Edition 1.0.0
Updated October 9, 2023
🚀 As explained by Erica
Your email and website are the most important parts of your technology, regardless of what your business does. The rest of the technology in your toolkit will vary depending on the context of what you do.
To help get you thinking of the tools and other accounts you need to secure, think through these scenarios and note the ones that apply to you.
Example: Securing devices:
You and your employees use work devices: laptops, desktops, tablets, or phones.
You or your employees might take these devices home, and they might use them for personal use (even if you ask them nicely not to).
You and your employees use personal devices to log into work accounts.
There is downloaded software that you or your employees use for work (that can’t be accessed from a browser).
You have a physical space where you own and manage networking devices for internet connectivity. There might also be the occasional printer, fax machine, or other networked and shared devices.
Example: Securing accounts:
Your business has social media accounts.
Your business uses other Software-as-a-Service accounts that can be accessed through your browser or device apps. You likely store business, employee, and even customer data in these accounts. The ones you want to focus on securing are the ones you use for:
Financial tasks such as accounting and bookkeeping, invoices, expenses, and payroll (like QuickBooks, Xero, Wave, Gusto, Paychex).
File storage and sharing (like Dropbox, Google Drive, and Citrix ShareFile).
Communicating with your team (like Slack, Discord, and Microsoft Teams).
Communicating with customers for email or marketing campaigns (like Mailchimp or Constant Contact).
Accounts that hold specific data, such as customer relationship management (CRM) tools (like HubSpot or Zoho CRM).
Accounts where you pay for resources used, such as cloud hosting providers (like Amazon Web Services or Microsoft Azure).
If your business has been operating for a while, you might find it challenging to identify all the tools or accounts to protect. Remember the 80% theory—don’t let the lack of a complete view of every tool and account you should be securing paralyze you into inaction.
Important: A good technique I often advise small businesses to try when trying to think through all their accounts is to check their bank/credit card statements. If you are paying for a service, chances are that account is worth protecting and holds important data.
Another method is to check the websites you have bookmarked, stored, or remembered by your browser when you log in, and the ones that email you periodic marketing information. You can even revert to the old-fashioned pen-and-paper method and write down each tool that you use each day for a few weeks. This can also be a helpful exercise for you to see the tools you do need, and the ones you might be paying for and don’t use.
By going through the exercise above, you will find yourself with a handy to-do list of things that need securing (if they aren’t already). We have already helped you identify the accounts that likely carry a higher risk because of the type of data they tend to hold. You have already spent the brain power coming up with this list of tools, so capture it somewhere so you don’t have to repeat this exercise later.
There is no right or wrong way to record this list of tools. It could be a page you ripped out of a notebook and posted on your office corkboard, or it could be a text file in a digital notepad. It could even be the list of accounts you have in your password manager if you don’t want to make duplicate lists, as you are likely to have access to all the tools your business uses. Use something that works for you. For us, we have an Asana board (a task-tracking SaaS tool) where we list all of our tools and the information we need to track. This has the extra benefit of helping us with onboarding and offboarding people too.
In addition to keeping a list of the tools, there is other information that is helpful to inventory for each account:
How you log in. Nowadays, when you sign up for an account, you often have the option to log in via another account (like Google or Microsoft), or create a new username and password. Make a record of how you expect you and your employees to log in so your team can be consistent.
Alternatively, make note if this account is a single shared account. We will get into how to set those up safely later in this chapter.
How data is stored. This is going to be the biggest driver behind how you secure that account. We made a fair assumption earlier about the level of risk these accounts carry, but you know better than we do the actual information you keep in those accounts. For example, if you have a Dropbox account that you only use for sharing branding, logos, and other promotional material, it is less important for you to prioritize securing that account now. Compare this to a Dropbox account that is a smorgasbord of customer, internal, and other sensitive data—you’ll want to make sure this one is secured as best as it can be.
This is also a great chance to do some digital spring cleaning. You might notice you pay monthly for a Microsoft 365 account, but can’t really recall what data is stored in it. Now is the best time to log in, take a look, and either record the data you find, or take time to purge the data and shut down the account.
The same goes for any accounts that reading through the list of accounts earlier jogged in your memory. If you don’t use an account anymore and really don’t want to take care of it, log in now and remove any data or files that you might have left behind. I can speak from experience here—there is a terrible “hole in your gut” feeling that happens when you see a password breach for a service you used to use and you can’t quite remember what password you used.
Subscription or license costs. This does not have a security impact, but instead a business impact. Later on we will talk about sharing accounts for the sake of saving money on licenses and subscriptions while still keeping those accounts safe. Keeping track of the subscription and license costs per user per month will help you make a rational decision on whether you need to share accounts versus having a unique one for each user.
In addition to having this full list of your accounts, you’ll want to pay close attention to your devices.
In Part I, we recommended you toggle updates to happen automatically for your mobile devices, laptops, and other devices. This will still be the case for the devices you use now as a small business, except with the added complexity that you are not the only one using or controlling those devices. If staff are using personal devices, there is even more complexity, as you might not be able to legally tell them what to do with that device even if they are using it for work.
Think of it this way: the more copies of business data we have, the more security risk we introduce. That makes sense, because you are increasing the chances of it getting lost or stolen. Every copy of data therefore needs to be protected with the same level of security to prevent this from happening. When you are a small business, the resources needed to scale that security can be a challenge. Access to data is the same as duplicate copies of data—the more ways you can access the data, the more security risk you have.
If your staff log into work accounts from their personal devices, ensure that there is a way to protect the work data that device has access to—in the same way you would protect the data on a work device with anti-malware software or an up-to-date operating system.
If your staff take their work devices home, be sure that your staff can apply good physical security controls to protect that device—in the same way you would physically protect it at the office by keeping it behind locked doors.
Let’s be real here too: the assumption we made at the start of this part was that your staff are not necessarily technical experts. They might not know how to digitally or physically protect a device. If their job does not require them to have these skills, this is a fair assumption to make. You will need to consider if it is fair to put the burden of that security risk on them, or if things in your business need to change.
Now is the time where you have to make a decision that can have a big security impact on your business. Do you allow staff to use their personal devices for work? If not, do they have other work-owned devices they can use to get the job done, or does your business operating model need to change? If you do allow them to use personal devices, how do you make sure those devices are just as safe as the work devices they could use?
To help you make that call, here are the realistic scenarios you can pick from. Think of it like choosing your own adventure, except all paths lead to safer devices!
If your staff are handling personal information or sensitive business data, this is a path for you to consider.
In this scenario, your business provides a work device that staff use for most of their work. It is managed by you and the business, which means you can protect them however you need to. You are not big enough to have a “centrally managed” device setup, so you will just be using standard consumer-type devices, and configuring them before giving them to the team. There is enough built-in protection on these devices that if they were lost or stolen, they can still keep the data and access stored on them safe.
You don’t require staff to use their personal phones, because they have work devices they can use to access things as needed. They can optionally opt in to log into their work email on their personal phone if they want, but they are not required to. If they do, the sign-in process explains that the phone will be partially controlled by you and the business to protect this access. This means if the device is lost, you can remotely wipe the device in a similar way you would if you were using the “Find My iPhone” feature. It also means you can require a few basic things, like a lock screen with a password or PIN.
If you choose this path, you need to make sure to:
Turn on the basic settings for mobile device management with your email provider. With major email providers like Google or Microsoft, you can be quite granular with the level of permissions you can keep for yourself. At a minimum, you need to have the ability to wipe any work-related accounts and data, and require a lock screen with a PIN or password. This is usually the basic option.
Set up work devices to be secure before handing them over. You can easily search any of the terms below in the device’s search bar to find the right spots in settings to turn these features on.
An up-to-date or updated operating system. You are at a size now where you don’t have that burden of old, legacy software that prevents you from using newer operating systems. Use the latest version where you can. The major operating system providers, Microsoft and Apple, tend to be clear and upfront on how long they will support existing versions.
Automatic updates are enabled. These are turned on by default, but now is the best time to check before handing a device over to someone else. Make sure that updates have not been “paused,” and you have nothing to download when you click the “check for updates” button in the device’s settings.
Security settings are enabled. Open up the device’s security or virus protection settings. Make sure the anti-malware, anti-virus, firewall, and other similar features are turned on. These features that come pre-built into your operating system are made to protect everyday people, and your business is small enough that it is easier to turn all the settings on and set automatic updates, rather than get too bogged down with trying to understand the exact risk a feature is meant to protect against. If it is a feature within your settings, chances are Microsoft and Apple thought it was important for their users and you can leave it at that.
Turn on hard drive encryption. This is a helpful setting that keeps all the data on the device secured and encrypted when it is turned off. This is especially helpful if the device is ever lost or stolen, as it prevents someone from taking apart the device and getting to the data inside. It also has the added benefit of requiring the device user to set a password to unlock the device, so turning this on is like hitting two security tasks with one stone.
Create a second user account and store your administrator account in your password manager. You would have set all these settings up as an administrator on the device. You don’t want your staff to undo all the work that you have done, accidentally or on purpose. Save the username and password for the administrator account you used in your password manager, and make sure you made it clear which device this was for. Then you can set up a second user account, or the user account your staff will use. When you sign them up, they will be given basic access to be able to use the device, but will be stopped from performing any sensitive changes, like changing security settings or pausing security updates.
Speak to your staff about how they can protect the work device, and make sure they know to call you immediately if anything seems strange or not right. Your defensive perimeter has now expanded. Since you are sharing out the control of the devices that let people into your business and see your data, you need to think of your staff as the first line of defense. They might be among the first to notice that something has gone wrong, and it shouldn’t matter at the time if it was their fault or a mistake they made. Focus on growing that positive security culture by telling people to contact you when they need help. Having them save your phone number in their address book now will save them from panic later.
Make it clear personal devices are not needed, and what opting in to using their own phone means for the control you have over it. Oftentimes, if you provide staff with a work account they won’t have a need to use their own. Sure, there is nothing stopping them from logging into their work email on their personal laptop, but that is why security is usually a series of steps rather than a singular doodad you turn on. You’ll find, especially if you grow, half the battle with security is communication. While communicating with your staff now about personal devices won’t stop a problem from happening, it opens up a channel of communication and the expectations that “security here is important to us.” It sets that first impression and culture, which makes things like reporting problems or talking about issues later on much easier.
It also allows staff who might not be technically savvy to ask questions and understand what these security controls mean. “Can you see what my text messages say?” or “Can you listen in to my phone conversations?” are questions that might seem silly but are important to address now. They are handing over some privacy on their personal devices by logging into their work email now, because you do have the ability to see what type of phone they have, what operating system it is running on, and when/where they last used it. Setting these as clear understandings now is important so your staff can make a more well-informed decision on actually using their personal phones.
Make sure the expectations you set for them and their responsibilities at work align with how you have set up their device access. It would be unfair to expect your staff to immediately respond to a work email if you don’t require them to use a work phone or have work email on their personal phone. It also wouldn’t be fair to expect them to get work done if you haven’t provided them a work device yet. Realign your business or operational processes to make sure they account for this new way of using devices.
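The device setup checklist above (updates not paused and nothing pending, built-in security features on, hard drive encryption on, and a standard, non-administrator account for the staff member) can be verified before a Windows laptop leaves your hands. The following script is an added example, not from the book; it assumes Windows 10 or 11 with the built-in Defender, firewall and BitLocker features, is run from an elevated PowerShell window, and uses `staff` as a placeholder for the local account you created for the employee.

```powershell
# Pre-handover check for a Windows work laptop (added example, not from the book).
# Run in an elevated PowerShell on the device after you have created the staff account.
$findings = @()

# 1. Pending updates: anything not yet installed is what "check for updates" would download.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates
if ($pending.Count -gt 0) {
    $findings += "Updates pending: $($pending.Count) not yet installed"
}

# 2. Paused updates: Settings records a pause expiry time here while updates are paused
#    (assumption: this value is absent when updates are not paused).
$uxKey      = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
$pauseUntil = (Get-ItemProperty -Path $uxKey -ErrorAction SilentlyContinue).PauseUpdatesExpiryTime
if ($pauseUntil) { $findings += "Updates are paused until $pauseUntil" }

# 3. Built-in protection: Defender antivirus, real-time protection and every firewall profile on.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += "Defender antivirus is off" }
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is off" }
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings += "Firewall profile '$($_.Name)' is off"
}

# 4. Hard drive encryption: BitLocker must be protecting the system drive.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($bl.ProtectionStatus -ne 'On') {
    $findings += "BitLocker is not protecting $env:SystemDrive (status: $($bl.ProtectionStatus))"
}

# 5. The staff account must be a standard user, not a member of Administrators.
$staffUser = 'staff'   # placeholder: the local account you created for the employee
$adminNames = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
if ($adminNames -like "*\$staffUser") { $findings += "'$staffUser' is a local administrator" }

# Report: an empty list means the laptop is ready to hand over.
if ($findings.Count -eq 0) {
    "All pre-handover checks passed"
} else {
    "Fix before handing over:"
    $findings | ForEach-Object { " - $_" }
}
```

Save the administrator credentials in your password manager before running this, as the check assumes the admin account you configured the device with is separate from the staff account it inspects.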
Confusion: You probably notice the emphasis on “opt in” for personal mobile devices here. I am a firm believer that if you require someone on your team to use a device, and as part of their role they have access to data that needs to be protected, it is the business owner’s responsibility to make sure they have a secure device to access that data from. You can’t have your cake and eat it too—you can’t have your staff use their own personal devices and expect them to be able to protect it the same way you would if your business owned it. If you do need to require staff to use mobile devices, option 2 might be for you.
In this scenario, your business provides both a laptop and a mobile device for staff that need them. You have expectations that these staff will be accessible for work on an on-call or ad hoc basis, and therefore have to provide them both.
Some staff will prefer to use just one device for both work and personal reasons. They can choose to opt in to use their personal device for work, and they understand the trade-off of control they are making here.
Any work devices are managed and controlled by the organization, but using consumer-level software. You are too small to use the clunky enterprise versions, and therefore will have to configure devices before handing them over.
If you choose this path, you need to make sure to:
Set up work laptops to be secure before handing them over. This would be the same steps as above, and we won’t duplicate them here.
Turn on the advanced settings for mobile device management with your email provider. The advanced settings allow you to have more granular control over any mobile devices that are logged into an account on your work email domain. Usually this requires the user to download an email provider app from the official store so that the email provider can get more permission or access to change things. Without this app, often the setup would fail.
This is also where the larger email providers like Google and Microsoft allow you as the administrator to approve specific devices and disallow others. You want to set this up to require new mobile device connections to be approved, which means you or the other email provider administrators get an email or notification each time a new one tries to connect. You can easily accept or allow for the work mobile devices, or chat to any staff trying to connect their personal mobile devices.
For now, the rest of the advanced settings can likely be left to default, and you can easily change them over time as the context of how you operate or the size you operate changes.
Set up work mobile phones to be secure before handing them over. You can easily search on the phone settings for these terms to find the right menus:
An up-to-date mobile operating system. Sadly, phone operating systems fall out of support faster than laptops, although it can usually be cheaper to replace an old mobile phone than an old laptop. Make sure the phone is on a supported operating system that still gets updates from the provider.
The rest of the security settings can be configured by your staff, as the advanced settings you have set on your email provider will require them to set things like a lock screen and a PIN.
Speak to your staff about how they can protect their work devices, and make sure they know to call you immediately if anything seems strange or not right. Again, set the security culture at the very start. Make sure they know why you have set up devices the way you have, what their role is, and how they can get help.
This option goes the extra mile by providing work devices and retaining more control over how they are used and secured, which is especially important for staff who have access to important systems or data. You might find yourself in a situation where you have some staff who have no access to risky systems or data, and perhaps the biggest risk they pose is that their email account is compromised and is used in a phishing attack. That is where option 3 comes in.
Option 3: Allow personal devices for staff in lower-risk roles, and provide work devices for everyone else.
In this scenario, you have staff that don’t have access to customer or other personal information, nor do they have access to sensitive internal business data. For example, this could be staff that help you produce and manage digital marketing or sellable content, or perform physical tasks or work in a physical shop. All the access they need will be located in the physical workplace, or the access and data they need is low risk, and if it was lost or stolen it wouldn’t be the end of times. It would still be annoying, but a manageable annoyance.
You could let these staff use their own personal devices without needing to get control of them. If you have other staff that do have access to information and data that needs protecting, those staff would get their own work-provided devices so they can be secured and controlled.
If you choose this path, you need to:
Turn on the advanced settings for mobile device management with your email provider. All roads point to some type of mobile device management setting. This is because it allows you to collect some data about how your staff access their email accounts, and you can always toggle off any required security settings, such as the ability to wipe these devices.
Knowing where accounts are logged in will be important, so you can tell if something seems not right about where they have logged in from or the type of device they are logging in from.
Be prepared to provide devices if their role or access to data changes. You have some staff using personal devices now because they present a lower security risk. This can change; they might start supporting someone in your business and start getting access to customer data, or they might cover for someone else in the business who goes on extended leave. It is important to scale the security the same way you might scale the accounts or system they need access to.
Make sure the expectations you set on them and their responsibilities at work align with how you have set up their device access. With this option, you are expecting staff to be able to do their jobs with very limited access to data. It is important to make sure that this expectation is right, or if you need to consider providing these staff with work devices or requiring their personal devices be secured.
Danger: We never recommend giving employees the option to use a personal device to access sensitive or risky data. That risk for you as a business owner is very hard to control. You don’t have much of an authoritative leg to stand on to require staff to secure their devices to a level you need them to, while not giving them any money to overcome any challenges. What if your staff can’t afford an iPhone that still receives security updates, or what if your staff share devices with others and can’t afford their own? Then it can’t be fair for you to put the burden of managing security risk on them. You need to either give them work devices, or you need to find ways for them to do their job with limited access to data.
You now have an inventory of devices, accounts, and tools used; you have a strategy for keeping devices used (work or personal) secured; the last step we want to talk through is securing the accounts and tools you listed. We will use tools and accounts interchangeably here, because they are quite synonymous in this context: we are referring to any software or website (or Software as a Service) that you use for your business and need to log in to.
We split this into two sections to tackle two very common licensing situations: tools where most of your team need access, and specialized tools where only a limited few require access.
For tools that nearly everyone needs to access, the options are:
Have users sign up or sign in using your email provider (single sign-on).
Have users create an account and generate a unique and long password from their password manager. (If the account is higher risk or if you want to require it, configure your team’s access to require 2FA.)
You can see how easy the first option is, which is why we recommend it! You should opt as much as possible for tools that allow you to sign in with your email provider. This is also sometimes referred to as single sign-on, meaning you use one single set of login details for your email provider to access your email and other accounts.
A few years ago, this type of feature might have cost a bit extra. Nowadays, most entry-level or free pricing tiers offer this as a base feature. This is great for a few reasons:
It allows you to control access from one central point. This means if your staff leave, you only have to worry about removing them from one account rather than many.
It allows you to take advantage of strong security with your email provider to protect these other tools. Let me let you in on a developer secret: creating a way for users to log into software is easy. Making it secure—not so much. If a developer can just hook their system up so that the email provider has to do all the hard work on securing things, they often will. The other positive here is that your email provider will require 2FA (because we already set that up before), so this account is also protected by that same two-step process. Win-win.
When going through your inventory of tools, or when assessing which tool to pick when signing up for a new one—check for and use single sign-on where possible. This is a great practice that will pay off later if you ever end up growing too, so start this habit early.
This won’t always be available, or it might only be available in tiers that are well outside your price point and are not worth the extra cost. This is entirely reasonable, and where you choose this path it will be critical to make sure the password used to sign up is unique and long. Previously, we spoke about giving your staff password managers, and this is where that really starts paying off. Have staff use their password managers in ways that make it frictionless to sign up and create unique passwords. This means having staff use browser-based plugins or extensions or mobile apps for their password managers, so when they are on a login or sign-up page, it does all the work for them. Generating and storing a password in their password manager is probably even faster and easier than them sitting and thinking of a password they use elsewhere and making sure it checks any specific password requirement boxes.
What about 2FA? Good security advice says “use 2FA wherever you can,” and we agree. If we are being honest with you though, you might opt to accept the risk of not forcing staff to use it for your truly lower-risk accounts. I can hear the audible gasps around the globe as people read this line, so let me explain how to make that risk call.
A tool is going to be higher risk and need 2FA if:
It has personal information (such as in the form of documents or data stored).
It is used for communicating with people (such as social media or marketing emails).
It has any financial data or use (such as invoicing, payroll, or accounting tools).
It holds control or access to important IT things (such as your website or domain name).
It relates to your email or website (but you already knew that from previous chapters, right?).
Unauthorized access to this account would not be acceptable to you and would be an incident you wouldn’t want to clean up (not that anyone would find them fun or opt in to one, but you get what we mean).
Those above need 2FA, and if they don’t currently provide it, I am sorry but you should spend the extra time to find a provider that does. Thankfully, to make sure you don’t spend much time on that, 2FA Directory shows you alternatives by type of tool.
Even if you want your staff to use 2FA, some tools might not allow you to enforce this. If a tool does not have any group management features, that means if someone signs up their account might exist in their own world—you might not have authorization rights (also called account rights) to control what they do inside the tool. This is why you need to support your staff when they sign up, and make sure they take the right steps at the start.
For all the other tools that don’t fall into the list above, you can make a call as a business owner about what you want to do. If the values of your organization prioritize security, or if you want your staff to follow a very security-positive culture, you might want them to sign up for 2FA for everything. However, given the context we set out at the start of this part, you may opt to allow your staff to make the call when they sign up. Forcing them to use 2FA for every account if they don’t have a smartphone and therefore have to receive an SMS every time, when their cellular coverage can sometimes be spotty—that might not be a fun experience. It would cause a negative association with this security control, which often leads to people finding creative ways around security. Reducing friction for your team can support a positive security culture, especially when your team might not be as technically savvy and these barriers might be harder for them to manage.
Now let’s get into those specialized tools. The most common examples are:
tools that don’t allow you to make unique, individual logins (such as most social media), and
tools that are not widely used by the team and charge per user.
Regardless of which bucket it falls into, the solutions are the same.
Some accounts we need might not let us set up individual accounts. Twitter and other social media accounts are perfect examples of this. Others might be quite special-use tools that have a high cost associated with each user you sign up for. We will preface this: we are not lawyers, just people trying to run a small, growing business as best we can. You have to be mindful of all the tools and accounts you pay for, and the type of licenses you use. Now, we are not telling you to break the terms of service of your tools. We are just saying that if only one or two people on your team require access to a specialized tool, and they don’t use it at the same time—buying a single license might be a cost-effective option for you.
As a business owner, you need to have access to manage the licenses or accounts your business pays for. You need to be able to access payment details, license details, and other information that your team won’t need. You might access them through the same login you use to access the tool itself, or you might have the ability to give the license key to the staff member who has downloaded and uses the software. Either way, you will have the need to share something secret with someone else.
You don’t want to go against all the good advice you have gone through in this part and share that account login or secret key via email or written down on a Post-it Note on the office desk. There are safer and even smarter ways to handle this.
We spoke earlier about team password managers, and how they give you the ability to share secrets with others on the team. This is a perfect use case for using those secret sharing features. This allows you to retain and control access, while also giving it to those on your team that might need access to that account or key.
Now that you’ve inventoried these business accounts and devices, you can have a digital board or internal team wiki pages that capture the tools that your team uses and what data they store. Your team will also have better techniques for securing their individual accounts and securely sharing the others. This inventory you have will change over time, and having this all captured in a central place means it can be a team effort to keep this updated.
Mini celebration time! If you have made it this far and have been following along, then the digital tools used in your business are well secured. Your staff also have access to some great tools, like password managers, and are managed by tools that enable them to make more secure choices, such as required 2FA on email providers.
This last chapter is about how you can make small changes to how your business operates to protect yourself. It is less focused on the technology (although it might be involved), and more focused on the people and process.