This cybersecurity guide is for early-stage startups. In many cases, these types of startups use freelancers and remote developers they have never physically met. Remote workers probably use their own laptops, and you are likely unaware of their working location. For all you know, they may be working from a coffee shop while connected to public Wifi without a VPN, firewall, or anti-virus. Additionally, their machine may not even be patched. Yes, resources are limited; however, moving fast without even basic security is asking for trouble.
So what can an early-stage startup with limited resources do to secure their environment?
I posted this question on LinkedIn and over 100 security experts replied. Here is the summary of their response.
SOMEONE needs to take responsibility
This may sound obvious, but before you do anything someone needs to take responsibility; otherwise, it just won’t work. The R&D manager, product manager, developer, or founder could assume ownership. That person doesn’t necessarily have to be a security expert, it’s more about taking responsibility and managing the project.
Don’t do it yourself
If you are not a security expert, then find someone who can help. The risk of doing it on your own is far too great, partner with an individual consultant or company.
Start with assessing the risk
Identify the top security and compliance risks - what are you trying to protect, why do you want to protect it, and what are the potential risks. For example, is it IP theft by competitors or ransomware that may lock you out from your data? Also, are their regulations and contracts you need to comply with? A generic list of controls that fail to take compliance obligations into account opens an organization up to liability. A best practice is to create a data flow diagram that maps where the data is and how it moves through the business. This will make it easier to identify where your data may be at higher risk.
Now, let’s talk about technology
You need to provide an isolated environment to work from.
Since you probably are unable to control remote worker laptops, provide them with a hardened virtual machine (VM). They will use this VM only for your project. There are free solutions such as VirtualBox that can be used to run the VM. You can also use Linux Mint as the guest VM, it's easy to use for both Windows and Linux users. Enabling vt-x on the computer BIOS this will make the virtual machine so fast that it is practically indistinguishable from the host system. Lastly, make sure to install the VM on an encrypted partition, this will help in the event a laptop is stolen or lost.
When you build the VM image make sure to include:
VPN - Implement a VPN for all your team members. It’s not just for remote workers, founders also need it as they tend to travel often and connect to their resources using airplane, airport, and coffee shop WIFI networks. When traveling or working remotely, connect only using a VPN.
Patch management - Apply the latest security patches and software updates across all your endpoints.
Endpoint protection - Use anti-virus or EDR solutions.
Firewall - Make sure the firewall is properly configured and always on.
Backups - Backups are extremely important and are a must-have. This is especially important in the event a hacker uses malware to lock you out of your computer(s). Make sure the backups are located off-site and not connected to your network. Lastly, don’t forget to test that you can restore a backup in case you need to.
Implement 2FA - Many of the cloud apps you are probably using have basic security features, so take advantage of those. Don’t just use the default settings, this is especially true for your cloud resources (e.g., AWS, GCP, and Azure), email (e.g., GSuite, and O365), and source control (e.g., GitHub, and GitLab).
Code Peer Review - Don't allow anyone to add new code to the project without a peer review. It's basically when developers check each other’s work. And make sure they are not syncing any config files to GIT that contain keys/tokens
Use role-based access instead of all or nothing - For example, most developers don’t need access to the production environment - make it read-only if it is required.
Use secure communication - Instead of slack consider more secure communication solutions such as MatterMost or even Telegram.
Complex Passwords - Implement a method or use a password manager to generate truly unique, random, and long passwords for all your services (e.g., Dashlane, and LastPass), including managing your API keys.
Legal Stuff - Make sure to sign a nondisclosure agreement with everyone, do background checks and make sure you have full contact details. not just skype or social media profiles
Policies and Procedures - Create a handbook for how to work securely. Keep it short and to the point so they will actually read it.
Security awareness training - Educate your team about cyber threats! If the team is not trained, then the risk they will become infected increases dramatically. Develop a mindset where they’re looking out for suspicious emails and practicing how to avoid becoming a target. There are many security awareness solutions, including free ones such as https://wizer-training.com that include comprehensive training videos, quizzes, and analytics to track user progress.
Monitoring - Use something like Azure Security Center to centralize your security operations
And what if things don’t go as planned?
An incident response plan is basically a plan for what to do if your business gets hacked. How you respond to each incident depends on what has happened. For example, if all of your computers were locked by a hacker demanding payment to unlock them, you may take different actions if you have a backup and can restore everything versus no backup. An incident response plan will guide you to who you should notify and what actions you should take to put an end to a breach. To speed recovery, you may find it valuable to have pre-staged simple flowcharts and contact lists of people and organizations requiring communication in the event of a breach. These suggestions are important to ask whoever is responsible for securing your network, and make sure the plan is easy to read and is rehearsed...you never know when you will need to use it.
Additional useful resources…
The first is the U.S. NIST Small Business Act, it was passed into law in August of 2018, it provides cybersecurity resources to SMBs to help protect them against cyber attacks. The second is the UK Cyber Essentials, which is a government information assurance scheme that encourages organizations to adopt good practice in information security. Both resources are government-backed frameworks designed to help small businesses in protecting against cyber threats.