When it comes to security, size doesn’t always matter.
In fact, small companies are often at a greater risk for security breaches than their larger counterparts. That’s because small businesses usually have fewer resources and less experience dealing with security threats.
Despite these challenges, there are a number of things small businesses can do to protect themselves from security threats. Depending on your risk profile, you may want to consider adopting security practices meant for larger companies:
If your risk profile is high, or you want to jump right into the deep end of security, you can adopt the advice catered towards large companies. For instance, we cover some of this in our posts about outgrowing open-by-default (meant for 10 to 50 employees) and achieving compliance with exceptions noted (meant for 50 to 150 employees).
For startups looking for minimum viable security, we have five suggestions. These are all low effort to implement, and can have a big impact on putting you (and your customers who rely on you) at ease about your baseline security:
One of the first steps any company should take to improve security is to create a security policy. This document should outline the company’s approach to security and explain how employees are expected to safeguard company information.
If you're considering a compliance framework like SOC 2, HIPAA, PCI, or other standards, you may want to consider looking at the controls you'll need to produce evidence for when you establish your security policy.
Once you have a security policy in place, it’s important to make sure all employees are aware of it and understand their role in protecting company information.
Employees should be trained on things like password security, phishing scams, and how to spot and report suspicious activity.
In addition to employee training, small businesses should also implement some basic security measures. This might include things like installing firewalls and anti-virus software, using encryption, and creating backups of important data
Single sign-on (SSO) is typically thought of a sign of growing from a team into an enterprise, but there are a few reasons why even a small startup should use single sign-on:
Using SSO is like future-proofing your identity stack. It makes it a lot easier to manage onboarding new team members and their access to your systems.
But, if you’re not sure, you can always start with "Continue with Google", which even supports SAML apps, and then migrate to Okta for the necessary apps.
Most companies will add a security policy control called "least privleged access" with the goal of limiting how many people have access to sensitive resources. In theory, this would mean that only the people who absolutely need certain access have it, but in practice, everyone in the engineering team has access to production.
Why does this happen? Well, it turns out that the most important thing for startups is to make sure that the people who need access have it.
If a customer reports a bug and the engineer who needs to fix it doesn't have access to the bug, they'll have to ask for access and wait for someone else to get it for them.
It's hard to know who needs access, teams have to consider:
When a company is still building the product and it's not really being used for anything critical yet, everyone on the team might just have access to everything. But, as the product grows, it becomes more and more important to make sure that you're not opening .
If someone has access to something they shouldn't, it could cause an accident like running a query meant for staging in production or, in the worst case, a security incident. If that access is only granted for a certain amount of time, then it minimizes the chances of something bad happening.
At Indent, we've been working with a few different ways to grant access on-demand. We think you shouldn't have to choose between prioritizing security and productivity — the most secure workflow has to also be the best user experience.
Here are some of the common use cases for granting access on-demand:
For example, PlanetScale made sure we knew that their auditor loved the logs and audit reports from Indent. Life after SOC 2 has also been improved for admins at PlanetScale through their use of the Indent Platform.
PlanetScale has seen an 80% reduction in their IT workload, allowing them to focus on projects that more directly impact revenue. You can learn more about how Indent has helped them by checking out their case study.