editione1.0.0
Updated October 9, 2023🚀 As explained by Erica
My first mobile phone, in 2000, was a Nokia 3310. Nostalgically referred to as the “brick,” my Nokia was there mostly for emergencies. Now we have mobile phones that function as mini computers and have infinite possibilities.
The first computer I used was in the computer lab in my elementary school. Instead of using that primitive Apple iMac once a week on Tuesday during our “lab time,” I now use my laptop for hours every day.
The fast pace of technology is seen not just in the devices we use, but also in the jobs we do. It would be rare to find a job today that doesn’t involve using a computer or mobile device most of the day.
storyI originally studied as an accountant. During my undergraduate studies, I remember talking with my professor about a radical idea of automated bookkeeping using artificial intelligence. Less than ten years later, I was working as a security engineer for a New Zealand growth organization that provided an accounting Software-as-a-Service product that did just that.
Why does the rate of technology matter to security? Two reasons: technology is never flawless, and finding those flaws has become automated.
The people making technology race against a clock; they need to release their product or service quickly to gain a competitive advantage, or address customer needs, or, frankly, to start making money. Security can feel like a sunk cost when an organization is focused on making their business viable.
With each new piece of technology comes new and complex software and hardware. Even the most talented engineers and designers cannot predict the future or build things perfectly on a budget. Inevitably, there will be weaknesses—and these can be used to make the technology do something it wasn’t intended to do.
This is exactly what hacking is all about—finding different ways to make a piece of technology do something it is not meant to do. Often technology is made to hold, transfer, or process data. Hacking makes it possible to access, modify, or delete that data.
The weaknesses, or vulnerabilities, are not always obvious at the start. It might take time for these to be discovered. This is the difference between known and unknown vulnerabilities. There might be some people who share the vulnerabilities they find in software and hardware with the world, but that can’t be counted on. Once a vulnerability is made public and known, it is up to everyone who uses that software or hardware to apply the fix, or to use alternative software or hardware if there is no fix.
However, just as we write scripts and code to make our technology, people can do the same to make tools that find weaknesses. These tools are like double-edged swords—the tools can be used for defense (to find weaknesses), or they can be used for offense (to attack your technology). When used for offense, we often call them exploits.
The probability that a potential security vulnerability will be identified, exploited, and lead to impact on your organization is called the risk the organization faces.
It looks like this:
You build a new piece of technology with multiple pieces of software.
If you find out about new weaknesses in the software you use, you will have to either apply the fixes, change to a different piece of non-vulnerable software, find other ways to protect your software, or do nothing.
Meanwhile, attackers might be adding those new, known weaknesses to their tool set so they can find them and hack your technology.
The more software you use, the more times you have to repeat this process.
If it feels unfair, that’s because it is.
Katie Moussouris’ interview in The Verge is a great starting point to learn about the vulnerabilities market. She has done amazing work and research in vulnerability disclosure and bug bounty programs (or organizational programs that pay for vulnerabilities found in their product).
Nicole Perlroth and Kim Zetter are fantastic authors and cybersecurity journalists that tell fascinating stories about the vulnerability market.
The Cuckoo’s Egg and The Hacker Crackdown are two popular books that re-tell stories of hacks, investigations, and computer crimes from the 1980s and 1990s.
Everything is now online. If your organization doesn’t use current tools, or even have a website, you will lose out to your competitors. Avoiding technology isn’t really an option if you want to run a business—no matter how small the business.
You might think you are too small of a business to be attacked. Surely, that could only happen to the larger company that has big and valuable data to lose. But on the internet, no one cares how small you are.
An attacker’s two most common goals are (1) to access your data and (2) to use your resources (like your servers, mail systems, or online reputation). If they are trying to harvest as much data and resources as they can, they will often go for the lowest-hanging fruit.
The concept of low-hanging fruit comes up a lot in security. Just as the lowest-hanging fruit on a tree is picked first, weaknesses in system security that are easy to find are most likely to be exploited. Examples include a website administrator login page that uses an easy-to-guess password, a server that uses software with vulnerabilities that have not been patched, or the Twitter account with the same password as a LinkedIn account that was exposed in the 2012 password breach.
The problem with these weaknesses being easy to find is that finding them can be automated. Attackers can create tools that will scan the internet to find the fruit and pluck it off the tree before any human effort is involved.
The encouraging part of this story is that it can be easy to keep your own fruit higher in the tree. That is the purpose of this book. Whether what you must protect is your personal accounts, your small business, a startup, or a growing company—there are ways to keep weaknesses further out of reach.
Definition Attackers don’t always attempt to go straight to hacking your technology. Often they might try to hack the humans, or do what is called social engineering. Social engineering is where an attacker uses psychological manipulation to get a human to do something or reveal something. Usually using fear tactics, they may lie and weasel their way through convincing you to give them access or sensitive information. These types of attacks are successful for many complicated reasons.
In general, people with less exposure to technology will be more likely to fall victim to these attacks. Think about how resistant you can be to change. When your bank moved you from mailed statements to paperless, how long did it take you to change your routine to check your accounts in your email rather than your mailbox? When your social circles moved from sending printed invitations to Facebook event invitations, how long did it take you to get used to virtual RSVPs rather than using a stamp or phone call?
When you consider those change comparisons for someone who didn’t grow up with technology, the reaction time might be slower. They might have missed a few parties, had a few late payments, or had some other negative impacts before they actually caught on and changed their behavior.
Some of you may be experts in your field of business, but have had to adapt new technologies just to maintain competitive advantage. Or you could be trying to learn one way of building a system or service using a centralized approach, only to find the industry shifting quickly to a decentralized approach (which makes it harder for you to understand if what you have is still right).
Regardless of where you fall on this scale, don’t worry—just like any business or personal risk, security just needs to be managed.
The rate of change on the attackers’ side of things is speeding up too. I am not providing you with this information to scare you into being safe, however the context is important so you understand why your data is so valuable.
Security breaches happen very often,*** and result in important data about us being leaked to the wrong people. This is data about us, our organizations, what services we subscribe to, and sometimes even sensitive data like our passwords or identity information. You can rarely go a month without reading about a data breach in the news or getting a breach notification from a service you use.
The data in these breaches have low value on an individual level. The risk of a password that is leaked still being valuable after the incident is identified is low because most organizations will force a password reset. However, you might reuse that same password or follow a similar pattern for other services.
There is also some data that can’t be reset, such as your passport number or the types of websites or services you subscribe to. For example, when a popular slot machine parlor in the US had a security breach, they leaked a large amount of personal and sensitive information about their customers. If your data was included in this breach, you can’t reset the association your identity now has to gambling services.
Insight into your password patterns and what services you use allows attackers to understand who you are and what you might be vulnerable to. If they aggregate all that data around a common unique data point, such as your email address, attackers start to build a view of someone’s online identity. A single breach of an online poker tournament website alone might not be a massive deal. If an attacker used those leaked email addresses to find users who are also signed up to other online casinos and lottery websites, then they might be able to run a pretty successful attack if they took advantage of those users’ gambling interests.
Now, don’t go all blockbuster movie, thinking that there is someone out there specifically trying to target you. Think about it instead as a wider scam attempt based on a category of people. For example, if you were to see a glimpse of the online services I subscribe to, you would see that I really love animals and have a very big soft spot for cats. You would see this through all the social media pages I subscribe to publicly, and also because of all the online pet stores and charity accounts I have (if these were ever breached). If you wanted to lure me into a scam, you might target me (and others) with a heartstring-pulling email asking me to make a donation to a cat charity in dire need. The donation link in that email would link to a fake PayPal login page that is meant to steal your credentials. The website might not sound off alarm bells right away as you expect to pay a charity via PayPal.
The growth of an industry has formed over the past few years with the rise of online breaches. These online identity groups are ideal for those that want higher success rates with their attacks and scams. The concept of data brokers is becoming a large business, where groups buy and sell breach data in order to make their portfolio of identities more valuable. The more data points you have about an individual or a group of people, the more you can infer about their online habits and vulnerabilities, making it more possible to carry out a successful attack.
We’ve talked about the fast rate of change of technology, the forced need to be online, our ability (or inability) to adapt to this change and keep our technology and systems safe, the lack of control over other services’ data breaches, and the burst of growth in the sale of our data and identities.
It’s obvious security is important. But it can feel daunting to know where to start and what to secure first.
We recommend beginning with yourself and working outward:
Start with your own security and the security of the systems and accounts you use that are managed by others. Anywhere you put your data and your money should be in this category, and your email should be considered your crown jewels.
We have been doing the cybersecurity dance for a while—Laura recently hit her 20 year career anniversary! We’ve seen a lot, and while much has changed over the years in terms of technology, many aspects of cybersecurity have stayed depressingly the same.
We see stories in the news about large companies paying exorbitant amounts of money to regulators and their customers for losing data, or companies becoming irrelevant after undergoing an attack that also took down their competitive edge. This doesn’t even cover the hundreds of organizations that are too small for air time, that have to shut their doors after a security incident.
What we have found is that the root of these problems and pain is often a lack of the same good security practices. We want to change that for all companies, not just those big enough or established enough to afford security teams and expensive tools.
Most good security practice boils down to a simple set of foundations—unique passwords populated in a password manager, two-factor authentication prompts for each login, mindfulness and limiting of sprawling data duplicated across websites and devices, automatic or prioritization of regular updates and patching, turning off of unnecessary features, and setup of safety net monitoring emails and notifications for when things fall through the cracks.
Our mission at SafeStack has always been to help as many small businesses and people as possible. Rather than building a giant consultancy and working only with wealthy businesses, we wanted to share our mix of experience, understanding, technical know-how, empathy, and pragmatism with as many people as possible. We want our expertise to be accessible and our advice easy to follow. We wanted it to be clear where to start, what to focus on, and what to do. We determined that the best vehicle for this mission would be a digital book that is searchable, shareable, and accessible. We chose to publish with Holloway so we can bring you just that.
Whether you are just trying to protect yourself or your small business, we are excited to share the years of experience and advice that we have provided to people just like you. We hope you find helpful nuggets of wisdom in the advice for your own security that you feel inspired to share with others in your network, social circles, or family.
We believe this book will be helpful to people of a variety of backgrounds, but we do make some assumptions about your technical skill and security goals. We expect most readers to fall into one or more of the following buckets:
You are at least mildly tech savvy, willing to learn more, and work somewhere where information security matters.
You work at or own a startup and care about security.
Key points are highlighted like this:
important An important note.
danger A danger or caution.
confusion A confusion or reminder.
important If you’re reading this Holloway Edition of the book online, please remember you can add comments and suggestions. No book is perfect. This will help it improve in future revisions, and selected helpful comments will be published to assist other readers!
I want to give you permission not to read this entire book.
Let me explain.
When it comes to securing what matters to us, we each start at a different place and have different goals. We bring with us a set of experiences, expectations, and skills. We each operate in a different set of circumstances with a different set of constraints. Your pathway towards security will be different to others around you and as such, your needs from this book will be different.
While you can of course read this material sequentially, you are equally encouraged to approach it in a way that suits you and where you are now:
As well as your personal experience with security, the environment you are trying to protect can change your requirements for security.
For individual security, this means the difference between protecting an occasional internet user from phishing attacks, and protecting a high-net-worth individual while they frequently trade stocks online. This difference in circumstances will change all aspects of your security approach—the risks you face, the impacts if they were to be exploited, and the processes, actions, and technologies you can use to manage the situation safely.
For those of us protecting businesses or other organizations, the field in which we work makes a big difference too. Whether you are in the finance sector or retail, non-profits or high tech—our industry, size, profile, and the types of data we handle will change the risks we face and the standards we are required to meet.
Whatever your environment or context, understand and work with where you are now. By working on the risks and requirements that are truly relevant to you, you are able to focus your time and resources to reduce the likelihood of security incidents in a meaningful way.
When we are approaching security for the first time, it can be daunting. Not only is there a lot to think about and cover, but many of the actions we need to take are associated with technologies or technical concepts that we may not be familiar with. Depending on your background and the role you play in your company, these can be a real challenge. It can be easy to dismiss security as something you can handle when you are technical enough or when you hire someone who has that specialist knowledge. In reality, sometimes it’s that delay or reluctance that makes us the most vulnerable. There is no right time to start security or perfect skill set that prepares you for it. The sooner we get started, the more small steps we can take to reduce our risk.
While technology has a role to play in securing our data, people, and systems, it is only part of the picture. Security requires us to balance technology, processes, and human actions to change the way we face situations that could cause us harm.
For example, take malicious or phishing emails. Buying a mail security product can feel like the answer to our problems. It should block suspicious email from reaching us. However, it takes more than buying a tool for this to work; without policy and process to configure and maintain that new tool, it will not prevent malicious email.
If we do not empower our people to identify and respond to emails that do slip through the cracks as we configure our defenses, we may still suffer from the consequences of this attack.
important We will encourage you to apply the advice here as you read by making your own lists of devices, accounts, and data. As your business grows bigger, it will become more and more important to be aware of these assets, so that you can make sure they are secure. The need for security will grow over time, and having a list you can call upon and reference can be helpful in the long run.
How you keep and manage those lists will be up to you. We don’t encourage you to keep other sensitive information with those lists (like account passwords). However, these lists will give you a bit of a “security blueprint” for yourself and your business. Keep it safe, as you would any other type of blueprint-like document. I am more of a “list on my Google Keep” or “Asana board shared privately with the SafeStack team” kind of gal, but there is nothing wrong with good old fashion pen and paper lists stuck to your home office whiteboard.
In Part II we address small businesses, in Part III we move on to startups, and Part IV is dedicated to mid-size and growing companies that are refining their strategy. The line between a small business and a startup is not always obvious, so let’s define what we mean. It is important to get this straight, as this dictates the security strategies we recommend you follow.
For the purposes of this book, especially in Part II and Part III, we are using the term “small business” and “startup” to refer to businesses that meet the criteria in the table below. If your business is larger or more mature than the “startup” stage, you will likely find Part IV most helpful.
| Characteristic | Small Business | Startup |
|---|---|---|
| People | • It is just you, and maybe a few others that work part or full time. • You may also have seasonal employees who come on board to help during busy seasons. • You are an individual freelancer, contractor, or owner operator. | • You have between one and ten people. • This is often a mix of founders, contractors, and early team members. • You may also have some advisors, investors, or informal governance. |
| Budget | • You are running this business off of the natural organic sales coming in. • You are bootstrapping the business on your own from your savings, or are funding it through your business revenue. | • If you are bootstrapped (self-funded), the budget is likely small and the company may have a “runway” of just a few months. • If you have achieved some form of investment or funding, there may be a larger budget (or “runway”) tied to strong growth objectives. |
| Goals | • You aim to be a profitable and resilient business. | • You aim to achieve product/market fit with your product or service. • You are looking to acquire early customers and prove your business model. |
| Priorities | • Small might be a choice. You don’t want to become a growth company, or scale your business bigger beyond what you can manage now. • You might serve a small market niche. No one else locally does what you do; who knows what your business will look or how big it will be in five or ten years. | • Profitability is not a high priority at this stage, especially if you have funding. • The pressure to achieve results has amplified with the amount of money you have raised. • You are technology-driven or creating a solution with a large technical component. This may be built in-house or with outsourced partners. • Your target market may be large (spread across many industries or geographic areas). |
When do you go from a startup to a company with the larger needs outlined in Part IV? That can be hard to pinpoint, and depends on your circumstances. We’ve outlined the effect growth has on your security needs and strategy, so you can better determine where your organization stands.
Growth is amazing. However, the more successful you are, the more interesting you are to potential attackers. Simply put, before you grew, nobody knew you existed and they didn’t know how interesting and valuable you might be.
As your customer base and product grows, so does the complexity and size of your data. From customer data to commercially sensitive documents and application code—you have more of everything and it’s more spread out than ever before.
In the beginning, you were small. As a leader, you probably hired everyone personally, often from your social circles or close professional network. As you grow, however, this changes—and for good reason.
Making a book is hard.
I was lucky to have the best business partner in crime (Laura), helpful and passionate editors and publishers (Holloway), patient and supportive friends (Dibbie, Sarah), a partner who made sure I was always fed and watered (Len), a son who patiently waited to arrive into the world until after all the hard parts were finished (Kana), and parents who bought this book to support me even though they still can’t be convinced to use a password manager (Eric, Sherrie).
—Erica
Erica is much more eloquent than I am at these sorts of things, so I will keep it simple.
Protect your digital assets, just as you protect your home and other physical valuables.
🚀 As explained by Erica
Before we look at protecting the digital assets of your business, we need to cover your personal digital security. Your online identity connects to your finances, your work, your family, and your relationships.
If you are a business owner, co-founder, or a key member of a small startup, your digital assets may have even more value. As the person making key business decisions, impersonating you can give a bad actor access to financial and business accounts. The financial consequences to the company are your responsibility. Even worse, poor personal security by employees often leads to new risks for the business, such as a compromised personal email account leading to compromise of a business account.
The bottom line is, you need to think about protecting your own money and assets the same way you would a business asset.
The value of your money to an attacker is straightforward—there is literal financial value assigned to your bank accounts, credit cards, cash apps, physical cards, and cash. An attacker’s goal would be to try to funnel that money out of your account.
List the apps and accounts that you use to access things that have monetary value to you. If there are any risks you’re worried about, put them down too.
exampleTo get us started, here are some common scenarios involving access to your money. Included here are risks that you may not have thought of at first—but that we’ll have to protect:
Scenario: You access your banking and credit cards mostly online.
Accounts: Your bank’s and your credit card’s online payment systems.
Risks: These accounts could be compromised or data leaked, and an attacker could transfer money.
Your devices carry an inherent security risk themselves. That risk can also change depending on their environment. Risk is like a temperature scale. For example, if you are logging into your PayPal account to check your recent incoming payments, the risk goes from cold to hot in these situations:
Using your desktop computer at home (cold, lowest risk)
Using your mobile device on a partially full train (cool, low risk)
Using your mobile device on a crowded, elbow-to-elbow train (warm, moderate risk)
There is value in impersonation. As an individual, a business owner, or a decision maker, your voice carries weight. You are the person who can authorize changes, information disclosures, and transactions.
The two most common types of attacks you might face would be requests to your staff to transfer money to an attacker’s account, or requests to your phone provider to transfer your SIM to another phone. Once your SIM is transferred to another phone, password resets or two-step login prompts would go to an attacker’s phone rather than yours. Such attacks are becoming more expensive as we rely on SMS for verification on logins when making large payments.
In the physical world, identity is established through government-issued documentation, such as driver’s licenses, passports, and birth certificates. In the online world, our identities are inferred in the email addresses, usernames, and communication channels we use and share with others—WhatsApp, WeChat, Facebook Messenger, Signal, the examples are endless. You build trust with friends, staff, and business contacts through regular interactions using these digital identities, and they may not second guess any favors or questions that seem to come from you.
There is also more traditional value in your identity that you have probably heard of. Attackers can use copies of your identity to commit fraud like opening loans or credit cards, and then going on a bit of a shopping spree. When the financial survivability of your business early on depends on credit, these types of events can be damaging.
Looking at your list, it might feel daunting to get started on securing all these things. Now is an important time to learn about the 80% theory.
storyFirst, a confession: I used to be a perfectionist and completionist, and I also am a huge video game nerd. Every video game I started I would push to get 100% completion. My Pokédex in Pokémon Red was complete with 151 Pokémon. I found every Easter egg and secret ending there could be found. My goal in life was to finish level 255 in Pac-Man so I could experience the level 256 integer overflow glitch. When I started picking up more hobbies, my ability to complete games started becoming harder and harder.
Most of us probably know the experience of playing a game. You can play it from start to finish, and that represents roughly 80% of the game play. You can play again to finish up side quests and alternative paths to the ending and get closer to 100% completion, but it takes more or more time and investment the closer you get to 100%. You end up investing more time in that final sprint than you do playing the game for the first time from start to finish. And the value received is quite minimal at this point.
I try to apply that same thinking to securing everyday situations. There will be situations where you need to cover that final 20%. For example, when implementing a login function to a web application, you want to go that extra mile. But for most situations, you get the most value out of investing that first 80%.
🚀 As explained by Erica
Your email is like a skeleton key—it is effectively a single key that can be used from anywhere to sign in to various services. Once an attacker obtains your email password, their job gets a lot easier. In this chapter we’ll cover how to set strong passwords all around, but particularly with your email.
Most of us probably set up our password to our email years ago, before hacks were a common everyday occurrence. When I was 12 years old creating my first Yahoo account, I wasn’t thinking about long passphrases or special characters—and as it was inspired by Hanson, it was certainly not secure. Nowadays, most of us can barely recall all the online accounts we have signed up for using our email address—especially with the rise of social media and Software-as-a-Service. There has also been a rise in reported data breaches, where the companies that provide these online services have lost copies of their password databases.
danger If you reuse your email password across your other online accounts, there is a higher chance this password is leaked. Once you lose access to your email, your other online accounts are one password reset email away from being lost too.
As a business owner, you will have more than a few critical passwords—and even with the best memory in the world, you will struggle to maintain them. That’s where password managers come in.
A password manager is a tool that provides one central place to safely store and manage your passwords so they can all be unique and strong—that is, long and complex enough they are very difficult or impossible for attackers to guess.
confusion “But wait, how is storing all your passwords in one place safe?” I hear you say. Yes, it does seem counterintuitive to do this, but it is safer. Consider the alternatives, like a password-generating formula you thought up (like service name + year + a $ or & or number), or maybe reusing the same group of two to three passwords you use across all your systems. These methods have proven to be unsafe, and you need a new method that works for how you operate and the important accounts you need to protect. Considering the context of how attacks against accounts can be automated and performed, this is your best defense against these attacks.
important It is important to pick the right password manager and set it up right because that one tool will hold your whole digital world in one database, including the password to your email.
Now that you have a safe place to store your new secrets, we can work on protecting your email. As mentioned before, your email acts like a skeleton key for a large part of your online identity—people you communicate with associate your email with trust, and your email is also a key factor involved in logging into other accounts and receiving password resets. With access to just your email, an attacker can unlock access to more information and accounts.
To protect your email you will have to take these steps:
Reset your password and store it in your password manager.
Set up a strong two-factor authentication.
It doesn’t matter what clever method or hoops you might have mentally jumped through to create your current password. Let’s start with a fresh slate, and reset it so you know for a fact it is unique.
Your password manager should help by suggesting a password that is very long and as random as it can technically be. If not, aim for at least 16 characters in length. Research has shown that it is more important to have a longer password. Mathematically, long passwords offer more possible combinations, which would take too long to guess even with today’s available technology.
Once you reset your password, all your previous logged-in sessions should also expire. This gives you the added comfort of knowing from this point forward, only you have access to your most important digital key. (Although this does mean spending some time logging back into your email on your phone, laptop, and so on.)
A long, long time ago it was perfectly OK to use just a password to access your account—since the availability of tools to guess your password was limited, and those accounts also didn’t have as much value as they do today. Nowadays, you need to take a few steps to prove who you are to make it harder for people to bypass or trick their way into your account. One essential way to achieve this is to use two-factor authentication.
Definition Two-factor authentication (2FA) is a security measure that requires two modes of identification before access to a system or application is allowed. You may also see such multi-step authentication processes called multi-factor authentication (MFA) (when more than two factors are used) or two-step verification (2SV) (which is almost the same, but the steps may be on the same device).* For simplicity, we’ll just refer to all of these options as 2FA in this book.
important 2FA is especially important for your email account.
As with “strong” encryption, it can be hard to assess if 2FA is “strong” without expertise in IT security. A few options for 2FA exist, and I’ll provide a high-level overview from most to least secure:
After going through the process of configuring 2FA settings, you might get to the end of the steps and see a new term used: backup codes.
Backup codes (or recovery codes) are “break glass” codes that can be used as a backup option in the event something happens with the device you use to generate the two-factor codes.
The list of apps for generating two-factor codes is long and includes Google Authenticator, Authy, Microsoft Authenticator, Duo Security, and others. When you use an app on your phone to generate those codes, it generates keys that are stored on your phone so only your phone can generate the right codes to get into your account. If you experience that horrific moment of losing or breaking your phone, those keys may be lost. All hope is not lost, however, and that is why you are given backup codes at the end of that set-up process.
important Get into a good habit of saving and protecting backup codes, just as you would your password or your 2FA device. Do not just download the file and leave it in your downloads folder, or just skip saving them altogether. Treat these backup codes like the spare key, and protect it the same way you would your normal key. Copy them into your password manager or print them out and keep them stored somewhere safe that others can’t access, like a locked file cabinet or safe.
Assuming that the steps outlined above have been followed, it is unlikely that you would lose your password at this point—your password is stored safely, and two-factor authenticated to boot.
Account recovery options for a service allow a user to have a backup email or other contact information, or answers to questions on file with the service, to recover access in the event the user forgets a password or otherwise loses access to the account.
danger Setting up account recovery options securely is important because these settings could give an attacker an alternate way to access your account—even if they don’t have your password.
Correct account recovery options are also needed in the unlikely situation that account access is lost. Think about losing your unlocked laptop that was already logged into your email. The very first thing that an attacker may do is change your password. In that heart-dropping moment, you want to be able to confidently get back in without having to remember how to get access to that old, defunct email account you set as your account recovery option.
The last step to protecting your email is to manage and control access to your email by third-party applications.
Third-party access is when you grant permission to your email provider to share access to your information with another service.
Third-party access is coming up more and more as small web applications are popping up and relying on larger identity providers to manage access for them. One of the most common identity providers used is an email provider, such as Google or Microsoft. This is perfectly legitimate, and something we will recommend to you in later chapters when faced with creating a user login function for your system.
danger Third-party access is something to grant carefully and monitor. People can create malicious applications to siphon data from your identity provider if you aren’t checking the permissions you are granting. Attackers can also take control of older third-party systems that are no longer supported, but that might still have access to your identity provider account.
Now is a great time to go back to the list of accounts you started off with. Like me, you probably don’t have just one email account. Hopefully, unlike me, you have less than five. Either way, don’t forget to protect each of your accounts using this same process.
If you no longer use an email account, you can reset the password to something long and unique, and be done with it. But first, ask yourself a few questions and check through your inbox to see if any of the following apply:
Do important contacts still use this email to contact you, whether that is family, friends, or business contacts?
Do you get mail to this email for any accounts that are on your list that you need to protect? Is this email used as the login or password reset for those accounts?
This is a question I hear a lot. No email provider is perfect. Using email from large providers, such as Google and Microsoft, might have privacy trade-offs as they have a history of allowing scanning of emails for advertising purposes. On the other side of the token, you might find you are locked into a specific email provider because of the technology ecosystem you have—if all your devices are Apple products, then it might be natural to gravitate towards an iCloud email account.
The best way to tell if your email provider is safe is to see if you can make it through the steps outlined earlier for protecting your account. If there are features that are not available, like 2FA, then it is a dealbreaker when it comes to security.
danger 2FA should be considered the bare minimum. If your provider doesn’t allow it, then this is a dealbreaker and it is time to set up a new email with a provider who does. There is a great community-created website called 2FA Directory that you can use to find a new email provider. This can be a huge pain to set up, but in the long run you will thank yourself. Especially with the rise of security breaches through weak security configurations, that unsafe email provider is probably one bad press release or low valuation away from selling or shutting down that headache service.
I have a few email accounts; this is the burden of an IT nerd. So when going through these steps, I have to perform them for a few different accounts. I have one main personal account, one (very old) backup account that is nearly old enough to drive, and three work accounts. Here is how I work on protecting those:
For my personal account, I use four (!) layers of authentication. I stay logged in on the main devices I use every day, so I rarely have to assemble the four keys like in some dramatic rocket launch sequence. One layer is a physical hardware security key, the second is a backup physical hardware security key, and the third is a mobile device push notification, and the final is an obnoxiously long password.
My backup personal account, which I use for account recovery for my primary account, is protected by a similar four layers. I use this for any career-related accounts or subscriptions, but nowadays it is mostly there as a backup account so my main personal email doesn’t rely on a work email for account recovery.
My work accounts all use 2FA, using either push notifications or one-time password apps on my phone.
🚀 As explained by Erica
On your list of things to protect, you likely have a mobile device that operates like a multi-tool. It has access to your accounts in the same way you access them on your laptop, it is connected to your multiple communication tools, it can even pay for things like a digital credit card using NFC. Aside from your mobile Swiss Army knife, you also have a laptop where you perform most, if not all, of your personal and business functions.
important Protecting these devices is critical. At a minimum, you should perform these steps:
Lock your screen. Set up a screen lock and a long, unique PIN or passcode you don’t share with others.
The first thing to have set up is a screen lock for all your devices on your list. This includes mobile phones, laptops, and any other devices that are logged into important accounts like your personal or work emails. Screen locks can come in multiple shapes and sizes.
For mobile devices: Avoid using patterns, like connecting dots on a four-by-four dotted grid. Instead, use a PIN (personal identification number) that is at least ten digits long. You can also use a password, meaning you include alphanumeric characters, but I’m personally not a fan. I find phone screens to be too small to properly type it in using trained reflexes. Once your PIN is ten digits or longer, it would take years for a machine to be able to iterate through and crack it, whereas a four digit PIN can take as little as 15 minutes.
For laptops: Use a long and unique passphrase; I say passphrase because you will have to type this baby multiple times per day. Five random words strung together is one great technique I recommend, or a phrase that makes sense to you but isn’t easy to guess. “My name is Erica” is a bad phrase, but “Baby Yoda slurps his soup” is a pretty good one.
Biometric authentication, like fingerprints and face scanning, have started to become more popular. Even if you have these enabled, you often have to set up a PIN or password backup because they aren’t always reliable. Not all biometric authentication is perfect. In general, fingerprint authentication has been harder to bypass—and even then, only after making tons of fingerprint molds and spending a whole heck of a lot of time trying to get a match. Given the context that we started off with at the start of this part of the book, it is unlikely the person trying to get into your phone is that motivated or well researched. They might find it more worth their time to just wipe your iPhone and resell it on eBay.
The software on your devices provides an opening to bad actors as well—software is made by people, and it often has mistakes or bugs that crop up that can be misused. Imagine an attacker delivers an email that looks like an invoice, sent via a macro-enabled Word document. Most likely, that document has a script that will try to take advantage of a bug that hasn’t been patched in your operating system software. Software developers release patches that contain security fixes to close these bugs, but it is up to us to actually make sure we apply them.
important Enable automatic updates within your mobile or desktop operating system. Keeping software updated means you’ll always have the latest security protections. Most operating systems now allow you to set updates to happen automatically; be sure these are switched on. Mobile phones usually do a good job of telling you when an update is available, and will even auto-update your apps when you plug it in to charge while connected to wifi. Windows, macOS, and Linux on laptops are also usually configured to automatically update, but now is the best time to double-check.
It is important to set these to automatic, because the last thing you will be thinking about when running your business is “Am I protected from that latest Windows vulnerability?” News like that might not even make it to your radar, so having automatic updates gives you that peace of mind.
You also want to make sure that your software is still supported—Apple has a history of supporting their device software longer than other competitors, but that doesn’t mean the other competitors are unsafe. The window of support is just shorter, which might force you to update to a newer device sooner than you would like. If a device no longer receives software updates, that is a sign you need to upgrade. Since this device is critical to you and your business, it has a wealth of information and access stored on it.
Before starting your business, you might have been a bit laissez-faire with the software or apps you downloaded. Now that you use those same personal devices for business, you need to be a bit pickier. That doesn’t mean you can’t download what you want, it just means the consequences of bad downloads no longer affect just you—they can also affect your business.
For example, downloading a social media app like TikTok to your mobile device before might have seemed harmless, despite the laundry list of permissions it asked for and vague terms-of-service wording. But who reads those when they are using something for personal use anyways (except me and other huge nerds)? However, if you have both business and personal contacts and data on your phone, TikTok would now be able to slurp up both.
Now is a great time to do some spring cleaning of your device software and apps, and see which ones you use and need, and which can go. Similar to how we cleaned up apps with third-party access to our email, if you are unsure if you need it or not, remove it and challenge that decision later if you find yourself needing it again. This is especially the case for any software that asks for permission to data that it really doesn’t make sense to need. When you open Apple Maps and it asks for your permission to share your location so it can give you more accurate directions, those permissions make sense. What doesn’t make sense is that Sudoku app you downloaded to kill time asking for permission to read your text messages.
storyYou may be thinking: “But what about the apps and software that everyone uses? I need to use them too to keep up to date with the latest social crazes!” I hear you, and I get it. I play a lot of video games, and some of those are mobile games I play with my online guild. The developers are questionable (to be nice about it). I still play these games, but on my older devices that are no longer logged into my accounts and that no longer have my business data on them. They have some limited data; all apps need basics like name and email, but this is information that I have already accepted is on every possible spam and scam list one can imagine. This is the perfect use for those devices that you have cleaned up and don’t use, which we will get to later.
storyWhen I was younger, my parents were terrible at keeping track of their keys. For Christmas one year, I got them one of those keychains that beeps when you misplace them and need help finding them. We set up a similar feature on their iPad a few years later, which came in handy when my parents accidentally left it at a customer’s office.
Most devices and phones nowadays have lost device features built into their operating system that can be enabled. Doing this gives you two options:
Learning where your device is, so you can go retrieve it.
Wiping the device, if you’re unable to retrieve it. This will turn your device into a concrete brick, rather than a golden brick of data.
important You should set all your devices up to back up, automatically and daily, to a cloud-based storage account. This is important because there may come a time where your device is infected or lost, and you need to restore it back to the point before this happened. With the rise of destructive malware, like ransomware, and the fact that we are often on the move and at risk of losing devices, having a backup gives you peace of mind that you can hit “undo” on that whole bad outcome.
controversy The concept of using “cloud storage” can be concerning because it still feels new for a lot of us. There is also a fair share of bad takes and jokes from technical people about how “the cloud is just someone else’s computer.” This isn’t necessarily wrong, it just doesn’t consider the alternative—using a computer that you do own and control. This alternative takes time to learn and set it up right, and requires ongoing maintenance to make sure that the computer is kept up-to-date and secured. While I might have a hard drive at home that I use to copy important files to as a backup, I know this isn’t an option I can expect from others.
The cloud-based storage that you will end up using will be the one provided by the device manufacturer or email account tied to that device. Vendors like Apple, Samsung, Microsoft, and Google have been in the cloud storage game since before we called it “the cloud.” The original iPhone released in 2007 had an app called MobileMe, which helped users back up their devices to their MobileMe account. Before that, 2002 Mac devices could use software from Apple called .Mac, which would allow you to perform your own personal backups to their iDisk service. These services and software were the blueprints that Apple used for making iCloud in 2011. So if you feel uneasy with the term “cloud,” just remember that we have been using these services for years now, minus the cool, hip name rebranding. As long as you secure that account using the advice we have given you, you’ll be fine using cloud-based storage.
Turning on your device to automatically back up to your cloud storage account is a low effort move to make sure if you were to lose your device, or get it infected beyond repair, you can restore it to a last-known good state. Most operating systems, like macOS and Windows, allow you to easily configure these backups to be stored in cloud storage accounts, which means you don’t have to stress and do the manual gymnastics required for storing backups locally on a removable hard drive. If you prefer to not use cloud storage, a physical hard drive is still OK, it just requires more effort.
important If you have old devices that you no longer use, or have upgraded to a new one after realizing the old one is no longer supported, be sure to clean it up before passing it on to someone else or storing it away. How you clean it up will depend on how you used it before.
If you only used it to access your personal or business data via a browser or web application: You are fine to just log out and clear any data in the browsers you used. This would be the case for a device that you might have used temporarily, perhaps one you used while your main device was being repaired, or a computer in a hotel business center you used to print documents from your email.
If you used it for more than just the browser, perhaps to store copies of documents or to log into specific software or apps: A full factory reset is the best option. There will be small breadcrumbs of data that you may leave behind, and clearing them completely by doing a full reset is the best way to ensure safety.
If you are planning on selling the device to someone else: You will need to do more. A factory reset doesn’t always guarantee that no files were left behind if someone was actually looking for them. It all depends on how your device performs its factory reset. When looking to on-sell an old device that was used to carry your data, you can use a professional device wiping service that will make sure the entire hard drive is cleaned. When determining if a business that provides this service is legit or not, check if they follow the standard NIST 800–88 (or follow that standard yourself, as it has some helpful guidelines to follow depending on the device). What I do instead is purge data from old devices and keep them in my closet, which I lovingly refer to as my old technology museum. It is always good to have a device to use as a backup, or a device for others in the house to use without lending them my own.
With so many manufacturers out there, multiple media outlets talking about privacy, and geopolitical risks relating to large technology companies, it can be hard to know if the devices we use are safe.
For phones, sticking with a major provider is your best bet. This includes Apple, Google, and Samsung.
Apple is the sole manufacturer of the iPhone, the only phones with the iOS operating system, which means it is easier for them to commit to security updates for longer periods of time without having to worry about cross-compatibility across different hardware manufacturing providers (unlike Android).
If you want to go an extra mile and enjoy organization, start using browser profiles, which are a browser feature that let you and others maintain separate privacy and personal settings while using the same browser. The main browsers of today, like Firefox and Chrome, all support the use of multiple profiles.
Using browser profiles is as much a usability benefit as a security benefit. They let you keep your personal and business life separated from each other digitally. Your browser history, plugins, stored passwords, and bookmarks are all stored in a separate profile. For example, if you use a not-so-safe browser plugin on one profile to watch Netflix in the UK, then that won’t put at risk any browser data stored for your business accounts in your business profile. (That is totally just a hypothetical example.) Browser profiles also tend to give you different visual cues to help you tell which one you might be in, either by having a profile picture overlap the software icon in your taskbar or by even letting you change the color backgrounds. If you’re a constant multitasker, this feature alone is a huge help.
Years ago, everyone manually installed anti-virus software (which is more accurately called anti-malware software) to detect, mitigate, and prevent malware on your computer. Now, operating systems have become advanced and contain most of the protective features we need without having to download other third-party software. This is a good thing, because half the battle of downloading something is trying to understand if it is safe.
confusion For mobile phones, you will see anti-virus software in the app stores, but you don’t need it. You should only be downloading your apps from the pre-built-in app stores like Google Play Store and Apple App Store. There are multiple checks that happen before an app can be hosted in an app store, and while it is not perfect, it covers most of your needs. (If you know what an APK file is, you should only be downloading these from the internet if you actually know what you are getting into, and if it is to a device that is essentially a throw away.)
As far as computers, people who create malware tend to make it mostly for Windows. Windows comes with built-in anti-malware features that are turned on by default using Microsoft Defender. Now is a great time to check that this is still enabled for you, along with all the other security recommendations it provides, such as signature updates and an enabled firewall.
confusion Malware for macOS used to be very rare because there wasn’t a large market share of users using Apple operating systems. This is no longer the case, and while Windows has quite a large lead on malware, macOS is far from being invulnerable. Similar to Windows though, macOS also has anti-malware protection built-in by default in the form of a firewall and their Gatekeeper feature, which checks software and files before they are run to make sure it is made by a known developer and doesn’t contain any nastiness. This is all you need, and you don’t have to go out and buy something extra. Do a quick check of your settings under “Security & Privacy” to make sure these are both still enabled.
If you travel often, and have to rely on free internet in cafes, libraries, or hotels, investing in a VPN service is worth it. A VPN has two purposes. Many of us know it for its benefit of showing our traffic as originating from somewhere else, so you can bypass geo- or region-based filters on the internet. However, the main benefit is the secure tunnel it forms between your laptop and the VPN server.
A free, public wifi network can leak information to others on that network. When you connect to a VPN server, it will send all your traffic through a secure connection that only your device and the VPN server can see.
important Use a paid VPN service. Free VPN services are often murky on the details of how their services operate, and may put you at risk. It is possible to run your own VPN server, but that requires many technical hoops and I don’t recommend it unless you truly know what you’re doing. Instead, just pay for a service that seems trustworthy.
When looking for a VPN software, I always recommend people to the VPN comparison research and table that is maintained by the /r/VPN community on Reddit (which you can find under their subreddit’s wiki). Some of you may be using VPNs for more than just protecting yourself on a public, untrusted wifi network. This comparison can help you find the right software for you based on a rating across multiple areas like privacy, security, business practices, and pricing. Privacy Tools also does great research and provides their recommendations too.
How I manage my devices might feel closer to your reality than how I protect my email and password managers:
For my phone, I used a PIN that is over 12 numbers long. I also use biometrics as the main form of unlocking; however, my phone will always fall back to my PIN when I restart my device or if my phone thinks someone is trying to bypass their way in. For my laptop, I use a long passphrase and biometrics, and it has the same fallback.
When my family or friends need to borrow a device, I give them an old tablet or laptop that doesn’t have any of my accounts logged in. Sorry nieces, no you can’t play games on my phone. (I am not very popular at family gatherings for this reason.)
I have a spare phone I use for downloading apps that I wouldn’t trust on my main phone that is used for both business and personal use. As an avid MMORPG fan, I want to be able to enjoy these without having to do a full security audit each time there is an update.
🚀 As explained by Erica
Now it’s time to secure the rest of the accounts on your list. You will want to:
Re-save passwords and enable 2FA. Reset and save passwords into your password manager, and enable 2FA.
Delete old accounts. Delete and remove data from any accounts you no longer need or use.
After resetting and re-saving our email account passwords into a password manager, the same needs to be done for these other accounts. I will admit that I have previously created poor, easy-to-remember passwords just to see what the service is like; only to later forget to reset the password when I started to load my data into the service. Now is a great time to reset those passwords to new, unique ones and re-save them into your password manager. Again, don’t worry too much about being able to manually type out these passwords, as your password manager can often generate and plug them in when needed.
For 2FA, you can be a bit more loose depending on the data being stored within the account, compared to how we selected the method used for your email. Some of these accounts won’t give many options, and you might be stuck with just SMS. You might also find yourself with a service that doesn’t give any option at all. This is where you need to balance out the data kept in that service with the risk it carries.
The best way to do this is to think about the data inside the account, and weigh it against it getting leaked to others, or the account being used to cause harm to others. For example, an email marketing campaign account might have limited data stored inside, mostly business names and email addresses that are already quite public. However, an attacker can use your campaign account to craft scam emails and send them to your contacts, breaking trust and causing harm. These types of accounts need to be protected with 2FA, and any second factor is better than none.
If you have accounts on your list that have sensitive data or the potential for harm, and don’t offer a two-factor option, then it is time to look for a competitor that does. A great website to find alternatives is 2FA Directory. It is an open-source, managed list of different websites that do and do not provide 2FA.
It is 2 a.m., do you know where your data is? Probably not, because even I struggle with tracking all the websites and accounts I have signed up for. You need an account to use most websites, and my password manager is starting to look as thick as a phone book.
On your list, you might have been forced to think about accounts that you have forgotten about. If you no longer use an account or social profile—delete it. Although you can’t guarantee 100% removal of your information, it is the one small action you can take to try and limit the data sprawl and information footprint you have online. If that account provider has a breach and accounts are accessed, you have done as much as you can to reduce your personal risk. A lot of us don’t have the time and energy to track down all these accounts that have been long forgotten. Heck, I forgot I even used LiveJournal until I was notified about a recent security breach. Wherever there is a time-consuming process, there is a company out there providing that process as a service. Services like DeleteMe are great for those of us who need an extra hand in finding which accounts we might still have out there, and an extra hand in getting them shut down.
This also applies for all those Software-as-a-Service (SaaS) accounts you signed up for as a free trial (to vet it for use in your business), uploaded some data to play around, and then moved onto something else. We will dive into a bit more detail around picking the right SaaS tools for your business later. For now, being conscious of the accounts you create and the data you store in them is what you need to do. If any of that data has value, it needs to be protected with a unique, long password and 2FA.
Being the key business ambassador, you want to be visible. You want to shout to the rooftops about all the amazing things you are doing and accomplishing, in hopes it gets picked up, goes viral, and causes business to boom.
But every public profile, tweet, post, blog, and even list of connections and people you know can be used against you too. While this book is focused on security, privacy and security often go hand in hand and we would be silly to not mention it.
The passive and active information we share on social media can be used by others to start to put together the pieces of an attack. While you are unlikely at this point to have an attacker that seeks you out, there are still some easy and automated attacks that you could fall for.
danger If your social accounts have relaxed privacy settings, and you tend to be loud about your customers and partners you work with, an attacker can scrape that data and use it as an easy impersonation point. It is common for attackers to scan through and create fake profiles on social media accounts, mirroring the real one, and attempting to message you with strange requests. By keeping lists like these private, we prevent ourselves from falling for some of the low-effort type attacks like these.
One of the more helpful features of password managers is the ability to share passwords with teams. It is an inevitable part of running a business with digital accounts. Some accounts only allow you to have one user, such as Twitter, and you might need a hand in managing the account. Or you might need to share accounts to manage account costs.
For example, if there is an online account you use for creating digital content like banners and images for sharing on social media, you might get help from a few people on the team to get these made, and they never have to use the account at the same time. However, the cost to have an account per user could be way out of the budget if you run a small team and business. Just because your business chooses to share a single account doesn’t mean the security of that account has to go outside the door. Setting a unique password in a password manager, and sharing it within your password manager with others on the team, is a great way to keep the account safe.
confusion When you go down this path, checking the terms of the account that you are looking to share is important. This of course reduces revenue for the software company, so most of them are not keen on people sharing accounts. Software companies explain (though it is often clear as mud) their rules around sharing accounts in their terms of service.
What I do to protect my information and accounts will look similar to what you’ll be doing:
For every account I create, I have my password manager auto-generate and store it for me using password manager browser plugins. If I find myself creating a password without it, I pick five random words and string them together so I can easily remember how to store it later.
Before I start putting more data into these accounts, I enable 2FA. I aim to always do push notifications or one-time passwords where I can, and settle for SMS where I can’t use any other options. A good example here is Twitter, which only updated their two-factor options in 2019.
I often hear about password breaches at websites and online services via social media or email, and I respond quickly with a password reset. Since I work in security, my news and Twitter feed are littered with news like this. This news can also come via email, but I often do a quick check to make sure that email is legitimate before acting on it, in case it is just a phishing email in disguise. I do this by going directly to the account’s website myself, and checking if there is any news about a breach.
Your business is established but small. It might be organically growing, or it could be intentionally small and local. Security at this stage is cheap, cheerful, and carefully invested.
🚀 As explained by Erica
confusion Not sure if you’re a small business or a startup? Check out our guide in the introduction.
The speed of adoption of technology that helps us sell more things (from point-of-sale systems to websites) has always been faster than the adoption of technology that protects our systems, data, and selves. The gap makes sense. There are a lot of small businesses—the local brick-and-mortar shops, the online shops run out of houses or small offices, the side hustles run on established e-commerce websites like Etsy. And when you think about security, you recall the bad news about that big corporate or global enterprise that got hacked. You don’t often think about those small businesses getting hit.
In reality, the small businesses do get hacked—they are just often not big enough for journalists to cover. “Local insurance agencies get hit with ransomware and go out of business” isn’t a headline that draws readers quite the same as seeing a recognizable brand like CNA Financial.
The previous part on individual security talks about protecting access to your personal email, other accounts, and devices. As a small business, you protect not just your own data, but the hold the data of others—your customers, clients, employees, and partners.
When you yourself sign up to a new service or website, you agree to a long, waffle-y terms of services that uses legal jargon to explain a simple agreement: by signing up, you are giving your data in exchange for a service. You are trusting the creator to be ethical with that data.
Well, the same applies here in reverse. If you are providing a service or a product to someone, they are trusting you to protect the data that they share with you. If your website banner said, “Give us your credit card data at your own risk,” I can’t imagine you would have many sales. There is an inherent trust relationship you are creating when you collect data from others.
If you lose this data, you break that trust. Not every country right now requires you to fess up when this happens, but these updated privacy laws will come soon. The General Data Protection Regulation (GDPR) in the European Union requires you to notify those impacted within 72 hours, and is likely to set precedent globally. The California Consumer Privacy Act of 2018 allows consumers to sue companies that have a breach. In New Zealand, the Privacy Act requires organizations to disclose breaches that might cause serious harm. Even without these laws and regulations, sometimes people can put two and two together to find out it was you and then publicly expose you online and on social media.
In your small business, you operate with the support of others. Sometimes the tasks that you delegate to others carry security risk, and others might not have the same security mindset or risk-focused thinking as you. Now that your business is more than just you, it is time to start bringing your team into the fold and having a conversation about security. They need to be encouraged and enabled to make risk and security calls themselves to avoid making a mistake later.
You will need to give others, either your employees or a third party, access to the systems you have to run your website, application, or store. A large number of security incidents happen by taking advantage of human nature. Social engineering attacks are a fast-growing risk in almost all organizations. In a 2022 study by Verizon, 82% of the incidents investigated included a human element.
A social engineering attack may ask your employee or outside provider to “urgently download this file onto the work kiosk computer,” and next thing you know you are locked out of your files and can’t get back in. Making your systems and approaches “secure by default” and setting up those safety nets will be important.
Before we get into the doing, we want to share two pieces of advice to frame your mindset for this part:
Attackers love small businesses, especially ones with no technology budget, no security budget, and loose business processes. Your work email, website, and various Software-as-a-Service (SaaS) accounts are ripe with data, and are where your customers interact with you financially.
Most attacks that a small business gets caught in are those where an attacker uses the same technique against businesses using a specific tool or technology, and is playing a game of numbers in hopes that a good percentage of their attempts are successful.
For example, a popular target for attackers is Magento, a platform used by small businesses for running e-commerce websites. Attackers create automatic programs that scan for websites with unpatched Magento platforms and break their way in. Once inside, they add credit card skimming software to silently send copies of credit card data back to the attacker. This way the website owner is unlikely to catch on to the attack, and the attacker’s program can sit there collecting data forever. Back in September 2020, there were over 2,000 website hacks alone over one weekend after Magento announced an older version of their platform as “end of life.” This target is so popular that the attackers and their software even have their own name, Magecart.
In this part of the book, we focus on the “secondhand Windows laptop” type of security for your small business: steps that will be cheap (but usually free) and simple to do. They will be strategic in the sense you will be able to quickly think through the risks and make a call to secure something (or just live with the risk, which is a valid response when done intentionally).
If you read through Part I of this book, you will have made your own personal, individual security to-do list.* This part focuses on key areas that most small businesses tend to relate to: email, websites, tools, and the third parties you work with. The context of how your business and employees operate, along with the company size and growth, will drive the need or decision on certain security controls.
🚀 As explained by Erica
We already learned a lot about how valuable our email is, and the power we have to be able to secure it ourselves. Personal email security might just apply to a single inbox. As a small business, employees may need email addresses, and email security applies to the total number of inboxes that represent your business and are in your business’s domain.
Figure: Growing from one email account to many.
While the technology is the same, there are subtle differences between personal and business email accounts. Business email accounts often provide features that would not be used for individuals, like creating multiple users and inboxes, and setting configurations across the entire domain instead of one account. Let’s talk about how to pick or vet the email provider you currently use, and how to keep it secure.
The first step in protecting your employees and your work email is to decide how it will be set up. The ultimate setup that will make it easier for you to manage if your business is growing is to move to a business email account—and this section will take you through the security involved in that.
This is not a one-size-fits-all solution. Moving to a business account usually involves a nominal monthly fee (usually at least a few bucks per month), and involves more work. The good news is that the work is up front—meaning you do it once, and then leave it be.
Now you have an email domain set up, it’s time to ensure your email is protected. Whether it’s brand new or you set up a business email domain in the past, you can revisit these steps:
Set a strong password policy.
Require 2FA for all users.
Provide a password manager to your team.
At this point, we assume your business email domain is set up, and you have your own administrator account. Now we need to make sure when your employees log into their accounts, they can set everything up safely.
Most major business email account providers will already have strong rules that users have to follow when making their first password. These rules are password characteristics like numeric, alphanumeric, upper-case, lower-case, and special characters. Those of us with scar tissue from old, enterprise workplaces might remember needing to reset your password every 90 days too.
Times have changed, even if the old enterprise workplace password policies have not.
danger The most important characteristics of secure passwords is that they are unique and long. You might not be able to tell if a password an employee uses is unique, but you can ensure that your business email account settings require passwords over 12 characters in length.
It’s also important to require 2FA for all your employees. Your business email provider should allow you to toggle a setting that requires it to be set up for everyone, and if not, should at least tell you who has and who hasn’t set it up.
Remember how we discussed the different types of two-factor authentication? This is the point where you have to think a bit more about which types of two-factor authentication you use. You are going to start having accounts that have really sensitive access, like the administrator account to your business email provider. They have what is referred to as “privileged access,” which means they have permissions to perform risky actions like changing users or security configurations, so you want to make sure the security measures for accessing these accounts are as strong as they can be.
For your administrator accounts, you want to use stronger 2FA setups. This includes using hardware security keys or push notifications to your phone. It is unfair to assume that your staff know how to use a security key (or even know what they are, and how to keep them safe)—they don’t get security training and are not expected to be technically skilled. It is OK for them to use the other forms of 2FA, such as a code delivered via text message, if their accounts don’t have any administrative access.
Password managers are a handy tool you are already familiar with since you use one for your personal life (especially after reading and going through Part I). You probably already store the password you use for your business in your personal password manager because that is the safest thing to do. Great!
Password managers aren’t specific to email, but while we are on the topic of shared and individual email accounts, it is an important elephant in the room to address: how will my employees create and store their passwords?
We can remove any thinking about “unique and strong passwords” by using a password manager to auto-generate a strong one for you. We can also remove any thinking about “safe storage” by storing them in a password database that is protected by layers of security. All we need to memorize (to access all our passwords) is one master password.
But what makes a business password manager different? Should you use the same password manager for your business as you do your personal life? What about your employees? Do they really need one? These are all valid questions, and possible to solve with some upfront thinking now:
Remember how we covered third-party apps and systems back in Part I? The same goes here, except now you can control it at a central level and protect your employees from any oopsies or quick (and unsafe) setups.
Third-party access to your work email comes up often and in very similar situations to your personal email. It gives an easy way to sign up and into apps and accounts, and from a security perspective it has a bunch of perks:
The work email administrators can see who has linked their work email account to third-party systems, which can help to see what third-party apps are used.
The end user doesn’t have to set up yet another unique, strong password and save it to their password manager.
The theme of this chapter has been “set it and forget it.” This step is no different. Your employees might get unsolicited emails from people trying to trick them into downloading bad attachments, clicking on links to go to bad websites, or replying back with important information. Even as a small business, these things can happen. They aren’t targeted—it is just really easy to set up an automatic script that sends the same bad email to thousands of people. It is a game of odds for an attacker: if just one person reacts, they can win big.
On the bright side, larger email providers realize this, and recognize that they are in the best position to protect people. Not all providers do this; that is why it was important at the very get-go to go with a good provider. Your Googles and Microsofts will definitely have these settings available.
Larger email providers host your mailboxes for you, which means they can also check it for any badness before letting you and your users see emails. They have some default protection already in place that will send obvious spam messages, like those about pharmaceuticals and that million dollar inheritance that you are missing out on, to the spam folder.
Email providers tend to turn the sensitivity dial down quite low and give you the options to dial it up if you want. The reason why they can’t dial this up automatically for you is because it can accidentally pick up and put things in spam that are actually legitimate. We recommend that you do dial it up because it is unlikely, due to how you operate, that it will catch too many false positives. The benefit of protection far outweighs the occasional checking of spam for a mismarked email. You likely send text files, Word docs, spreadsheets, images, and PDFs; hardly ever send things like macro-enabled spreadsheets; and never send things like password-protected zip files to people you have never interacted with.
While you are deep in the administrative settings of your mailboxes, there is a setting you need to turn off. Automatic forwarding allows any user to set up a rule where all mail is forwarded on to someone else. It probably seems harmless, such as automatic forwarding of emails for ex-employees to a current employee’s inbox. However, let me reframe how this setting is misused.
When an attacker successfully gets their hands on a pair of valid login credentials for an email, often the first thing they will do is try to “maintain access.” They want you to continue to use the inbox, not suspecting anything, while they wait for the best moment to strike. A common setup for maintaining access looks like this:
Setting up automatic forwarding to a different inbox, usually a throw-away one where they can see copies of emails that are forwarded. All incoming and outgoing mail sent will also send a copy out to this mailbox.
Once they see a message come in (such as one asking for bank account or PayPal details) or see a message going out (such as an invoice with payment details), the attacker will log back into the stolen account.
The last setting to turn on in the administrative settings is alerting. This is the one setting you shouldn’t overdo. It can be easy to turn on “all alerting,” then later hit a point called “alert fatigue.” This is similar to the little kid who cried wolf one too many times, so when there was a real problem no one reacted.
The best way to not overdo alerting is to turn it on for events that you need to respond to (or higher-risk events). If your business grows, you might have people who are responsible for reading through alerts that just need to be “watched closely” (or lower-risk events), but for now we need to make the best of the resources we have. These high-risk events won’t happen often, so when you do get a notification, you know you need to act now.
important Here are a few high-risk security alerts that would cause you to sit up and take action, and what you can do when they happen:
User-reported phishing. This means someone in your business reported an email they received as being dangerous and suspicious. If this happens, talk to the employee: congratulate them for doing the right thing, and look at the message they received. This is a great way to reinforce positive actions on your employee’s part, while also being aware of attempted attacks on your business or people. (Who doesn’t like a pat on the back for a good job?)
We spent a lot of time thinking about work email and enabling your employees to be secure; now we need to think about the stuff around the edges of that. What about the people on the other end of the email message?
At the end of the day, email is just a digital way we communicate with customers, suppliers, and others. When a supplier comes by to drop off some goods and hands you an invoice, you instantly know and trust that they are who they are. They might be wearing the supplier uniform, driving a supplier branded vehicle, they might even be the same person from the supplier you have worked with for ages. You can trust who they are, what they are doing, and more importantly that the invoice they have handed you is real.
When applied in a digital sense, it is tricky, as you need to rely on cues you find in the email or elsewhere online. Most of the time this cue is the senders’ email address. Sadly, this can be easily spoofed, or faked. It is like a stranger coming into your business, with a handwritten and fake supplier name badge, asking to pick up that payment you missed last month.
You need to think about this as if you and your business was spoofed. What if someone could send an email from your domain? Not only would this be a bad look, but the possibilities could be endless. Someone could impersonate you to your customers, future customers, employees, suppliers, or anyone. Even something as innocuous as sending a very obvious scam email could cause people to raise concern that your work email domain is not safe. That can have a domino effect on your email’s reputation, ability to send emails without problem, and even the indirect impact of people not trusting your business.
🚀 As explained by Erica
The minimum operating expectations for any business nowadays is to have a basic website with service or product information, and contact details. Depending on whether you sell products/services via your website, you may just set it up and forget about it, or regularly interact with it.
Either way, your website is valuable real estate. That might seem silly considering how cheap and easy it can be to set one up. Anyone can make one, right? While this is true, let me explain the economics behind why someone else might want to just take advantage of yours rather than set up their own. We’ll then explain the few things you can do to stop an attacker from misusing yours.
But first, it’s important to understand the general steps involved in setting up a website. These can broadly be broken down into the following four steps:
Some attackers have automated scripts to run through the four steps above to set up malicious websites that host phishing pages or other scams. Technology providers have caught onto this, so they might protect you by blocking or warning you about visiting a website that was only just recently created and has no “online reputation.” It is like a game of cat and mouse—where business services are provided, attackers pop up to try and take advantage of it, and the security community reacts.
Some attackers get more creative. Why create their own domain and website when they could just use an existing one? And one way to get a website is stealing or hacking into yours (because asking nicely to use your website for crime probably won’t work).
This is another case where being “low-hanging fruit” on the internet tree bites us in the bum. Attackers will simply scan the internet for poorly secured websites to hide their bad stuff in. Have you ever been linked through to a phishing website, and noticed the URL looked odd? Perhaps it looked like a website that belonged to a small business, but it had a page that looked like a fake Microsoft login page. The website owners usually don’t notice because the page is buried in the website hosting panel, away from their site. There is also no link to it from the main website—someone would have to know the full URL path to see the page. It is like running a physical storefront, with criminals using the back door to run illegal operations. It might sound like we have been watching too many mafia movies, but these are real situations that happen.
You might think, what is the harm? So long as the attacker doesn’t destroy your website, why not let them co-exist? This isn’t a good strategy to follow because once their pages get reported (which will happen), you are the one who feels the impact. It could result in a negative impact to your online reputation by:
How do attackers tend to get access to these low-hanging fruit websites? The answer usually falls into one of three categories:
Weak credentials for accessing the domain name registration website, website hosting provider, content management platform, or website server itself.
Unpatched website software.
Unnecessary services running on the website server that are not safe.
While this chapter will go through the steps to take to elevate your website higher up that internet fruit tree, let’s be honest—not all of us are website fanciers or connoisseurs. While it wouldn’t be worth it to outsource management of your email, outsourcing websites are a different story.
A service provider who looks after your website’s security is often responsible for:
Picking and managing the hosting providers and software you need for running a website.
Keeping your website and any software and plugins you use up to date and configured securely.
Once you have a domain and a website, it is time to do a stocktake and see if it is safe enough to use, or if it is time for an upgrade. There are a few different providers involved in hosting a website, even if some are not very obvious to you or others. These include:
The domain registrar, which is the service provider who you purchase and manage your domain name through.
The DNS hosting provider, which is the service provider where you configure different technical settings related to your domain name (like your TXT records for SPF/DKIM) and the records for tying your domain name to your website (IP address). Your DNS hosting provider and domain registrar may be the same company.
The website hosting provider, or the service provider who gives you a website server to share or use to host your website itself.
You are going to see the phrases “unique passwords” and “two-factor authentication” so much in this book that you will start dreaming about security. It is probably no surprise that protecting the accounts used to manage your domain, servers, and website content are important. Attackers often break into unsecure websites by simply guessing passwords, re-using leaked or stolen passwords, or brute-forcing their way in. You already know the best defense against this is a unique password for each account, and adding a second authentication step in case that password is lost.
This is a case where having a team password manager can come in handy. You might be getting help from others on the team to manage your website. Most of the time, website management accounts only allow you to have a single user, or in some rare cases they may charge you per user.
True, sharing accounts can be risky. But when it comes to setting up a website, you might not be using those accounts all the time. Sharing a single account is a great way to save cash. The safe way to navigate this is to create a unique password, and store it in a shared folder or vault in your password manager. If you picked a good password manager, you can also use the 2FA that is built into your password manager. So you can keep your account secured, and also get help from others in managing it.
The next step of protecting your website is to turn on automatic operating system and software updates that will both prevent attacks and also help you recover in case something goes wrong. While there is the risk of an update causing a bug or issue, it is one less thing you have to think about or make time to do. For most websites that lack technical complexity, automatic updates are pretty low risk—unlike an unpatched website software that is relatively high risk.
Your website and its content is simply made up of many lines of code. More often than not, that code is not perfect. Think about it like building a fence. Anyone can go down to the hardware store and get wooden planks and make a fence. You don’t have to be a builder to do it, you just need some tools and have an idea of what you are trying to make. After making a fence, you need to maintain it. Maybe you built it to a certain height, but now there is a new neighborhood dog (or threat) that can jump it (or bypass the security of the fence). Or maybe the weather has taken its toll and over time the fence has fallen apart and caused gaps to show up.
The software you use to build your website is the same as the fence. You have to keep the software up to date to manage any new security holes that are found and also to maintain the code base it is built on. Updates for you are less about the flash new features, and more about maintaining security.
important If you are using a website builder service, you might not have to worry about underlying website software because this is taken care of by the vendor. If you are running your own website, or pay someone to run the software for you, you’ll need to make sure you or the software manager keep it up to date. Websites also have the concept of “plugins,” or additional apps or software that provides a specific feature. Common plugins include shopping cart features, customizable forms, or features to help you with SEO. Keep website software and plugins in mind when you are toggling on updates to happen automatically.
We spoke about how your website is just made up of lines of code. The more lines of code you have, the more problems you could have. If the fence you are making is miles long, it carries more risk than the one that just goes around a small house. If you don’t have to have all that software installed and running on your website, then now is the time to do spring cleaning. This is similar to the advice we gave on removing old apps from your phone that you no longer use.
When you initially set up your website, turn off any features or default software that you don’t need. Your website builder might by default come with different features like mail or file transfer features. These are commonly misused features that can be turned off right from the word go. If you have outsourced setting up your website, contractors might have remote access services enabled so they can get things set up for you. When they are finished, have a close-out chat where you go over how to maintain the new website, while also closing up any access that they might have left behind.
During your monthly check for updates, if you notice that some plugins, apps, or software have not had an update available in a long time, it could be that they are no longer supported. This isn’t an emergency now, but with time that feature can fall apart and become unsafe, so you will need to set aside time to replace it with something that is supported.
It is common for people to build software, share it with others, then move on and give up on supporting it. It is similar to how you probably have a closet or bin somewhere with all the personal projects you have half started. Like building a fence, you don’t have to be an expert to make software and give or sell it to others. The plugin or app ecosystems online are full of hobbyist software developers. Most people are more interested in solving a problem and creating something than they are with maintaining and taking care of it for life.
It can be challenging to find replacements for unsupported plugins and apps. If you search in the plugin or app store for “shopping cart” functionality, you will probably have thousands of lines of results. Shopping for a plugin is kind of similar to shopping for anything online. You have to have some criteria to filter down to a smaller set of options that check your boxes. The boxes here determine whether a plugin or app is safe to use.
You can run through these questions when you are assessing a new plugin or app to use for your website:
When was it last updated? Acceptable answers are within the past four weeks. The further it gets away from this date, the more risky it is.
Who manages this app? Acceptable answers include recognizable companies, your hosting provider, or the owners of the CMS or website software you use. If you have not heard of the author, Google or search their name online. If the results come up with limited results, that is a red flag and you should move onto the next.
In some cases you might have had a need for remote access to your actual website server. This might be because a third party was helping you set up the website, and using remote access software was easier for them (rather than giving them access via your account). This remote access usually works in the form of special access, or ports, being opened up on your website server itself. Opening up remote access is not as secret as it might seem—when attackers are scanning the internet for websites to attack, they are also checking to see what other access is opened up.
important With remote access being so different from just logging in via a website, you don’t immediately think about it when it comes to security. Remote access is often configured with just a password. Think of it like putting some heavy-duty locks on your front door, while leaving your windows unlocked. This access needs to be protected to the same degree as your accounts, including a unique password and 2FA.
confusion More often than not, though, it is not you using this access but the people you have hired to help with your website. Make security for this access a rule, and require third parties to follow the rules or their access will be turned off. With IT, there are usually multiple ways to achieve the same goal, so be empowered to challenge your hired IT support when they ask for things to be set up a certain way. Just because they know about IT, doesn’t mean they are security experts. They are often more likely to follow the path of least resistance to help with your website, rather than making it as secure as it can be.
Sadly, there is no central resource or place we can direct you to to get exact step-by-step instructions for performing these security changes. However, the more common platforms and software (such as WordPress, Joomla, Squarespace, Wix) have large communities online that tend to provide guides and help docs. When in doubt, do what any techie would do and Google it. At the end of all of this, your website will be a bit higher up the tree of website security and less likely to get attacked due to common and easy-to-find weaknesses.
🚀 As explained by Erica
Your email and website are the most important parts of your technology, regardless of what your business does. The rest of the technology in your toolkit will vary depending on the context of what you do.
To help get you thinking of the tools and other accounts you need to secure, think through these scenarios and note the ones that apply to you.
example Securing devices:
By going through the exercise above, you will find yourself with a handy to-do list of things that need securing (if they aren’t already). We have already helped you identify the accounts that likely carry a higher risk because of the type of data they tend to hold. You have already spent the brain power coming up with this list of tools, so capture it somewhere so you don’t have to repeat this exercise again later.
There is no right or wrong way to record this list of tools. It could be a page you ripped out of a notebook and posted on your office corkboard, or it could be listed on a digital notepad text file. It could even be a list of accounts you have in your password manager if you didn’t want to make duplicate lists, as you are likely to have access to all the tools your business uses. Use something that works for you. For us, we have an Asana board (a task-tracking SaaS tool) where we list all of our tools and the information we need to track. This has the extra benefit of helping us with onboarding and offboarding people too.
In addition to keeping a list of the tools, there is other information that is helpful to inventory for each account:
How you log in. Nowadays, when you sign up for an account, you often have the option to log in via another account (like Google or Microsoft), or create a new username and password. Make a record of how you expect you and your employees to log in so your team can be consistent.
Alternatively, make note if this account is a single shared account. We will get into how to set those up safely later in this chapter.
In Part I, we recommended you toggle updates to happen automatically for your mobile devices, laptops, and other devices. This will still be the case for the devices you use now as a small business, except with the added complexity that you are not the only one using or controlling those devices. If staff are using personal devices, there is even more complexity, as you might not be able to legally tell them what to do with that device even if they are using it for work.
Think of it this way: every copy of business data we have, the more security risk we introduce. That makes sense, because you are increasing the chances of it getting lost or stolen. Every copy of data therefore needs to be protected with the same level of security to prevent this from happening. When you are a small business, the resources needed to scale that security can be a challenge. Access to data is the same as duplicate copies of data—the more ways you can access the data, the more security risk you have.
If your staff log into work accounts from their personal devices, ensure that there is a way to protect the work data that device has access to—in the same way you would protect the data on a work device with anti-malware software or an up-to-date operating system.
If your staff take their work devices home, be sure that your staff can apply good physical security controls to protect that device—in the same way you would physically protect it at the office by keeping it behind locked doors.
Now is the time where you have to make a decision that can have a big security impact on your business. Do you allow staff to use their personal devices for work? If not, do they have other work-owned devices they can use to get the job done, or does your business operating model need to change? If you do allow them to use personal devices, how do you make sure those devices are just as safe as the work devices they could use?
To help you make that call, here are the realistic scenarios you can pick from. Think of it like choosing your own adventure, except all paths lead to safer devices!
You now have an inventory of devices, accounts, and tools used; you have a strategy for keeping devices used (work or personal) secured; the last step we want to talk through is securing the accounts and tools you listed. We will use tools and accounts interchangeably here, this is because they are quite synonymous in this context. We are referring to any software or website (or Software as a Service) that you use for your business and you need to log in for.
We split this into two sections to tackle two very common licensing situations: tools where most of your team need access, and specialized tools where only a limited few require access.
For tools that nearly everyone needs to access, the options are:
🚀 As explained by Erica
Mini celebration time! If you have made it this far and have been following along, then the digital tools used in your business are well secured. Your staff also have access to some great tools, like password managers, and are managed by tools that enable them to make more secure choices, such as required 2FA on email providers.
This last chapter is about how you can make small changes to how your business operates to protect yourself. It is less focused on the technology (although it might be involved), and more focused on the people and process.
There are two things you need to consider each time you engage or work with someone outside the business:
What are they doing for me or the business—what kind of data, information, or access do they need?
How are they going to protect that data, information, or access?
Ultimately, you provide a service or product, and people (inherently or explicitly) trust you to do it well and safely. When you are engaging or using a third party for your business, you are sharing some of the work and risk with them. You need to make sure they handle and manage that risk, or take the same or similar steps towards security as you do. You can always delegate or hire others to do work, but the buck stops with you when it comes to risk ownership.
To manage your security risk while getting help from others, let’s rephrase the above two considerations into principles you should follow:
What is the minimum amount of data, information, or access they need to still do their job?
How can I control how they access that data, information, or access (so I know it is going to be secure)? Or how can I confirm how they will be securing it (so I can keep them accountable)?
The first principle is all about limiting the impact of the risk of something going wrong. If your accountant doesn’t provide you invoicing services, then they shouldn’t have access within your accounting software tool to manage invoice settings. This just opens up and increases the risk of their access being used to cause big damage to you. This isn’t about being secretive or cagey, it is about taking the security of your business seriously and limiting the chances of something going wrong if access or data does not need to be shared. Think of it as the same as when you hire someone to come to your office to clean, or hire someone to watch your pets while you are away from your home. You might give them the keys so they can come in and do their job, but you would leave important things—such as important documents, money, and valuables—locked away in a drawer or safe.
So you can set the groundwork for how you share documents and communicate with others. This is the part of the business relationship where you can control things. There is also the other side that you have to consider—the ways the third party operates in general, and whether or not you can trust them with your business. You can’t control how a business operates, but you can go through the steps to vet or check how they run things and see if it is good enough for you.
The good enough bar you set is the same bar you would set for yourself if you were to be doing that service or job. It can be hard to vet this information; the service might be from a large global provider who doesn’t care about “earning your trust” because they have plenty of people coming to them for business and it is not worth their time to go through an exercise like this. It can also be hard because you are essentially asking them to tell you where they do “good security,” which inversely tells you where they are not doing good security. You are kind of asking them where their holes are, which would be very helpful information to an attacker.
Vetting a third party is like a dance: it might not be very fluid from the start, you might step on some toes, they might step on yours. You might even find a different dance partner if you can’t quite dance in the same rhythm. This happens, and is a great way to vet out anyone who might not take security seriously. If toes are stepped on, it is important to bring the conversation back to “We care about security, and we need anyone we work with to care too.” It might be you asked them a question that they can’t answer directly, but they can give you some other detail to allow you to build that trust that they too care about security.
To help guide you through this tricky dance, here are a few starting questions that most third parties should be able to answer:
Invoice scams are a common type of attack recently because of the low-effort and high-value reward from an attacker’s point of view. We explained how these attacks work in Disable Automatic Forwarding. As you know now, security is all about multiple steps you can take to protect yourself, rather than “this one weird trick that fools all hackers.” Those don’t exist.
Taking the technology outside the equation, one step you can add to an already existing payment process is to verify any new or change requests. This means:
When a new contact that needs to be paid is onboarded, you call them or chat to them in person to confirm where payments are made.
When an existing contact needs to change where they are paid to, you call them on a number you have used before and ask them to verify the new account.
Sometimes things go wrong, and you will need help. The thing you can do now to help future you is to make that contact list now of who you would need to contact. To get started, start with a very simple spreadsheet or document (that is stored in a central place, like a shared drive) and list out all the key roles and people involved (if it is outsourced to someone else). This may include:
email administrators
website and domain administrators
your country’s Computer Emergency Response Team (CERT), for example the US Cybersecurity and Infrastructure Security Agency (CISA)
You will need to set some lightweight processes for how you manage people inside the business as well as those outside the business. This includes people who are hired, as contractor or permanently, as well as those who leave.
Managing new starters is easier than managing leavers. You want to start small on access, and add over time. If you run into problems where they don’t have enough, it is less risky to open access up rather than try to claw it back when you notice them (accidentally or intentionally) misusing this access.
Leavers are a bit harder, and it helps to have the process clear beforehand. The best tool at your disposal here is a quick onboarding and offboarding checklist. You can store it anywhere—in a task management tool, or on a document stored on your computer. So long as it is something easy for you to pick up, create a unique copy for a specific person, and save it for your records, it should work fine.
On that checklist for offboarding, you want to include the following steps:
Your company is young and has big aspirations. This is a time of energy and change where your organization, its ideas, and its operations are vulnerable in many ways, not just from security risks.
Are you a startup? If you’re not sure, see Are You a Small Business or a Startup.
Before we get started with choosing which controls we should put in place or the money we need to spend, it’s important to acknowledge that security is a huge field that touches every aspect of our business. Choosing to secure your organization requires careful review and prioritization of the approaches and controls available to you.
Saying that you are going to “sort out the security” of your organization is a bit like saying you are moving to Europe. It gives you a rough direction but it really doesn’t help you understand where you will end up or the path you need to take there.
🚀 As explained by Laura
When discussing security management for a business, it helps to have a structure to work with. This structure will group the measures you can take by the type of action and impacted areas of the business, letting you review and approach each area in turn rather than trying to tackle everything at once.
There are a number of frameworks for information security that each define their own version of these areas. In this section we will cover a simplified version of the international (and global standard) framework, ISO 27001.
Definition Management domains aim to set the direction and security expectations for your organization, and will often involve thinking about and planning how you would like security to be handled by your team. These practices and associated policies are then used as a measure to decide if your team has met your expectations when approaching security tasks.
Definition Prevention domains aim to identify risks and threats that apply to your business and take steps to reduce the likelihood of them happening. While there are no guarantees in security, and rarely can we be sure that we have stopped a security vulnerability from occurring, prevention aims to do the best we can to protect what matters.
Definition Response domains are those focused on events that could potentially happen. They are the mechanisms we use to predict and plan for security incidents and disruptions to our operations. These domains act like the cards in the seat back of your plane. While we all hope nothing goes wrong on our flight, we know it’s important to read the card and know what to do—just in case. These domains aim to respond quickly and effectively as bad things happen, so that we can minimize the impact on the business and restore operations to normal as soon as possible.
Let’s reorganize our domains by these categories.
🚀 As explained by Laura
When it comes to figuring out how much security is “enough” for your business, there is no “one-size-fits-all” template you can follow. Use the following prompts to understand how your business, industry, and aspirations will affect how much or how little security will be needed for your stage.
Factors affecting your minimum viable security requirements:
Your budget and runway. Whether you need to purchase new equipment or software, or just invest your time—there is always an opportunity cost when implementing security. Your available budget for security will determine how much time and resources you can dedicate to it. Be realistic and pragmatic when assessing your budget. It’s better to pick a small list of achievable actions that you can afford to commit to, rather than stretching your budget too thin trying to address everything from day one.
Take time early in your security planning to prioritize your approach and make it clear to your team what you expect the organization to achieve and what will be added to the backlog for a later stage.
This process of reviewing your security needs and prioritization will need to happen at regular, key milestones for your business. These typically include:
annual reviews as part of planning and strategy
significant operational or product changes such as a pivot or diversification
🚀 As explained by Laura
Identifying and protecting that which has value for your organization and your customers is at the heart of how you should approach security. For many of us, that value lies in the data we store and process.
This includes customer data, commercial IP, and company operational data. Some of this data is created by your organization and did not exist before this point. Other data is entrusted to your organization as part of the product or service that you offer. These different data types, their sensitivity, and the pathway they take through your company are all important factors to understand when planning how to protect them.
When starting to define your data protection requirements, we begin by identifying all the data within your organizational context.
Then, for each set of data, we need to gather some information to understand the data and its security requirements better. Specifically, the information detailed in the below chart.
You might be forgiven for dreading this section. Phrases like “information classification system” rarely spark excitement. But stay with me—let’s move past the dry language and dig into what this phrase means and why it matters to our company and its data.
The importance of this section starts with a truth: just because our organization generates, stores, or processes a piece of information, that doesn’t mean it is sensitive or needs securing.
Some of the data we handle, generate, or process poses little to no risk to our organization, no matter what we do with it. Conversely, there are data types that we encounter that can have significant impacts on our organization, our systems, or our customers—if they are mishandled.
Definition An information classification system is, at its core, a way to label the data within your organization according to how sensitive it is and how much impact it would have on your organization if it were to be improperly handled or shared.
Once you have defined your classification levels, you need to find all data of each type and ensure that it is labeled correctly to communicate its sensitivity.
Figure: The first step in implementing a classification system is to find, classify, and label your data.
🚀 As explained by Laura
While almost all organizations rely on software in some way or another to get the job done, not all organizations need to build their own software. If you do, though, this chapter is for you.
This includes companies that sell their software (perhaps as a SaaS model) or those companies that need to use custom software internally but do not sell this software as part of their product or service offering (for example, a service organization that has built custom software to manage their scheduling, workflows, and billing). Some organizations build their own software, while others pay external companies to build software on their behalf. Whichever approach your company has taken, security needs to be front of mind throughout the process.
Throughout this chapter, we’ll take a high-level look at the factors you need to consider when building software and how to ensure security is part of your overall software development process. Specifically:
Deciding whether you should build a team internally to develop your software or work with an external company to build the software on your behalf is complex and involves consideration of much more than just security—including cost, market, complexity, and time requirements. For the purposes of this chapter, we will focus on the security elements, including reviewing what we are protecting in this decision, the risks that you will face, and your options in each scenario.
For most organizations, there are two primary security concerns when building software:
protection of your intellectual property (IP)
protection of the data stored within your systems once they launch.
Most early-stage companies don’t have a dedicated security person, let alone someone who specializes in application or software security. It’s common for security to be part of another role or a shared responsibility in those first years, and while that’s not the end of the world, it doesn’t necessarily mean your team has the right specialist skills to help you secure your applications.
In this section, we will take a look at the sorts of external help you can use to support your software development lifecycle and how to get the most out of this process.
| Service | Aim | Typical Outcomes |
|---|---|---|
| Design and Architecture Reviews | Review the design or proposed architecture of your software before it is built or before significant changes are made. | Identifies potential vulnerabilities before the software is built to allow you to plan design changes or monitoring approaches. |
| Vulnerability Assessment | Use automated tools to frequently review your built and deployed software to identify “low-hanging fruit,” or common, simple-to-exploit vulnerabilities. | A list of potential vulnerabilities in your software that can be investigated and addressed. |
| Penetration Testing | The use of a specialist training team or professional to simulate the process taken by an attacker and identify vulnerabilities in your application. | A report documenting specific, confirmed vulnerabilities identified in your software, how they were found and recommendations for their remediation. |
| Bug Bounty Programs | The provision of a managed program for security researchers. This program will incentivize researchers to investigate and find vulnerabilities in your software in return for cash or other rewards. | Documented vulnerability submissions from a global community of security researchers. |
| Development Lifecycle Consultancy | Reviewing your software development process to identify changes or additions that can be made to increase the presence of security and increase the likelihood that vulnerabilities are identified before release. | Reports or findings that document proposed improvements to your software development lifecycle. In some cases, engineers may be available to implement the suggested changes alongside your team. |
With security, as with most things, once our software has been delivered and we are happily serving our customers, our job has only just begun. Security is important for the life of the application or system, which (we hope) is for many years to come.
All internet-exposed systems are subject to security activity, and it’s important that you spend some time thinking about how you and your team will identify when such activities are taking place. The sooner you know, the sooner you and your team can respond and protect your systems and data from harm.
While we won’t cover how to set up monitoring and alerting systems in this book, we will give you some idea of the things to consider when doing this crucial work.
🚀 As explained by Laura
We build our companies, including our own software, on top of other software. That makes sense—nobody has the time or resources to build every component of their business from scratch. That would be a real waste and would stop us from focusing on what matters most. As a result, our software is much like Russian dolls: bigger things containing much smaller things underneath it all.
Figure: Traditional nesting Matryoshka dolls. Credit: Dennis Jarvis (Wikimedia Commons)
Let’s have a look at the vulnerability discovery process together.
Figure: Vulnerabilities are continuously found, published, and analyzed by the security community.
Search: Security researchers identify software of interest and focus on finding vulnerabilities. It’s like being a treasure hunter, every day looking for one little bit of a clue to find your next vulnerability.
There are a range of great sources to use to keep up to date with security vulnerabilities: social media, vendor websites, CVE Details, RSS and news feeds, newsletters, podcasts, and so on. Please remember though, with each of these places, they each have a different motivation for sharing vulnerability information.
| Information Source | What to Watch For |
|---|---|
| Social Media | A great source of varied opinions, often available without charge, social media hosts a range of security news feeds that announce vulnerabilities and updates. Buyer beware however, social media is rife with misinformation and not everyone sharing security know-how is credible. Use your research skills to review your sources before trusting. |
| Vendor Websites | Tool and technology manufacturers may provide details of vulnerabilities as part of change notes, updates, or disclosures. Please remember however that most vendors are not obliged to announce if they have had a security issue unless it is mandated by law. Security details may be buried deep in technical patch notes or just listed as “Updates to security” on a new software release. |
| Government Advisories | Many countries have centralized government bodies that help coordinate and communicate critical information security information to affected businesses and organizations. This may be your local CERT (computer emergency response team) or a larger organization such as NIST (the USA National Institute for Standards and Technology, which includes a number of security departments). Look at your local and national government entities and identify and notification services you can subscribe to. They are also a great source of support if something goes wrong with the security of your own organization or product. |
| Scanning tools | Tools that can be built into your development and technical environments to identify components with known vulnerabilities such as Snyk or spot issues with configuration of components such as AWS Inspector. |
For a really clear picture of how this process works and why it’s important to your company, there is no better case study than the Log4J vulnerabilities identified in late 2021.
A standard open-source logging library for the Java language, Log4J is the de facto logging choice for a huge number of applications around the world.
In late 2021, researchers identified a remote code execution vulnerability in the source code for this library. They filed a vulnerability disclosure to both the Apache Software Foundation and NIST, resulting in a worldwide response.
Within hours of the disclosure, people and bots were actively scanning any site on the internet. We saw significant scanning activity that started quickly and ramped up over days.
If you’ve been notified that a tool or technology you use has a security vulnerability, there are actions you can take and mitigations you can put in place.
Before we act, it’s crucial that we understand the risk this vulnerability poses to our organization. This starts with asking the following questions:
When was it found?
There are a few common reasons for not being able to update a technology. In this section we’re going to be pragmatic. We know that you don’t live in a perfect world and you’re making some tough decisions.
You can’t make the change. It could be that the technology or the vulnerability is in a legacy project, one that’s no longer supported. Or in the worst-case scenario, if you don’t even have the code for that system anymore (it was lost in that disc failure in 2003), it belongs to a third-party contractor or an outsourced company.
It’s a breaking change. The security change might be small, but it’s included in a large batch of updates that takes you up to a major version of a library. In this case, the amount of work to implement the patch is likely to be significant.
There’s no patch available. If the vulnerability is an open-source library or framework, it could well be that the community doesn’t have the expertise, resources, knowledge, or even time to get to that vulnerability and patch it. There are still major software systems that have known vulnerabilities in their stacks and have done for some time. Being a big company doesn’t mean you’ll instantly patch in a well-behaved manner.
🚀 As explained by Laura
Definition Due diligence is the process whereby an organization will assess the risk of an activity before it begins. It’s the business equivalent of checking the temperature of your coffee before you take that first sip.
There are two main types of due diligence your company is likely to encounter, customer due diligence and financial due diligence. While they share the same objective, they work slightly differently. We will cover financial due diligence later when we talk about fundraising, acquisitions, and IPO.
If you are selling your products or services to other organizations (a B2B, or business-to-business, company), you will no doubt encounter customer due diligence at this stage.
Definition Customer due diligence is the systematic process of verifying the security maturity of an organization you plan to buy from. This form of due diligence focuses on the risks your organization may encounter by interacting with this organization as their customer. It can be used for both product and service transactions. These risks may cause your company, people, systems, or data harm.
Our businesses operate as part of an ecosystem. This system is made up of organizations of all shapes and sizes connecting to each other to share information, collaborate, and transact. No organization can operate alone, each of us needs other companies and organizations to provide the products and services we need to get the job done (but they are not part of our core business model).
This ecosystem is vast and densely coupled. Each organization connects to dozens if not hundreds of others in an interconnected network.
Figure: The business ecosystem is highly interconnected.
Supply chain attacks are on the rise. Incidents like the 2020 compromise of security solutions provider SolarWinds illustrate the complexity and severity of these attacks. In this incident, attackers were able to compromise a security software platform developed by SolarWinds and use it to distribute malicious software to their customers. Approximately 18K Solarwinds customers globally are believed to have been infected and compromised as a result, including national government organizations as well as Fortune 500 companies.
Remember that, like most people, attackers are lazy and looking for the most effective ways to compromise the most targets. Supply chain attacks can provide an economy of scale for these criminals who are able to invest once in their attack and compromise many companies as a result.
Due diligence helps us to systematically verify supply chain security and gives us confidence that our security will not be compromised as a result of this relationship. While this assessment can never completely remove the risk of a supply chain attack, it helps your organization understand where it has vulnerability and risk outside of its immediate control, and gives you an opportunity to plan for and manage this risk.
Due diligence can be useful after incidents and compromise.
I’m sure we would all agree that identifying and addressing security risks upfront is the preferred option, however, there is no such thing as 100% secure and breaches happen with increasing frequency.
When a breach occurs, due diligence evidence is often reviewed as part of the investigation or post-mortem process. The aim of this review is to identify if anything could have been done differently to identify or prevent this breach from happening. In the case of compliance regimes such as PCI DSS, this check is part of their process for understanding which organization is at fault and liable for any damages that occur.
During this review process, assessors (or auditors) will be trying to understand how risk was managed and understood. They may consult the evidence and notes from due diligence processes and assess whether the information provided at that time was complete and accurate. If evidence suggests that the information provided was incomplete, or included errors, inaccuracies, or omissions, this may impact liability and expose your organization to legal threats.
In this section we walk through the typical stages of due diligence.
Figure: The typical workflow of a due diligence process.
Maybe you’ve completed the really long questionnaire and there are questions you couldn’t answer. Or perhaps you have submitted your responses and received feedback, identifying some gaps in your approach.
First, take a breath. This is normal.
Failing to meet the requirements in a due diligence questionnaire can be normal in these early stages. To be clear, failing due diligence isn’t a good thing, it’s just that it’s a normal thing and doesn’t necessarily mean the end of your sale or a failure to proceed.
It can take a significant amount of time to complete due diligence questionnaires, particularly if they are based on international standards, they have been customized tightly to your customer’s environment or language, or you operate in an environment processing large volumes of personally identifiable, financial, or otherwise sensitive information.
Here are some of the ways you can make this process less time consuming and stressful for everyone involved.
Don’t be afraid to ask for a chat if things are unclear. Due diligence processes can be complicated, and often include questions and considerations framed in the language of regulators or the larger enterprise you are dealing with. This can often mean that questions are confusing or unclear. It’s OK to be unsure and ask questions. If you need clarification or to understand what the risk/concern is related to a particular requirement, ask. You may find that the person who sent you the questionnaire appreciates you taking the time to understand before you submit your responses.
Always link the security control to the risk that is being managed. So your due diligence questionnaire has a question about a specific type of security vendor device and whether you have one in your network. You don’t have much of a network and you certainly don’t have that expensive device.
Before you jump into your answer, consider what risk that device might be trying to reduce. Perhaps you don’t have this specific device or architecture but are you managing the same risk in a different way. It’s OK that your organization does things differently, your job is to help others understand that difference.
Remember, due diligence is about communicating how you reduce risks rather than meeting a checklist of technology implementation requirements.
Your company has had some level of success and is gaining confidence. You want to keep this momentum going and keep growing while managing your increasing security risk.
🚀 As explained by Laura
Like with most parts of your business, the time has come to get organized. You are probably already familiar with the benefits of increasing organization as you scale, but in case you need a recap:
Spot mistakes and issues faster. The more consistent and organized you are, the easier it is to spot when things are going wrong and adapt quickly—minimizing the impact.
Work as a team. Moving things from ad-hoc to managed processes enables you to engage the wider team and share the load—freeing you up to be the leader you need to be at this stage (or to take a holiday or a sick day).
Simplify communication. Managed processes make communicating your practices to stakeholders such as customers, compliance regimes, and shareholders easier and more consistent, saving both time and ambiguity.
The first rule of security management is that you can’t address all of the security vulnerabilities your organization is exposed to. As mentioned in in the introduction, these are called risks.
Definition The process of identifying, measuring, and prioritizing our approach to these issues is called risk management and is the mechanism we use to decide what to deal with and what to record.
Before you are ready to build your security management system, you need to:
define how you will measure and calculate risk
Impact is how we measure the effect of exploiting a flaw in our security. It helps us understand what will happen; what systems, processes, and people are involved; and the effect this exploitation may have on our wider organization.
In security, we often start examining impact by looking at the effect on the confidentiality, integrity, and availability of operations, systems, or services. These effects can be on a system-by-system level or on an organization-wide level.
Let’s get familiar with each of these impacts.
While confidentiality, integrity, and availability are all important parts of how we examine the impact of a security event or risk, there is one last step we need to take. We need to translate these systems, or process-level impacts, into the overall effect that this event will have on our organization, data, or customers. This is a less technical, more business-focused assessment that is often used to communicate risk to senior leaders and directors. You should consider the following factors.
Loss of revenue. Your organization makes less money.
Increased operating costs. It costs more to keep your business operating than it did before, which will impact its decisions about hiring and buying new things.
Reputational damage. People trust your organization less, so they might not sign on or may churn, or they might give your business a different risk rating or change their behavior with you.
Definition Once we have assessed the likelihood and impact of our risk, the result is known as the criticality. This is often a numerical value or label that we give to a risk that communicates how serious it is and how quickly we need to act.
While the exact terminology and labels may vary between companies, the general principle is captured in this diagram.
Figure: A commonly used set of labels for risk criticality.
Much like your business is rapidly changing, the world in which it operates is changing too. In fact, all of the elements that you used to calculate your risk will change. We should consider a risk calculation to be correct for a particular moment in time, rather than something final that will remain unchanged forever.
Many factors can cause risk to change. Try to find ways to identify these changes and how they might affect risk for your company.
Increased brand awareness and publicity. For those of us who are building product- or marketing-led businesses, this is the security curse of our approach. The more well known we become, the more at risk we are. Simply put, attackers have to know you exist before they will try to cause you harm. You may find your success leads to increased security pressure and risk.
Using a very well-known or popular technology. Remember that our attackers can sometimes favor the easiest route. They will often spend time finding vulnerabilities in popular technologies so that they can potentially attack more targets. If you are using a very popular technology or framework, such as WordPress, this could lead to increased risk.
You have a great memory, you have made a successful company from your plucky spirit and ability to juggle many complex tasks at once … resisting the formalization and documentation of things like risks is a natural urge. After all, you haven’t been hacked yet, so why change?
Recording (or making a written record of) risks shouldn’t be a laborious process. It’s not about killing the joy and culture of your team, and it’s certainly not about slowing down or being more wary of the world. Recording risks is simply a mechanism for making consistent decisions about how you will approach a challenge, sharing that decision with those who need to be aware of it, and remembering that decision so that if times or circumstances change, it can be revisited and allow us to ensure it remains the right course of action.
Definition We call this documented record of risk decisions a risk register.
While you may handle the day-to-day responsibilities of managing security in your organization, your executive and board members hold the accountability and overall responsibility for them, and all other sorts of risks faced by the business.
This role is well defined by both national and international directors’ institutes and is governed by law in most countries. In fact, a director’s responsibility is so well defined and important that many organizations take out specific insurance to cover this risk.
important It is this legal responsibility that makes choosing when and how you communicate security risks with your board of directors and executive teams incredibly important. Once a director has been informed of a risk, they must take actions to either mitigate, reduce, or otherwise eliminate it. It’s not optional, it’s their legal obligation to do so.
🚀 As explained by Laura
If risk management is the mechanism we use to decide what risks to deal with in our organization, our policy, standards, procedures, and playbooks are the guidelines we set in place so that everyone on the team knows how we reduce the impact and likelihood of these risks.
They are our guidebooks, our instruction manuals, and in some cases, our North Star. They turn our security decision-making into a repeatable process based on agreed expectations rather than a subjective process based on our feelings, instincts, or current context.
I know that “policy” has a reputation for being as dry as sawdust, and about as much fun, but stay with me here—the right amount of policy, standards, and procedures can mean the difference between security being complex or simple, and confrontational or collaborative.
confusion One of the common misconceptions about policy, standards, procedures, and playbooks is that these words are synonyms—and probably amount to boring tomes of legalese that are best left rotting in a drawer.
Although the legalese part has some element of truth in it (especially in older, more formal security and governance circles), policy, standards, procedures and playbooks are all very different types of document, each with an important part to play in leading security in your company.
Policies set the company’s high-level expectations of how systems, data, processes, and technology will be protected within an organization.
Standards are the implementation guidelines that turn policy from principle to practice.
For most people, their experience of policy has been the documents you receive from an insurance company or finance team. Pages and pages of very complex, multi-clause sentences that cover the rules and regulations governing every possible permutation of a scenario. These are long, impenetrable documents that have left an entire generation scared of policy.
Thankfully, policy doesn’t have to be like that at all.
A good security policy outlines the domains that are expected to be considered throughout the organization and sets guiding principles to which all standards, procedures, and playbooks are expected to align.
Good policy is easy to understand, concise, and easy to digest.
If our policy outlines the high-level expectations and principles guiding your organization’s approach to security, then our standards are where we get specific about what this means.
Standards tell us the specific requirements our team must meet if we are to say we have successfully followed our security policy. One security policy may result in ten or more standards, each tackling a part of the overall security landscape and all linked back to root policy principles.
Let’s take a look at an example standard, in this case supporting the principle we used in the example previously, relating to the security of our people.
To recap: our policy defines our security principles, and our standards define the requirements we need to align with those principles.
That brings us to procedures and playbooks, which turn the standards into action. They give our team the tools and instructions they need to meet the security expectations placed on them through our policy suite in a way that can be measured, repeated, and iterated on as our business evolves.
important Procedures and playbooks are living and evolving operational documents that should be collaborated on across your team. They exist to teach teams how to carry out their responsibilities, to reduce the chance of key person risk, and to ensure that whenever these important tasks are carried out, that they are done consistently.
What’s the difference between a procedure and a playbook?
All of this may seem overwhelming and like a huge commitment of time and resources. As a result, many people turn to their handy local search engine and type “Information Security Policy Templates” in the helpful little box. Often you will find dozens of collections of policy templates, often referred to as “policy suites.”
I get it; we have all been there. You never want to solve a problem that has already been solved, and why invest this time and effort if you can simply buy, download, and customize a policy suite.
There is a lot to this question, but let’s dig into the pros and cons.
A policy, standard, or playbook that sits unloved and unimplemented does nothing for your company’s security.
It’s important to remember that creating these documents isn’t the end of the process, it’s the beginning. From here it’s up to you and your team to ensure that the requirements and processes defined in this document suite are understood, widely known in the team, and most importantly, put into practice across every area of your business.
There is no one-size-fits-all approach to how you do this. Your business and operations will be unique to your context, and so you will need to weave your new security practices through your culture. As you begin to do this, there are a few things you may want to consider that will help maximize your chances of success.
Security should not be a block or an obstacle. People (and growing companies) will avoid blockages and obstacles at all costs. It’s in our nature. If your new process or practice is going to slow things down or block something from happening, consider what people may do to avoid it. Instead, work with your teams to explain why the process is needed and what it is trying to accomplish, and then seek their help in finding a solution that won’t cause unexpected detours.
🚀 As explained by Laura
Our organizations are built around sequences of events that get the job done every day, from events that happen every day like clockwork such as standup meetings, to things that happen less frequently such as hiring and onboarding a new team member.
For every activity or event that happens in our organization, there is an accompanying set of security activities we can carry out to help keep our people, systems, and data secure.
Understanding this relationship helps security become a part of your company’s rhythm, rather than a special event that happens outside of its normal operations. After all, why waste energy debating where security fits into the world if you can save a lot of sweat by assuming there is a little bit of security for every situation? Your job as a leader is to find painless ways to weave security through them.
So how do we go about understanding these events and how we can add a dash of security to them? It begins with looking at why and when these events occur and how likely we are to be able to plan for them in advance. To start, let’s look at the two types of common events—planned and unplanned.
Definition Planned events are predictable in some way. For example, if you are posting a job advertisement, you can safely assume that sometime soon you will hire someone and then hopefully onboard them to your team. You can also assume you will need to give them a device to use and provide them with tools to get the job done. Each of these processes and events has a parallel set of security activities.
Planned events will operate in repeating patterns. This means we should be able to build systems and tools to make them easier to secure and track.
Definition Unplanned Events are difficult to predict. This does not mean that they are not likely to happen, it just means that it’s difficult to know when they are likely to occur in your company.
This all seems quite straightforward, right? There are events we can plan for or prepare for, and so long as we are well organized, we can weave security through everything that happens in our business. It’s simple … except when it’s not. Let’s take a look at the common challenges we face with triggered security events when we’re growing.
Even predictable events (hiring, promotions, etc.) can be difficult in a growing company due to the pace our worlds run at. We have the same events as any other organization, but because of the way we are funded and the ambitions we drive towards, we may experience many more of these events in a shorter time period than a more established company. Combined with relatively constrained resources and budgets, handling all of these events can be challenging enough without adding a layer of security on top.
Acknowledging this challenge doesn’t excuse us from trying, however, it just means we need to be clever with our approaches. Using automation and playbooks can make these tasks easier to complete (and sometimes automatic) and enable you to share the responsibility across the team. We’ll dive deeper into how to do that later in this chapter.
The following table is by no means exhaustive, but provides a guide to the types of events that might happen in your company that you would want to plan for. Don’t get overwhelmed, there are a lot of them (and I’m sure you will think of more)—remember that a lot goes on in your growing business, so it’s not surprising that there is a lot of security to consider on the way.
For each of these, you would list the associated actions, procedures, or playbooks that should form part of your response. For example:
| Event | Suggested Actions |
|---|---|
| A new device is acquired | 1. Record the device in the asset register. 2. Assign the device an owner. 3. Provide secure storage guidance to the new owner. 4. Configure the device with appropriate security controls or hardening. |
See the table of ISO domains for a refresher on what each area covers.
🚀 As explained by Laura
Unlike triggered security events that are linked to operational events in our business, security also requires a set of events that happen outside of the core operations and are purely in the security domain. We call these ongoing security activities (or scheduled security activities).
Our ongoing security activities can be laid out as a calendar across the year, with some activities needed more frequently than others. Unsurprisingly, our calendar will contain daily, monthly, quarterly, and annual activities, and may be expanded with more custom intervals that suit your organization’s needs.
important Remember that this ongoing security schedule is the heartbeat of your security operations. These are the basic, recurring tasks that ensure you are prepared for the unexpected and can respond quickly should the unexpected or malicious occur.
Just because it’s an essential hygiene process, it doesn’t mean our ongoing security activities and calendar should be treated as a background role or given to just one person to manage.
important In fact, one of the most important things you can do is ensure that this ongoing program of activities is shared across the wider team. This reduces the key person risk associated with having just one person in charge of your security program and also reinforces that security is part of the entire team’s responsibility.
confusion Remember that making security a team sport doesn’t just lighten your workload—it’s also good for the overall resilience of your company. Shared responsibility means there are many hands helping and many eyes watching for issues. Not only are you more likely to get more done, but you can respond quicker should bad things happen.
How do you make sure this new team approach to security sticks? One of the biggest hurdles is making sure you keep going. There is a common pitfall when a problem is shared between a group of people where nobody takes ownership. If everyone assumes someone else will do it, often nobody will.
In a rapidly growing company, change is everywhere. It often feels unnatural that something like a calendar would remain steady and predictable in the beautiful chaos of everyday operations. If we’re honest, sometimes these steady and predictable baseline activities can seem less glamorous or important than the fast-evolving processes that add to our revenue or move us towards growth targets.
As a result, we see a predictable decline in security momentum after the first few months or after a security goal (such as certification or compliance) is achieved. After all, who wants to spend all day doing the housework when someone is knocking down a wall and redesigning the kitchen?
Maintaining security momentum is as much about leadership as it is about operations. The importance of security needs to be communicated regularly from the top and related back to the key business objectives such as growth and profitability. Without this leadership first, those charged with security will lose momentum and often find themselves lacking motivation and a clear understanding of why their actions matter to the business.
Once you have a clear leadership message and the team are feeling their value in the context of the organization, remember that all security needs four things to thrive as an ongoing business function:
🚀 As explained by Laura
It’s a cliche, but a lot of what we do in security is try to avoid bad things happening and prepare to respond if they do. It’s a profession of pessimists, and our pessimism and preparation are what makes the difference between a fast, smooth recovery and a prolonged, public crisis.
Let’s take a look at the two categories of “bad things” that typically affect our organizations—incidents and disasters—how they differ, and how we prepare for them. Think of this less like creating a bug-out bag and embracing survivalism, and more like having a plan for when the fire alarm goes off.
confusion Two of the most commonly misused words in security are incident and disaster. They are often used interchangeably, with every “incident” described as a “disaster” for the business. While we all love a good bit of hyperbole, in this chapter and the resulting plans and processes it yields, we need to make sure we have these two events defined clearly.
Definition Incidents are any form of event or occurrence in our organization, system, or processes. While they are typically perceived as negative events, an incident without context or investigation is simply a marker that something has happened. The cause and overall impact of an incident is unknown until a full investigation is carried out.
Incidents are not unique to security. They are categorized in many different ways, in many different fields.
Incident types that growing companies will typically encounter include:
Incident response is a well-established practice in the technology space and there has been a lot written about it. This introduction gives you a high-level overview of how incident response processes work and the typical actions and considerations that are associated with every stage.
The first thing to note is that for the most part, incident response is not linear. An incident response is a triggered process that will loop between a number of stages until all evidence and impact of the incident is resolved.
Figure: The stages of incident response.
There are many ways to document these plans—stick with what works for your internal culture and documentation style. Rather than define the document template, we will look at the sections you need to include and why they are important.
Like many of the subjects we have discussed in this book, just because something is an incident, it doesn’t mean the world is ending. Security isn’t always critical and that’s OK.
important Before you dig into the steps you need to take to respond to an incident, it’s important to define the levels of criticality associated with incidents. Like we mentioned when we discussed risk, defining these upfront allows you to prioritize and plan your actions based on likely impact, rather than your emotional response to a stressful situation.
While the steps outlined as examples in our overview of the incident response process are a good starting point, each incident scenario will have its own set of recommended actions and priorities. Creating documented playbooks for common incident scenarios can help you respond quickly and minimize the disruption of these events.
In this section, we will take a look at some common examples your company may face. You can use these as the basis for your playbooks or add new scenarios that are specific to your company or operating environment.
| Description | • Computing or communications equipment is stolen or lost. |
| Potential Scenarios | • Theft from any of the organization’s offices. • Theft while traveling (hotel, in transit, at the event). • Item left behind or lost while traveling. |
| Incident Response Priorities | • Device replacement • Assessment of potential data loss • Insurance process compliance |
| Suggested Actions | • Notify security team of the loss. • Identify if the device was secured sufficiently (passcode/password, disk encryption). • Gather written accounts of circumstances. • (In case of theft) Contact law enforcement if the intention is to prosecute or claim from insurance. • Contact insurance company to initiate claim. • Conduct root cause analysis to ensure travel choices, storage security, or device security choices remain appropriate. |
🚀 As explained by Laura
A disaster recovery plan is critical to your organization’s ability to respond to and recover from a range of disruptive events.
The objectives of this plan are to:
Undertake risk management assessment.
Define and prioritize your critical business functions.
The first common element of both disaster recovery and incident response plans is the need to plan your communications during an emergency. There are many reasons why you don’t want to leave this to chance:
Your normal communication tools may not be available due to an outage or fault.
You may have no physical access to your communication devices, or other physical locations or equipment needed to use them.
You may not have reliable internet access.
The second common element of both disaster recovery and incident response plans is the need to test that the plans work.
I know that it’s tempting to say “we have incidents all the time so we know what to do,” but in all honesty, just because you have incidents frequently, it doesn’t mean that they are representative of all the events you might need to deal with. There is also the question about who is “handling” your incidents. If you are responding from instinct, experience, or memory, that response is probably different from what is in your plan and may be difficult for someone else on the team to replicate.
important Every plan you create should be tested, at least once a year. It’s as simple as that.
The risks and threats faced by an organization change over time, as do the staff members involved with protecting it. Testing on a regular basis ensures that the plan remains accurate and appropriate. Testing also ensures that all potential response team members are familiar with executing this plan.
When something goes wrong, the best course of action (once you have recovered) is to do some reflection and try to identify changes that can be made to systems, processes, or situations to avoid the same thing happening again.
A post-incident review is a structured exercise designed to review the chain of events surrounding an incident or event. By evaluating the activities that led to and resulted from an incident, the post-incident review is able to establish a timeline of events and identify any areas for improvement.
When structured well, a post-incident review is a blameless tool for evaluation, feedback, and process improvement. You can learn more about blameless approaches to post-incident reviews by checking out Etsy’s work in this space.
A post-incident review should be held after every incident, preferably within two weeks of the main event. This ensures that things are still fresh in people’s minds and that you don’t end up reviewing one incident while handling another.
Everyone involved with an incident should be included in the post-incident review. This may include representatives from external stakeholders and customers where appropriate. A high-level summary of lessons learned and changes made should be added to the customer view of the incident documentation.
All incidents should be documented. This documentation serves as a historical record of the incident and the activities resulting from it.
Documentation should contain at a minimum:
a timeline of events
example notifications and alerts that triggered the event
Whether you are planning to respond to incidents or disasters, there are a few common challenges and mistakes that companies make. Check out this list and make sure you and your team don’t fall into the same traps.
Downloading a template and not customizing it to your environment. An auditor comes by one day and does some snooping around. They ask where your incident response plan is and you look sheepishly for an exit, quickly downloading a template from the internet, and passing it over for review.
We’ve all done it. I don’t judge, but using a template that wasn’t built for your team can be more distracting and dangerous than helpful when faced with a real event.
Your plan doesn’t need to be fancy. There is no prize for design or how many syllables you use per word. An ugly, misspelled plan that is built for your team, systems, and environment with realistic scenarios is perfect.
Not testing your plan in a realistic range of scenarios. No matter how young or old your company is, there are many, many ways that an incident or disaster can unfold. Some of them happen to all companies at some point, whereas some are very specific to what your company does.
For example, a fire is a normal disaster scenario in office buildings, but a chemical spill would be a disaster scenario only found in companies handling hazardous chemicals.
No matter what your business is, it’s crucial that you list all the possible incident and disaster scenarios you could face and test your plan and playbooks for each of them. While it’s unlikely you will do this all at once, having a test every couple of months, each covering a new scenario, can get you a very long way to being prepared for anything.
Not including important stakeholders in your tests. Incident response and disaster recovery are definitely team sports. If you find yourself testing a plan on your own in an empty conference room, it’s likely that when the time comes to actually respond to an incident or disaster, the people you need at your side won’t have a clue what to do.
Testing a plan isn’t just about checking the plan is accurate and works, it’s also a form of collaboration and knowledge sharing. It teaches the team how to work together in the event of something bad happening and what each person needs to do.
So before you schedule a test all on your own, make sure you list and invite everyone who would have a part to play in the scenario you have chosen to test.
🚀 As explained by Laura
There will come a time when managing all of this yourself or sharing it across your team doesn’t work anymore. Perhaps incidents are happening, you’re finding it hard to keep up with customer security questionnaires, or your company simply needs your time elsewhere.
Whatever brings you to this point, you need to know how to find your first security lead and what to look for in this person. In this chapter, we will discuss everything you need to know when making this crucial first security hire.
Of all the questions addressed in this book, this has to be one of the most difficult to answer but one of the most important to get right. Hiring in a growing company is challenging enough without the added complication of hiring a role that won’t directly add to your company’s bottom line.
The old hiring adage in this scenario is to “hire when it hurts,” and if we are honest with ourselves, we may complain that security hurts right from the beginning. But let’s avoid that temptation and really assess what our triggers are for hiring someone for this difficult role.
You have a strong understanding of the importance of security in your organization and have started to build your foundations.
You have established the start of recurring and triggered security actions, but keeping on top of them is beginning to become a challenge
At this stage in your company’s journey, you have probably defined a clear set of psychological and cultural requirements for your new hires to ensure that new team members not only meet the educational and operational requirements of the role, but also to maximize the chance that they will understand your cultural ethos and share your overall vision. If you haven’t started to work on this set of requirements yet, take a pause here. These baseline requirements are the foundation of the next set of requirements we will discuss here.
Strong communication skills: The ability to explain complex situations in an understandable way is just the starting point for secure communication. Extra points here for someone who can speak as articulately and clearly with the most and least technical people in your company, your executive and board, as well as your customers. This role will require communication in every direction and in both written and verbal forms.
Ability to connect with others: The ability to form relationships with groups in your team or external stakeholders and manage these relationships over long periods of time is really important. It’s unlikely that you will be able to hire more than one person to begin with and, as you will have seen in this book, there is more than one person’s worth of work to be done. The ability to connect with others will help your new security lead find help and collaborate on security items across the team.
Understanding of or experience with organizations of your size and stage: Security in early-stage or fast-growing organizations is quite different from security in enterprise organizations. It’s important that your new security lead not only knows this, but can articulate this difference and help slowly navigate from where you are now to where you might one day be.
Like every other professional field, security professionals are often bunched together as a single role category, when in fact there are many different types and only a few of these would suit your stage and security maturity. Let’s take a look at the five most common roles, their strengths and weaknesses, and what to consider when hiring.
Common job titles for this role: chief information security officer (CISO), VP of security, director of security
This is a senior leader in security, someone with many years of experience across a range of roles (though probably in larger organizations). This person is an expert at communicating with both internal and external stakeholders. They may be used to assessing and presenting a risk to fellow/upper senior management, as well as maintaining a complex security program.
You may have guessed by now that young companies rarely need one of these roles full time, rather they often need at least a few of them on a part-time basis. Given the global shortage of skilled security professionals and the complex and evolving nature of your business, part-time help is not only very challenging to find but also more difficult to manage.
So what’s the solution? There isn’t a perfect one. (Sorry.)
As the leader of an early-stage, fast-growing company, this shouldn’t be surprising, nor should it be an insurmountable challenge. You have grown your company to this stage by navigating challenges just like this. Your organization is full of people who are adaptable and have learned to embrace and conquer roles and responsibilities that they had never encountered before. The person you choose for your security role will be another example of the adaptability of people and your ability to lead in a way that evolves with your company’s needs.
In short, you are going to need someone who is a hybrid, a generalist, someone who has enough experience to get started and get your program in place and running, and then has the potential to grow with the role as needed.
Let’s jump ahead—you have a person who is a good cultural fit, a great communicator, and someone who’s not afraid of getting down into the daily operations to get the job done. You may have found them outside your business or have been lucky enough to have found them within your existing team. Whatever the story is, wherever you find them—you need a plan. Your new security lead needs support if they are to survive and thrive in this new role within your organization.
The following are some elements you will need to consider when planning support for your new security lead.
You need to be their champion. This role has not existed before—you (and the leadership team) need to publicly support the new security lead. You also need to reinforce to the wider organization why this role is important and ask for their cooperation as they begin to roll out changes. This support will provide this role with not just the accountability for security, but also a public sense of authority under which they can act.
You need to know that change is coming and you need to help. Rolling out a security program impacts almost every element of the business in some way. As a leader, you need to be aware of this and factor it into your strategies. You need to make room and budget for security to operate—without it, it will waste away behind blocks and conflict.
🚀 As explained by Laura
Change is not just inevitable, but frequent. As your organization grows, there will be complexity. Hopefully you operate long enough to emerge from this chaos with a range of policies and processes that help you reign this in, but for many companies this takes a long time and a lot of effort from the wider team.
While not all changes to your business or operating environment affect the security of your data, people, and systems, there are some events and changes that you need to watch carefully for.
Rather than fearing the chaos itself, let’s take a look at some of these complexities and how they can affect your security. Not all chaos is bad so long as you understand and anticipate the impact.
The more successful your company, the more people you need to keep it moving. Not only will the number of people increase, but also the range of experience levels, skill sets, and roles.
While you may have started as a small group of friends or early employees who knew each other well enough to trust deeply and quickly, before long you will struggle to remember the names of your new team members and may even no longer be involved directly in hiring them.
This can introduce the following security challenges:
Hiring risk. Without consistent processes and checks, you may hire someone who poses a risk to your organization. Whether they are willfully malicious or just not very good at what they do, ensuring that all new team members have background and reference checks can reduce this risk.
You are selling more, you are serving more customers, and there are way more “things to do” in your world that you could possibly imagine. The more you grow, the faster you go. Whether that is truth or perception, it doesn’t matter—your world is not slowing down anytime soon.
This can introduce the following security challenges:
Monitoring and spotting issues. Have you ever been working so hard and going so fast that when you finally come up for air you are surprised by how far you have come? That’s common when we are pushing hard and scaling. This focus (required to succeed when growing) can also lead to a tunnel vision where we don’t notice what is going on around us. As the team grows, this problem gets worse, as it’s now more and more difficult to get to all the meetings, meet with all the project teams, and understand what is getting done around you every day. All of this means that issues can crop up unexpectedly and you may not notice—including security ones.
Cutting corners, inconsistency, and shortcuts. Ever been trying hard to get something done and found yourself slowed down or frustrated by the process you need to follow? Of course you have, it’s human nature to try and find the easiest way to get a job done (and not in our nature to always choose the path with the best quality outcomes). Securing our organizations often involves introducing more processes. Even when very carefully done with a focus on enablement, these can cause frustration. There will always be times where people (including you) cut corners and avoid processes. There will also always be times where you or your team are distracted, and make bad decisions or make a mistake. The more you grow, the more this will happen.
Fighting human nature is a terrible idea. Rather than trying to stop people from making mistakes or cutting corners, make the secure path to getting something done the easiest path to take. Reinforce this by monitoring as much as you can so that if something does go wrong, you can respond quickly.
There isn’t a tool or product on earth that meets every customer’s needs the first time, so you are likely to be iterating quickly to get to the ideal product-market fit. The things we don’t get around to doing on the way, we call technical debt.
As you iterate, your product will grow and become more complex. There will be compromises made and technology decisions that seemed like a good idea at the time.
This can introduce the following security challenges:
Software vulnerabilities. As we have discussed in previous sections, every software and technology can have security flaws and vulnerabilities. The more technologies we use or build, the more chances these will impact the confidentiality, integrity, and availability of our systems.
When you started selling to customers close by, it was likely fairly simple, operationally. You understood the operating environment, the people, the laws, and the culture.
If you are a company that has expanded outside of your immediate local area, this certainty in your context will fade. The further you get from home, the harder this gets, and some of the risks introduced are far from your normal world.
This can introduce the following security challenges:
Change in risk profile. If you happened to grow up in a nice neighborhood where the worst in local crime was the theft of your neighbor’s beloved garden ornament, then you may not have a lot of experience when it comes to understanding the difference in security culture and crime in other parts of the world. It is really difficult to understand what you have never experienced.
Everywhere is different when it comes to security risk. Some places have more physical crime and theft, others more electronic. Some markets have operating cultures like bribery embedded in day-to-day life, others have very strict and tightly enforced anti-corruption laws. Your risk comes not only from the systems you build and the processes your company uses to operate, but also the environments in which you and your customers operate. This changes not only their behavior but also their expectations. Do your research, work with product teams, and generate personas for your new customers and markets to understand not only how their needs differ from your existing customers, but also how their behavior and environment will affect their security.
🚀 As explained by Laura
If you are used to building new systems and processes, often with the intention of disrupting an industry or changing the way an established industry operates, the idea of inheriting a compliance or regulatory system is disheartening.
For those who like to try new things and move fast, compliance has a reputation for being the exact opposite of how you want to run your fast-growing business. A world filled with complex (often outdated) systems of requirements and controls, supported by auditors and accompanied by the threat of large fines or inability to operate, rarely makes anyone excited.
Have no fear, though—while this may not be your happy place, it doesn’t have to be a burden.
Before we dig into how to achieve and maintain compliance, we really need to be clear about what compliance means and why it matters.
Definition Compliance schemes are systems of controls and requirements defined by a governing or regulatory body to achieve a certain aim. In the most part, compliance schemes aim to protect something. That something might be the health and safety of people in and around your organization; the quality, reputation, and prestige of an industry; or the security of personally identifiable or financial information.
There are three main reasons why an organization will pursue compliance with a particular scheme:
Legal regulations and the law. They may be required to meet a certain compliance standard based on the laws of the country or territory in which they operate. Not meeting compliance requirements will often mean that the law has been broken and company directors will be liable. Health and safety law is a typical example of this.
The following are common schemes you may encounter, with resources for further information.
Governs the safe storage and processing of credit card information. This standard applies to all companies that process and handle credit card payments.
A handy six-stage guide to PCI DSS compliance
For most of us, compliance schemes are a natural part of growing. There are hundreds of different regulations and compliance schemes around the world, and you may find your organization is subject to a number of different schemes depending on elements of your business model and operations.
Let’s take a look at the relationship between your business operations and the compliance schemes it may need to comply with.
| Operational Detail | How Does It Relate to Compliance? |
|---|---|
| Your customers’ location | Regardless of where your company is located or registered, many compliance regimes are based around the idea that the location of your customers is more important than where you are. Often these regulations are set by the country or location in which these customers live. Examples: • Sales tax • Privacy law |
| Your company’s registered location | When registering your company, you agreed to follow the local laws and regulations of that place. These regulations often cover: • Company management • Director responsibilities • Taxation • Employment laws • Health and safety • Environmental protection |
| Your industry | From finance to health, and from food production to mining—almost all industries have some form of regulation of compliance. Sometimes this is built to protect people and keep them safe, sometimes this is about regulating markets and preventing financial incidents. Whatever your industry, it pays to know what compliance schemes apply. |
| The type and quantity of data you store | Not all data is created equal and as you will remember from our discussions on classification, the risk posed by collecting, processing, and storing some types of data can be severe. Data types with considerable compliance or regulations include: • Health and medical information • Personally identifiable data • Intellectual property |
| The way you handle payments | Whether you handle credit card payments or do national or international transfers, there are compliance schemes and regulations you need to follow. Some of these come from the banking industry, some from national governments, and some from the credit card providers themselves. Getting these wrong can be the difference between frictionless payments and a lot of headache (and fines). |
| How your company trades | Whether you are publicly or privately owned changes the way you have to operate. Once your company lists publicly, you are held to the regulations of the stock exchange in which you are trading. These regulations are enforced from your initial intention to list and all the way through your lifetime on that market. |
This section doesn’t provide everything you need to get compliant with one or more schemes but it should be enough to get you started.
danger Though we won’t ever admit it to our friends, both authors of this book are former auditors, so before we wrap up this section, here are some common mistakes we have seen in this space.
Poorly documented evidence that is impossible to replicate.
Spending hours arguing that controls are outdated and make no sense. You are probably right, but take a breather—arguing won’t change this. You need instead to show you meet them “as a minimum,” not as a target.
🚀 As explained by Laura
While we may not focus on it very often and we certainly don’t talk about it a lot, most growing companies are trying to get somewhere very specific. For most companies, this means an IPO, an acquisition, or a sale.
It’s tempting to think that this “ending” also ends your need to focus on security. After all, all going well, your company is entering a new phase, perhaps even under new ownership.
There are parts of the exit and acquisition process, however, that have a significant relationship to your security program, and it’s worth taking a look at some of these key events and considerations.
If you have read Part III of this book, you will remember that there are two main types of due diligence your company is likely to encounter, customer due diligence and financial due diligence. While they share the same objective, they work slightly differently. We cover customer due diligence in Part III and we will take a look at financial due diligence now.
Definition Financial due diligence is the systematic process whereby an enquiring party who has (or is planning to hold) a financial interest in a legal entity will examine the behaviors and financial situation of the organization. This process hopes to assess the operating health of the organization, the potential for growth and return on investment, and any risk that the organization carries that may be inherited by the new owner or investor.
Financial due diligence is not specific to security and it is used widely throughout the financial services industry to ensure that risk is managed and assessed appropriately before significant transactions take place.
In recent years, cybersecurity has started to play a role in this financial due diligence process, with specific review sections included to assess the maturity of an entity’s security program, product, and operations.
During customer due diligence, the aim is for your potential customer to decide whether the risk they will inherit from using your product or service is acceptable in relation to their security expectations and risk appetite. If a customer decides this is not acceptable, they will not buy. If they purchase your product and later decide the risk has changed, they can revisit this decision and may choose not to renew their contract or ask for a change in the product or operations.
Misrepresentation in customer due diligence may lead to poor customer relations, lost customers, and lawsuits; however, these are limited to the terms agreed in your operating terms of service and often have a fixed maximum limit of liability.
In financial due diligence, things are quite different.
Financial due diligence is the precursor to investment, company purchase, IPO, or acquisition. These are significant transactions that involve material sums of money. If an investor chooses to fund your organization and finds that the information they received in financial due diligence was incorrect or misleading, the consequences for your company (and you as a company director) can be significant.
Definition A warranty is a claim or promise made by a seller. Often during large financial transactions, the buyers or investors will ask for a series of warranties to be included in the contract. These warranties are a set of promises the seller must ensure are met or true for the contract to be honored. These warranties must be met at the time of contract completion and may need to be maintained for an agreed period of time after the completion date.
Warranties give the party receiving them (in most cases the buyer or investor) the right to sue for damages if the warranty is breached and the breach causes loss or liability. In short, these fundraising and exit events will require you to make legally binding commitments regarding aspects of your business.
Increasingly now, cybersecurity is included amongst these warranties and as such, we need to know how to stay safe and meet our warranty obligations, for our company’s success (and our own).
Given the legal profession’s love of creating new and inventive clauses, there really is no set of fixed cybersecurity warranties. Let’s take a look at some themes you can expect:
The cybersecurity program and details you provided when asked were accurate, truthful, and up to date.
Your systems or products have been validated, audited, or reviewed by a qualified third-party organization and the results were accurately made available on request.
You are not aware of any previous, current, or potential security incidents or risks that may materially affect the organization that have not otherwise been disclosed to the buyer/investor.
Firstly, as mentioned above, this is not something to mess around with. Talk to your lawyer and let them help you navigate this process. It is their job to help you stay safe.
important Some tips on how you respond to a cybersecurity warranty request:
Like any other claim, promise, or decree in contract law, your responses to warranty checks should be in writing. If you do verbally discuss something, ensure that you also document and share a written statement (and that the two statements match).
Answer only the specific questions asked as part of the warranty. Remember, they don’t want to know everything about everything, they are asking very specific questions. If you are not clear about what they are asking, clarify before responding.
All Companies Are Different—Other Odds and Ends You May Encounter
Although the name on the front of this book is Security for Everyone, we can’t possibly cover every context and situation. Frankly, there are some situations that we are not qualified to help you out with, even though we are professionals. There are other great people out there in the security community who dedicate themselves to helping specific groups of people and have a lot of experience doing so. In this part, we’ll lightly touch on these other situations, and point you to some fantastic resources and people who can help.
This book also assumes that your business is on one trajectory: upwards. While that would be fantastic and roses, not all of our businesses will have such a direct path. There are bumps and drops, and with each of those different security risks that we are exposed to. In this part, we also want to talk through these challenging situations and help you feel empowered to make the right security decisions. In some cases, these security decisions might even make you feel a bit more in control of what might be a chaotic situation.
🚀 As explained by Laura
Throughout this book, we have often assumed that your business is growing. However, we know things don’t always work out that way. Sometimes you are faced with scaling your business down or downsizing and are faced with different risks and decisions to make. We speak from experience on this; SafeStack has been around for over seven years now, and we’ve had to scale down and change a few times before we got to where we are now.
This uncertainty triggers our fight for survival. You may not be directly thinking about security—but the risk is still there. There may be employees you have to let go, accounts and services you need in order to continue to operate, and expenses you need to cut back on.
When scaling your business down, you should reduce the amount of money spent on software and other services. Sometimes these services are based on the number of user accounts associated with your account. You might find yourself deleting accounts for any employees who have left, and scaling down the number of accounts so that your team shares access to a single account.
controversy I am aware terms of service for some software services don’t allow this. But when a business is faced with surviving and paying bills and salary for the month, or paying for additional user accounts, most of us will choose the former.
Aside from reducing user accounts for your services, you might also be downgrading or canceling services you don’t need to keep your business alive. It drives me mad, but some services only provide security features for users on paid or higher-level service tiers. Service providers might not handle service cancellations with grace, which means copies of your data might be lingering around, which also leaves the security risk lingering around too. These changes can limit the amount of security protection your accounts and data has, and there are a few things to check before you hit “cancel service.”
For services you are downgrading, check what security and data protection features are included in the lower-tier plans. You can often find this information on the service provider’s pricing page, or you can search through their knowledge base or support documentation. If you can’t find this out after a quick search, ask the service provider.
To help you draft that email, you will want to ask if the following features are still available at lower or free service tiers:
Are the following features still available at lower or free service tiers: 2FA and the ability to export account data?
The last area to address when scaling down is your people. This is going to be the hardest one to address because no business owner wants to be in this situation. Restructures and redundancy processes are difficult, and we might do anything to make this situation pass as quickly as possible. Try to avoid that impulse—you can carry out this step with empathy and kindness, while still making sure you take the time to protect what is left with your business.
First, you need to consider the devices and accounts your employees have access to. You will want to retrieve what you can, knowing that you might not be able to retrieve it all. Even if you lose copies of some documents or data, you can still keep control over accounts by resetting passwords or removing access just after they leave. If there are devices you can’t get back, for example, if they are lost, damaged, or it’s unsafe to claim them, you can monitor your accounts to block and unlink access from these devices. You can also remotely wipe these devices if you set that up when we covered it in Part II, but be sure to do it with kindness. We have all used our work devices for personal use at one point or another, and it would be a real kick in the ankles to lose your job and copies of some personal data you had stored on your work laptop. You can always give employees who have left a heads-up that you need to wipe the device, and give them a chance to back up or move any personal files they might have stored.
danger Watch out for systems or workflows that might depend on an individual employee’s account. Often, we might set up automated workflows or system service accounts that are tied to our own individual emails or accounts. If these accounts are disabled, this could result in a domino effect of failures that would be a challenge to clean up.
This is especially the case for any software engineers or leadership team members that might have been key account holders or key people involved in setting up new software or systems.
🚀 As explained by Erica
Accessibility and usability are important across the software industry, including security. Throughout this book we have assumed that you are able to implement any recommendations in an accessible way. This could mean setting up assistive technologies and tools, and/or using an adaptive strategy during rollout.
That is quite a big assumption to make, especially since some software security features have ways to go before they are accessible and usable by everyone. Often, the paths users follow that involve security, like logging in with a password or using 2FA, are created without considering users with disabilities. They have been created without considering accessibility for years. Back in 2000 the National Federation of the Blind sued AOL because their ATMs and online banking could only be used with the help of a sighted person. In 2012, my co-author Laura performed field research with Britta Offergeld and the Royal New Zealand Foundation of the Blind to evaluate how effective common security advice is for those with visual impairments, and they came back with a raft of improvements and possible solutions that needed to be made.
Things are slowly changing, with big software providers being held to account when they deploy features that are not accessible. For example, LastPass is one of the larger password manager software providers out there, and for years the visually impaired community has commented in forums and social media about how inaccessible their software was. In May 2021, LastPass finally released multiple accessibility features, which are a few good steps in the right direction.
If you are in the software business, the accessibility of software features won’t be new to you. You may have had to answer support tickets or sales objections that relate to how well your software supports users with different accessibility needs. For the rest of you, you may only be familiar with these issues if it is something that has had a direct impact on you or those close to you.
The Web Accessibility Initiative defines Web accessibility to mean that people with disabilities “can equally perceive, understand, navigate, and interact with websites and tools.” Web usability is about “designing products to be effective, efficient, and satisfying.” These two concepts can be very closely related if usability considers users with disabilities as part of their scope.
Usable security can look like different things for different people. Accessibility breaks down into five categories:
Those of us who build software have a responsibility to our customers to create accessible and usable software. This includes any security features or flows that we build—like the flow users take to log in, the masking of data entered into sensitive fields, the use of CAPTCHA to stop automated bots, the 2FA options we have available, or the third-party overlay software we allow interactions with. We know our customers best, and it is up to us to make sure it is inclusive and usable by all of them.
Including accessibility as part of your engineering practices is not just important, but also beneficial. When providing customers security features, your aim is to reduce the amount of incidents or negative security impacts your customers face and to ultimately help them feel like their data and account with your software is safe. If those features can’t be used by a part of your customer base because their needs and abilities were not considered, there will be a high barrier to entry and a low uptake of those features. So while you can pat yourself on the back for finally launching 2FA, the value you and your customers get from it will be lower. You can’t be surprised when you still have a high number of support tickets asking about 2FA or account takeover when the options provided are not usable.
The Web Content Accessibility Guidelines (WCAG) by W3C is the main international standard when it comes to accessibility. It covers guidelines for the four key principles of web accessibility: making your software perceivable, operable, understandable, and robust for people with different abilities. These guidelines are a great place to start, and the W3C website is chock-full of other supporting guides and resources to start learning more about improving the accessibility of your software. Another great source of information is section508.gov, which stems from Section 508 of the US’s Rehabilitation Act. It was made to provide guidance to those who are responsible for technology accessibility and is full of lots of advice, even outside of just pure software development.
Next, we will want to assess where your software is at when compared against guidelines like WCAG. The A11Y Project is a community-run, open-source effort to make web accessibility easier for software development teams. They provide checklists to help organizations assess their own WCAG compliance, as well as a list of resources if you want some additional or professional support. Their resource list also includes some tools you can use to automate your self-assessment, but we highly recommend getting help from a professional who can provide an in-depth human assessment and can consider the context and details of your customer personas.
I am lucky to know some fantastic people in the cybersecurity community who do a lot for accessible and usable security. One of those people is Britta Offergeld, who has spent a good part of her career working and supporting others in this area. Thanks to Britta, I have some great starting points, tips, and resources to share for those that need additional support getting you, your teams, and your businesses set up securely. Although some organizations and links I share might be New Zealand-specific, I will try and give you enough information so you can search for similar organizations in your local area or country.
Online or regional community groups are a great place to start when it comes to picking software or technology that best suits your abilities.
There are country-wide or regional groups that provide support to specific impairment groups, like Deaf Aotearoa (an organization that provides services to the deaf community in New Zealand) or Blind Low Vision NZ (an organization that provides services to the blind and low-vision communities in New Zealand). Groups like these may have resources or community networks they can point you to in order to get advice on software, technology, and security. They also may have assistive technology advisors or trainers on-hand that they can recommend if you want to get professional support.