Hello! I build IT teams and design IT Systems for startups and nonprofits. I consistently encounter the same problems, so I set out to create a series of guides to help others navigate the IT Ecosystem. You can learn more about my philosophies via my website dave-bour.com or via my weekly newsletter.
Each startup I’ve joined has had clear opportunities to address gaps in technical security. Let’s evaluate some of the quick wins to increase your startup’s security posture.
A key task when hardening company laptops is enabling full disk encryption (FDE). It’s free using tools built into the operating system and is now considered a basic security measure that all companies should have enabled. FileVault for Mac and BitLocker for Windows can be enabled with ease — just make sure to save the recovery key where both the device user and you can access it.
Before you begin enabling encryption, it is important to understand why and how it works. Think of it like this — without encryption turned on, I can pop off the back of your device, remove the hard drive, and plug it into my computer using a $10 hard drive enclosure to access all of your data. It’s no different than plugging in a USB drive.
When you turn on encryption, I can still perform these steps but the data is inaccessible unless I enter the key used to encrypt it. When you turn on your computer or unlock it from sleep, your computer password is a key that decrypts the data. If you lose access to your password or account, having the key acts as a backup.
If you choose not to enable this when issuing a device to an employee, remember that they can. If they enable encryption and do not share the key with you and they leave on bad terms — well, they have something you now need. Avoid that situation with enforcement controls in a device management solution.
This mechanism is useful to safeguard your data against device theft, loss, retirement, or sale.
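The advice above boils down to two checks per laptop: is FDE actually on, and is the recovery key escrowed somewhere the company can reach? Here is an added fleet-audit example (not code from the original post) that parses constructed sample output from the built-in tools, `fdesetup status` on macOS and `manage-bde -status C:` on Windows, and lists the devices that still need action. The inventory rows and the `key_escrowed` flag are assumptions standing in for whatever your device management tool exports.

```python
import re

# Constructed sample output (not captured from real machines).
MAC_ON = "FileVault is On.\n"
MAC_OFF = "FileVault is Off.\n"
WIN_ON = """Volume C: [OS]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password
"""
# Edge case: fully encrypted but protection suspended, e.g. after a firmware
# update. The disk is readable without a key until protection is resumed.
WIN_SUSPENDED = WIN_ON.replace("Protection On", "Protection Off")


def filevault_enabled(status_output: str) -> bool:
    """True when `fdesetup status` reports FileVault is On."""
    return re.search(r"^FileVault is On\.", status_output, re.M) is not None


def bitlocker_enabled(status_output: str) -> bool:
    """True only when the volume is fully encrypted AND protection is on."""
    fully = re.search(r"Conversion Status:\s+Fully Encrypted", status_output)
    prot = re.search(r"Protection Status:\s+Protection On", status_output)
    return bool(fully and prot)


def fde_gaps(inventory):
    """Return (device, problem) pairs for devices that are unencrypted or whose
    recovery key is not escrowed. Rows: (name, os, status_output, key_escrowed)."""
    gaps = []
    for name, os_name, output, escrowed in inventory:
        check = filevault_enabled if os_name == "mac" else bitlocker_enabled
        if not check(output):
            gaps.append((name, "encryption off"))
        elif not escrowed:
            gaps.append((name, "recovery key not escrowed"))
    return gaps


if __name__ == "__main__":
    # Constructed inventory (hypothetical device names).
    fleet = [("mbp-01", "mac", MAC_ON, True), ("mbp-02", "mac", MAC_OFF, False),
             ("win-01", "win", WIN_ON, False), ("win-02", "win", WIN_SUSPENDED, True)]
    for device, problem in fde_gaps(fleet):
        print(f"{device}: {problem}")
```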
If you’re providing internet access to employees, it is likely your company infrastructure includes a combination of firewalls, switches, routers, and wireless access points. For smaller businesses, modern residential devices can perform all of these functions for $130 — a Netgear AC router is a firewall, wireless access point, and router.
In either case, there are some basic security measures you can take for free or low cost.
- Find DDoS protection in your router settings and enable it
Distributed Denial of Service is a common attack used to bring down a router. It is often a targeted attack, but the protection is still a free setting that will not sacrifice speed.
- Change DNS to Google’s 8.8.8.8 and Cloudflare’s 1.1.1.1
Your ISP provided their own DNS — how thoughtful of them! Unfortunately, Comcast has to change its name every few years so customers can disassociate horrible service with their name. I wouldn’t recommend trusting them with your internet searches.
- Maintain an active security license
This is not free and requires a business or enterprise firewall. When companies have these, they are often bought and set up and never touched again. During this time, the security license expires and antivirus and antimalware/spyware scanning are unceremoniously disabled. A layer of security at the network layer is crucial to catching a large number of common digital attacks.
- Turn on Intrusion Prevention System (IPS)
Also a function of business/enterprise firewalls, an IPS will often detect malicious attempts to access the device itself or a device behind the firewall.
In the world of cloud services, there are two distinct pathways to security — access to the service and utilizing service capabilities. For example, enforcing multi-factor authentication (MFA/2FA) is a method of improving access security. An example of a service capability is turning on DKIM within G Suite’s Gmail product, which will improve the security of email delivery.
Today, we’ll focus on Access Security and I’ve already mentioned the top recommendation — MFA or 2FA.
MFA or 2FA (2-Factor Authentication) is a concept. It states that to gain access to a system, you should supply information from at least two of the following four categories.
- Something you know (username/password)
- Something you have (Access token (card/usb drive) or code texted to your device)
- Something you are (fingerprint)
- Somewhere you are/are not (In US, not in Russia (unless you’re a member of the Trump Administration))
Most of us pick the first two. The idea is that combining two fields of information drastically improves access security. Why? Let’s look at it this way.
Remember that account you signed up for 6 years ago to list your sofa for sale when you moved? That service lost all of its members’ usernames and passwords to a hacker who sold them on the black market. The person who bought them has a bot that is trying those same username and password combinations against every major banking website — Chase, Bank of America, etc. Oh no! Your email and password were used on Chase and they’re now transferring the funds to their own account. If 2FA had been enabled, they would have been prompted to enter a code they wouldn’t have had.
These three recommendations are just the tip of the iceberg when it comes to organizational security postures. Please reach out if you’d like a consultation customized for your business.