
Securing your online store and protecting your customers are important and ongoing tasks. Take a look at some steps to consider when setting up and running an online business.

1. Basic hygiene

  • Keep your devices and software up to date.

  • Use strong and unique passwords for your accounts. One way to build a strong password is to combine three random, memorable words.

  • Make sure you have antimalware software on all your systems and devices, and a web application firewall in front of your website, all installed, running and kept up to date.

  • Set up multi-factor authentication (MFA) on your accounts wherever available.

2. Remain aware and vigilant

  • Stay up to date on any security advice, vulnerabilities and patches for the hardware and software that you use to operate your business.

  • If you use a service provider, make sure you get assurances that they will keep your system and services up to date and operational.

  • Use monitoring tools to detect and respond to any suspicious activity on your website, such as unauthorised access attempts or unusual traffic patterns.
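
As an added example (not part of this guidance page), a small Python monitor that applies the point above to web server access logs: it parses lines in the common "combined" format and raises an alert when one source address repeatedly fails to log in to an administration page within a short window, recording whether a successful login followed. The sample log lines, the /admin/login path and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample lines in Apache/Nginx "combined" log format; not from any real site.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2023:10:00:01 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [12/Apr/2023:10:00:03 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [12/Apr/2023:10:00:04 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [12/Apr/2023:10:00:06 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [12/Apr/2023:10:00:09 +0000] "POST /admin/login HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.22 - - [12/Apr/2023:10:01:05 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2023:10:01:09 +0000] "POST /admin/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return one access-log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # skip malformed lines rather than crash the monitor
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev

def detect_login_bruteforce(lines, threshold=5, window_s=60, login_path="/admin/login"):
    """Alert on IPs with >= threshold failed logins inside a sliding window_s-second window."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failed attempts
    alerts, flagged = [], {}       # flagged: ip -> the alert raised for it
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["path"] != login_path:
            continue
        ip, q = ev["ip"], failures[ev["ip"]]
        if ev["status"] in (401, 403):
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures older than the window
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"ip": ip, "rule": "login_bruteforce",
                               "failures": len(q), "success_after": False}
                alerts.append(flagged[ip])
        elif ev["status"] == 200 and ip in flagged:
            flagged[ip]["success_after"] = True  # a success after the burst needs urgent follow-up
    return alerts
```

A success recorded after a burst of failures is the case to act on first, since it may mean the account's password was guessed.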

3. Choose robust and reputable providers

  • Enquire about any cyber security assurance exercises your providers have in place, and how often they are carried out.

  • Ask for technical reports that give evidence of their annual, or more frequent, security assessments.

  • Ask whether the developers follow secure coding practices, and which standards they adhere to during development.

4. Recovery planning and backups

  • Have incident management, recovery and continuity plans in place, so that when an incident occurs you can recover and resolve it within an acceptable time frame.

  • Test your plans to ensure the organisation’s relevant staff members are aware of the processes involved and to identify any potentially unforeseen problems.

  • Ensure your website and data are regularly backed up so you can restore them in the event of an incident.

5. Website and payment gateway security

  • Set up SSL/TLS certificates so your website is served over HTTPS, especially on any web pages that handle personal or sensitive information, such as payments or contact forms.

  • If you maintain your own website domain, remember to renew your certificates and your contracts for third-party services before they expire.

6. Cyber security and awareness training

  • Building a cyber-aware culture across your organisation is an important part of your security.

  • Staff should be regularly trained on cyber security and advised of current trends they might encounter whilst at work and at home.

7. Security plugins

  • Security plugins are a simple way to add security protections to your website, and can defend against many kinds of cyber attack.

  • Only install extensions from trusted sources, and keep them up to date.

  • Do not install extensions or software from links received in suspicious emails.

8. Device and system control

  • Restrict the functionality of every device, operating system and application to the minimum needed for the business to function.

  • Access to systems, software and services should be limited to only those who need it. Ensure access is revoked for any staff leaving the organisation.

  • Use multi-factor authentication (MFA) for your accounts wherever possible.

9. Fraud protection

  • Use reputable platform service providers or developers to set up your online store. Ensure they can provide you with adequate fraud prevention tools to help identify and stop fraudulent activity.

  • Your payment gateway service provider will also be able to help with anti-fraud tools and advice.

10. Data protection

  • You must ensure your company is GDPR compliant. You may be storing more information about your customers than you would if you were operating a traditional bricks-and-mortar business, so you need to be sure that you (and any third parties) are handling this data properly and securely.

  • With the introduction of GDPR, a data breach can result in large fines, not to mention the loss of reputation and trust in your organisation. Make sure you have a data breach response plan in place to minimise damage and speed up recovery in the event of a breach.

This page was last updated on 12/04/2023