Security for Startups: The Starting Five

2 years ago
Written by
Fouad Matin
@fouadmatin

When it comes to security, size doesn’t always matter.

In fact, small companies are often at a greater risk for security breaches than their larger counterparts. That’s because small businesses usually have fewer resources and less experience dealing with security threats.

Despite these challenges, there are a number of things small businesses can do to protect themselves from security threats. Depending on your risk profile, you may also want to consider adopting security practices meant for larger companies.

If your risk profile is high, or you want to jump right into the deep end of security, you can adopt the advice catered towards large companies. For instance, we cover some of this in our posts about outgrowing open-by-default (meant for 10 to 50 employees) and achieving compliance with exceptions noted (meant for 50 to 150 employees).

For startups looking for minimum viable security, we have five suggestions. These are all low effort to implement, and can have a big impact on putting you (and your customers who rely on you) at ease about your baseline security:

  1. Create a security policy
  2. Train employees on security
  3. Implement security measures
  4. Use single sign-on, where possible
  5. Grant access on-demand

1. Create a security policy

One of the first steps any company should take to improve security is to create a security policy. This document should outline the company’s approach to security and explain how employees are expected to safeguard company information.

If you're considering a compliance framework like SOC 2, HIPAA, PCI, or other standards, you may want to consider looking at the controls you'll need to produce evidence for when you establish your security policy.

There are a number of companies that can help you with this; check out our SOC 2 overview or our integrations with compliance partners like Secureframe, Vanta and Drata.

2. Train employees on security

Once you have a security policy in place, it’s important to make sure all employees are aware of it and understand their role in protecting company information.

Employees should be trained on things like password security, phishing scams, and how to spot and report suspicious activity.

3. Implement security measures

In addition to employee training, small businesses should also implement some basic security measures. This might include things like installing firewalls and anti-virus software, using encryption, and creating backups of important data.

4. Use single sign-on, where possible

Single sign-on (SSO) is typically thought of as a sign of growing from a team into an enterprise, but there are a few reasons why even a small startup should use single sign-on:

  1. It saves time and energy. Instead of having to remember multiple usernames and passwords, employees only have to remember one set of credentials.
  2. It increases security. By using a single sign-on solution, businesses can track activity and better monitor who is accessing what information. This can help prevent data breaches and unauthorized access to sensitive information.
  3. It improves productivity. When employees don't have to waste time logging in and out of multiple systems, they can be more productive and get their work done more quickly.
  4. It simplifies IT management. Single sign-on can make it easier for IT staff to manage user accounts and access to different systems.

Using SSO is like future-proofing your identity stack. It makes it a lot easier to manage onboarding new team members and their access to your systems.

We generally recommend using Okta (especially their free developer tier) because it comes with out-of-the-box features like SCIM provisioning and a bunch of other nice-to-have security features.

But, if you’re not sure, you can always start with "Continue with Google", which even supports SAML apps, and then migrate to Okta for the necessary apps.

5. Grant access on-demand

Most companies will add a security policy control called "least privileged access" with the goal of limiting how many people have access to sensitive resources. In theory, this would mean that only the people who absolutely need certain access have it, but in practice, everyone on the engineering team has access to production.

Why does this happen? Well, it turns out that the most important thing for startups is to make sure that the people who need access have it.

If a customer reports a bug and the engineer who needs to fix it doesn't have access to the system where the bug lives, they'll have to ask for access and wait for someone else to get it for them.

It's hard to know who needs access; teams have to consider:

  • Who needs standing access?
  • Who should be able to review access requests?
  • Why does an engineer need access to production?
  • How long is reasonable to wait for access?
  • How long should they have it for?

When a company is still building the product and it's not really being used for anything critical yet, everyone on the team might just have access to everything. But, as the product grows, it becomes more and more important to make sure that you're not opening .

If someone has access to something they shouldn't, it could cause an accident like running a query meant for staging in production or, in the worst case, a security incident. If that access is only granted for a certain amount of time, then it minimizes the chances of something bad happening.

At Indent, we've been working with a few different ways to grant access on-demand. We think you shouldn't have to choose between prioritizing security and productivity — the most secure workflow has to also be the best user experience.

Here are some of the common use cases for granting access on-demand:

  • On-demand production access: Secure production with least privilege access model that facilitates time-bound access based on immediate need. Access requests are routed to approvers based on predefined policies, ensuring compliance. Approvers can grant and set the access duration via Slack, expediting access for the requester.
  • On-call auto approvals: Adjust privileges based on change of responsibilities related to on-call status. On-call status triggers a bot to grant the necessary access, ensuring compliance principles are maintained while the access is logged for later review.
  • On-demand admin access: Secure Okta with least privilege access model that grants admins time-bound access based on immediate need. Admins are able to get access quickly when they need it, without needing to continually maintain their elevated privileges, keeping the organization’s most sensitive systems secure.
  • Uniform day one access: Grant access to new internal and external users based on roles and responsibilities. Protect against privilege creep and make sure that new users have access to the necessities for their role, while being able to request additional access on-demand.
  • Automated audit evidence collection: Automates your evidence collection by storing all access related data in immutable logs. They can then be easily exported with a single click and shared with your auditor.
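To make the on-demand access model above concrete, here is a small added example (not Indent's code, and not how the Indent Platform is implemented) of a broker that routes requests to approvers, auto-approves on-call engineers for a resource, caps grant duration, expires grants, and keeps an append-only audit log. The resource names, approver lists and on-call roster are constructed for the example.

```python
"""Toy just-in-time access broker (added example; constructed policy data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed policy: who may approve requests for each resource, which
# resources an on-call engineer gets without a human approver, and the
# longest a single grant may last.
APPROVERS: Dict[str, List[str]] = {
    "prod-db": ["bob", "dana"],
    "okta-admin": ["dana"],
}
ONCALL_AUTO_APPROVE = {"prod-db"}
MAX_DURATION = timedelta(hours=4)


@dataclass
class Grant:
    requester: str
    resource: str
    reason: str
    approved_by: str
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        # A grant is usable only before its expiry and until it is revoked.
        return self.revoked_at is None and now < self.expires_at


class AccessBroker:
    def __init__(self, oncall: List[str]):
        self.oncall = set(oncall)
        self.pending: Dict[int, dict] = {}
        self.grants: List[Grant] = []
        self.audit_log: List[dict] = []  # append-only; never edited in place
        self._next_id = 1

    def _log(self, event: str, now: datetime, **fields) -> None:
        self.audit_log.append({"ts": now.isoformat(), "event": event, **fields})

    def request(self, requester: str, resource: str, reason: str,
                duration: timedelta, now: datetime) -> Optional[int]:
        """Record a request. Returns a pending id, or None if auto-approved."""
        if resource not in APPROVERS:
            raise ValueError(f"unknown resource {resource!r}")
        if not reason.strip():
            raise ValueError("a reason is required for every request")
        duration = min(duration, MAX_DURATION)  # cap, never extend
        rid = self._next_id
        self._next_id += 1
        self._log("requested", now, id=rid, requester=requester,
                  resource=resource, reason=reason,
                  duration_s=int(duration.total_seconds()))
        if requester in self.oncall and resource in ONCALL_AUTO_APPROVE:
            # On-call status stands in for a human approver, but is still logged.
            self._grant(rid, requester, resource, reason, duration, "oncall-bot", now)
            return None
        self.pending[rid] = {"requester": requester, "resource": resource,
                             "reason": reason, "duration": duration}
        return rid

    def approve(self, rid: int, approver: str, now: datetime) -> Grant:
        req = self.pending.get(rid)
        if req is None:
            raise KeyError(f"no pending request {rid}")
        if approver == req["requester"]:
            raise PermissionError("requesters may not approve their own access")
        if approver not in APPROVERS[req["resource"]]:
            raise PermissionError(f"{approver} may not approve {req['resource']}")
        del self.pending[rid]
        return self._grant(rid, req["requester"], req["resource"],
                           req["reason"], req["duration"], approver, now)

    def _grant(self, rid, requester, resource, reason, duration, approver, now) -> Grant:
        g = Grant(requester, resource, reason, approver, now, now + duration)
        self.grants.append(g)
        self._log("approved", now, id=rid, approver=approver,
                  expires_at=g.expires_at.isoformat())
        return g

    def has_access(self, user: str, resource: str, now: datetime) -> bool:
        return any(g.requester == user and g.resource == resource
                   and g.is_active(now) for g in self.grants)

    def expire(self, now: datetime) -> List[Grant]:
        """Revoke every grant whose window has closed; returns those revoked."""
        revoked = []
        for g in self.grants:
            if g.revoked_at is None and now >= g.expires_at:
                g.revoked_at = now
                self._log("revoked", now, requester=g.requester,
                          resource=g.resource, cause="expired")
                revoked.append(g)
        return revoked
```

Because every state change goes through `_log`, the audit log alone answers the questions in the checklist above: who asked, why, who approved, for how long, and when it ended. A real deployment would persist that log somewhere writers cannot modify and run `expire` on a schedule rather than on demand.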

Interested in learning more or have questions? Feel free to reach out to our team and we're happy to help you figure it out. You can either schedule a demo or contact us.

For example, PlanetScale made sure we knew that their auditor loved the logs and audit reports from Indent. Life after SOC 2 has also been improved for admins at PlanetScale through their use of the Indent Platform.

PlanetScale has seen an 80% reduction in their IT workload, allowing them to focus on projects that more directly impact revenue. You can learn more about how Indent has helped them by checking out their case study.

Try Indent for free.