Actions for Early-Stage Companies to Boost Security

Key actions early-stage companies can take to enhance their security posture, including implementing basic security measures, fostering a security-first culture, and ensuring the right protections are in place from the start.

Tags: Risk, Cybersecurity Leadership

Aaron Wurthmann

1/30/2024, 5 min read


Originally posted to: https://www.linkedin.com/pulse/actions-early-stage-companies-boost-security-now-aaron-wurthmann-s2gdc/

Over the last few months, many of my advisement calls have centered around no or low-cost actions an early-stage company can do today to move the security needle.

Below is some of the general advice I give. Please don't hesitate to add more no or low-cost actions in the comments. Let's make this a conversation and perhaps... just perhaps we can make things a little more secure.

🛠️ Build a “Secure by Design”, “Secure at the Start” Culture

✅ Keep An Inventory of All Assets and Associates

1️⃣ Use Single Sign-On (SSO) and Multifactor Authentication (MFA) Everywhere BONUS: Where possible use hardware/USB keys/Yubikeys.

🔍 Monitor Accounts for Compromise

🎤💼 Use Separation of Duties for All Accounts

🔑 Securely Share Passwords and Secrets

💻 Ensure there are No Passwords, Secrets, or Keys in the Code

🤏 Adopt Role-Based Access Controls (RBAC) and the Principle of Least Privilege (PoLP)

📧 Enable Email Domain Protections

🏷️ Ensure Critical Company Contact Information is Available Offline

🛠️ Build a “Secure by Design”, “Secure at the Start” Culture

Security is everyone’s responsibility, not just that of information security professionals. Adapting a business's security stance to match the ever-evolving threat landscape is critical. When leaders place security at the forefront and take a people-centric approach, whether by fostering cybersecurity awareness, streamlining collaboration between development and security teams, or nurturing talent, they gain a critical edge over their competitors. This ranges from informing the accounting team that the CEO/CFO will never ask for large sums of money to be transferred in haste, to educating all associates that IT will never ask them for a password. This is more than “Security Education” because it sets the standards of conduct that everyone should follow.

By adopting methodologies like DevSecOps, organizations can position themselves to confront the latest threats with greater resilience. DevSecOps is crucial for building secure, resilient software in an agile and rapidly changing development landscape. DevSecOps bridges the gap between development and security, making security an integral part of the software delivery process.

✅ Keep An Inventory of All Assets and Associates

Physical assets, cloud assets, development/framework, software/SaaS assets, data repositories, data flows, employees, contractors, consultants, temps, partners, and vendors, all have security controls that should be applied. Compiling a list of these items is the first step to securing them and the environment. Having assets inventoried and managed through a System of Record that applies to that asset type is ideal.

For example, implement processes that ensure all associates (employees, contractors, and consultants) are managed through your HR system; have the HR system be the System of Record for all human assets. Later, automation can tie the status of the associate’s employment (Onboarding, Onboarded, Offboarded) to their user account status.

1️⃣ Use Single Sign-On (SSO) and Multifactor Authentication (MFA) Everywhere

Chances are your company is already using an SSO provider. You don’t need to start with a feature-rich identity and SSO provider like Okta, OneLogin, or Ping Identity; both Google and Microsoft offer this functionality, and you are likely already paying for it.

Passwords alone are no longer secure, PERIOD. Wherever possible, add multi-factor or two-factor authentication to every login. Build this into the culture and general understanding. It is best to use an authenticator app over SMS/text codes when possible. BONUS: Where possible use hardware/USB keys/Yubikeys. For example, it is doubtful that any engineer is going to need access to the AWS environment from their mobile device, so use a Yubikey as the second factor on AWS accounts. Remember the hierarchy of MFA methods (from strongest to weakest): hardware key > one-time password > push to login > text message.

🔍 Monitor Accounts for Compromise

Head over to “https://haveibeenpwned.com/”, it's free. Sign your company domain up for notifications, and send those notifications to a list or group. Encourage the company personnel to sign their personal accounts up for notifications. By no means does this free service replace a full-fledged Threat Intelligence program but it is a start.

🎤💼 Use Separation of Duties for All Accounts

Keep your personal accounts personal. That is, don’t email folks at the company from your personal account. There are many, many reasons, including legal and tax reasons, why you want to keep personal-personal and business-business, but in this case what I am asking is that you educate associates to only respond to you in email through your business account. This practice will lower phishing opportunities for bad actors.

Separate “normal” productivity accounts from privileged accounts. That is, do not use your everyday account (the account you use to check email) to administer and manage Google/Office 365/etc. A separate account should be used.

This is especially true of founders and those in public-facing roles.

🔑 Securely Share Passwords and Secrets

Sharing passwords is often unavoidable: the Twitter account, maybe the Amazon owner account, etc. I cannot stress enough how important it is that these passwords are not shared in a spreadsheet somewhere. Investing in a password-sharing platform early can head off a lot of risk later. On this topic, the password-sharing platform MUST be able to share/use MFA. Remember, you want to MFA everything. The cost of a password-sharing platform is typically on a per-user basis. BONUS: I'm a fan of Cerby, 1Password, and Keeper, largely due to their ability to share passwords as well as one-time-password/multi-factor tokens. Investing in any of these platforms for teams or businesses is worth the cost. The one-time password/MFA token that protects your Cerby/1Password/Keeper account itself shouldn't be stored within that same vault. I recommend Authy, Google Authenticator, or Microsoft Authenticator for that, all of which are free.

💻 Ensure there are No Passwords, Secrets, or Keys in the Code

Beyond being a cultural and best-practice item, many of the popular code repositories have the ability to scan source code for potential secrets. Secrets, passwords, or keys should not be stored in source code. The solution is going to depend on a few factors: platform, coding language, etc. This isn’t a replacement for a full code analysis program, but it is a good first step.
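As an added example (not code from the original post), here is a small Python pre-commit style scanner that applies the two kinds of check such repository features rely on: fixed patterns for well-known key formats, and an entropy test on values assigned to credential-looking variable names. The sample source text and every key-like value in it are constructed placeholders.

```python
import math
import re

# Constructed sample source text; the key-like values are placeholders, not real credentials.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
aws_access_key_id = "AKIAEXAMPLE0000000AB"
api_token = "sk_live_9f8e7d6c5b4a39281706f5e4d3c2b1a0"
debug = True
-----BEGIN RSA PRIVATE KEY-----
password = "changeme"
"""

# Fixed-format secrets: AWS access key IDs are 'AKIA' plus 16 upper-case alphanumerics,
# and PEM private keys announce themselves with a BEGIN ... PRIVATE KEY header.
PATTERN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# A quoted string of 8+ characters assigned to a credential-looking name.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:secret|token|passw(?:or)?d|api[_-]?key)\w*)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(value):
    """Bits of entropy per character; random keys score high, dictionary words score low."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text, entropy_threshold=3.5):
    """Return (line_number, rule_name) for every suspicious line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERN_RULES.items():
            if pattern.search(line):
                findings.append((lineno, rule))
        match = ASSIGNMENT.search(line)
        if match:
            # Random-looking values are treated as live secrets; low-entropy values such
            # as "changeme" are still reported, but as placeholders to review.
            if shannon_entropy(match.group(2)) >= entropy_threshold:
                findings.append((lineno, "hardcoded-secret"))
            else:
                findings.append((lineno, "suspicious-assignment"))
    return findings
```

Wired into a pre-commit hook, a non-empty result from scan_source on the staged files is enough to block the commit until the value is moved to a secrets manager or environment variable.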

🤏 Adopt Role-Based Access Controls (RBAC) and the Principle of Least Privilege (PoLP)

PoLP and RBAC are fundamental concepts in information security, and adopting them early is very powerful. The concept is to give people, system, and process accounts only the lowest privilege needed to perform their role or task.

📧 Enable Email Domain Protections

There are a few steps that you can take right now to protect your email domain. There are of course some great full-featured platforms, but as always I recommend starting with the basics.

1) Check out the anti-phishing features you are already paying for with your email provider. Both Google and Microsoft have some basic functionality that you can take advantage of.

2) Take inventory of who/what should be allowed to send email on your domain’s behalf. Typically these are systems like your ERP, CRM, marketing automation, and your email/collaboration platform. This will require some technical understanding or some reading and research. You want to manage your domain’s SPF, DKIM, and DMARC records so that only senders on the approved list are allowed to send. In the absence of technical understanding or time to allocate towards managing these records, a full-fledged solution can be acquired.

BONUS: I was, very briefly, on the customer advisory board at Valimail. When it comes to managing your DMARC records, I recommend Valimail; they also have a free product available to start your journey.
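As an added example, not from the original post, the following Python functions evaluate the two records a small company most often gets wrong: they parse SPF and DMARC TXT records and report weak settings, shown here beside their corrected forms. The records are constructed for a hypothetical example.com domain, not real DNS data; in practice the strings would come from a TXT lookup of the domain and of _dmarc.<domain>.

```python
import re

# Constructed TXT records for a hypothetical example.com: a weak starting point and the fix.
WEAK_SPF = "v=spf1 include:_spf.google.com include:mail.example-crm.com ?all"
FIXED_SPF = "v=spf1 include:_spf.google.com include:mail.example-crm.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
FIXED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"(?i)^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=")


def check_spf(record):
    """Return a list of weaknesses in an SPF TXT record (empty if none)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing or malformed v=spf1 tag"]
    issues = []
    # The trailing 'all' decides what happens to senders not on the approved list:
    # '-all' fails them, '~all' soft-fails them, '?all' and '+all' let them through.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders are not rejected")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("'+all' authorizes every sender on the internet")
        elif qualifier == "?":
            issues.append("'?all' is neutral: unlisted senders are not failed")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceed the 10-lookup limit (permerror)")
    return issues


def check_dmarc(record):
    """Return a list of weaknesses in a DMARC TXT record (empty if none)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["missing or malformed v=DMARC1 tag"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= policy")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address: you will receive no aggregate reports")
    return issues
```

Starting at p=none with a rua= address is the normal first step; the aggregate reports tell you which legitimate senders still need to be added before moving to quarantine and then reject.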

🏷️ Ensure Critical Company Contact Information is Available Offline

Getting hold of IT, Security, or in some cases the CEO/CFO should never be guesswork. You want employees to feel comfortable saying to someone emailing or calling them, “Let me call you back after confirming you are who you say you are.” You also want people to be able to easily report incidents and suspicious behavior. Remove the guesswork: print labels to be placed on laptops, and publicize important contacts.
