Shopify is a brilliant e-commerce marketplace which has grown from a relatively obscure and small marketplace in 2006 to a $1.578B USD annual revenue giant through the end of 2019. Some Shopify stores sell just a few items, whereas others are full blown e-commerce stores with thousands of items in stock.
If you are thinking about setting up your own Shopify store, already have a beginner-level Shopify account, or if you are running a Shopify account as your full-time gig, this article will provide some helpful security tips that you can use to secure your business operations. Nothing is worse that waking up in the morning to find that your data has been stolen, your accounts have been taken over, or your funds have been cleaned out. At a higher level, we aren’t just talking about securing your Shopify store, we’re talking about securing your livelihood. Let’s roll up our sleeves and get to work.
TLDR (Too Long, Didn't Read) Version
4 Tips to Secure your Shopify Store
Secure all Accounts with Strong Passwords & Two-Factor Authentication
- Email Accounts
- Bank Accounts
- Website Logins
- Social Media Accounts
Update Underlying Website & Apps
Data Backup & Retention
- Computer Systems
- Confidential Documents
- Your Inventory
Securing All Accounts with Strong Passwords and 2FA
You will undoubtedly have quite a few accounts that will need to be secured against unauthorized access. In fact, you probably have more accounts to secure than you are currently aware of. Make a list of accounts that might be associated with your Shopify store. Aside from the Shopify account, you’ll have an email, bank or PayPal account, social media accounts, and a branded website login. Every account that is used in connection with your Shopify store should have a strong & unique password and should also have a secondary factor for authentication. Having a strong password means:
Your password is long (use a passphrase)
Your password is complex (include numbers, special characters, capitals, lowercase)
Your password is not easily guessed – Don’t use your favorite baseball team or travel destination
Your password is unique – don’t use the same password for any of your accounts
After you have confirmed that you have a strong password on all of your accounts, you will need to ensure that you have a secondary factor (2FA) enabled for every account that will support it. Enabling 2FA will afford your accounts much-needed protection against criminals that often use publicly available website data dumps to access your email and web accounts. With 2FA, you’ll have the option to use App-based authentication, SMS, phone call, or hardware token.
Your Website, Apps and APIs
If you are using Shopify as your web storefront within your main website, you will need depend on Shopify to provide security services within their platform. But don’t forget, you will still have to ensure that you have adequate security associated with main website as well. If you are using WordPress, Joomla, or Drupal, it is vitally important that you update the content management system (CMS) on a regular basis. There are a multitude of threats that could aid in the utter destruction of your website if you do not update your website and all of its components on a regular basis. Remote code execution, cross site scripting, and other vulnerabilities can get your business into trouble pretty fast if the right (or wrong) person decides to take aim at your website. Using all the tips in this article, along with updating your components that make up your Shopify store will prevent you from having to Google “My site got hacked, what do I do?”
Backup, Recovery, & Data Retention
The technology that you have selected to utilize in your business operations is not guaranteed to work without a bump in the road from time to time. In the event that an individual component in your tech stack becomes unstable, comes offline, becomes inoperable, you will want to recover from that event as quickly as possible. Downtime will be translated to a decrease in revenue, which will undoubtedly get in the way of your worldwide Shopify store domination plans! Schedule a regular back up your website configurations, mobile devices, and laptops on a regular basis. In case you have a total technology-related meltdown, having a current backup will ease your recovery efforts. A bit of planning from a disaster recovery standpoint will go a long way. Consider storing your backups in a cloud repository like Dropbox or Microsoft OneDrive. If you’d rather back up your data locally, use an external hard drive that is only connected to systems during the data backup process. If you leave your external hard drive connected to your computer or laptop, your backup will be toast if you are hit with ransomware.
Physical security is another topic that you must take into consideration when you are running a Shopify store. You will need to tally the physical assets and inventory, then you should identify any security precautions that should be taken to secure your identified assets and inventory. Remember, you should secure your inventory in-line with the value of the inventory. Avoid putting a $1000 lock on a $100 bicycle!
Inventory – Where is the inventory stored? How is your inventory being delivered? Are you tracking your inventory? Is your inventory vulnerable? Could someone just walk into your garage or onto your porch and steal your inventory? Is it locked away? Do you have/need CCTV? Do you have/need an alarm system? If your annual revenue is $5,000 or less you probably won’t have the capital to invest in a robust security system, but as your business grows, you will want to do everything you can to protect your investment.
Laptops – Are your laptops vulnerable to theft? Keep your laptops secured at all times. Do not store laptops in places that they might be stolen. Criminals often liberate laptops from their rightful owners when they are being stored in a personal automobile or when an individual is traveling. Avoid the following situations:
- Storing in the underbody compartment of a bus
- Storing in the trunk of a taxi
- Storing in an Airplane seat front pocket
- Storing under the seat or in the trunk of your car
- Bringing laptop to restaurants and social gatherings
Hire a Consultant
If you have achieved a significant amount of revenue from your Shopify store, you should consider hiring a security consultant on a contract basis. The security consultant will examine the technology that you utilize, the business processes that are in place, and will recommend specific security controls that will reduce your information security risk profile. For a small business making less than $100,000 a year in revenue, a one to two-day engagement should be sufficient.
Chief Security Officer Sheppard Mullin Richter & Hampton LLP