Implementing these three things is often the first thing I do when I join a startup.
While these are my top three IT recommendations to any business over 50 employees, some view these as ‘nice to haves’ as companies of this size are laser-focused on growth, product/service, and strategy. However, delaying these measures is a form of technical debt that will be paid for at a later date.
These IT functions are foundational, so consider this — for every SaaS service or employee added, someone will have to retroactively change all their work habits and your company’s work culture to use the tools below. Incorporate them now to save your company the pain later on.
1. Device Management
There are many terms for this — MDM, BYOD, MOM, EMM, MAM — but they all mean the same thing: how your company manages its devices. You might recognize services such as JAMF, Microsoft Intune, and Meraki Systems Manager, amongst many others that all perform the necessary service of inventory, management, and remote access.
Implementing device management will:
- Provide an inventory of devices and information about them,
- Allow you to control settings for compliance, audit, or best practice purposes,
- Help you locate, recover and/or wipe lost or stolen devices,
- Remotely assist employees.
Why you need device management
This is your dynamic inventory and enforcement mechanism for all device standards and policies. Do you need to prove all computers lock after 10 minutes of inactivity? Do you want to know how many computers are in your business? This is your tool.
This service often costs ~$2/device/month.
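As an added example (not from the original article and not the code of any MDM product named above), the audit below shows the kind of check a device manager makes possible: it reads an inventory export and reports every device that does not lock within 10 minutes, is not disk-encrypted, or has not checked in recently. The field names (`screen_lock_minutes`, `disk_encrypted`, `last_checkin`) and the sample inventory are constructed assumptions; a real JAMF, Intune, or Meraki export uses its own schema.

```python
"""Device-compliance audit over an MDM inventory export.

Added example, not part of the original article or of any MDM product.
Assumes the MDM exports one record per device with the hypothetical fields
name, os, screen_lock_minutes, disk_encrypted and last_checkin (ISO 8601).
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample export; real products expose similar data through their
# own inventory exports or APIs, with different field names.
SAMPLE_INVENTORY = json.dumps([
    {"name": "alice-mbp", "os": "macOS 14.4", "screen_lock_minutes": 5,
     "disk_encrypted": True, "last_checkin": "2024-05-20T09:12:00Z"},
    {"name": "bob-win", "os": "Windows 11", "screen_lock_minutes": 30,
     "disk_encrypted": True, "last_checkin": "2024-05-20T08:40:00Z"},
    {"name": "carol-mbp", "os": "macOS 13.6", "screen_lock_minutes": 10,
     "disk_encrypted": False, "last_checkin": "2024-04-01T17:00:00Z"},
    {"name": "dave-mbp", "os": "macOS 14.4", "screen_lock_minutes": None,
     "disk_encrypted": True, "last_checkin": "2024-05-19T22:05:00Z"},
])

# Fixed "now" so the audit is reproducible; use datetime.now(timezone.utc) in practice.
FIXED_NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Policy:
    max_screen_lock_minutes: int = 10     # "lock after 10 minutes of inactivity"
    require_disk_encryption: bool = True
    max_checkin_age_days: int = 14        # a silent device may be lost, stolen or unmanaged


def parse_inventory(raw):
    """Parse the JSON export into a list of device records."""
    return json.loads(raw)


def check_device(device, policy, now):
    """Return the list of policy violations for one device (empty means compliant)."""
    findings = []
    lock = device.get("screen_lock_minutes")
    if lock is None:
        findings.append("screen lock not configured")
    elif lock > policy.max_screen_lock_minutes:
        findings.append(f"screen lock {lock} min exceeds {policy.max_screen_lock_minutes} min")
    if policy.require_disk_encryption and not device.get("disk_encrypted"):
        findings.append("disk not encrypted")
    # Accept the trailing "Z" on older Python versions that fromisoformat does not handle.
    last = datetime.fromisoformat(device["last_checkin"].replace("Z", "+00:00"))
    if now - last > timedelta(days=policy.max_checkin_age_days):
        findings.append(f"no check-in for {(now - last).days} days")
    return findings


def audit(raw, policy=Policy(), now=None):
    """Map each device name to its findings; this is the evidence an auditor asks for."""
    now = now or datetime.now(timezone.utc)
    return {d["name"]: check_device(d, policy, now) for d in parse_inventory(raw)}


def compliance_summary(report):
    """Return (total devices, compliant devices)."""
    return len(report), sum(1 for f in report.values() if not f)


if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY, now=FIXED_NOW)
    for name, findings in result.items():
        print(f"{name}: {'compliant' if not findings else '; '.join(findings)}")
    total, ok = compliance_summary(result)
    print(f"{ok}/{total} devices compliant")
```

Run it and the report lists one compliant device out of four; the stale-check-in rule is the one worth keeping even if you relax the others, because a device that stops reporting is exactly the one you cannot locate or wipe.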
2. Single Sign-On (SSO)
Every time I join a startup, I see a common problem that seems to plague all of them. To set the scene, consider how you got here — you focused on your product or service. You’re tweaking it, marketing it, doing everything you can for the product or service when, all of a sudden, it starts to get legs. You’re hiring, you’re selling, and you turn around one day to see 50+ employees. What you don’t see is the 200+ services they’ve signed up for with company email accounts and credit cards, or, worse, their personal credit card which is now expensing the service (services like Blissfully can help manage this).
Think about a fiefdom as a collection of houses — these are the services in your organization. There are so many! They all operate independently of each other! One day, a queen rides in and builds a castle and a wall around all the houses. This is SSO.
SSO has two branches which are essentially cousins — Password Managers (PM) and Identity Providers (IdP). If you’ve ever heard of Okta, OneLogin, or AzureSSO — these are Identity Providers. LastPass, Dashlane, 1Password — these are Password Managers.
The difference between an IdP and a PM is the role each plays within your organization. A PM knows what it is — it stores passwords and fills them in for you when you visit a login page that it knows about. An IdP will do the same, but it wants to be the authoritative directory service for your employees, and it offers the ability to automatically create accounts in other services when you make a new account in it. An IdP is considered an enterprise tool, while a PM can be anywhere on the spectrum.
SSO performs several key functions.
- It provides one platform to access many services. This is a landing page whereby you can click a button and it fills in your login information.
- It allows you to implement security features that individual services lack. If Service A lacks multi-factor authentication, you can often set up your SSO to require its own MFA when staff click the Service A button.
- Allows you to securely share information amongst employees — shared credentials, API keys, credit cards.
- Consolidates access management and procurement through a single entity, often IT.
Why you need Single Sign-On
With a Device Manager, you can enact policies on your devices; but you’ll need single sign-on to do the same with cloud services. Your staff will spend less time on password management, and improved security will result.
This service varies in cost as it is packaged to meet a company’s specific needs. The basic level is ~$2/user/month. Essential add-ons often bring the cost to $6–8/user/month.
3. Security Training
Look, I get it. Everyone wants to take a shortcut here and implement a new tool to improve security. The fact is, the likelihood of an employee responding to a phishing email is exponentially greater than a malicious actor successfully getting into your firewall.
In my personal experience, the magnitude of misinformation and confusion surrounding phishing is the same as it was 10 years ago — staff treat a suspected phishing email like nuclear material because no one has ever trained them on how to recognize or handle it. This creates space for them to make mistakes that cost your business.
Or, think about it from the malicious actor’s perspective. What are you trying to accomplish when you go into work? They’re trying to accomplish the same thing as you — earn money or power. They’re not going to hack your firewall, they’re going to hack your social media account (power) so they can post their reseller link to 1 million followers (money). They’re going to send an email to an employee that appears to come from the CEO (power) asking for a quick favor to buy some Amazon gift cards (money) for employees.
You have an antivirus on your machines and scanning at your firewall but how are you protecting against this? Perform security training for your staff to protect your business and their hard work.
Why you need security training
Your business will be the target of social engineering, phishing, and/or attempts to extract money or information. Malicious actors will target employees and services over devices. Train them to recognize the attacks.
This service costs time to create plus employee time to train.
It is my hope that these three recommendations help your company continue to scale in a secure and sustainable manner. My experience in helping startups in their explosive growth phase has provided the platform by which I make these recommendations. Please reach out to me to discuss your company’s IT needs.