editione1.0.0
Updated October 9, 2023🚀 As explained by Laura
Throughout this book, we have often assumed that your business is growing. However, we know things don’t always work out that way. Sometimes you are faced with scaling your business down or downsizing and are faced with different risks and decisions to make. We speak from experience on this; SafeStack has been around for over seven years now, and we’ve had to scale down and change a few times before we got to where we are now.
This uncertainty triggers our fight for survival. You may not be directly thinking about security—but the risk is still there. There may be employees you have to let go, accounts and services you need in order to continue to operate, and expenses you need to cut back on.
If these types of risk situations were to happen, this would make your survivability even more challenging than it has to be. This is not meant to be a fear-based exercise; rather, this should help you think of concerns that you might not have had to consider before.
There are things you can do to manage these new risks in ways that allow you to keep your business afloat while you weather this storm. We can break these strategies into three different groups:
Downgrade or cancel service subscriptions
Let employees go
When scaling your business down, you should reduce the amount of money spent on software and other services. Sometimes these services are based on the number of user accounts associated with your account. You might find yourself deleting accounts for any employees who have left, and scaling down the number of accounts so that your team shares access to a single account.
controversy I am aware terms of service for some software services don’t allow this. But when a business is faced with surviving and paying bills and salary for the month, or paying for additional user accounts, most of us will choose the former.
Generate that new password from your password manager and make it long—over 16 characters. It shouldn’t be a password that is easy for your team to remember or write down on a Post-it Note.
Set up 2FA using your password manager’s one-time password function.
These few steps actually help protect your business in a few different ways:
Setting up the new account with a unique, long password makes it harder for someone outside the business to guess it.
Having 2FA set up in the password manager makes it harder for employees who have left the business to get into the account after they leave.
Using an account email that is accessible by the team means any account changes, like password or account configuration changes, are visible.
These actions can help you regain control over accounts that will now be used and shared amongst your team, while also keeping them as safe as you can.
Aside from reducing user accounts for your services, you might also be downgrading or canceling services you don’t need to keep your business alive. It drives me mad, but some services only provide security features for users on paid or higher-level service tiers. Service providers might not handle service cancellations with grace, which means copies of your data might be lingering around, which also leaves the security risk lingering around too. These changes can limit the amount of security protection your accounts and data has, and there are a few things to check before you hit “cancel service.”
For services you are downgrading, check what security and data protection features are included in the lower-tier plans. You can often find this information on the service provider’s pricing page, or you can search through their knowledge base or support documentation. If you can’t find this out after a quick search, ask the service provider.
To help you draft that email, you will want to ask if the following features are still available at lower or free service tiers:
Are the following features still available at lower or free service tiers: 2FA and the ability to export account data?
What happens to any excess data if we switch to a service tier that has lower data storage limits than what we currently have?
If the answers you find are not ideal, don’t be afraid to negotiate a new service arrangement. The other side of that support email is a human, and sometimes humans have empathy and the ability to make exceptions. This could be in the form of discounts, temporary details, or modified service plans. It is always worth asking before making arrangements to remove your data or shift to an alternative service that gives you the security features and pricing you need.
For services you are canceling, check what happens to your data after you cancel. Often, services might leave this data in their databases until it gets archived years later. If this service has a data breach, your business could still feel the impact even if you aren’t an active paying customer. Thanks to new privacy legislation like GDPR, service providers have to have processes to delete personal data. This means it makes asking these requests a lot easier and more likely to be fulfilled.
In an ideal situation, you can export copies of your account data and then request all account data be deleted. Don’t assume that just because you canceled your services the service provider will delete your data. They might specifically wait for a request to delete it, or just leave it there to gather dust. In a less ideal situation, you might have to delete the account data yourself and then wait for a short period of time to pass (usually 30 to 90 days). This short period of time is often the amount of time your data will stick around in backups and might still be accessible. Regardless of which situation you have to go with, at the end of it, you can be confident that you have cleaned up any left behind data and can consider that service canceled.
The last area to address when scaling down is your people. This is going to be the hardest one to address because no business owner wants to be in this situation. Restructures and redundancy processes are difficult, and we might do anything to make this situation pass as quickly as possible. Try to avoid that impulse—you can carry out this step with empathy and kindness, while still making sure you take the time to protect what is left with your business.
First, you need to consider the devices and accounts your employees have access to. You will want to retrieve what you can, knowing that you might not be able to retrieve it all. Even if you lose copies of some documents or data, you can still keep control over accounts by resetting passwords or removing access just after they leave. If there are devices you can’t get back, for example, if they are lost, damaged, or it’s unsafe to claim them, you can monitor your accounts to block and unlink access from these devices. You can also remotely wipe these devices if you set that up when we covered it in Part II, but be sure to do it with kindness. We have all used our work devices for personal use at one point or another, and it would be a real kick in the ankles to lose your job and copies of some personal data you had stored on your work laptop. You can always give employees who have left a heads-up that you need to wipe the device, and give them a chance to back up or move any personal files they might have stored.
danger Watch out for systems or workflows that might depend on an individual employee’s account. Often, we might set up automated workflows or system service accounts that are tied to our own individual emails or accounts. If these accounts are disabled, this could result in a domino effect of failures that would be a challenge to clean up.
This is especially the case for any software engineers or leadership team members that might have been key account holders or key people involved in setting up new software or systems.
A common example of this is tools like Slack. Messaging platforms are often the first to be set up in a company and are often created from a single individual’s work email address. If you were to just delete the associated email address, the main Slack administrator account may be lost too, creating a massive headache and risking the loss of key company communications.
confusion Instead of deleting an account, it may be safer to change the password and store the new password in your password manager. This allows you to handle situations where their account was personally coupled into a key system or workflow with care (rather than during a highly stressful restructure).
When faced with downsizing, you are already finding yourself in a challenging situation. The good news is that if you consider those three areas, your business will be in a much better position to survive this dark time and avoid unnecessary security and data risks, and hopefully emerge on the other side as a new, growing business.
🚀 As explained by Erica
Accessibility and usability are important across the software industry, including security. Throughout this book we have assumed that you are able to implement any recommendations in an accessible way. This could mean setting up assistive technologies and tools, and/or using an adaptive strategy during rollout.
That is quite a big assumption to make, especially since some software security features have ways to go before they are accessible and usable by everyone. Often, the paths users follow that involve security, like logging in with a password or using 2FA, are created without considering users with disabilities. They have been created without considering accessibility for years. Back in 2000 the National Federation of the Blind sued AOL because their ATMs and online banking could only be used with the help of a sighted person. In 2012, my co-author Laura performed field research with Britta Offergeld and the Royal New Zealand Foundation of the Blind to evaluate how effective common security advice is for those with visual impairments, and they came back with a raft of improvements and possible solutions that needed to be made.