We have been doing the cybersecurity dance for a while—Laura recently hit her 20-year career anniversary! We’ve seen a lot, and while much has changed over the years in terms of technology, many aspects of cybersecurity have stayed depressingly the same.
We see stories in the news about large companies paying exorbitant amounts of money to regulators and their customers for losing data, or companies becoming irrelevant after undergoing an attack that also took down their competitive edge. This doesn’t even cover the hundreds of organizations that are too small for air time, that have to shut their doors after a security incident.
What we have found is that the root of these problems and pain is often a lack of the same good security practices. We want to change that for all companies, not just those big enough or established enough to afford security teams and expensive tools.
Most good security practice boils down to a simple set of foundations—unique passwords stored in a password manager, two-factor authentication prompts for each login, being mindful of and limiting sprawling data duplicated across websites and devices, automating or prioritizing regular updates and patching, turning off unnecessary features, and setting up safety-net monitoring emails and notifications for when things fall through the cracks.
Most organizations we have worked with suffer from these same missing foundations, building their company operations and infrastructure on a bed of sand. As these companies grow, establishing security practices can become exorbitantly costly—or come too late.
It isn’t the small business owner or organization’s fault, however. With the way technology is moving and changing, it can be hard to keep up. And when faced with making decisions to keep your company—and yourself—alive and growing, keeping your digital assets and data secure doesn’t always feel like a priority.
Additionally, there is plenty of advice for large enterprises or governments that have to comply with specific regulations and control frameworks, but there’s very little for those organizations that are too small to have security budgets or tools. We couldn’t point the smaller businesses we work with to any resources that would scale to their level and needs. The little advice that was available was hard to find for people short on time and not sure where to start. Or worse—they might rely on expensive security widgets that burn money and still may not keep their most important assets protected.
Our mission at SafeStack has always been to help as many small businesses and people as possible. Rather than building a giant consultancy and working only with wealthy businesses, we wanted to share our mix of experience, understanding, technical know-how, empathy, and pragmatism with as many people as possible. We want our expertise to be accessible and our advice easy to follow. We want it to be clear where to start, what to focus on, and what to do. We determined that the best vehicle for this mission would be a digital book that is searchable, shareable, and accessible. We chose to publish with Holloway so we can bring you just that.
Whether you are just trying to protect yourself or your small business, we are excited to share the years of experience and advice that we have provided to people just like you. We hope you find helpful nuggets of wisdom in the advice for your own security that you feel inspired to share with others in your network, social circles, or family.
We believe this book will be helpful to people of a variety of backgrounds, but we do make some assumptions about your technical skill and security goals. We expect most readers to fall into one or more of the following buckets:
You are at least mildly tech savvy, willing to learn more, and work somewhere where information security matters.
You work at or own a startup and care about security.
You work at or own a small or growing business and want to ensure your security strategy is strong.
For those running small businesses or growing companies, we wrote this book so it can grow with you—you might only be a one-person band now, but soon you might grow into a small team with more customers, assets, and risks you need to think about. We structured this book so you can revisit it when your context changes, so you know where best to redirect your limited resources to make the biggest impact.
Eventually, your organization may outgrow this book. There might be a point where you grow big enough to need your own internal security team. You may find the amount of data, assets, and systems you have is well past what you and your team alone can manage. Consider this book to be the roadmap to help you manage your security from now until then—so that you can reach that stage safely, and with strong security foundations already in place.
For those of you further along your security journey, this book can also be a tool to help share your practice with others—a way to guide those around you in a simple and pragmatic way. We hope this book can help you support these groups and your local communities and businesses, without spending too much of your time and energy.
Key points are highlighted like this:
Important: An important note.