Essential advice for securing your small startup

Jeff Bezos’ phone was hacked. And if the richest person in the world is vulnerable, chances are good that your startup could get hacked, too.

The good news is that, as a tiny company, you’re not a big target. But as soon as you hire your first employee, it’s time to think about adopting basic security practices to ensure that you’re less vulnerable. Nothing is perfectly secure on the internet, but you can mitigate risk.

When you have fewer than 10 employees, you don’t want to use a single sign-on service like Okta. Solutions that work great for companies with tens of thousands of employees are not practical because they’re not designed for you.

As a basic rule, you want things to be simple by design. Relying on fewer services will reduce your attack surface, and if people can follow rules without even thinking about them, your organization will be less vulnerable. You might be great at spotting phishing attempts and securing your own accounts, but your startup is only as secure as your least-savvy employee. Most security issues come from human error.

1. Force two-factor authentication everywhere

Your startup relies on multiple tools to communicate and collaborate. For instance, you might be using G Suite for your emails, calendars and documents, Slack for your conversations, GitHub for your code repositories, HubSpot for your CRM and so on.

All your employees have an account on all those services. As admin, you can force users to enable two-factor authentication when they create an account or the next time they sign in. Enable that.

2. Use a password manager for teams

There are two reasons why a password manager for teams is useful. First, it helps employees generate unique and secure passwords for every service they use. Second, you can more easily share credentials with the rest of the team.

1Password, Dashlane, LastPass and others now all offer team plans. You can create a shared folder for your shared logins (Twitter, Instagram, etc.).

3. Keep a list of the services you use

One of your employees might need to use a very specific tool. Make sure you don’t forget about those tools as they could be connected to some critical services with API tokens.

When you only need one account for a service, always use the same email address — it could be the CEO’s email address, for instance. This way, if an employee leaves the company and you need to delete that account down the road, you can still access the account.

4. Secure laptops and phones

Require employees to create strong and unique passwords for their laptops, such as a multiple-word phrase. They should also change their settings to require a password after the screen saver turns on — remind them not to walk away from devices with active screens.

Both macOS and Windows have built-in encryption features that are transparent for users; your employees should enable FileVault on macOS and BitLocker on Windows. This way, if somebody steals their laptop, they can’t access data on the hard drive.

On the smartphone front, tell your employees to use a strong passcode (at least six digits). Your employees should keep smartphones and laptops up to date to get the latest security patches.

You can also tell Mac and iPhone users to enable iCloud and Find My Mac/Phone. If they lose their devices, they can be remotely wiped.

5. Be careful with cloud servers

Your most sensitive data could be hosted on Amazon Web Services, Microsoft Azure or Google Cloud. Managing rights on those services can be complicated, as they have been designed for large companies.

Your employees shouldn’t be super admins on your cloud-hosted services. Instead, you can create an admin account with sufficient rights, share that account with your employees through your password manager and protect it with a physical second factor, such as a YubiKey. It’s not perfect, but it works…

6. Deactivate accounts when employees leave your company

It sounds simple, but don’t leave dormant accounts behind.
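The service inventory from section 3 is what makes this step workable: if you know which services each person holds a seat on, which address each service is registered under and which integrations hold API tokens, offboarding becomes a checklist you can generate rather than remember. The script below is an added illustration, not part of the original article; the shared mailbox address, the service names and the sign-in dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumption: the one mailbox every single-seat service is registered under (section 3).
SHARED_MAILBOX = "ceo@example.com"


@dataclass
class Service:
    name: str
    owner_email: str                      # address the service was registered with
    last_login: dict[str, date]           # employee email -> last sign-in on this service
    api_tokens: list[str] = field(default_factory=list)  # integrations holding a token for it


def offboarding_actions(inventory: list[Service], leaving: str) -> list[str]:
    """Everything that must happen on the day an employee leaves."""
    actions = []
    for svc in inventory:
        if leaving in svc.last_login:
            actions.append(f"deactivate {leaving} on {svc.name}")
        if svc.owner_email == leaving:
            # The service itself is registered to the leaver: ownership, not just a seat, is at stake,
            # and any token issued under that account should be rotated.
            actions.append(f"transfer ownership of {svc.name} to {SHARED_MAILBOX}")
            actions.extend(f"rotate API token '{tok}' on {svc.name}" for tok in svc.api_tokens)
    return actions


def dormant_accounts(inventory: list[Service], today: date, max_idle_days: int = 90) -> list[tuple[str, str]]:
    """(service, user) pairs nobody has used recently: candidates for removal."""
    return [(svc.name, user)
            for svc in inventory
            for user, seen in svc.last_login.items()
            if (today - seen).days > max_idle_days]


def registration_gaps(inventory: list[Service]) -> list[str]:
    """Services registered under a personal address instead of the shared mailbox."""
    return [svc.name for svc in inventory if svc.owner_email != SHARED_MAILBOX]


# Constructed sample inventory (not real accounts or dates).
INVENTORY = [
    Service("GitHub", SHARED_MAILBOX,
            {"alice@example.com": date(2024, 5, 30), "bob@example.com": date(2024, 1, 10)}, ["ci-deploy"]),
    Service("HubSpot", "bob@example.com", {"bob@example.com": date(2024, 5, 28)}, ["zapier-sync"]),
    Service("Slack", SHARED_MAILBOX,
            {"alice@example.com": date(2024, 6, 1), "bob@example.com": date(2024, 6, 1)}),
]

if __name__ == "__main__":
    for line in offboarding_actions(INVENTORY, "bob@example.com"):
        print(line)
```

Running it for the departing `bob@example.com` lists his three seats to deactivate, flags HubSpot as registered under his personal address and marks its integration token for rotation; the dormancy check separately surfaces a GitHub seat unused for months.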

7. Discuss best practices

Make sure someone is in charge of security, even if it’s not their full-time job. When it comes to security, it’s an ever-changing landscape. This person could create a recurring meeting in their calendar to evaluate the company’s current security practices.

You can write a short security guide in your onboarding documentation and consider discussing security at the end of team meetings to make sure everyone is on the same page. For instance, it’s important to remind everyone that work should only be discussed over Slack or their professional email addresses.

Tell employees not to discuss confidential information in Messenger, Telegram, WhatsApp and other messaging apps and instruct them to be careful when they create a public URL for a Google Doc and open it to everyone on the internet. Have you advised employees against leaving their laptop unattended or open while in a coffee shop?

Simple conversations like that can create a positive culture when it comes to security. It doesn’t necessarily make everyone’s job more difficult, and it’s a great way to prove that everyone cares about what your startup is building.