Having an AWS environment or using Shopify does not mean your business is cyber secure.
A lot of online businesses don’t think too much about their security. Someone else takes care of that, right? Unfortunately, that’s not quite the case. Whether your business uses a managed service provider (MSP), Shopify, AWS or another platform, you need to be aware that there are limitations to how much these providers can protect you and your business.
Most of these services do put a lot of effort into security. They have to, because if their clients were constantly being attacked, there would be a huge rush to their competitors. Trusted MSPs will have secure infrastructure, devices, computers and software in place, taking care of updates, patching, auditing and a number of other important aspects of your security.
No one denies that Shopify does a lot to keep client data secure. For example, it’s compliant with the Payment Card Industry Data Security Standard (PCI DSS) and equipped with firewalls to protect its systems. Its accounts come with free SSL certificates, and it also offers vulnerability management and access control tools. On top of this, it has a bug bounty program which it uses to seek out security flaws.
AWS takes its security seriously as well, providing strong “security of the Cloud”. This means that it takes care of security for the hardware, software, networking and other aspects of the Cloud service.
All of these services can be great, taking a lot off your plate when it comes to your security. But that doesn’t mean that they can keep you safe from all cyber attacks.
What Are Your Security Responsibilities?
To start with, you need to be aware that not all MSPs are created equal and some may not take your security as seriously as necessary. Do your research beforehand to make sure that you commit to a reliable provider.
An MSP will not be responsible for the security of your website or the security practices of your people. What many businesses fail to grasp is who is actually responsible for the security of their data. Having a provider issue new laptops to your employees is not going to prevent your website from suffering an SQL injection attack and customer data being stolen. These potential security gaps are only identified by a deep security review or penetration tests – and MSPs just don’t do that kind of work.
Even if you are using the services of a trusted provider, there are still a number of ways that you can be attacked. Insiders, such as disgruntled employees who already have access to your systems, may decide to steal your data or bring down your business from the inside. If you have weak passwords, external attackers can brute-force their way in to exfiltrate data and commit other cybercrimes.
Likewise, despite Shopify’s many protections, it cannot stop insider threats or hackers from busting open weak passwords and trawling through your data. The same goes for AWS: depending on which cloud service a client uses, they may have significant security responsibilities. Amazon EC2, Amazon VPC and Amazon S3 each leave all of the security configurations and management tasks up to the client.
No matter how much of your operations you delegate to outside services, your online store will always have its own responsibilities when it comes to security. These may be as simple as employing good password management and reducing access privileges to only what’s necessary.
The important thing is to recognise what your responsibilities are, so that they don’t get neglected. The last thing you want is to suffer a devastating breach, then have your service provider pointing to the fine print in the contract, telling you it’s not their problem.