the Hussey Coding blog
Today we're going to be continuing our look into cybersecurity and giving you some more hints and tips that you can implement to help secure your Magento store. So what are you waiting for?
In this blog, we will look at
- 1. KO the FTP
- 2. Check the oil
- 3. Who knows what?
- 4. Practice, practice, practice
- 5. I have a cunning plan!
#1 - KO the FTP
If you are using FTP, then it is our strong recommendation that you stop!
Instead, enable SSH on your server and use SFTP, which runs over SSH and encrypts both your login and the files you transfer. Plain FTP sends your username, password and file contents unencrypted, so anyone able to watch the traffic can capture them, and stealing FTP passwords is a common way for attackers to get into online stores. Once SSH and SFTP are working, switch the FTP service off so the old way in no longer exists. Remember also to remove access for anyone who no longer needs it, such as former employees or third-party companies, as forgotten accounts and keys are an easy route to unwelcome access.
Getting set up with SSH is easy if you are using Linux, as an SSH client is part of the standard packages. If you are using Windows, see the "How to use PuTTY on Windows" guide by SSH.com, and if you are using macOS, see SSH.com's guide for Mac.
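Before you switch FTP off, it is worth checking two things on the server: that sshd is actually offering SFTP with sensible settings, and that the authorized_keys file does not still contain keys belonging to people who have left. The script below is an added example written for this post, not code from the original article or from Hussey Coding; the sshd_config lines, the keys and the staff list are constructed samples embedded in the script so it runs offline, and the names (alice, bob, carol, the old agency) are made up.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenSSH server config and an
# authorized_keys file before retiring FTP in favour of SFTP.
# Everything below is a constructed sample; point the functions at your real
# /etc/ssh/sshd_config and ~/.ssh/authorized_keys contents on the server.

# Constructed sample sshd_config with the settings we care about.
SAMPLE_SSHD_CONFIG='Port 22
PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
'

# Constructed sample authorized_keys: each key carries a comment naming its owner.
SAMPLE_AUTH_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice alice@husseycoding
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBob bob@old-agency
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyCarol carol@husseycoding
'

# People who should still have access (in practice this comes from your staff list).
CURRENT_STAFF='alice@husseycoding carol@husseycoding'

# check_sshd_setting CONFIG_TEXT KEYWORD EXPECTED
# Returns 0 if the effective value of KEYWORD equals EXPECTED. sshd keywords are
# case-insensitive and the FIRST occurrence wins, so the awk keeps the first match.
check_sshd_setting() {
    value=$(printf '%s\n' "$1" | awk -v k="$2" '
        tolower($1) == tolower(k) && !found { v = $2; found = 1 }
        END { print v }')
    [ "$value" = "$3" ]
}

# sftp_enabled CONFIG_TEXT -> 0 if an sftp Subsystem line is present.
sftp_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]'
}

# stale_keys AUTH_KEYS_TEXT STAFF_LIST
# Prints the comment (owner) of every key whose owner is not in the space-separated
# STAFF_LIST; those are the lines to delete from authorized_keys.
stale_keys() {
    printf '%s\n' "$1" | awk -v staff="$2" '
        BEGIN { n = split(staff, s, " "); for (i = 1; i <= n; i++) keep[s[i]] = 1 }
        NF >= 3 && !($3 in keep) { print $3 }'
}

# Stand-alone run: print a short report for the constructed samples.
if check_sshd_setting "$SAMPLE_SSHD_CONFIG" PasswordAuthentication yes; then
    echo "WARN: PasswordAuthentication is yes; switch to keys and set it to no"
fi
if check_sshd_setting "$SAMPLE_SSHD_CONFIG" PermitRootLogin yes; then
    echo "WARN: PermitRootLogin is yes; set it to no or prohibit-password"
fi
sftp_enabled "$SAMPLE_SSHD_CONFIG" && echo "OK: sftp subsystem is enabled"
for owner in $(stale_keys "$SAMPLE_AUTH_KEYS" "$CURRENT_STAFF"); do
    echo "REMOVE: key belonging to $owner is no longer on the staff list"
done
```

On the constructed sample this reports the two weak settings, confirms SFTP is on, and flags bob@old-agency's key for removal. On a real server, run it against the actual files, then confirm nothing is still listening on the FTP port (for example `ss -ltn` on Linux should show no entry for port 21) before you tell people the old way in is gone. Keys that carry no owner comment should be treated as unknown and removed too; the script only trusts what the comment says, which is exactly why keys should be labelled when they are added.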
Or you can ask your development team to do it for you, don't have one?
Then take advantage of the free project creation offer available now at Developerconnection.co.uk
#2 - Check the oil
In the same way that you check the oil and water levels in your car, every now and then go over your settings, change your passwords and review who has access to what. You'll be amazed when you remember how much you had forgotten.
Ask your dev team to analyse your store for vulnerabilities. If they don't find anything, great; if they do, get it fixed.
If you are using Magento extensions, keep in mind that those extensions may not be updated often, and an out-of-date extension gives attackers an opening to exploit until a patch or update is released. Using popular extensions is a good way to reduce this risk, as they typically receive regular support and updates. When reviewing your extensions, ask yourself questions like "do I need this extension?", "is it still useful to my company?" or "is there another extension out there now that can do the job of several extensions I am running at the moment?".
#3 - Who knows what?
Let's say that you have taken all of our advice, you've updated your computer and Magento store, you've even made sure that all your extensions are up to date. The big question now is "what about your staff?"
You may have heard of the term social engineering. This is where an attacker manipulates individuals into unknowingly releasing confidential data, which is then used for illegal purposes.
Put another way: your bank just emailed your accounts department asking them to verify some details, otherwise there may be issues with payments further down the line, and they even provided a handy link to follow that looks legitimate. Once there, all they need to do is confirm your company's address, credit card number, email address, all the sorts of things your bank would need to know. A few months later, when you decide to "check the oil", you notice a steady stream of money is missing, no one seems to know where it has gone, and you end up spending more money hiring a team to find the root of the problem. You discover that your whole company has been breached and that you need to fire Susie from accounting, who has been with you for nearly 20 years.
A massive number of companies spend all of their cybersecurity budget on teams and software, but since social engineering is one of the biggest risks to your security, you need to invest some of that budget in training all of your staff in cybersecurity.
Training staff to identify fraudulent emails, unsecure websites and the general social engineering methods used by attackers could save your company, your reputation, your stock, your finances and Susie's job!
#4 - Practice, practice, practice
This might seem like an odd one but it's really effective, don't just tell your staff about cybercrime, let them experience it in a controlled environment.
Send out some emails containing a fake link and see who clicks it, or if you have an IT department, ask them to simulate a cyberattack and see how your staff respond. Simulated attacks really help to show the weaknesses in your security, give you and your staff real-time experience of the stress-filled, chaotic nature of an attack, and give everyone involved an opportunity to learn, adapt and better prepare for the real thing.
Simulated attacks also shift your company's thinking from a reactive mindset to a proactive one; what's that saying about the best defence being a strong offence? Thinking about what attackers might go after and how they might attempt to infiltrate your business leaves you better prepared than only dealing with an attack that has already happened or that you have heard about.
#5 - I have a cunning plan!
Form a response plan and have one in place from day 1. There's an old saying that goes "it is far better to have and not need than to need and not have".
There are many different ways that you can be attacked, some of which we covered in our previous blog "6 common cyberattacks to watch out for" (which you can read HERE); some are very obvious and some are not.
If you think you are under attack, or have been the victim of a cyberattack, we strongly recommend you contact your developer or development team right away. If you don't keep a regular team on to save costs, now is the time to pay for one, as they will be able to identify the origin, type and extent of the attack and take steps to stop it and repair the damage caused. As always, you can contact us on firstname.lastname@example.org to take advantage of decades' worth of experience using and developing the Magento platform.
Want some more pointers in what should be in a cunning response plan? Never fear, Hussey Coding is here! We have a whole blog dedicated to this very issue coming soon.
With all of these things in place, you are well on your way to having formidable security in place. Do remember that these are not the only things that can be done but a basic list of things that YOU can do to help secure your store! Also bear in mind that having the best security in the world doesn't guarantee that you will not become the target of an attack, nor does it guarantee that an attacker won't get through but having these things in place does help prevent both losses to you and your customers.
If you missed our first 5 tips to securing your store follow this link to read them HERE.
Thank you for taking the time to read this post, we hope it helps keep your online store secure and attack free. As always, should you wish to contact us here at Hussey Coding or at Developer Connection then all our details are below.
Until next time, stay safe and have a great day.
Facebook - facebook.com/husseycoding
Twitter - twitter.com/husseycoding
LinkedIn - linkedin.com/company/hussey-coding
Sign up to developer connection at www.developerconnection.co.uk
Facebook - facebook.com/DeveloperConnection
Twitter - twitter.com/devconnectionuk
LinkedIn - linkedin.com/company/developer-connection