
The constant threat of cyberattacks, and how to protect yourself

As Russia’s invasion of Ukraine continues, attention focuses on cyberattacks and threats to global systems – large and small. 

Western media outlets and cyber experts quoted in the media are yet again pointing at Russia ahead of anticipated cyberattacks in the West. Security experts and academics say such attacks are likely following the wide range of sanctions imposed on Russia as punishment for its invasion of Ukraine.

However, the reality is that we live in a world where the threat of cyberattacks is constant and comes from everywhere. They are not something that arises only during a time of global crisis or war.

Make it a priority to identify the main threats your business faces and take effective measures against them while minimizing the impact on your daily business operations. If you’re not sure what cyber threats your business faces, work with a security consultant to identify them.

Cyberattacks: Always be vigilant

As CEO of web development company Saucal, I’m in contact with eCommerce founders and managers all the time. I get to witness the frustration and misery any website owner or manager experiences when their site is hacked or their network is taken down. It’s an incredibly costly and disruptive experience, and sometimes can take days or weeks to recover from.

Many of these attacks are preventable. But before I turn to prevention, I want to mention a couple of things.

  1. Saucal isn’t in the business of cyber security. What I’m sharing here are my tips and advice, and some things worth checking out. For cyberattack prevention, I recommend that eCommerce stores get advice from a reputable business that specializes in cyber security services, or at least read or watch good content about protecting yourself.
  2. I’m a big believer in the importance of simulated events! They really help us prepare. And simulations give foresight into what highly powerful people have on their minds, and sometimes even what they might be planning next. If you ever have an opportunity to participate in a simulated event, I highly recommend it.

Get set for Cyber Polygon!

There are lots of events, books, and training you can explore to prepare for a cyberattack. One of the best is Cyber Polygon, set for Friday, July 8 this year.

Supported by INTERPOL, Bi.zone, and the World Economic Forum’s Centre for Cybersecurity, Cyber Polygon is a unique cybersecurity online conference that combines:

  • An online conference with the participation of senior officials from global organizations.
  • Technical training on cybersecurity for corporate teams.
  • Expert talks featuring leading experts in practical cybersecurity.

This year the event’s theme will be: Digital Resilience in the Cloud Age. Speakers from around the world will discuss how to maintain business continuity and develop safely in the cloud era. Among the invited experts are leaders of the private and public sectors from across the globe, as well as representatives of international organizations.

During the technical training, participants will work through the actions of a corporate response team during a targeted attack on their hybrid cloud infrastructure. This simulated response will be a major learning experience for participants.

Cyber Polygon is annual, and you can take a look at the summary from 2021’s event here. The key focus areas last year were:

  • Secure ecosystem development and the obstacles that ecosystems must overcome.
  • The future of the financial system as digital currencies continue to develop.
  • Protecting children against cyberbullying and other online threats.
  • Exploring how technology can help victims of warfare.
  • International collaboration in the fight against cybercrime.

Why simulated events matter

If you’re unfamiliar with simulated exercises, look back at Event 201, which took place in 2019 before the real COVID pandemic hit the world. Event 201 featured a simulated virus, called CAPS (Coronavirus Associated Pulmonary Syndrome), that started in Brazilian pigs and spread to farmers. It caused symptoms ranging from mild flu-like illness to pneumonia. Three months in, the hypothetical illness had caused 30,000 illnesses and 2,000 deaths.

The eerie thing about Event 201 is that it was so like the real pandemic – which originated in China in 2019 – that the simulated news reports could easily be confused with the real pandemic media coverage we’ve seen in the last three years!

Full information about Cyber Polygon 2022 hasn’t been released yet, but I’m guessing it’ll take the same approach as Event 201: a simulated, coordinated cyberattack in which either the power goes out or the Internet goes down, taking key infrastructure with it.

Cyberattacks in the post-COVID world

The COVID pandemic has completely re-shaped the cyber world. Consider these key points:

  • During and after COVID, almost everything went digital. 
  • Digital opens up the world, but it’s now a significant Achilles’ heel: take down the internet, and a whole infrastructure falls with it.

Without doubt, this means the time to protect yourself is now. When people ask me “How can I protect myself from a cyberattack?” this is what I tell them.

How to protect your eCommerce business (and yourself) from cyberattacks

First, if you’re a private individual who’s found this blog post because you’re searching out stuff on cyberattacks, don’t worry too much. It’s highly unlikely that attackers will target individuals, unless you’re a person of note in the Ukraine-Russia conflict, or you’ve done or said something that they view as offensive, provocative, or dangerous.

As an aside, you could even be hit by cancel culture if your views upset enough people, platform owners, or even Big Tech. 

So, don’t be anxious, but have basic measures in place. And you should be doing these things anyway, not because the threat of cyberattacks is now making headlines.

Protect your personal finances and files from cyberattacks

I highly recommend viewing cyberattacks the way you view Mother Nature, which can be unpredictable, destructive, and violent. So take the same prep approach with cyberattacks, and then add a layer of identity-theft and ransomware prep on top of that. If your identity is compromised or you’re locked out of important accounts, have some physical cash and Bitcoin on hand in case credit cards or banks get hit. Consider the recent moves made by Visa, MasterCard, and American Express in the wake of Russia’s invasion of Ukraine.

Make sure your home has a back-up power system, along with a good supply of non-perishable food and a way to cook it if the power goes out for a couple of days.

Diversify away from the Internet

Find ways to keep parts of your life separate from the Internet. On the business side, see if you can continue to do your job without the Internet. Now would be a good time to have backups of files on an external hard drive (and then disconnect it from the Internet and your laptop). A popular IT saying about the cloud is: “It’s just someone else’s computer.” If possible, make your own offline copy of anything saved in the cloud in case your Google Drive takes a hit. Store everything that is important to you on a laptop, and refresh that copy every couple of months.

Also, have a short URL from which you can rebuild your whole digital life from scratch, using only what is in your head and a fresh laptop. Practice it.

I don’t think we’re going back to the pre-Internet age, but some common-sense preparations will go a long way. And if the internet does indeed go down, make sure you can still access essential services. Having a ham radio is always a good idea – it can go a long way in an emergency.

Protect your eCommerce store or business from cyberattacks

Avoid software censorship

Try to avoid censorship. If possible, use open source software – which is why I believe in WordPress and WooCommerce. Always keep in mind that if you find yourself in a natural disaster, major services could go offline. And in zones of conflict, you could be without Big Tech platforms. In the current Russia-Ukraine crisis, both Microsoft and Windows have been disabled remotely.

I recommend these steps:

  1. Get an ETH domain name.
  2. Have a backup email that isn’t Gmail or any big tech email.
  3. Back up your documents, including images and videos, to a separate, removable drive.
  4. Ensure your business isn’t solely dependent on apps in the App or Play stores.
  5. Double-check to make sure your applications are web-compatible.

Update software immediately

Hackers exploit software vulnerabilities all the time. A well-known example is the Panama Papers. One of the first assumptions made about the alleged hack of the Panamanian law firm Mossack Fonseca’s documents was that the hackers exploited a flaw in Revolution Slider, a WordPress plugin.

At Saucal, we recommend that you use different software systems for different purposes, and keep the connections between them to a minimum. While this sounds counterintuitive and runs against today’s tech philosophy of ease-of-use and integration, remain aware that using only one or two systems and having them connected can pose a significant security risk. If an attacker accesses one software system, they can easily navigate connections to any connected systems.

When you are prompted to update software, do it as soon as you can. Remember, software updates are often security patches, and hackers will exploit any vulnerability a patch is designed to repair.

Use two-factor authentication

Always use two-factor authentication with a service such as Authy, which dramatically increases your security by requiring that you enter a code shown on your mobile or desktop device. Authy codes are delivered by SMS or generated by an app that is linked to the website you are accessing. However, my advice is to avoid SMS if possible, because it’s easy to hijack a SIM. An app on your phone is a better choice.

Consider using an app or service that syncs across multiple devices and can even provide web access, such as 1Password. This approach is really useful, because if you lose your phone you still have access via the web. However, you are slightly less secure because you are saving your encrypted passwords in the cloud – which is essentially someone else’s computer. 

Be careful when giving site access

Give site access only to those who need it – and you need to trust the people who do have access. For example, someone in customer service doesn’t need access to your eCommerce site. If they want to log in, find out why first.

Use strong passwords

Reset your passwords regularly, and use strong ones, because lame passwords will be the death of you.

People ask me about password managers, but I don’t recommend them if you want an ultra-secure setup. I know they offer convenience, and they’re good at generating strong passwords, but with password managers you sacrifice security. Always keep in mind that storing your passwords in the cloud can be dangerous, and what are you going to do if they remove access?

Here are my recommendations for password use and storage:

  1. There is no single right way to manage and store passwords. So develop the most secure system for your business, and combine that with usability.
  2. Keep a local encrypted copy of your passwords and back it up!
  3. I don’t recommend this, but I realize that some people want printed copies of their passwords. If this is you, be sure you keep that copy super secure. As mentioned, don’t rely on password managers because they pose a security risk.
  4. Saving passwords in your browser is a no-no. If your laptop is stolen or hacked, the attacker will have your passwords.
  5. The user is the weak link. If your team members are writing down passwords, work with them to develop a system that’s more secure. 
  6. Stay up-to-speed on password systems and password security.
  7. If password management and/or security is an issue for your business, get assistance from a reputable cybersecurity firm.

Back up files

Back up your eCommerce store weekly, as well as all business files you need and use regularly.

Track site access

If you use WooCommerce, I recommend installing the Activity Log plugin to track website activity. Activity Log is a free activity recording plugin for WordPress-powered websites. It will record modifications to posts and pages, custom post types, media, plugins, themes, WordPress settings, user login and profile changes, and a lot more. Activity Log works with WooCommerce and bbPress websites to keep track of actions on your online store or membership site. Saucal uses Activity Log for all its customer project work. 
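An activity log only pays off if someone reads it with the two questions from the sections above in mind: who is trying to get in, and is everyone who did get in someone who should have access? As an added example that is not part of the original post and not the Activity Log plugin’s code, here is a small Python review script over constructed sample events. The one-line-per-event layout, the `ALLOWED_USERS` list and the `ADMIN_ACTIONS` set are assumptions made for the example; the real plugin keeps its records in the WordPress database and you would adapt `parse_line` to however you export them.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in a made-up "<ISO time> <action> key=value ..." layout.
# This is NOT the Activity Log plugin's storage format; adapt parse_line() to your export.
SAMPLE_LOG = """
2022-03-10T09:12:01Z user_login_failed ip=203.0.113.7 user=admin
2022-03-10T09:12:03Z user_login_failed ip=203.0.113.7 user=admin
2022-03-10T09:12:04Z user_login_failed ip=203.0.113.7 user=administrator
2022-03-10T09:12:06Z user_login_failed ip=203.0.113.7 user=admin
2022-03-10T09:12:09Z user_login_failed ip=203.0.113.7 user=shop
2022-03-10T09:12:15Z user_login ip=203.0.113.7 user=admin
2022-03-10T09:40:00Z user_login_failed ip=198.51.100.22 user=owner
2022-03-10T09:41:30Z user_login ip=198.51.100.22 user=owner
2022-03-10T10:00:00Z user_login ip=198.51.100.5 user=jane.support
2022-03-10T10:05:00Z plugin_activated ip=198.51.100.5 user=jane.support plugin=example-plugin
""".strip().splitlines()

# Assumed for the example: the only accounts that should ever reach the store's admin.
ALLOWED_USERS = {"owner", "admin"}
# Assumed for the example: actions that change the site and deserve a second look.
ADMIN_ACTIONS = {"plugin_activated", "plugin_installed", "user_role_changed", "settings_updated"}


def parse_line(line: str) -> dict:
    """Turn one sample line into a dict; 'ts' becomes a timezone-aware UTC datetime."""
    ts, action, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event["action"] = action
    return event


def failed_login_bursts(events, threshold=5, window_seconds=60):
    """One finding per source IP that produced >= threshold failed logins inside any
    window_seconds span (a sliding window over that IP's sorted failure times)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] == "user_login_failed":
            by_ip[e["ip"]].append(e["ts"])
    bursts = []
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                bursts.append({"ip": ip, "count": j - i + 1, "start": times[i]})
                break  # reporting the first qualifying window per IP is enough
    return bursts


def unexpected_logins(events, allowed_users):
    """Successful logins by accounts that are not on the list of people who need access."""
    return [e for e in events if e["action"] == "user_login" and e["user"] not in allowed_users]


def unexpected_admin_actions(events, allowed_users):
    """Site-changing actions performed by accounts outside the allowed list."""
    return [e for e in events if e["action"] in ADMIN_ACTIONS and e["user"] not in allowed_users]


def review(lines, allowed_users, threshold=5, window_seconds=60):
    """Run all checks over raw log lines and return the findings grouped by type."""
    events = [parse_line(line) for line in lines if line.strip()]
    bursts = failed_login_bursts(events, threshold, window_seconds)
    burst_start = {b["ip"]: b["start"] for b in bursts}
    return {
        "bursts": bursts,
        # a successful login from an IP that was just guessing passwords is the finding to act on first
        "success_after_burst": [
            e for e in events
            if e["action"] == "user_login" and e["ip"] in burst_start and e["ts"] >= burst_start[e["ip"]]
        ],
        "unexpected_logins": unexpected_logins(events, allowed_users),
        "unexpected_admin_actions": unexpected_admin_actions(events, allowed_users),
    }


if __name__ == "__main__":
    for name, items in review(SAMPLE_LOG, ALLOWED_USERS).items():
        print(name, [(e.get("ip"), e.get("user", "")) if "action" in e else e for e in items])
```

On the sample data the script flags the five rapid failures from one address followed by a successful admin login from that same address, the login by a customer-service account that is not on the allowed list, and the plugin activation that account performed. The thresholds are deliberately conservative defaults; tune them to your store’s normal traffic, and treat the allowed-user list as the written version of the "who actually needs access" decision from the section above.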

Audit third-party software

eCommerce stores use a lot of third-party software and programs to perform functions and keep the site running smoothly. All this software is built according to different standards. So while you need the programs and extensions, they can create vulnerabilities. Before you install new software, check reviews, speak to the developers, if possible, and read up on the company that created it. Weigh up the risks and benefits before installing anything on your website. 

If your eCommerce store is on WooCommerce, it is easy to see reviews or check in with the WordPress community for their opinion on the plugin or extension. If possible, use a web developer like Saucal to create custom extensions for your website.

Don’t rely on a single source of traffic

This is a mistake many businesses continue to make, despite lessons from the past. If your traffic comes from only one place, find multiple sources, and fast. Remember how businesses used to rely on Facebook, for example, for all their traffic? That tech giant’s changes to news feed algorithms and page features over the years literally wiped out some small businesses. Make finding diverse sources of traffic a priority. 

Have a cyberattack recovery strategy in place

Hackers are innovative, working hard to exploit every measure designed to protect businesses and eCommerce stores. Have a plan in place so that you can get your store up and running quickly, and reassure customers, if necessary.

Use a reputable host or host your eCommerce store yourself. We recommend VIP for WooCommerce stores. If you’re with Shopify or BigCommerce, you probably know that while they back up their own infrastructure, you’re on your own when it comes to files such as images, invoices, customer purchasing history, and data.

Questions about cybersecurity? Drop them in the comments below and we’ll answer them soon.