Whether you make some, or all, of your income from an online business, protecting that business should inherently be part of your everyday practices. To be clear, we’re not just talking about hackers—far from it. Spam, poorly coded apps, a computer crash or theft, lack of backups, lawsuits, insurance claims, Google algorithm changes, cash-flow fluctuation, and a host of other internal as well as external factors can damage or completely wipe out your business at a moment’s notice.
The good news is that there are a lot of simple things you can do to bulletproof your business, and there are everyday best practices you can employ to harden your business and protect it from the majority of threats you’re likely to face.
This post will cover many facets of protecting your online business, including:
- Security Best Practices & Privacy
- Protection & Encryption
- Prevention & Insurance
- Marketing & Revenue Diversification
- Fraud Prevention
Following along and implementing even some of the recommendations in this post can go a long way in helping you build a longstanding, successful online business while minimizing potential disasters.
Ready to bulletproof your online business?
Get a Private Business Phone Number
If you’re an online business, there will be many occasions where you have to provide and list your phone number, sometimes even publicly.
- Corporation registration
- Credit card processor (which is provided to customers)
- Shipping customs forms
- Vendor applications
As a small business owner—maybe working from home—the only phone number you likely have is for your cell phone. Handing your personal number out to a lot of random people and companies, sometimes to be listed publicly, will begin to feel a bit weird. Eventually, it will also likely lead to a lot more telemarketing calls as your phone number gets scraped from online directories and sold.
That’s where a private business number comes in. Long gone are the days that you need to install a separate line into your home, or even get another cell phone or SIM card. These days, there’s an app for that.
OpenPhone comes in both iPhone and Android apps which allow you to create a new phone number on the fly from your choice of dozens of countries. Plans start at $10 per month for OpenPhone which includes unlimited talk and text and the option of local or toll-free numbers.
Your new private business line works just like your regular phone number: You can make and receive calls from it, text messages, and you even get voicemail. The best part about it? If you ever want or need to change your number, you can do that in seconds.
It’s a small price to pay for such a convenient business service that will help protect your own personal privacy but also make your business seem even more professional.
Get a Private Business Mailbox Address/Service
Much like a private business number, when starting an online business, you’ll be required to list (legally, on some occasions) your business address. If you’re working from home, that means using your home address for things like your business registration (which ends up online for many states/provinces), your email list (it’s required by law to have your physical mailing address at the bottom of all emails), and your domain registration (which ends up online if you don’t purchase, forget, or accidentally let expire, your domain privacy).
That’s where a private business mailing address/forwarding service comes in. There are many of these services available from a wide range of companies, but we recommend Anytime Mailbox. For a relatively small monthly fee (usually about $10+ per month, depending on the location, and they have locations all around the USA, Canada, UK, Europe, and Asia) you can get a proxy address to use for your company. Whenever you receive mail to your Anytime Mailbox, they will bundle it up and forward it all to you (usually once per week), or you have the option to allow them to open your mail for you and they’ll scan it and digitally forward it to you so you can determine whether it’s worth going to pick up or not.
Note: We’re not talking about a PO Box here. Unfortunately, you can’t legally use a PO Box for things like business registrations. There needs to be someone physically present at the delivery address to accept mail on your behalf.
Protect Your Domains (WhoIs Protection)
When you register a domain, you have to supply a valid phone number and address. This is then publicly posted to the WhoIs online database for everyone to see. Again, using your personal cell phone number and your home address isn’t the best idea and there’s no real benefit to posting any of your information publicly.
WhoIs privacy protection is offered by nearly all domain registrars (some are paid services, others offer it for free like Namecheap). When enabled for your domain, your registrar will replace your personal information with theirs. This will prevent your information from being listed publicly and being scraped and spammed by bots.
Use a VPN (Virtual Private Network) on Public WiFi
One of the best things about being an online entrepreneur is that you can work from almost anywhere whether it’s the local corner coffee shop, South America, or the beaches of Bali. The concern with working from somewhere other than home is the relative ease for hackers on the same WiFi to use software enabling them to monitor the traffic and login credentials of other people on the WiFi connection.
Make no mistake about it—public WiFi is a major security risk to your business. Your emails and login credentials can be read in plain text by anyone with a bit of knowledge and some free software.
If you’re going to be working from locations other than your home or office (on secured WiFi) you need to be using a virtual private network (VPN). A VPN is an app you install on your devices and, when turned on, it will encrypt your internet connection, protecting you and your business from prying eyes.
Check out NordVPN for a super easy-to-use (literally, just an on/off switch) VPN. We’ve thoroughly reviewed their service in our Web Security & Privacy Tools to Lock Your Online Life Down article and we recommend them over other VPN services because they’re one of the few that take DNS leaks into account and protect against them.
Encrypt all Your Devices
Just because your laptop has a password enabled, doesn’t mean it’s secure. All someone has to do is remove your hard drive and connect it to another computer to view all your files. If you’ve been saving your passwords in your browser, they can get easy access to those as well, which means your online accounts can also be compromised.
Even a simple trip to the coffee shop can turn into a really bad scenario for your business if someone swipes your computer or smartphone when you’re not looking. To protect yourself, you need to encrypt all of your devices. This will make the data impossible to read without your password.
Here’s how to enable encryption on all of your devices:
- Mac: Enable FileVault in your Settings panel
- PC: Use BitLocker if your computer is compatible. Otherwise, use one of these alternatives
- iPhone: Encryption is enabled automatically with your passcode
- Android: Select the “Encrypt phone” option under Security in your settings menu
Encrypt All Pages of Your Online Stores (SSL)
All online store owners need to protect customer information, especially credit card numbers; the penalties for not doing so are massive. If you’re on a self-hosted platform like WordPress, you’ll need an SSL certificate for your site. Adding an SSL (Secure Sockets Layer) certificate to your store will encrypt all the information between your site and your customer, and vice versa. This keeps hackers from stealing customer credit card numbers and your customer’s information.
If you’re on a hosted platform like Shopify or BigCommerce, they automatically secure your entire website with an SSL certificate so you’re good to go. Shopify automatically creates a new SSL certificate for your store when you add a custom domain (so when you switch from “yourdomain.myshopify.com” to just “yourdomain.com”). BigCommerce offers 3 different SSL certificate options for store owners: you can use the free SSL certificate that BigCommerce automatically adds to stores with custom domains (which is like what Shopify does); if you want additional security features, you can purchase a premium SSL certificate from BigCommerce; or, if you’re on a Pro or Enterprise plan, you can install your own third-party SSL certificate. Learn more about how SSL certificates for Shopify work here and how SSL certificates for BigCommerce work here.
You’ll know if your store is protected with an SSL certificate when the web address shows “https://” instead of just “http://”.
Change Your Passwords
Your passwords are your first and most important line of defense against malicious acts against your brand and business. But if you’re like 98% of people out there, you probably need to change all of your passwords immediately.
Here’s why it’s important to change your passwords, even if you have no reason to suspect they have been compromised.
Let’s say you’re like most people and use the same email as your login and the same password for the majority of services you subscribe to online. One day you sign up to a website or service, and that site doesn’t follow basic security procedures such as storing your password in an encrypted database (this is common). Maybe days, weeks, or even years later, that website is hacked and all the user registrations are stolen (this includes all usernames and passwords).
These usernames and passwords are then entered into a program that’s designed to automatically start trying the same username and password combinations on hundreds of the most popular services online including Gmail, Facebook, Twitter, etc.
You can easily see how vulnerable you are if you use the same username/email and password, right?
Unfortunately, this is a pretty realistic scenario, which is why it’s so important to have a different password for every service. Many people think “Why would someone try and hack me?” but you can see from the example above that it’s not necessarily someone specifically targeting you; it’s just about your username/email and password from a hacked list being fed into a program that can attempt thousands of logins per hour.
When choosing a new password, you’ll want to absolutely avoid anything common or guessable by someone that knows you well. That means using a combination of letters, numbers, and symbols. Even more secure is using passphrases instead of passwords.
What’s a passphrase and how much more secure is it? Check out the comic below, which explains it:
Use a Password Manager
Making up new passwords for all the different online services you use can be a major pain, and they also become nearly impossible to remember and manage. The best and safest alternative is to use a password management app for ultimate security and convenience.
Dashlane is a top of the line password management app that’s free. There is a paid premium version of Dashlane that will allow you to sync your passwords across all devices, however, there’s really no need for most people to sync all passwords to their smartphone and other devices. When you consider most web services you subscribe to, you’ll never need to log into them from your phone regularly (think about it).
Besides storing all your passwords and automatically logging you in, Dashlane also allows you to store secure notes and credit card information, so it can enter all your billing and shipping information instantly and securely.
A few password apps you may want to also consider are:
- Dashlane: Closed-source, free/commercial
- 1Password: Closed-source, commercial
- LastPass: Closed-source, free/commercial
- KeePass: Open source, free
- RoboForm: Closed-source, commercial
Enable 2-Factor Authentication (2FA)
Besides strong passwords, and using unique passwords for every service, enabling 2-factor authentication (2FA) for your most important accounts is your best line of defense against hacks.
2-factor authentication adds a second level of authentication to an account login. By enabling 2FA you’ll have to provide a unique, one-time code (provided through a desktop or mobile app like Authy, or by email or text message) every time you log in. This way, even if a hacker gets hold of your username and password, they still won’t be able to access your account without your authenticator app code.
2FA should 100% be enabled for your email if you use an email service that has 2FA (Google Gmail and Microsoft Outlook both have this feature).
Consider this: If you use a Gmail email address for most of your online accounts and a hacker were to get your email login credentials, they could then just start going to other services (like Facebook, Twitter, etc.) and use the password reset feature to get into all of your other accounts since they have access to your sign-up email account. That’s a pretty scary prospect, so that’s why we recommend at least setting up 2FA for your email account.
Besides your email, you should also turn on two-factor for any other important accounts you have. Here are some of the more popular services that support two-factor authentication along with a link to where to go to set it up:
- Shopify: Enable it in your profile settings, or check out the Shopify documentation.
- Google/Gmail: You can enable it here, or check out Google’s documentation for more info.
- Apple: You can enable it here, or check out Apple’s documentation for more info.
- Facebook: You can enable it here, or check out Facebook’s blog for more info.
- Twitter: You can enable it here, or check out Twitter’s blog for more info.
- Dropbox: You can enable it here, or check out Dropbox’s documentation for more info.
- Evernote: You can enable it here, or check out Evernote’s blog for more info.
- PayPal: You can read more about it and enable it here.
- Microsoft Accounts: You can enable it here, or check out Microsoft’s documentation for more info.
- LinkedIn: You can enable it here, or check out LinkedIn’s blog for more info.
- WordPress: You can enable it and read more about it here.
For a more complete list of services that offer 2FA, check out the Two Factor Auth List.
Watch for Phishing Emails
All this password protection is great, but it’s all out the window if you just give away your username and password—that’s the goal of phishing emails. Phishing emails are legitimate-looking emails that appear to come from services you might be using and that somehow encourage you to go to their website (which usually looks identical to the web service they are pretending to be) and ask you to log in. Except when you enter your information, it’s sent to the hackers.
Modern spam controls built into most email services help protect you from some of these, but not all. It’s up to you to be diligent and make sure you only click links in emails if you are 100% certain it’s from who it appears to be from. If you’re unsure, always open a browser window, type the URL of the service, and log in from there.
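One way to check where a link in an email really leads before opening it, as an added example that is not part of the original post. The trusted-domain list and the sample links are constructed for illustration; the function reports the host the browser would actually contact and why it is or is not one of your services.

```python
from typing import Iterable, Tuple
from urllib.parse import urlsplit

# Assumption: the services this business actually logs in to (constructed list).
TRUSTED_DOMAINS = ("shopify.com", "paypal.com", "google.com")


def check_link(url: str,
               trusted: Iterable[str] = TRUSTED_DOMAINS) -> Tuple[bool, str]:
    """Return (safe_to_open, reason) for a link copied out of an email."""
    trusted = tuple(trusted)
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed URL"
    host = (parts.hostname or "").rstrip(".")

    if parts.scheme != "https":
        return False, "not an https link"
    if "@" in parts.netloc:
        # Everything before '@' is login info, not the site being visited.
        return False, "text before '@' disguises the real host: " + host
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return False, "internationalised host name may imitate Latin letters"

    for domain in trusted:
        # Exact match or a true subdomain: the trusted name must come LAST.
        if host == domain or host.endswith("." + domain):
            return True, "host belongs to " + domain

    for domain in trusted:
        brand = domain.split(".")[0]
        if brand in host:
            return False, "'%s' appears in the host, but the site is not %s" % (
                brand, domain)
    return False, "unrecognised host: " + host


# Constructed sample links (reserved .example names, not real sites).
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",
    "https://www.paypal.com.account-check.example/signin",
    "https://paypal.com@login.example/reset",
    "http://www.shopify.com/admin",
    "https://p\u0430ypal.com/login",  # second letter is Cyrillic, not Latin 'a'
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        safe, reason = check_link(link)
        print("OK  " if safe else "STOP", link.encode("ascii", "backslashreplace").decode(), "->", reason)
```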
Utilize Alias (Or Forwarded) Email Addresses
This is a more advanced step. However, if you want to take your business and online security even further, especially for more important online accounts, you can increase security by using email aliases or forwarded email accounts for your email usernames.
Essentially, if your main email address is “email@example.com” you could register for an online service with an email address like “firstname.lastname@example.org” or—with some services—your other option is to create a forward on the email address “email@example.com” which would be redirected to Mike’s original email address, “firstname.lastname@example.org”.
This way, someone trying to access your important online accounts wouldn’t even know the email address (even if they stole it from another service), since it would only be used with that one account. It’s almost like the email address is acting as a secondary password in itself.
Gmail allows anyone to receive messages sent to “email@example.com”. For example, messages sent to firstname.lastname@example.org are delivered to email@example.com. You can set up filters to automatically direct these messages to Trash, apply a label or star, skip the inbox, or forward to another email account. It should also be noted that this also works for Outlook email users.
If you’re using your own domain with Google Apps, click here to learn how to set up email address aliases. If you’re using another email service, check their docs and FAQs to learn how you can set up forwarded email addresses or aliases.
Use Disposable Emails to Test New Online Services
Speaking of email, although not directly related to security, this tip is worth mentioning as it’s still important. There’s an insane amount of new tools, apps, and services created every day. How many times have you signed up to a new tool just to try it and end up never using it again? It’s really helpful to use a fake email service like Mailinator or 10 Minute Mail to create an instant and disposable email address to test services before you commit.
Using one of these disposable email services to test new services can go a long way in preventing your email address from being spammed and added to an endless list of newsletters, crowding your email inbox.
Backup All The Things!
You’ve been told to back up your files for years, much like your dentist has been telling you to floss for years. If you’re like most people, you rarely do it—if ever—but as an online business owner, you’re no longer dealing with old college term papers and photos of keg stands. You have a business to protect and, when all else fails, backups are the only thing that can make your world right again.
Probably the best form of backing up the day-to-day files you use for your business is to use Sync, Dropbox, Google Docs, or a similar cloud-based file backup platform. This way, your files are always accessible from any computer, always updated, and they’re shareable. As we discussed in our From This to That: 15 Popular Apps We Left for Greener Pastures article, we prefer to use Sync because they add an extra layer of security and privacy by encrypting everything.
Of course, these services aren’t the best for everything, so a full, automated, local backup is always a smart decision. There’s a wide variety of tools and apps that will do this for you, including Time Machine on Mac.
There are reasons to back up your online store beyond recovering from potential hacks. Altering your theme settings and installing apps can both potentially mess up your store pretty badly. Even uninstalling apps can leave messy code in your theme files which can still cause conflicts. Keeping regular backups of your store can save your business in the event that things go to hell.
For information on backing up your online store through your hosting provider, check out the links below but to automate your store’s backup process at all times, check out Rewind (Rewind Review). They’re an essential backup service that we recommend all business owners use and they integrate directly with Shopify, BigCommerce, MailChimp, and Quickbooks so you don’t even have to think about your backups until you need them.
- How to Backup Your Shopify Store
- How to Backup Your BigCommerce Store
- How to Backup Your WordPress Site
If you actually organize your bookmarks, they are more likely to be a big part of your productivity as you hop from website to website throughout the day. Exporting a backup of your bookmarks and saving them in Dropbox or on a USB key can save you a lot of time and hassle down the road should you lose them for some reason.
Start early and be diligent about backing up your receipts. While the old throw-them-in-a-shoebox trick worked well for the last 100 years, times have changed and there are better ways now to backup receipts for your business and for the taxman. Apps like Shoeboxed allow you to forward email receipts, upload PDF documents, or take a photo of receipts with your smartphone to have a permanent, digital backup, categorized in the cloud. This will make your life, your bookkeeper’s life, your accountant’s life, and the tax man’s life much easier. Shoeboxed even has a free plan for those of you just starting your business.
Password Manager Archive
Most password manager apps (like Dashlane) allow you to save an encrypted archive of your passwords. This archive can be saved on another computer or USB key in case you lose your computer or it’s stolen. Making an update of your password archive once every few months can save you a lot of time and hundreds of password resets, should anything go wrong. Of course, the premium version of Dashlane and other password manager apps will automatically backup your passwords to the cloud in real-time. Regardless, it’s not a bad idea to keep a real backup for yourself every once in a while.
Learn to Identify Fraudulent Orders
Fraud can take your entire business out in more ways than one, just ask Soulja Boy. A high number of fraudulent charges can not only cost you a lot of money, but they can also have credit card processors rejecting you, leaving your business with no way to process payments or very high rates that make your business unfeasible.
Different businesses carry different levels of risk. The best thing you can do to protect your business is to prevent fraud from happening right from the beginning.
Here are some major red flags to be cautious of when reviewing orders:
- Different shipping/billing address
- The IP address of the order is different than the region being shipped to
- Addresses are different on big-ticket items
- Customer does not respond
- Repetitive orders
- Big-ticket orders overseas
- Shipping address looks odd
- Express shipping
Second-guessing and following up with each of these red flags can help you prevent fraudulent orders and keep you on good terms with your credit card processor. In addition, you may also want to consider some of the apps that are available to further protect you and your business.
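The red flags listed above can be turned into a simple review queue; this is an added example, not part of the original post or any store platform's API. The `Order` fields, the thresholds, and the sample orders are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumptions for this sketch; tune them to your own store.
BIG_TICKET = 500.00   # order total treated as "big-ticket"
HOME_COUNTRY = "US"   # anything shipped elsewhere counts as overseas
REPEAT_LIMIT = 3      # orders from one email in a batch before it looks repetitive


@dataclass
class Order:
    order_id: str
    email: str
    total: float
    billing_address: str
    shipping_address: str
    shipping_country: str
    ip_country: str
    express_shipping: bool = False
    customer_responded: bool = True


def _norm(address: str) -> str:
    """Ignore case, commas and spacing when comparing addresses."""
    return " ".join(address.lower().replace(",", " ").split())


def red_flags(order: Order, batch: List[Order]) -> List[str]:
    """Return the red flags from the list above that apply to one order.
    'Shipping address looks odd' is left to a human reviewer."""
    flags = []
    mismatch = _norm(order.billing_address) != _norm(order.shipping_address)
    big = order.total >= BIG_TICKET
    repeats = sum(1 for o in batch if o.email.lower() == order.email.lower())
    if mismatch:
        flags.append("different shipping/billing address")
    if order.ip_country != order.shipping_country:
        flags.append("IP region differs from shipping region")
    if mismatch and big:
        flags.append("address mismatch on big-ticket order")
    if not order.customer_responded:
        flags.append("customer does not respond")
    if repeats >= REPEAT_LIMIT:
        flags.append("repetitive orders")
    if big and order.shipping_country != HOME_COUNTRY:
        flags.append("big-ticket order overseas")
    if order.express_shipping:
        flags.append("express shipping")
    return flags


def review_queue(batch: List[Order]) -> List[Tuple[str, List[str]]]:
    """Orders with at least one flag, most-flagged first, for manual follow-up."""
    flagged = [(o.order_id, red_flags(o, batch)) for o in batch]
    flagged = [item for item in flagged if item[1]]
    return sorted(flagged, key=lambda item: -len(item[1]))


# Constructed sample orders (not real customer data).
SAMPLE_ORDERS = [
    Order("A1001", "ana@example.com", 42.00, "12 Oak St, Austin, TX",
          "12 oak st  austin tx", "US", "US"),
    Order("A1002", "buyer77@example.net", 1899.00, "9 Elm Rd, Denver, CO",
          "Unit 4, 88 Harbour Way", "CA", "GB",
          express_shipping=True, customer_responded=False),
    Order("A1003", "buyer77@example.net", 60.00, "9 Elm Rd, Denver, CO",
          "9 Elm Rd, Denver, CO", "US", "US"),
    Order("A1004", "Buyer77@example.net", 60.00, "9 Elm Rd, Denver, CO",
          "9 Elm Rd, Denver, CO", "US", "US"),
]

if __name__ == "__main__":
    for order_id, flags in review_queue(SAMPLE_ORDERS):
        print(order_id, "->", "; ".join(flags))
```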
Diversify Your Advertising & Marketing Channels
Diversifying your advertising and marketing channels is critical. Experienced internet marketers have learned time and time again that no single channel can be counted on to build a long-term sustainable business.
Consider the following:
- Facebook Page reach has decreased exponentially in the last few years. A post that used to reach 30%+ of your fans now reaches 1-2%.
- Facebook Ads is always changing and sometimes things happen. We’ve heard from many business owners that have had their ad accounts shut down without warning, sometimes for a few weeks until things are sorted out, other times permanently for violations.
- Google is always changing their ranking algorithm. A major update from Google can wipe out your organic traffic overnight.
- Twitter has begun filtering their news feed, meaning your tweets will likely be seen by far fewer of your followers.
The list goes on but the impact is the same for your business, potentially leaving you high and dry if your one and only marketing channel dries up.
Diversify Your Revenue Streams
Similar to having multiple advertising and marketing channels, diversifying your revenue streams is critical to the health of your online business. Remember, different revenue streams keep your cash flow more consistent and immune to shocks and bumps. This is important because ecommerce stores generally run on thin margins. As the saying goes, lack of profitability is like cancer, it will kill you over time, lack of cash flow is like a heart attack, it will kill you right away.
There are several ways to expand on your revenue streams and bulletproof your cash flow. Let’s take a look at some options:
- Sell on More than One Channel: If you currently just sell on a marketplace like Amazon or Etsy, you should also consider building your own brand and selling through your own branded store. This can protect you in case your primary marketplace shuts down your account (which happens often). Vice versa, if you only sell through your online store, also selling on a marketplace can help if organic traffic to your site ever tanks due to a hack or Google algorithm update. Finally, there are always offline options as well to further diversify your revenue streams like selling at trade shows, pop-up shops, or opening your own physical storefront.
- Direct-To-Consumer & Wholesale: If you currently only sell direct to consumers, selling wholesale to other small stores can give you an additional and steady revenue stream that is more immune to shocks and bumps.
- Different Geographic Regions: Selling to just one geographic region can impact you in many ways. Seasonality, the volatile exchange rate, economy, new regulatory restrictions, etc. of a country can also have an impact on your business if you only sell to one country. Catering to multiple countries can help you even out your cash flow year-round and make your business more resilient to economic, political, and seasonal bumps.
Consider Business Liability/Inventory Insurance
An online business generally experiences much lower risk if you don’t have a physical storefront that customers are entering. However, there are still risks involved that make having insurance an important consideration for every online entrepreneur.
In general, there are two major risks: The first is the liability of the products you sell. Should the products you sell harm or injure a customer, you may be held liable for those damages. Even if you’re reselling another brand’s products, you may still be liable.
The second major risk is theft or damaged product/inventory. If you manufacture products or purchase wholesale, you’ll have to store your inventory somewhere. Whether that’s in your home, a factory or a warehouse, you run the risk of your inventory being stolen or damaged (like in fire or flood). Business insurance can help protect you from these events.
Your best course of action is to speak to a qualified lawyer about your business and products to better understand your potential exposure. From there you can make a better decision as to when is the right time to purchase insurance for your business.
Invest in Trademarks, Copyrights & Patents
Trademarks, copyrights, and patents are all a form of insurance and protection for a business. Let’s first take a quick look at what the difference is between all three:
- Trademarks: Protects brands
- Patents: Protects inventions
- Copyrights: Protects intellectual property/artistic work
To get a better understanding of the differences, visit the USPTO (United States Patent & Trademark Office) website.
Registering a trademark, patent, or copyright takes time and money. It’s also not for every business but it may be the right choice for certain businesses at certain times. Your best bet is, again, to talk with a lawyer who specializes in the protection you’re looking for to better understand exactly how much it will cost and when the right time is for you to register it for your business. Make sure to check out our legal resource roundup for your best options to find a lawyer to help you.
Starting an online business is one thing, but building a long-term, sustainable, and defensible business is a completely different thing. No matter what type of business you run, you’ll always face threats to it. That’s why it’s important to spend some time identifying your business’ weaknesses so you can properly defend yourself upfront against the majority of issues that will arise.
Following the topics outlined in this post, you’ll create a much more robust, secure, and healthy business which you’ll be able to grow for years to come.