
Five cyber security tips for a start-up

17:12 03 April in cloud security, Cyber security, Incident Response, Management, monitoring, Password manager, Patching, Privacy, staff awareness

So you’re a start-up and you’re worried about security. Well, caring about cyber security is a good thing, and doing so right at the beginning means you can start right now and ensure you maintain the good practice as you grow. Retro-fitting good security is very hard – building it in from the beginning is pretty easy.

You’re probably going to use cloud services quite a lot, and in fact if you can avoid building too much ‘on premise’ stuff, I’d recommend it. There are clearly some risks involving cloud services – but they take away a lot of the pain of managing and updating operating systems and software, which is onerous at the best of times but even more so when you’re running a barebones operation and trying to get a business off the ground.

So, recommendation #1 – turn on two factor authentication (2FA) for every service you use, and make 2FA support (and security more generally) a factor in your choice of service provider. 2FA means you need a password and something else to log in. That ‘something else’ can be a code sent to you by text message, a code generated by an app on a smartphone, or a physical hardware key you plug into a USB port. These are not all equal: text message codes can be intercepted by an attacker who takes over your phone number (a ‘SIM swap’), so prefer an authenticator app, and prefer a hardware key where the service supports one, since a key will not hand its response to a look-alike phishing site. Any of them makes life much harder for anyone trying to compromise your cloud accounts.

Recommendation #2 does the same – have everyone use a password manager. Unique passwords are very important. If you use the same password across multiple accounts, then if (or more accurately when) one of them is breached, attackers will try that email address and password against every other popular service (known as credential stuffing), and they essentially have the key to every other account you created with the same password. Password managers make life easy – they generate and store passwords for you, so every one is unique, and you won’t create a weak password or one built from dictionary words. I use and like 1Password from AgileBits (I have no commercial relationship with them beyond paying them for their software), but plenty of others are available.

Recommendation #3 – we’re moving away from cloud services here and getting more tangible. However ‘cloudy’ you are, you and your staff are going to need physical devices, and you need to make sure these meet a basic set of security requirements. If you provide the devices, that responsibility is yours. If you allow people to use their own, the responsibility sits with them, but you should give them clear written guidance on what is expected. As a minimum, for laptops I’d mandate full-disk encryption (BitLocker on Windows, FileVault on macOS), keeping the operating system and applications up to date, and running antivirus. For phones and tablets, make sure they have a passcode, are kept up to date, and can be remotely wiped if lost or stolen.

Recommendation #4 – identity isn’t something you think about much when you are only a handful of people, but once you grow beyond a very small company, managing who has access to what, and how to take it away when they leave, becomes a tricky problem. There are services that take this pain away: you create a new user once, give them access to your O365 and GitHub environments (or whichever services you use), mandate 2FA for all of them, and then disable their access in one place when they leave. This may sound wildly unnecessary, but managing identity is a huge problem for lots of organisations, and doing it retrospectively can be a massive challenge. For an idea of what I mean take a look at Okta – you can get a feel for the power of this kind of tool and how it might make your life easier (I’m not endorsing Okta here; there are other providers, and if you’re an O365 or Azure user you can use Microsoft’s own identity service).

Recommendation #5 – have a look at the National Cyber Security Centre (NCSC) website. Even if you’re not UK based and never intend to sell to the UK, their advice is worth following. Also consider getting the ‘Cyber Essentials’ certification (or following the standard even if you don’t want the tick in the box for compliance). It was originally aimed at small businesses and walks you through clear steps for meeting a good baseline standard of cyber security. The NCSC also publish lots of other good guidance and regular updates.

I hope that’s all useful. A small amount of effort in the early days of your company will make life massively easier later on!

Thanks for reading,


If you want any information about our cyber security monitoring services, or any other security advice for your business please don’t hesitate to contact us!