In general, startups are lean, fast, data-driven, and forward-thinking, making them prime users of cutting-edge tools, big data, and cloud-based technology. However, these fast-paced, high-stakes environments also make security critical, and regardless of workload, startups can’t afford to let security fall to the wayside. In fact, with the right security and tools in place, startups can fuel faster, more effective growth and position themselves for smooth scaling.
In this blog, we’ll cover the common challenges startups face when securing users and their devices — especially in the increasingly common remote or hybrid workplace — and solutions to help you continue growing quickly and successfully.
(For a deeper look into securing your startup’s cloud infrastructure and applications, check out our companion startup security blog).
Lead with Documentation and Training
Employees can’t possibly uphold security policies they’re not aware of or don’t understand — especially when working in an unsupervised environment, like a remote workspace. Organizations need to create a security program that specifies their security standards and policies and train employees on them to cultivate a security-oriented company culture.
The security program doesn’t need to be a complex or long document; in fact, a clear, concise program for your employees is likely to work much better than a long list of items that they need to do or be aware of. The right security program gets your employees thinking about how they protect their personal data, accounts, and access because they understand the significance.
As security experts know, the most critical component in the security chain is the user. No matter how great the systems in place or the processes, a mistake by an individual can render all of those safeguards useless. Conversely, an educated employee using strong security practices can dramatically increase the level of security in the organization. While each organization’s security program will vary, consider including the following foundational items in yours to cover the most common and dangerous threats.
While you may set up password complexity requirements for your systems and applications, getting your users comfortable with creating strong passwords is critical. Some tools, like the JumpCloud Directory Platform, enable you to establish and enforce minimum password complexity requirements.
Password managers are a highly effective way to ensure employees create strong and unique passwords without compromising their effectiveness by writing them down. We recommend that companies require employees to generate and store all passwords with the password manager to keep password practices consistent, secure, and reliable.
As passwords become easier for hackers to compromise, they can no longer be a reliable means of protection on their own; users should implement multi-factor authentication (MFA) to establish an extra layer of protection around their systems and applications wherever possible. Especially when coupled with a smartphone, the process is fairly simple (in some cases, it’s as easy as tapping a button).
Separating Business and Personal Accounts
When employees mix their business and personal account passwords, compromise to a personal account puts the business at risk. Encourage your employees to create unique passwords for each of their accounts, preferably with a password manager, as detailed above. Their security training may even encourage them to add MFA to their personal accounts as well.
Further, cutting corners on licensing is a common way lean startups look to save. However, using personal accounts for business activity or sharing one account among several employees creates vulnerabilities by intermingling personal and business data. It also removes the organization’s control over its data: how can you restrict employee access to company resources when they have access through a personal account you have no control over? Personal accounts used for business raise compliance issues, endanger corporate data, and muddy the offboarding process.
You should be able to account for every user in your organization and store critical data about them, like permissions and assigned resources, at any time, and from anywhere. Here are some of the attributes you should be able to see and manage:
- Assigned device(s)
- Role in the organization/group membership
- Access to IT resources
- Permission levels
- Provisioned resources
- Password security settings
- Account lockouts
Most companies use directories to accomplish this. Some startups wait to start using a directory if they’re only managing a few users; however, opting to go without a directory service and tracking this data manually hinders startups when it’s time for exponential growth.
While most directories allow for user and user data tracking, cloud directory platforms give cloud-first startups a step-up by offering single sign-on (SSO) to all cloud-based applications, automated provisioning and deprovisioning, system management/MDM capabilities, RADIUS integration, compliance reporting, and several other time-saving features, all with no on-prem equipment.
The business shift to the cloud has sparked a growing misconception that endpoints don’t matter. The thought process goes something like this: “Because applications and data are now hosted in the cloud, endpoints don’t host any critical or sensitive data, so I don’t need to worry about them anymore.” While it is correct that many of today’s applications are hosted in the cloud, the truth is that endpoints do matter, and they do host critical data. But, perhaps more importantly, the machine is the conduit to accessing confidential resources — if that machine is compromised, so is your user’s access to their IT resources.
As proponents of Zero Trust security, we never recommend putting all your trust in one layer of defense if you can help it. Because humans are the most critical — and often most vulnerable — link in the security chain, we need to account for human error. Despite their security training, some employees may still download data or save files on their local machine, keep their passwords in a Word document, or use easily guessable ones. Securing devices provides one more important layer of protection against mistakes, workarounds, anomalies, and shadow IT.
While all work devices should have strong controls and be encrypted, this should not be the only method of defense. Employees must understand that they are responsible for keeping physical control over the devices they use for work, whether personal or corporate-issued. Adding this layer of diligent control and protection by the employee further secures corporate data.
The latest operating systems offer full-disk encryption to help protect the data located on endpoints. Because it is highly likely that corporate data can be found on endpoints despite using cloud services, device encryption is an important step to take in protecting valuable corporate data. Disk encryption is relatively simple to enable, and it is also user-friendly. The password to the device can toggle the disk encryption on or off, which underscores the importance of a complex password. A centralized approach will ensure that recovery keys are safely stored as well as reporting on what users/machines have disk encryption enabled and those that don’t.
In addition to using MFA for systems and applications, employees should enable MFA on their devices. A complex password adds to the security of the endpoint, but adding MFA access to the endpoint raises it to another level. Conditional access can reduce the friction of this step when a user signs on using other known criteria, like on an approved network.
While there are several MFA offerings out there, note that some cloud directory providers bake MFA into their platform, eliminating the need to purchase two different solutions.
Unpatched software is one of the most significant vulnerabilities for any endpoint. If your IT admins struggle to keep endpoints up to date, consider investing in a SaaS-based patching service like JumpCloud to track and manage your patching needs.
Antivirus (AV) software should be installed on every device. There’s a reason that this security protocol has been an IT staple for many years. While AV software does not catch every issue, it does dramatically decrease the chances of an endpoint being compromised. Again, layered security is always better than a uni-dimensional approach, and antivirus/anti-malware is an effective frictionless layer.
Remote and Hybrid Workplace Security Considerations
Many organizations have adopted long-term remote work plans, and startups are prime candidates for remote work, as most were born during a time when remote work was already in use around the world. Many also use a hybrid mix of remote and office work. We’ll cover security principles for both in-person and remote workplaces to help startups appropriately address security in their environment.
Remote Environment Challenges
Network and Resource Access
Remote employees must be able to connect to all the resources they need to get their work done, but doing so from their home or public networks can be risky. Traditionally, the VPN has been the method for getting employees access to the company’s private network and resources. However, as companies shift toward cloud hosting, the VPN becomes less relevant and other cloud-based solutions that encrypt resource access directly have gained in popularity. JumpCloud’s Cloud Directory Platform, for example, uses LDAP, RADIUS, SCIM, SAML, OAuth, and other protocols to provide employees with secure remote access to all the resources they need.
Home and Public Networks
Even with a VPN or other encryption method in place, the user’s home network still matters. For example, when working in a cafe, you would need to use its public Wi-Fi for a few moments to connect to the corporate VPN, and that initial activity goes unencrypted and is vulnerable to attack. Offices should create policies around remote Wi-Fi use — home networks should be protected with a strong password and public, unprotected Wi-Fi should be avoided, when possible. Some tools offer conditional access, which can deny access to corporate resources if a user attempts to access them over an unsecured network.
Onboarding and Offboarding
Startups’ rapid growth and frequent changes can mean a good deal of onboarding and offboarding. Both can take several hours per employee, which can be particularly inconvenient when onboarding an entire team or coordinating a quick offboarding.
SSO significantly helps with these challenges by applying one set of secure credentials to all the applications an employee needs by automating individual resource provisioning, which can take a significant amount of time when done manually. Additionally, using a directory solution that allows you to create user groups can help you automate provisioning based on department, administrative level, and other criteria.
With these solutions, off-boarding becomes just as quick — in a cloud-based directory, all you need to do is delete the user to immediately revoke access to all resources.
Lack of Supervision
Many companies worry employees won’t follow security policies at home. The solution to this challenge is two-fold: startups should establish, teach, and enforce security best practices, cultivating a company culture that prioritizes security. Secondly, companies need to invest in the tools that make cloud-based remote security possible and user-friendly. Cloud-based directory platforms combine several of these security tools, including the directory, MFA, secure SSO, and more, into a fairly frictionless user experience.
Cloud-Based Asset Management
With remote environments, some companies worry about keeping track of cloud-hosted assets, especially when users aren’t being supervised when accessing and saving them. For items like files, develop and enforce clear naming conventions and storage policies — cloud-based companies shouldn’t allow users to store items on their desktop, for instance. For applications, user data, device data, and other asset tracking, remote companies should look for a cloud directory platform that can track and connect these cloud-based assets.
Office Environment Challenges
Most startups that use offices today are in either shared office spaces or have open floor plans, which can make theft and data compromise more likely. Even with most IT infrastructure in the cloud, cloud-forward startups still need to prioritize security from every angle, which includes physical security in office spaces for any in-office or hybrid-remote company. Consider the following suggestions for increasing office security.
Awareness of an employee’s surroundings is critical. While a startup’s office may be small or may be a shared space, knowing who should be in the office is important. If a stranger is in the office, ask them if they are in the office to meet someone. Hackers will often try the old technique of masquerading as an employee or a visitor.
Control and Monitor Physical Access
Many offices have some sort of physical access control, either through a key, fob, or card access system. Consider investing in a digital solution with regular logging of who enters and exits to track unsolicited visitors, as in the in-person social engineering tactics described above. Video cameras are also advisable to monitor your equipment and materials — some cameras are intelligent and network-connected, so they can alert you to after-hours activity and save footage in the cloud.
Internet Connection Security
The internet connection in your office needs to be secured as well. There should be, at a minimum, a next-generation firewall at the connection that blocks malicious traffic. Investing in more security like content filtering or intrusion detection technology is a great improvement, but having a strong firewall is required.
Wi-Fi security should not just be an SSID and passphrase. That level of security is simply too easy to compromise.
Each user should have unique access to the Wi-Fi network through an authentication system like RADIUS, which authenticates each user individually. RADIUS eliminates the problems that shared network credentials pose (like writing the Wi-Fi password on the office whiteboard).
Ideally, RADIUS should integrate with the user directory to streamline user data and maintain one central repository system. JumpCloud, a cloud-based directory platform, is one solution that does just that, but fully in the cloud, eliminating your organization’s need to maintain a RADIUS server — check out its cloud-based RADIUS integrations here.
For an additional layer of protection, create a separate guest VLAN with restricted access to ensure security while providing a positive user experience.
Locked Server Closet
Just as you would only assign administrative privileges to a select few people, you should keep the server room just as tightly restricted and monitored, if you have one on-prem. If your organization still has on-prem servers, keep them locked up, only grant access to people who need it, and keep track of those who have access.
Looking Ahead: The Future of the Directory
While some see startups’ size and early lifecycle stage as a disadvantage, it presents organizations with the incredible opportunity to build themselves and their security practices exactly how they want. Chipping away at a mountain of legacy equipment is difficult, from the configurations themselves to advocating for change from the top.
For cloud-based startups building their security practice and preparing to scale growth, don’t fall into the trap of doing something because that’s how it’s been done in the past. Instead of investing in an on-prem directory service like Active Directory, consider maintaining your cloud momentum with a cloud-based directory platform that can accomplish more with fewer solutions (and expenses). The JumpCloud Directory Platform combines LDAP, RADIUS, SSO, MFA, and other critical features in one cloud-based platform. It’s free to try with up to 10 users and devices — try it for free today.
To learn more about securing your cloud resources, read our companion blog: Security for Startups: Securing Cloud Infrastructure and Applications.