Startup companies often ask the question: “What is the most critical technical item we should address?”
Every startup is unique – there’s no single ‘do this first’ action item that fits everyone. But cybersecurity should have a prominent place on your very first to-do list because it’s of primary importance.
The technical aspects of securing a company are unto themselves an entire industry – cybersecurity – and an adventure down that path can be overwhelming or even impossible for a startup. However, armed with some basic knowledge and a focused starting point, you can make dramatic improvements in securing your startup. Proper cybersecurity may not deliver your next product feature, but it can certainly help mitigate a catastrophic or even business-ending event.
As we often say with startups, make lots of mistakes, just no fatal ones. A security breach can be a fatal one.
The single item that may result in the most significant improvement in your startup’s cybersecurity posture is the use of multi-factor authentication (MFA) for access to all core digital resources. Even if you’re a non-technical person, it’s essential to understand MFA basics, which we’ll describe below.
As an aside, this is an area we look at during due diligence for startups, and we make certain that these basic measures are in place, or ensure their rapid remediation post-investment.
Cybersecurity professionals often describe three authentication factors:
Historically, most digital resources have been protected by a single factor, usually a simple password. If this password is discovered or leaked, then the corresponding system can be easily compromised. Over recent years, most of us have been introduced to a second authentication factor; typically, a text verification code sent to a mobile device. While this security method has its shortcomings and is falling out of favor, it nonetheless provides improved security when compared to a password alone. Finally, many of us have experienced the explosion of fingerprint and facial recognition used in smartphones, yet another security factor.
While using all three factors would be ideal, applying them together has challenges in daily, practical use. Security professionals recommend a good fallback position: always use a second authentication method in addition to a password. This second method introduces the term “two-factor authentication,” also known by the acronym 2FA.
Support for 2FA is not yet universal. Surprisingly, some services offer no 2FA support (shame!), while others support only a limited variety of secondary authentication factors. We do not prescribe any one best option since it’s unlikely that one alone will fulfill all needs or be universally supported.
Often, 2FA will be either enabled and configured by an account administrator (who should tell you about the settings and policies in place) or individually under your account/security settings.
A helpful list of services with known 2FA support is at https://twofactorauth.org/, along with links to supporting documentation. The creators of the Authy software token application (described below) also have a helpful guide.
2FA security solutions come in the following forms, listed in order of preference, most to least secure.
Hardware tokens are discrete devices that plug into a computer’s USB port or are activated in proximity of a smartphone. Once set up, a simple tap is all that’s needed to supply a second authentication factor. As long as the hardware token is in your possession, the security layer it provides is tough to subvert.
Products such as YubiKey start at approximately $45 each and are a robust and cost-effective startup security solution. Many of the core digital services used by most startups support this device, and its low cost makes their use an easy decision. Google’s Titan Security Key is another such option. Note that several hardware token protocols exist – the details of FIDO/U2F/UAF, FIDO2/WebAuthn, etc., are beyond the scope of this article. However, do make sure the token you choose is also supported by the service(s) on which you would like to enable 2FA. Some forward-looking financial institutions also provide dedicated hardware tokens, such as RSA SecurID. You may need to inquire for one to be issued.
Other devices like smart cards are not considered here as those typically present a cost and complexity scope reserved for large enterprise installations.
Software tokens are applications that live on your computer or mobile device. These generate codes on demand to permit access to 2FA protected resources. There are several solutions available, with no one correct answer – the correct answer will be the one(s) supported by the platforms you use (Windows, macOS, Android, iOS, etc.). Some examples, in no particular order of preference:
Each solution will provide its options for backup, device transfer, account recovery, etc. (Think: what to do if a phone is lost or upgraded?). Pay attention to these particulars and make certain the facilities provided by your chosen software token are enabled and put into place. Most are free, so there’s no excuse for not putting one of these to use.
For a more detailed deep dive, see “Choosing 2FA authenticator apps can be hard. Ars did it so you don’t have to”.
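To make concrete what a software token actually does when it “generates codes on demand,” here is an added example (not code from the article or from any of the authenticator apps it mentions) of the time-based one-time password algorithm (TOTP, RFC 6238) that these apps implement. The shared secret used below is the published RFC 6238 test-vector secret, chosen so the output can be checked against the standard; the base32 form is how the secret is typically carried in the QR code you scan during setup. The ±1 time-step tolerance in `verify_totp` is an assumption, a common server-side choice to absorb clock drift, not a value taken from any particular service.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret (ASCII "12345678901234567890"), used here
# only so the generated codes can be checked against the published values.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamic truncation to 31 bits, then reduce to the requested digit count."""
    msg = struct.pack(">Q", counter)             # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch. This is what the authenticator app computes."""
    t = int(time.time()) if at_time is None else int(at_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, code: str, at_time=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """What the service does on login: recompute the code for the current
    interval and a small tolerance window (assumed +/-1 step here) and compare
    in constant time so timing differences leak nothing about the secret."""
    t = int(time.time()) if at_time is None else int(at_time)
    counter = t // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


def secret_from_base32(b32: str) -> bytes:
    """Enrollment QR codes / otpauth URIs carry the secret base32-encoded,
    usually unpadded and sometimes grouped with spaces; normalise and decode."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # Reproduce the RFC 6238 SHA-1 vectors, then show the verifier accepting
    # a code from the previous interval and rejecting one that is too old.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(SECRET, t), totp(SECRET, t, digits=8))
    print(verify_totp(SECRET, totp(SECRET, 59), at_time=89))    # previous step: accepted
    print(verify_totp(SECRET, totp(SECRET, 59), at_time=119))   # two steps old: rejected
```

The point worth taking from this for the backup and device-transfer discussion above: the only long-lived secret is the shared key enrolled at setup. An app’s “backup” or “transfer” feature is ultimately a way of moving that key, so the same key on two phones produces identical codes, and a lost phone without a backup means the key is gone and the account must be re-enrolled or recovered through the service’s recovery codes.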
SMS (mobile text message) is used nearly universally as a second factor but is being phased out in specific applications, such as financial institutions. SIM swapping and other sophisticated exploits may compromise this authentication method. You can read more here: Do you use SMS for two-factor authentication? Here's why you shouldn't. In short, only use SMS when no other 2FA option is made available.
In practice, expect to utilize both a hardware and software token for the most robust security posture with the broadest coverage. SMS authentication is an appropriate fallback position when all else fails.
While all accounts that support 2FA should have it enabled, this can be a daunting task to take on from square one. Instead, prioritize enabling 2FA for accounts in a manner that incrementally reduces the maximum amount of risk.
Consider prioritizing:
If you have 2FA in place across your startup, congratulations, you are ahead of the curve! However, if your use of 2FA has gaps or is outright missing, now is the time to inventory these deficiencies, make a remediation plan, and most importantly—execute that plan.
Further, it is equally important to implement these measures in your personal life; after all, access to your own digital resources could provide a gateway to exploiting those of your company. Startups are especially vulnerable here, since in the early days, personal and company assets often overlap and bleed into each other in both understandable and unexpected ways.
Although beyond the scope of this article, take a note to explore implementing 2FA for your product or service too. It’s not only the right thing to do but also de-risks your offering and is a valuable differentiator.
Remember, 2FA is a critical security need but is just the tip of the iceberg. Cybersecurity is an ongoing concern and should be reevaluated periodically, even in an early-stage startup environment.