While you can read our full guide to start-up security, we figured it would be easier to digest and apply the best practices in smaller chunks. So, we broke up our full guide into four parts. This is Part 1.
Introduction: PPT Rules Everything Around You (for better or worse)
People, process, and technology (PPT) can be used to help you break down and assess your security approach and architecture at your company. More specifically, you can assess your security practices through the lenses of operational (people and processes) and application and infrastructure (technology).
Operational Security: It’s All About the People and Processes
Foster a Blameless Security Culture
1. Not just for airports – See something, say something: Empower everyone to speak up without fear whenever they see or suspect a security issue, even if it looks trivial or if they inadvertently caused a security issue. Mistakes happen, and it’s better to fix them immediately, instead of hiding them.
2. Appoint and/or hire a “Security Czar”: Have one person be the go-to person for all things security, and ensure they’re empowered to enforce and foster security best practices across the company (exec team support is key).
3. Ensure security awareness training (but don’t turn it into a speedrun): A lot of security awareness courses consist of “common sense” info, but they help reinforce security best practices and remind people of them. PagerDuty has solid open-source security training courses if you don’t want to pay for a course.
Extend that Culture to Safeguarding Your Customers’ Data
1. MFA everything: ’nuff said.
2. Encrypt all company-issued laptops and phones: Always do it before new employees start (and save those encryption keys).
3. Use an SSO provider and password manager: They streamline and centralize account management for your employees, and make on/offboarding easy. They also minimize risk even further by ensuring that every user remembers only one set of credentials for logging in. Combine them with MFA to be even more secure. For SSO, you can’t go wrong with providers like Okta and OneLogin. And for password managers, 1Password and Dashlane are solid. Whichever you decide on, always do your due diligence and check 1) which providers have had security incidents and breaches and 2) what their security incident response plans entail.
4. Make locking computers a company-wide habit and game: Sure, it’s hilarious setting a screenshot of your co-worker’s desktop as their wallpaper so they try to open folders from their desktop for two days. But, it’s not a laughing matter when unwelcome outsiders get physical access to an unlocked computer.
Having a Plan is Better than No Plan (esp. When You Get Proverbially Punched in the Face)
1. An efficient incident response plan: Your plan should be optimized for the fastest response, especially for whomever the point person is at the time of a breach / crisis. Keeping it to the three “Who’s” (“Who’s in charge?”, “Who do we call?”, and “Who can help?”) keeps it simple and actionable for everyone involved (credit to security legend Ryan McGeehan’s playbook).
2. Create an infosec plan and update it every year: Despite Mike Tyson’s famous take on plans, keeping these two things in mind makes scaling your security efforts that much easier:
- Have an internal security policy defining who’s responsible for security and whom they should go to for all things security.
- Create a company scaling event checklist, e.g., for when the sales team doubles in size in two months, or when the company onboards at least two people a month across several departments.