopify store these days. Using the above methods, you can stay ahead of the hackers looking to catch you unaware.
Want a converting Shopify store? Download the free Debutify theme now!