Starting a business from the ground up takes dedication and nerves of steel. That’s been a fact since the dawn of modern economies. With every internet citizen as a possible customer, digital-native SMBs have the added pressures of figuring out how to build a globally accessible business from the get-go. If that weren’t enough to keep some founders up at night, add in the possibility that all of that hard work and innovation can be crippled or destroyed by vulnerabilities in the very raw components that make a digital business possible. Securing a business seems a tall task for many digital entrepreneurs.
Here’s some good news. Making good security choices has actually become easier over the past decade, even as attacks have increased. The basics have become more accessible to non-security professionals. The shared responsibility model of cloud computing lets engineers offload part of security management to an IaaS, PaaS or SaaS provider. Without a traditional ‘moat’ around a castle that hides years of security debt, digital-first businesses can choose to enforce good security practices from the outset. Most businesses won’t look at hiring a security team until they reach around 50 people, so without dedicated staff, how should the leaders of a digital SMB approach security?
Here’s a top 5 to get started.
- Assign security ownership. Even without a traditional security leadership role, the CTO or other technical leader should be empowered to make secure-by-default decisions. Without accountability, poor choices are far more likely to occur.
- Use centralized identity management and single sign-on. Remove the possibility of creating ‘one-off’ accounts with individual service providers and infrastructure; these become a nightmare to manage and a target for takeover. Start with an identity provider that makes enforcing policies across platforms easy.
- Enforce two-factor authentication everywhere (and buy hardware tokens!). If you have followed point 2 above, this one should be easy, and its importance cannot be overstated. FIDO hardware tokens sidestep SMS interception, and they defeat the very common phishing or vishing timing attack that tricks an employee into approving a second-factor push to their phone: the credential is bound to the legitimate site’s origin, so an approval captured through a look-alike domain cannot be replayed to the real one. Hardware tokens, assigned to specific trusted devices, create a significantly higher barrier for an attacker.
- Protect employee devices. Deploy an antivirus and/or endpoint detection and response (EDR) agent to employee devices. These may require tuning, but out-of-the-box configurations generally work for most circumstances. Developer laptops doing container-heavy work or performance tuning may need their configs tweaked. And for all the Linux fans out there, make sure the agent supports your favorite flavor of Linux… but note that a lack of support is not an excuse to leave your endpoints unprotected.
- Make security architecture easy. Every business will have a different tech stack and a different set of service providers. It’s easy to get lost in a rabbit hole of security services that are at best a distraction and at worst actually degrade security posture. With hundreds of service providers out there, where should you start? Start with simple, intuitive platforms. Fully featured products that maximize configurability are often full of complexity, and unless a particular part of your tech stack requires unique security functionality, plug-and-play options are your best bet. The second key factor is scale. By reducing complexity and planning for scale, things like web application firewalls, DDoS protection and security log aggregation are all achievable with minimal headcount while you scale towards hiring a dedicated security team. Don’t buy things you’ll have to spend a lot to maintain. Get the basics right with simple technologies; that ‘user behavior monitoring’ product may sound great, but it is completely unnecessary at this stage.
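To make point 3 concrete, here is an added example (not code from the original post or from any product) of why a FIDO hardware token resists the phishing relay that an SMS code or a push approval does not. The relying party (your SSO provider) checks that the browser signed a fresh challenge for its own origin and that the credential is scoped to its own RP ID; an assertion produced on a look-alike domain fails those checks even if the user was fully fooled. The domains, the `relying_party_verify` helper and the sample assertions below are constructed for illustration. The ECDSA signature check over the authenticator data is the step that follows these checks and is not shown.

```python
"""Origin and RP-ID binding checks a WebAuthn relying party performs.

Constructed example; the domains, function names and sample assertions are
assumptions for illustration, not any vendor's implementation.
"""
import base64
import hashlib
import json
import secrets
from typing import Tuple

RP_ID = "example.com"                        # assumed relying-party ID
EXPECTED_ORIGIN = "https://sso.example.com"  # assumed legitimate login origin


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Build the (unsigned) material a browser and authenticator hand back.

    The browser fills in the origin it is actually running on, and the
    authenticator hashes the RP ID the browser permitted for that origin,
    so a phishing page cannot claim to be the real site.
    """
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4)
    # flags 0x05 = user present (0x01) + user verified (0x04)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x05]) + (1).to_bytes(4, "big"))
    return {
        "clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
        "authenticatorData": b64url_encode(auth_data),
    }


def relying_party_verify(assertion: dict, expected_challenge: bytes) -> Tuple[bool, str]:
    """Checks the RP runs before verifying the signature over the assertion."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or cross-session relay)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to a different RP"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # Next step (omitted): verify the ECDSA signature over
    # authenticatorData || SHA-256(clientDataJSON) with the registered key.
    return True, "binding checks passed"


def otp_verify(submitted: str, expected: str) -> bool:
    """Contrast: an SMS/TOTP code carries no origin, so a code typed into a
    phishing page and relayed to the real site verifies just the same."""
    return secrets.compare_digest(submitted, expected)


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    legit = make_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    phished = make_assertion("https://sso.example-login.com", "example-login.com", challenge)
    print("legitimate login:", relying_party_verify(legit, challenge))
    print("relayed via look-alike:", relying_party_verify(phished, challenge))
    print("relayed SMS code still accepted:", otp_verify("482913", "482913"))
```

The origin check rejects the relayed assertion before any cryptography runs, which is the property the push-approval and SMS flows lack: nothing in a six-digit code says where the user typed it.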
Tyler Healy is Vice President and Head of Security and IT at DigitalOcean, a cloud service provider with data center locations around the globe. In his fifteen years as an information security professional, Tyler has held roles driving technical and strategic transformation within public and private sector organizations. Alongside his full-time responsibilities, he has served as a tech startup advisor, helping new companies navigate the complexities of when and how to invest in security.