ANTIVIRUS IS STILL NECESSARY BUT GOES BY A DIFFERENT NAME
You might be thinking, “Well, what about antivirus?” I've devoted all of Chapter 4 to this topic because of the volume and complexity of solutions available. I also discuss many options that may require capital expenditure that might not seem so lean for a start-up. Just know if you happen to use pirated software you will not be able to receive critical security updates. You also cannot verify the authenticity of what you've downloaded and could very well have opened a backdoor into your system for attackers. Legitimate start-ups should only use legitimate software.
Open source software, which is a legitimate free option, can also come with risks. Depending on the country your start-up is founded in, you may need to pay close attention to open source software from specific countries and geographic locations. This applies to antivirus software or anything else you use in your start-up.
So, what do they call antivirus these days? Marketing has now rebranded this technology as endpoint detection and response (EDR). While it does have many more features than the popular antivirus software of the 90s and 00s, it still has basically the same functions and keeps your device secure. We'll dive into this more in Chapter 4.
MOBILE DEVICES
Mobile devices are now woven into the fabric of everyday business – smartphones, tablets, etc., are used to run and secure your start-up. These have the same level of access to critical information as your laptop. Many MFA solutions, which I discussed earlier, run as apps on your smartphone; physical tokens are still the most secure but not as convenient as a mobile app. Our mobile devices are now acting as the keys to the digital kingdom. Nearly all the same security rules we've discussed so far apply to our mobile phones and devices. You must make sure the operating system is up to date; keep installed applications up to date; set a strong passcode, fingerprint authentication, or face authentication; and encrypt the phone if it is not on by default for your make and model. Some of this is not already activated out of the box and is easy to skip over in the setup process.
Setting a passcode, passphrase, pattern, or fingerprint is the first line of defense to protecting the data on your phone and the data it has access to. Nearly all modern devices support these features and you should enable them when you buy the phone or do so immediately. There are many lines of thought on which option is most secure, again a larger discussion than can be covered in this book, but you should enable at least one of them. You should also encrypt your phone in the case that it is lost or stolen. While most thieves resell the phones and don't attempt to retrieve data from them, encrypting your phone will provide peace of mind if it goes missing. Both Google and Apple offer the capability to find your phone if it is lost, or remotely delete all sensitive data if it is stolen. These features are not enabled by default and you should ensure you switch them on for any device you use for conducting business.
When a device is lost or stolen you have now lost your ability to log in to services that require your MFA code, such as Google Workspace or Apple iCloud. Both services have procedures that will allow you to log in after an emergency but it can be a lengthy process. Both services do allow you to set up an emergency phone. This should be someone you trust explicitly: a co-founder, spouse, or another family member whose device you could quickly access in an emergency. So preferably not someone that lives on a different continent. Or you could even have a second phone that you leave locked away for such an event, depending on how critical your data is.
As you scale, it becomes more important to manage these devices. This will certainly be a business decision that is made on whether to issue mobile devices to employees. This provides stronger controls around how users access your sensitive data, but also requires employees to now carry two devices. Another option is to require employees to install corporate mobile device management software on their phone to block certain apps from accessing your data. Or to force users to use only certain applications to access your start-up's sensitive data. This option requires careful consideration based on local, state, and federal laws not only where your start-up is located but also where your employees are located. There can be privacy implications as well as employees refusing to give access to their personal device.
SUMMARY
Regardless of the stage of your company – formation, validation, or growth – these are all unique starting points and require a different effort and level of investment of resources. Understanding the foundational components will help you determine where you must start or where you need to accelerate projects. Not everyone bakes in cybersecurity from the day they sign the documents to legally form their business.
Identify the stage your company is at and then build your cybersecurity program to at least that level. Make sure you identify the risks that may have been overlooked in previous stages of the company. Both technical debt and cybersecurity debt are a real thing. The longer you put it off, the more that debt scales with your business.
ACTION PLAN
Determine what stage your business is at: formation, validation, or growth.
Define and write down who your ideal customers are.
Write down what industries they are in.
Write down what data, if any, you will process, store, access, or in any way have access to.
NOTES
1 1. https://workspace.google.com/
7 7. https://www.microsoft.com/en-ca/microsoft-365/microsoft-teams/group-chat-software