Cybersecurity for startups
Startups can be flippant with cybersecurity, but even small companies are targets for attack. Worse, many startups never outgrow their poor security habits. For every high-profile breach, many early-stage startups face existential risk due to poor security posture.
Fortunately, healthy security practices are easy to achieve when you have them in mind from early in the lifecycle of your startup. A single article can’t comprehensively cover everything a startup should do, but this is a good start for anyone yet to take security seriously.
Access management
Startups use a lot of SaaS products to get their work done. When a startup is breached, it is usually because someone on the outside has managed to access an employee account for an important SaaS tool. By managing access responsibly, you can mitigate this risk.
First, create and maintain a list of all company-provided software tools. This list will help you to periodically audit access and billing and guide your employee on/off-boarding procedures.
Second, ensure authentication for each tool is managed in the most secure way possible:
- Centralise access management so that a small group of trusted individuals are responsible for granting and revoking access to systems. Many startups give this to their finance, HR, or operations teams.
- Employees should only receive the access they require for their job — don’t give all employees access to all systems, and don’t make everyone an admin.
- Wherever possible, use single sign-on (SSO), which lets an employee sign in to one application with the credentials of a central identity provider. Microsoft and Google both offer SSO solutions that enable your employees to use their Microsoft or Google accounts to access other SaaS tools like Atlassian or Slack.
- By centralising access to a single Microsoft or Google account per employee, you make it easier to grant and revoke access to your employees. By disabling a user’s Microsoft or Google account, you also disable their access to other connected systems.
- Another benefit of this centralisation is that it reduces the number of passwords each employee needs to manage. The fewer passwords an employee has to manage, the easier it is for them to do so responsibly.
- Adopt a company-wide password manager, like 1Password. Password managers are the most secure place to keep secrets. Their features also make it easier for your staff to manage access responsibly, which increases the probability they’ll do so.
- Responsible use of a password manager should be mandatory for all staff. Make sure they keep passwords in the company-provided password manager and not their web browser’s default keychain.
- Where single sign-on is not supported, enforce multi-factor authentication. Many SaaS apps allow you to force all users to have MFA enabled. One-time passwords, securely stored in your company-wide password manager, are usually the best available type of MFA (WebAuthn is coming). SMS should be used only when it is the only option on offer, as SMS is relatively insecure.
- MFA is most crucial for company email accounts. If someone can get into your employee’s email account, they can send seemingly legitimate emails on their behalf. They can also likely reset and access many other accounts.
- Avoid company-wide shared accounts. It might save you some money to share SaaS accounts, but it could be an expensive mistake if access is compromised. Use common sense based on the type of data being stored in each system.
- Replace any vendors who do not support SSO or MFA via a password manager. When no alternative is available, submit feedback to these vendors.
- As a software vendor, offer SSO and MFA to your customers. It is much easier to offer these from the start than to add them later.
Prepare for phishing
Phishing is one of the most common ways that startups are breached or scammed. No business is too small to be the target of a phishing scam. Almost every startup I have worked with has had phishing attempts against them.
Phishing is a method of identity theft that relies on individuals unwittingly volunteering personal details or information that can then be used for nefarious purposes. It is often carried out through the creation of a fraudulent website, email, or text appearing to represent a legitimate firm. — Investopedia
Phishing is relevant to SaaS startups because:
- Scammers are likely, at some point, to contact your customers, pretending to be you, to try to get access to their accounts or to get money out of them.
- Scammers are likely to contact your staff, pretending to be senior management, one of your customers, or one of your vendors, to try to get access to their accounts or get money out of them.
Common phishing/spoofing scams include:
- A scammer sends your customers a fraudulent log-in page, impersonating your SaaS, to try to collect their username and password.
- A scammer sends your staff a fraudulent log-in page for one of the systems you use to try to collect their log-in details.
- A scammer contacts your customers, asking them to update their payment details on a fraudulent payments page.
Some ways to reduce the likelihood of being phished include:
- Avoid using email wherever possible. Have your customers contact you via your app or support hub and manage their payments from within your app. Post any company-wide announcements (such as the rollout of a new internal system) to your company knowledge base (e.g., Notion, SharePoint, Confluence) and communicate over Slack, where sender identity is easier to verify. Only email things that you’re comfortable with leaking out.
- You should obviously be using TLS (still commonly called SSL, i.e., HTTPS) for all of your web apps and endpoints.
- Ensure all staff use SSO or MFA when accessing internal systems. Offer SSO and MFA to your customers so that even if a scammer is able to get their username and password, they still cannot access your software on their behalf.
- Utilise DMARC, DKIM, and SPF to secure your company emails. These simple technologies are easy to set up and will make it much harder for third parties to impersonate you.
- Establish a process to verify your customers’ identity when they contact you, especially when they are asking you to make a change on their behalf.
- It can also be a good idea to have your customers nominate a restricted list of users who can request this type of support. This can be automated within the UI of your app.
- Educate your employees. For such a common scam, employees may know little about the risks of being phished. It is your responsibility as an employer to provide training to new employees. Consider baking this into your employee onboarding process.
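The DMARC and SPF records mentioned above only help if the published policy is strict enough to actually reject spoofed mail. The following check is an added example (not from the article) that grades constructed sample records for two hypothetical domains; a real run would fetch the TXT records for `example.com` and `_dmarc.example.com` from DNS, and DKIM (which lives under per-selector records) is not covered here.

```python
"""Grade the strength of SPF and DMARC TXT records.

Added example, not part of the original article. The records below are
constructed samples for hypothetical domains, not real DNS data.
"""

# Constructed sample TXT records: one permissive setup, one strict one.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(record):
    """Weaknesses in an SPF record; an empty list means it is strict."""
    if not record.startswith("v=spf1"):
        return ["SPF: record missing or malformed"]
    terms = record.split()
    if "+all" in terms or "all" in terms:  # bare 'all' defaults to '+'
        return ["SPF: '+all' lets anyone send as this domain"]
    if "~all" in terms:
        return ["SPF: '~all' (softfail) only flags spoofed mail, it does not reject it"]
    if "-all" not in terms:
        return ["SPF: no 'all' mechanism, so unlisted senders are treated as neutral"]
    return []

def dmarc_findings(record):
    """Weaknesses in a DMARC record; an empty list means p=reject with reporting."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or malformed"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to spam rather than rejecting it")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings

def assess(records):
    """Return all weaknesses found in a domain's SPF and DMARC records."""
    return spf_findings(records["spf"]) + dmarc_findings(records["dmarc"])
```

Running `assess` over each entry in `SAMPLE_RECORDS` reports two findings for `weak.example` and none for `strong.example`; moving a real domain from `p=none` to `p=reject` is normally done gradually while watching the `rua` reports.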
Establish a data-management policy
Leaky file storage and data loss can be major risks for startups. Establish a standardised policy for how data, documents, and files should be managed:
- Decide between the Microsoft and Google office suites and ensure employees only use the chosen suite. If you choose Microsoft, employees shouldn’t be using their personal Google account for the sake of Google Sheets.
- Documents should only ever be stored on Google Drive or Microsoft OneDrive. This dramatically reduces the risk of data loss in the event that an employee’s device is lost or damaged. It also makes it easy for you to revoke access for compromised devices or former employees. Employees shouldn’t keep local duplicates of files.
- Adopt a company-wide wiki tool like Notion, Coda, or Confluence. By default, all documents should be created within this wiki. Only use another tool when specialised functionality is required (e.g., Excel or Sheets for financial models, Word or Docs for contracts).
- Customer data should only live within your CRM (e.g., HubSpot or Salesforce), billing system, or ERP. Where possible, conduct any reporting directly in those systems. When you need to export data for analysis in a spreadsheet, anonymise it. At the very least, keep exports confined to a secured directory and delete them when they are no longer needed (many finance teams do this).
- Data in analytics and business intelligence systems should be anonymised.
Centralise and log sensitive requests
Some business operations are more sensitive than others. Delegate these tasks to a specialised team of individuals (this could be your HR, finance, or operations team), and log requests and actions.
Examples of this type of work include employee on/off-boarding tasks, granting an employee access to a new system, adjusting terms and conditions, and installing a new Slack app.
The easiest way to do this is to funnel these requests through a standardised request form that creates work in your support help desk, CRM, ERP, or task management system like Jira.
Avoid sensitive data
The best way to secure sensitive data is to delete it or never have access to it in the first place. Only collect and keep what is necessary to provide services to your customers.
- Never store credit cards. Tokenise them in your payment gateway or in a specialised tokenisation service.
- Anonymise data in product and platform analytics. If you need to know who did what, use a unique, opaque identifier for each customer so that you can identify customers internally without adding PII to your analytics.
- Limit what your staff can see in any admin panels or internal tools. Don’t give everyone access to God Mode.
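One way to produce the per-customer identifier described above, as an added example that is not from the article: a keyed HMAC over the normalised email gives a stable token that the analytics system cannot reverse or brute-force without the key. The key, the field names and the sample event are constructed placeholders.

```python
"""Pseudonymise customer identifiers before events reach analytics.

Added example, not part of the original article. A plain hash of an email
can be reversed by hashing a list of candidate addresses; a keyed HMAC
cannot be reversed without the key, which never leaves the app.
"""
import base64
import hashlib
import hmac

# Constructed placeholder. Load the real key from a secrets manager, never
# from the code repository, and never ship it to the analytics system.
PSEUDONYM_KEY = b"placeholder-key-replace-with-32-random-bytes"

# Hypothetical field names that carry PII in this app's events.
PII_FIELDS = ("email", "name", "phone")

def pseudonymise(email, key=PSEUDONYM_KEY):
    """Return a stable, URL-safe token for an email address.

    Normalising case and whitespace first makes 'Alice@Example.com' and
    'alice@example.com ' resolve to the same customer.
    """
    normalised = email.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def scrub_event(event, key=PSEUDONYM_KEY):
    """Drop PII fields from an analytics event and add the pseudonym.

    Everything that is not PII passes through unchanged, so the analytics
    team still sees what happened, just not who the person is.
    """
    scrubbed = {k: v for k, v in event.items() if k not in PII_FIELDS}
    scrubbed["customer_id"] = pseudonymise(event["email"], key)
    return scrubbed

# Constructed sample event, as an app might emit it before scrubbing.
SAMPLE_EVENT = {
    "event": "invoice_paid",
    "email": "Alice@Example.com",
    "name": "Alice Example",
    "amount": 1200,
}

if __name__ == "__main__":
    print(scrub_event(SAMPLE_EVENT))
```

Rotating the key changes every token at once, which is exactly what you want if the key is ever exposed, but it also breaks continuity of per-customer history in analytics, so plan rotation deliberately.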
Responsible product development
As a software vendor, you have the same responsibilities as your own vendors. Offer SSO and MFA to your customers. It is much easier to offer these from the start than to add them later.
Architect your product with security and privacy in mind. Consider isolating services that handle sensitive data from other services so that as few people as possible can access them. Encrypt sensitive data in transit and at rest. Collect service logs so you know who is accessing what. Don’t keep secrets (API keys) in code repositories. Validate inputs and use parameterised queries to mitigate code and SQL injection.
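The injection point is easiest to see with the vulnerable and the hardened query side by side. This is an added example (not from the article) using an in-memory SQLite database with constructed rows; the table, columns and the lookup function are hypothetical.

```python
"""String-built SQL next to a parameterised query.

Added example, not part of the original article. The unsafe function is
shown only so the difference is visible; use the parameterised form.
"""
import sqlite3

def make_db():
    """Create an in-memory database with constructed sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, plan TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "pro"), (2, "bob@example.com", "free")],
    )
    return conn

def find_customer_unsafe(conn, email):
    """Concatenates the input into the query, so the input is run as SQL."""
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def find_customer_safe(conn, email):
    """Parameterised: the driver passes the value separately from the SQL,
    so no input can change the structure of the query."""
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

# A value a support or login form might receive. As text it matches no
# customer; spliced into the unsafe query it turns the WHERE clause into
# a condition that is always true, so every row comes back.
HOSTILE_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("unsafe:", find_customer_unsafe(conn, HOSTILE_INPUT))  # all rows
    print("safe:  ", find_customer_safe(conn, HOSTILE_INPUT))    # no rows
```

The same rule applies to ORMs and query builders: pass user input as a bound parameter, never by formatting it into a raw query string.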
Audit your dependencies and keep them up to date. Subscribe to vulnerability disclosure feeds for the software you depend on so you are notified when new vulnerabilities are publicly disclosed.
Unless you can properly enforce it, avoid charging customers per user. This encourages them to share accounts internally. Try to charge based on the value you provide instead. Similarly, many SaaS companies charge a premium for SSO — you should avoid this, if possible, as it is always in your best interest to provide the best security to your users.
Seek external advice. As you grow, the potential damage of a breach grows exponentially, so your security practices should improve beyond the simple baseline outlined in this article. Most governments publish cybersecurity recommendations for small businesses that you should be familiar with. Data residency, for example, is regulated in many geographies and industries. OWASP is a great resource for engineers. If, as a technical founder, you don’t have experience with securing a SaaS product, ensure one of your early hires has done this before.