When you run your business online, privacy and security are always top of mind: keeping your accounts, passwords, user permissions, and access safe from bad actors. To help prevent unauthorized account changes, this article covers:
- Account Sharing
- Password Security
- Multi Factor Authentication
- User Access Auditing
- PCI Compliance Responsibilities
- OMG Trust Center
- Additional Resources
Account Sharing
Unfortunately, shared accounts are at significant risk of being compromised, as they rely not only on good security practices for an individual, but on the hope that all such connected individuals maintain good security practices themselves (and that none of them are compromised by other means). Additionally if a user leaves or is terminated from your organization, a shared account is not easy to disable as other people may still need access to it.
On both the Pop-Up and Company Stores platforms, OrderMyGear does not charge for the creation of new user accounts, nor do we impose any limitation on the number of users that can be connected to a business’s account. Consider creating a new user if someone needs access to your account, rather than sharing login credentials.
Password Hygiene & Security
Passwords are the keys to your account. They should be stored securely and never shared. OrderMyGear staff will never ask for your password. There are several things you can do to ensure your account is kept safe with good password practices, including:
- Use impersonal passwords that incorporate numbers, letters, and special characters
- Passwords should be a minimum of 8 characters, ideally at least 12
- Use unique passwords for every different login
- Use password managers (such as 1Password, Dashlane, or Apple’s Keychain) to store your passwords, instead of writing them down or trying to remember them all!
Multi Factor Authentication
Multi Factor Authentication (also known as MFA, dual-factor authentication/DFA, or two-factor authentication/2FA) is one of the most important steps you can take to ensure your account is safe, even if your password is stolen or leaked. OrderMyGear recommends using MFA everywhere it’s supported - and OrderMyGear mandates that all employees & contractors use MFA when available.
When setting up MFA through Company Stores, it’s highly recommended you use the app MFA method - SMS/text messages are better than nothing, but they are not considered a secure method of communication. OrderMyGear uses MFA to secure your account, which will be triggered when a login is detected under any of the following circumstances:
- New device: a login is detected from a device that hasn’t been used to access your account in the last 30 days.
- Impossible travel: a login is detected from a location that’s too far away from a very recent previous login location.
- Untrusted IP: a login is detected from a suspicious IP address.
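The three triggers above, written out as a risk-based step-up check over constructed login events (an added example, not OrderMyGear’s own code; the 1,000 km/h travel ceiling, the untrusted-IP list and the event format are assumptions):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Login:
    user: str
    device_id: str
    ip: str
    lat: float
    lon: float
    at: datetime

NEW_DEVICE_WINDOW = timedelta(days=30)   # from the article: device unseen for 30 days
MAX_TRAVEL_KMH = 1000.0                  # assumed plausibility ceiling (airliner speed)
UNTRUSTED_IPS = {"203.0.113.7"}          # constructed deny-list (TEST-NET-3 address)

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), Earth radius 6371 km."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def mfa_triggers(history, login):
    """Return the reasons (possibly none) why this login should be challenged with MFA."""
    prior = sorted((h for h in history if h.user == login.user and h.at < login.at), key=lambda h: h.at)
    reasons = []
    if not any(h.device_id == login.device_id and login.at - h.at <= NEW_DEVICE_WINDOW for h in prior):
        reasons.append("new device")
    if prior:
        last = prior[-1]
        hours = max((login.at - last.at).total_seconds() / 3600, 1 / 3600)  # avoid divide-by-zero
        if distance_km(last.lat, last.lon, login.lat, login.lon) > MAX_TRAVEL_KMH * hours:
            reasons.append("impossible travel")
    if login.ip in UNTRUSTED_IPS:
        reasons.append("untrusted IP")
    return reasons

# Constructed sample data: one prior login from Dallas on a known laptop.
T0 = datetime(2024, 5, 1, 9, 0)
DALLAS, LONDON = (32.78, -96.80), (51.51, -0.13)
HISTORY = [Login("store-admin", "laptop-1", "198.51.100.10", *DALLAS, T0)]

def demo():
    """Evaluate four constructed follow-up logins against HISTORY."""
    return {
        "same_device": mfa_triggers(HISTORY, Login("store-admin", "laptop-1", "198.51.100.10", *DALLAS, T0 + timedelta(days=1))),
        "new_device": mfa_triggers(HISTORY, Login("store-admin", "phone-2", "198.51.100.10", *DALLAS, T0 + timedelta(days=1))),
        "far_away": mfa_triggers(HISTORY, Login("store-admin", "laptop-1", "198.51.100.11", *LONDON, T0 + timedelta(hours=1))),
        "bad_ip": mfa_triggers(HISTORY, Login("store-admin", "laptop-1", "203.0.113.7", *DALLAS, T0 + timedelta(days=1))),
    }

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'MFA required: ' + ', '.join(reasons) if reasons else 'no challenge'}")
```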
At this time, Pop-up clients will have MFA enabled by default using the user’s email address for verification, and Company Stores or dual-license clients can configure further MFA settings via the Company Stores platform.
User Access Auditing
Staff come and go — some get promoted, some get reorganized, some leave. Whenever there are changes in personnel status, it’s a best practice to review who has access to your accounts and with what level of permission. Perhaps you’ve bought a business but the old owner is still listed as a user; if that user can still log in, they could have a dangerous level of access that they should no longer have. Maybe there’s an employee who previously handled matters requiring a certain level of permission within the platform, but who no longer performs those duties; if that’s the case, it’s a good idea to make sure their level of access is appropriate for the kinds of tasks they need to perform, and that they don’t have excessive or extraneous permissions (for example, someone who no longer handles billing no longer requires access to invoicing and deposit information, and can have their access to that information safely revoked).
PCI Compliance Responsibilities
While OrderMyGear is PCI Compliant, it is also the responsibility of your organization to complete & maintain PCI (Payment Card Industry) compliance, if you accept credit cards. If you do not accept credit cards you do not need to be PCI compliant. For additional information on Merchant PCI compliance, please see https://www.pcisecuritystandards.org/merchants/
OMG Trust Center
If you have any additional questions on OrderMyGear’s security posture, please check out our Trust Center at https://trust.ordermygear.com or reach out to your CSM!
Additional Resources
Please take advantage of these resources to bolster your security education and boost your confidence in how OMG protects you and your business’s information on our platforms:
- Setting up new users on Pop-Up
- Setting up new users on Company Stores
- Setting up MFA on Company Stores