The MVP of Security

In the rush to build new features, sign new clients and rule the world, it's easy to forget about IT security. We either forget about it or deliberately decide that it doesn't deserve much care.

Because we all know what security means. Tons of passwords, lots of rules to follow and no trust in anyone except ourselves.

We tend to explain to ourselves that we don't live in the enterprise world. We don't need physical security or access control to services we use. It's against the spirit of transparency, teamwork and getting things done.

What this way of thinking misses is that security doesn't mean binding the whole company with stiff rules and procedures. There are many things we can do to improve our security that don't take too much effort.

Let's take a look at the most common mistakes startups make.

Logins & Keys spreadsheet

A lot of people using Google Apps know this picture: a shared list of credentials to various services, stored in a Google Sheet or Evernote. Company transparency and all this kind of stuff.

What was the password to our Stripe account?
Just look it up in the spreadsheet.

Though this is an easy way to make passwords accessible to anyone who may need them, it's just as easy for the information to get into the wrong hands.

In addition to the fact that these passwords are unencrypted, the spreadsheet can accidentally be shared with someone outside the organization (especially if it's shared with everyone who has the link, see below) or be accessed by an employee who was recently fired.

How to solve that?

There are many password managers on the market (e.g. LastPass or TeamPassword) that are designed to share passwords across teams. They take care of encrypting them and make sure that only the right people are able to access them. Also, they integrate nicely with web browsers and make it easier to fill in login forms on websites.

Publicly shared Google Docs

That's another pattern commonly seen among Google Apps users, especially when sharing documents with people outside of their organization, e.g. clients or business partners.

A publicly accessible document can easily get into the wrong hands

There's an option allowing everyone with the link to anonymously access the document. It lets you send the link through IM or email, but it also makes it possible for these people to forward the link. In the end, you'll never know who's got access to it.

As uncomfortable as typing every recipient's email address when sharing the doc is, it's worth the hassle. Also, people you forgot to add can still easily request access to the doc.
And those whose email addresses are outside Google can create a Google account in 2 minutes.

People that aren't permitted to see the document can still ask us for permission

What it leaves us with is peace of mind that we know exactly who's accessing our documents and we can easily revoke access in case something goes wrong.
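An added example (not part of the original post) of auditing for the sharing pattern described above. It assumes file metadata exported in the shape of a Google Drive API v3 `files.list` response with the `permissions` field requested; the sample listing is constructed and `example.com` stands in for your company domain.

```python
import json

COMPANY_DOMAIN = "example.com"  # assumption: replace with your own domain

# Constructed sample, shaped like a Drive API v3 files.list response with
# fields=files(id,name,permissions(type,role,emailAddress,domain)).
SAMPLE_LISTING = json.loads("""
{"files": [
  {"id": "f1", "name": "Logins & Keys", "permissions": [
    {"type": "user", "role": "owner", "emailAddress": "ann@example.com"},
    {"type": "anyone", "role": "writer"}]},
  {"id": "f2", "name": "Client proposal", "permissions": [
    {"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
    {"type": "user", "role": "reader", "emailAddress": "cto@client.test"}]},
  {"id": "f3", "name": "Team handbook", "permissions": [
    {"type": "domain", "role": "reader", "domain": "example.com"}]}
]}
""")


def audit_sharing(listing, company_domain=COMPANY_DOMAIN):
    """Return (file name, finding, detail) for every grant that leaves the company."""
    findings = []
    for f in listing.get("files", []):
        for perm in f.get("permissions", []):
            kind = perm.get("type")
            if kind == "anyone":
                # Anonymous link access: nobody can say who holds the link.
                findings.append((f["name"], "anyone-with-link", perm.get("role")))
            elif kind == "domain":
                if perm.get("domain", "").lower() != company_domain:
                    findings.append((f["name"], "external-domain", perm["domain"]))
            elif kind in ("user", "group"):
                email = perm.get("emailAddress", "").lower()
                # Named outsiders are identifiable and revocable: review, not alarm.
                if not email.endswith("@" + company_domain):
                    findings.append((f["name"], "external-" + kind, email))
    return findings


if __name__ == "__main__":
    for name, finding, detail in audit_sharing(SAMPLE_LISTING):
        print(f"{name}: {finding} ({detail})")
```

The `anyone-with-link` findings are the ones to convert to named recipients; the `external-user` entries are the list of outsiders whose access can be reviewed and revoked.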

Keeping accounts of ex-employees

No matter if a person is saying goodbye to the company or the other way around, it's usually very emotional and creates a bit of uneasiness in the following days.

In either case, we need to remember to lock their company e-mail accounts and revoke their access to all the SaaS products we're using.

If you have an off-boarding checklist for your employees, just put it there.
When they're not around, we may not even notice that one of their accounts got hacked, letting an attacker access the company's confidential data.

Also, IP theft by ex-employees happens once in a while, especially if they left in a somewhat unpleasant way.
Better safe than sorry.

Non-encrypted hard drives

A lot of small companies struggle with physical security.
It takes some effort to enforce it and in some cases, like working from a coworking space, it may even be impossible.

Our computers often provide an easy way to access sensitive data: we save our passwords where possible, are able to access production servers and store private documents on the hard drive.

A person able to get access to our computer gets everything. Even if they cannot log in to the operating system, they may be able to access data on our hard drives.

Fortunately, it's quite simple to encrypt the hard drive, so that it's impossible to access its data without signing in first.

For example, macOS's FileVault lets you encrypt your data in a way that's transparent to you. You need to turn it on in System Preferences and that's it!

Setting up encryption in macOS is literally a single click

Using only email and password for authentication

Services like e-mail easily become the backbone of a company's infrastructure. They carry a lot of private information, may become the main way of contacting us and can be used to sign in to other services (or reset their passwords).

When talking about IT companies, there's often another critical pillar - cloud hosting providers like Amazon Web Services. They provide the infrastructure for our applications and can be used to access confidential data stored in them. Also, they usually cost quite a lot of money, so setting up new servers by an unauthorized person can hurt our wallets.

In either case, we need to properly secure access to them. A basic method of authenticating users by username/email and password may not be enough, since this kind of data can easily be captured by malicious software.

Many popular services offer improved security with Two-Factor Authentication. Each time we sign in to them, we'll also need to provide an additional code that's generated specifically for this sign-in to confirm our identity.
The code is usually sent via SMS to a number provided when enabling 2FA or generated with an external app paired with our account.

Also, we can mark certain devices (e.g. our notebook) as trusted, so they won't require a 2FA code each time we sign in on them. This makes 2FA transparent for us most of the time, but it still protects us from outsiders trying to take over our accounts.

If for some reason you can't enable 2FA across your whole organization, it'd be great to enable it for at least all the administrators. Losing access to these accounts will hurt you the most.

Forgetting about security on mobile devices

Our mobile phones feel more personal than company notebooks, but they can also expose a lot of private information to other people, starting with our clients' and business partners' phone numbers and ending with access to our email. After all, who doesn't have their phone permanently signed in to their email account?

Also, even if we use 2FA to make logins to various services we use more secure, our mobile phones are the master key to all of them.

Some time ago iOS started pushing people to set up a passcode when setting up their phones for the first time. Besides blocking access to the phone, it's also used to encrypt all the data that's on it.
And if used with the Touch ID sensor, it's almost transparent, since it requires nothing besides pressing the home button with the right finger when waking up the phone.

If for some reason you're not doing it yet, keep in mind that if you use your mobile phone for anything related to your company, it might be worth taking a moment to make sure it's also properly secured.

Summary

Even if you're working for a startup (or any sort of small business), it's worth it to at least reach for the low-hanging fruit when it comes to security.

There are multiple common mistakes startups make that are extremely easy to fix, and the fixes neither require too much attention nor take flexibility away from the company.

Even if we don't have problems with it now, it will certainly become a problem once the company grows and becomes high profile.

And just like with many other things, it's easier to fix security issues in their early stage.
