Online shop security

--

Security is a topic that usually only comes up when there is already a problem, but it should be thought about from the beginning. You hear plenty of stories about hacked websites or data lost because of a software or employee error. Imagine that your site goes down tomorrow or the day after. Calculate the losses and the lost profit. All of this can be avoided if you make backups and plan recovery scenarios for emergencies. The greater your risks, the more serious the measures you need to take. In some cases you may want to keep a fully up-to-date copy of the whole system, i.e. a second fully functional server. After all, besides software problems there can also be a plain hardware failure, and it is almost impossible to insure against that.

Either way, your online shop database should be backed up daily. Why? Imagine a failure at the end of the working day. If you try to restore your data, how much time would your employees have to spend putting everything back in order? Usually a few hours, assuming, of course, that backups are made every day.

The worst part is something else: sometimes the backups you create cannot be restored. Give your IT staff the task of restoring the backup to a spare or test virtual server and checking that it actually works. You need to verify periodically that this data will really help when it is needed. This is no joke: periodic drills are the norm for every emergency service, so why should we think it does not concern us?
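The restore drill described above, as an added example that is not part of the original article: it takes a backup of a small constructed shop database, restores it into a scratch file (standing in for the test server), runs the database engine's own integrity check and compares a content fingerprint recorded at backup time against the restored copy. SQLite is assumed purely for illustration, since the article names no particular database; the table names and sample rows are constructed.

```python
import hashlib
import os
import sqlite3
import tempfile


def create_shop_db(path):
    """Create a small constructed shop database (sample data only)."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT NOT NULL);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER, total_cents INTEGER);
        INSERT INTO customers(email) VALUES ('a@example.com'), ('b@example.com');
        INSERT INTO orders(customer_id, total_cents) VALUES (1, 1999), (2, 4500), (1, 250);
    """)
    conn.commit()
    conn.close()


def backup_db(src_path, dst_path):
    """Copy a consistent snapshot of src into dst via SQLite's online backup API."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(dst_path)
    try:
        src.backup(dst)
    finally:
        src.close()
        dst.close()


def table_fingerprint(path):
    """Row count and SHA-256 over the ordered rows of every user table."""
    conn = sqlite3.connect(path)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        fp = {}
        for t in tables:
            digest = hashlib.sha256()
            count = 0
            for row in conn.execute(f'SELECT * FROM "{t}" ORDER BY rowid'):
                digest.update(repr(row).encode())
                count += 1
            fp[t] = (count, digest.hexdigest())
        return fp
    finally:
        conn.close()


def verify_restore(backup_path, expected_fp):
    """Restore the backup into a scratch file, run SQLite's integrity check and
    compare the content against the fingerprint taken at backup time.
    Returns (ok, reason)."""
    with tempfile.TemporaryDirectory() as scratch:
        restored = os.path.join(scratch, "restore-test.db")
        try:
            backup_db(backup_path, restored)           # the "restore to a test server" step
            conn = sqlite3.connect(restored)
            try:
                status = conn.execute("PRAGMA integrity_check").fetchone()[0]
            finally:
                conn.close()
            if status != "ok":
                return False, f"integrity_check reported: {status}"
            actual_fp = table_fingerprint(restored)
        except sqlite3.Error as exc:                   # unreadable, or not a database at all
            return False, f"restore failed: {exc}"
    if actual_fp != expected_fp:
        return False, "restored content differs from what was backed up"
    return True, "restore verified"


def run_demo():
    """Back up the sample DB, verify it, then damage the backup and verify again."""
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "shop.db")
        bak = os.path.join(d, "shop-backup.db")
        create_shop_db(live)
        expected = table_fingerprint(live)            # store this next to the backup
        backup_db(live, bak)
        good_ok, _ = verify_restore(bak, expected)
        with open(bak, "r+b") as f:                   # simulate a damaged backup file
            f.write(b"\x00" * 100)                    # wipe the 100-byte SQLite header
        bad_ok, _ = verify_restore(bak, expected)
        return good_ok, bad_ok


if __name__ == "__main__":
    print(run_demo())
```

The point of the fingerprint is that an integrity check alone only proves the file is a well-formed database; it says nothing about whether the backup job captured the tables you care about. Recording the fingerprint at backup time and comparing it after the restore catches an empty or stale dump as well as a corrupt one.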

Another important security consideration is the storage of passwords. Many employees still write them down on paper and keep them in public places. Some people do not lock their computers when they go out to lunch.

People often completely fail to assess the risk when they leave their computer unlocked with its access to information unprotected. Someone passing by can do things you cannot even imagine, and not even out of malice, just for "fun".

Next, I strongly advise keeping a list of the resources each employee has been given access to, so that when someone leaves you do not have to remember where to change the password or revoke account access. From time to time you see stories on the web about a terminated employee who still had access and did something nasty. I am not talking about that person's liability here; it might be worth taking the case to court. I am talking about the losses to the business, which, even if a court were to order them compensated, are unlikely to be recovered in full.

Another problem is hacking. There are plenty of automated tools out there that do nothing but probe websites for weaknesses. So if you have a self-written or heavily modified online shop engine, make sure you check every field where an outsider can enter anything for vulnerabilities. There are many ways to gain unauthorized access to your database, and the result can be more than just some vandalism: attackers can keep access to your data for a long time, steal your customer information, and more. For automated vulnerability analysis there are also many out-of-the-box solutions available.
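What "checking a field" means in practice for a self-written engine, as an added example that is not from the original article: the same product search written the unsafe way (user input pasted into the query text) and the safe way (input passed as a parameter), plus a regression check of the kind a periodic vulnerability test should contain. The product table, its rows and the test input are all constructed; SQLite is assumed only for illustration.

```python
import sqlite3


def make_db():
    """Constructed product table; 'hidden' rows must never be exposed by search."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT,
                              price_cents INTEGER, hidden INTEGER);
        INSERT INTO products(name, price_cents, hidden) VALUES
            ('Red mug', 900, 0), ('Blue mug', 950, 0), ('Unreleased mug', 1200, 1);
    """)
    return conn


def search_vulnerable(conn, term):
    """Builds SQL by string formatting: whatever the user types becomes part of
    the query text, so quotes and comment markers change the query's meaning."""
    sql = f"SELECT name FROM products WHERE hidden = 0 AND name LIKE '%{term}%'"
    return [r[0] for r in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterized query: the driver sends the term as data, never as SQL,
    so the WHERE clause keeps its meaning for any input."""
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ?"
    return [r[0] for r in conn.execute(sql, (f"%{term}%",))]


def regression_check(conn):
    """A test-suite style check: input containing SQL metacharacters must not
    widen the result set. Returns the results of both variants for comparison."""
    crafted = "mug%' OR 1=1 --"     # constructed test input that closes the string literal
    return {
        "vulnerable": search_vulnerable(conn, crafted),   # leaks the hidden row
        "safe": search_safe(conn, crafted),               # matches nothing, as it should
        "normal": search_safe(conn, "Red"),               # ordinary search still works
    }


if __name__ == "__main__":
    for variant, rows in regression_check(make_db()).items():
        print(f"{variant:>10}: {rows}")
```

A check like this belongs in the automated test run, not in someone's head: every input field that reaches the database gets a test case with quotes, comment markers and wildcard characters, and the assertion is that the result set is no larger than for a harmless input.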

Another thing attackers often do is hit your site with a targeted attack to stop it from working properly. The most common are DoS (Denial of Service) and DDoS (essentially the same thing, but carried out from a large number of computers in different locations). Typically this kind of trouble is orchestrated through ordinary users' computers that are infected with malware. Attackers remotely control this entire network and, on order (yes, this is a kind of business), can take a particular site down for a paid period of time. The other variable of this "service" is the capacity of your server and the bandwidth of the Internet link it is connected to.

There is another approach as well: an attacker finds the contact details of an administrator or a top manager of the company and, the moment the attack on the site starts, sends them an instant message saying that they have to pay a certain amount of money and the attack will stop.

Paying is useless. If you paid once, what stops the attacker from doing it again the next time they want money?

So you have to protect yourself in advance.
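One in-advance measure that is within the application's own control, added here as an example and not taken from the original article, is per-source rate limiting: each client gets a token bucket, so a source that floods the site is refused once its burst allowance is spent while normal shoppers are untouched. The two client addresses, their request timings and the limits (5 requests per second, burst of 10) are constructed; integer millitokens are used so the replay is exact.

```python
from collections import defaultdict


class TokenBucketLimiter:
    """Per-client token bucket. Tokens are kept as integer millitokens and time in
    milliseconds, so rate_per_sec is also the refill in millitokens per millisecond."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.capacity = burst * 1000
        self.state = {}                       # client -> (millitokens, last_seen_ms)

    def allow(self, client, now_ms):
        tokens, last = self.state.get(client, (self.capacity, now_ms))
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        if tokens >= 1000:                    # one request costs one whole token
            self.state[client] = (tokens - 1000, now_ms)
            return True
        self.state[client] = (tokens, now_ms)
        return False


def replay(requests, rate_per_sec=5, burst=10):
    """Run a time-ordered list of (timestamp_ms, client) through the limiter and
    return per-client counts of allowed and rejected requests."""
    limiter = TokenBucketLimiter(rate_per_sec, burst)
    stats = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for ts, client in requests:
        key = "allowed" if limiter.allow(client, ts) else "rejected"
        stats[client][key] += 1
    return dict(stats)


def sample_requests():
    """Constructed traffic: a shopper making one request per second for 20 s, and a
    flooding source making 100 requests per second for 2 s (documentation-range IPs)."""
    shopper = [(t * 1000, "198.51.100.7") for t in range(20)]
    flood = [(i * 10, "203.0.113.9") for i in range(200)]
    return sorted(shopper + flood)


if __name__ == "__main__":
    for client, counts in replay(sample_requests()).items():
        print(client, counts)
```

The flood source gets its first 10 requests through (the burst), then only one request per 200 ms, i.e. 19 of 200 in total; the shopper never sees a rejection. The caveat the article already hints at applies: a limiter on the server only protects the application's own CPU and database connections. If the attack saturates the Internet link itself, the filtering has to happen upstream at the hosting provider or a scrubbing service, which is exactly why the server's capacity and bandwidth are part of the attacker's calculation.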

Last but not least is the domain name of your website. Who does it belong to? Where and how is it registered? Is it definitely under your control? Surprisingly, there are many examples of companies losing their domain after a successful launch. How is that possible? The reason is usually simple. The domain administrator (here that means "owner") is not the company's founder or a legal entity, but… the IT guy who helped launch the project or the web studio that designed and built the site. There are many such examples. The main thing is that you must have a direct contract with the domain registrar, and you (if you are the founder) or your company must be the domain administrator of your website.

Even if work on your website has already started and the domain is unfortunately not registered in your name, hurry up with the transfer. Even if the web studio assures you that this is how things are done, that the domain belongs to them and not to you, do not agree. At any convenient moment such a company can stop your site from working, even if the contract with them has long expired. The domain is the primary asset and should be 100% under the control of the business. I recommend registering the domain first and only then going to any contractor. Transferring a domain is not easy. If it is registered to an individual, that person must go to the registrar in person with a request to transfer the domain to another administrator, or, alternatively, send a notarized letter by mail. If the domain is registered to the wrong company, a representative of that company with a power of attorney, copies of the founding documents and the transfer application must also appear at the registrar in person.

If this happens to you, do not delay: demand that the domain be transferred immediately. Literally take the right person by the hand and go to the registrar with them. Later it may be too late, and you will have to start all over again.

As a result, the checklist for a modern company that pays attention to information security is not that long.

1. Backups are created regularly.

2. Backups are checked periodically to see if they can be recovered.

3. Users' computers are locked while they are away, and users who ignore this requirement are fined.

4. Vulnerability tests are conducted periodically.

5. The list of employee accesses is kept up to date.

6. The domain name of your site is under your control.
