The Startup Security Checklist

Live your best (security) life now!

We get it, you’re trying to run a company. You also want this company to be secure but you’re not a security expert. That’s a tough spot to be in. Let us make it easier for you. The following isn’t an exhaustive list of steps you can take but it’s a short list of the steps you should take… right NOW!

#SecurityLyfe

Why

Security is a way of life, some might even call it a lifestyle. It’s not an activity that you do once or something that you talk about every quarter. It’s a cultural decision to build in security to your processes and technology, not bolt it on later. This starts with the CEO. If the CEO makes security a priority, others will follow her lead. As a leader in your company you should review this guide and then ask others to familiarize themselves with the principles outlined here. Enthusiastically embracing security principles will go a long way to helping the organization make security a part of its day-to-day operations.

Pro tips

  • Create a culture of open dialogue where team members aren’t afraid to make mistakes. If people feel like they can trust each other they’ll speak up when they’ve accidentally clicked a suspicious link or need help enabling multi-factor authentication.
  • Reward people when they report a phishing email or find a security bug. You could have a monthly drawing for a gift card between everyone that’s reported something.
  • Don’t make security optional in your processes. Mandate multi-factor authentication for your company’s email. With any new process make the default option the secure option.

Resources

Security Planner from Citizens Lab

Multi-factor Authentication. On all the things.

Why

If an attacker learns or guesses your credentials, she can break into your accounts. She could phish you, peek over your shoulder, or simply make a lucky guess. If you don’t have multi-factor enabled she is free to pillage your accounts, read your messages, and steal your data. Adding a second factor significantly increases the attacker’s work: a stolen password on its own is no longer enough. Ideally this second factor is a one-time password (OTP) app such as Authy or Google Authenticator for Android or iOS, or better still a hardware security key. Avoid text message (SMS) based multi-factor wherever you have a choice; SMS codes can be intercepted or stolen with a SIM swap. It is still better than no second factor at all, so if SMS is the only option a service offers, turn it on anyway.
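To show what an OTP app is actually doing, here is an added example (it is not part of the original checklist) that implements the time-based one-time password algorithm from RFC 6238 that apps like Google Authenticator and Authy use, verifies a submitted code with a little clock-drift tolerance, refuses to accept the same code twice, and generates one-use backup codes. The secret below is the RFC’s published test secret in base32; a real secret comes from the service’s enrollment QR code and must be stored as carefully as a password.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 / RFC 4226 reference secret ("12345678901234567890" in base32).
# Used here only so the output can be checked against the RFC's test vectors.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """Time-based OTP: the counter is the number of `step`-second periods since the epoch."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret_b32, now // step, digits)


class TotpVerifier:
    """Server-side check: accepts the current code or one `window` steps either
    side (phone clocks drift), compares in constant time, and never accepts a
    counter value at or below the last one it already accepted (no replay)."""

    def __init__(self, secret_b32, step=30, digits=6, window=1):
        self.secret_b32 = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1

    def verify(self, code, at=None):
        now = int(time.time()) if at is None else int(at)
        counter = now // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue                                      # already used
            expected = hotp(self.secret_b32, candidate, self.digits)
            if hmac.compare_digest(expected, str(code)):
                self.last_counter = candidate
                return True
        return False


def generate_backup_codes(n=8):
    """One-use recovery codes. Show them once; store only their hashes server side."""
    return [secrets.token_hex(5) for _ in range(n)]


if __name__ == "__main__":
    print("code right now:", totp(RFC6238_SECRET_B32))
    print("backup codes:  ", generate_backup_codes())
```

The replay check is the part hobby implementations usually skip: without it, a code phished out of a user is good for the full 30-second step plus the drift window.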

Pro tips

  • Make a list of all the technology you use in a month and then go enable multi-factor for each service.
  • Whenever you enable multi-factor make sure to download and safely store “backup codes” in case you lose your phone.
  • Some password managers even let you store the OTP secret so that anyone you “share” the password with also has access to the second factor code. Understand the trade-off: if the password manager account is compromised, both factors go with it, so guard that account especially well.
  • After locking down your main accounts, look into locking down less used, but still important accounts such as your domain registrar account.

Resources

Facebook, Google, G Suite, Office 365, Twitter, Instagram, GitHub

These Passwords Aren’t Going to Manage Themselves

Why

Have you ever used the password “Password1”? Is your password still your dog’s birthday? Do you reuse passwords because it’s hard to remember all of them? Wait! Don’t answer any of those questions. If you use a weak password, a hacker can simply guess your login. If you reuse a password and it’s compromised in one site’s breach, it’s compromised everywhere else that you’ve used it, because attackers replay leaked credentials against every other popular service. So you should have a unique password for every login, but that’s hard to remember. Just get a password manager and be done with all of these password woes. Remembering one strong phrase is easier than remembering a hundred terrible passwords. And did we mention? It’s far more secure.
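Have I Been Pwned (listed under Resources below) lets you check whether a password has shown up in a breach without ever sending the password itself. Here is an added example, not taken from the checklist or from the HIBP project, of how that k-anonymity check works: only the first five hex characters of the password’s SHA-1 go to the API, the rest of the hash is matched locally against the list that comes back. The response body in the block is constructed so the example runs offline; `fetch_range_body` hits the real `https://api.pwnedpasswords.com/range/` endpoint if you choose to call it.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body):
    """The API answers with one 'SUFFIX:COUNT' line per leaked hash sharing the
    prefix (padding lines with count 0 appear when Add-Padding is requested)."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """Number of times the password appeared in breaches, 0 if it is absent."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_body(range_body).get(suffix, 0)


def fetch_range_body(prefix):
    """Network call to the real API. Add-Padding hides the true response size
    from anyone watching the connection."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "startup-checklist-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_online(password):
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range_body(prefix))


# Constructed stand-in for the body returned for prefix 5BAA6 (the prefix of
# SHA-1("password")). The real response has hundreds of lines; counts here are
# made up for the example.
SAMPLE_RANGE_BODY = """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0
"""

if __name__ == "__main__":
    for pw in ("password", "a long passphrase nobody else has typed"):
        print(repr(pw), "seen", breach_count(pw, SAMPLE_RANGE_BODY), "times")
```

Wire this into your signup form and reject any password with a non-zero count; NIST’s password guidance recommends exactly this kind of breached-password screening.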

Pro tips

  • Pick a strong memorable passphrase like “The folks at Revis Solutions are crazy about security” (Pssst…. Don’t use that one).
  • Share passwords between your fellow visionaries with password managers that allow you to create “teams”: Bitwarden, LastPass, Dashlane, or 1Password.
  • Enable multi-factor authentication for your password manager.

Resources

How Secure is My Password?, Have I Been Pwned?

Strong Abs — Err I mean Apps

Why

Actually building strong apps is like building strong abs. A few crunches everyday will give you a *solid* product in the long run. Security is easiest and least costly if done from the beginning. Taking an extra day to add multi-factor to your app is much easier than dealing with fraudulent account activity. Asking developers to brush up on secure coding practices will help you save face as your competitors deal with PR nightmares from data breaches. I know, I know, you’re trying to move fast (and break things?). There are simple steps that don’t add much time. For starters, have your devs understand how to avoid common security bugs. Use the Open Web Application Security Project (OWASP) top 10 lists for web and mobile applications.

Pro tips

  • If a third-party is building your MVP ask them “how do you all handle the OWASP top 10?” Their answer can help you choose between firms.
  • When raising money, budget for application security assessments.

Resources

OWASP, Hack Yourself First

Use an A6*9KL;”@6% Messaging App

Why

You don’t want your source code backdoored with a hacker’s code because you texted someone your GitHub password in an emergency. There are less drastic scenarios than that but many can be avoided by simply using a secure messaging app. Text messages (SMS) are not encrypted end to end, and email (even when encrypted in transit between your G Suite or Office 365 and the other side) sits readable on the mail servers at both ends, so an attacker who intercepts the message or gets into either mailbox could read or modify it. That doesn’t sound good and it isn’t. Whenever you transmit sensitive information use an end-to-end encrypted messaging platform such as Wire or Signal, where only the devices at either end hold the keys.

Pro tips

  • Your secure messenger is only as secure as the device it’s on. Keep your phone secure by using a lock code and only installing legitimate apps.
  • Sending a secure message won’t stop the recipient from downloading a file or taking a screenshot. Only message people you trust.

Resources

Wire’s Security Audit, Signal’s Security Audit

Encrypt the Mothership(s)

Why

Well for starters it’s pretty awesome to say “The mothership has been encrypted”. Also, your mothership will be encrypted, which is a great thing! If you’ve never ever lost anything or had something stolen or don’t think either of those things could happen to you ever, you can disregard this advice. For everyone else, you need to plan for worst case scenarios. What if someone runs into that coffee shop while you’re in the bathroom and steals your nice new Mac with the touch bar (are those even useful?). Can you rest easy, or rest as well as one can following a major theft, knowing that your sensitive company and customer information is safe? Full-disk encryption gives you this peace of mind. It’s easy to activate on both Windows (BitLocker) and Mac (FileVault). One caveat: it only protects a machine that is powered off or locked, so pair it with a strong login password and a short auto-lock timeout.

Pro tips

  • Make sure all of your backups are encrypted and preferably keep them in a location separate from your computer like a home safe or a locker at your co-working space.
  • Don’t put sensitive information on unencrypted USB drives. Use something like VeraCrypt to create “encrypted volumes” on portable media.

Resources

Enable BitLocker on External Media, Keep Your Time Machine Backup Secure

Run the Latest and Greatest

Why

The latest and greatest are the greatest because they’re the latest. In other words, keep your stuff up-to-date! When security researchers find a new vulnerability, it’s a race between the black hat hackers and the software vendors to fix the problem. If you’re running up-to-date operating systems and software, attacks that exploit already-patched vulnerabilities won’t work against you. Updates can’t protect you from flaws the vendor hasn’t fixed yet, so turn on automatic updates to shrink the window between a patch shipping and it landing on your machines.

Pro tips

  • Make sure secondary devices such as wireless routers and printers are also kept up-to-date.

Resources

Microsoft Update FAQ, Keep Macs Up-to-date

Lock down that connection!

Why

While riding the subway, you wouldn’t speak loudly about that rash that just showed up (you know the one I’m talking about). Don’t let your computer do the same thing when you’re on WiFi. Many startups work out of coworking spaces or from coffee shops. Consider these networks hostile. Sure, free internet is nice but having a hacker listen to your digital conversations is not. Stop these inquisitive hackers by avoiding shared WiFi or using a VPN if you do. A VPN creates an encrypted tunnel from your device to the VPN provider’s server, so anyone on the shared network can’t “overhear” your Internet conversations. Keep in mind that the VPN provider can see that traffic instead, so you are choosing whom to trust, and that HTTPS still matters on top of it.

Pro tips

  • Check out popular VPNs such as Private Internet Access and NordVPN.
  • Be aware that a small group of websites block traffic from VPNs because malicious users also employ VPNs to hide their identities. If a site is blocking you, hop off WiFi and use your cell phone data or set up a mobile hotspot.

Resources

How a VPN Works