8 Essential security tips for start-ups

So you’ve just finished your new filtered-video app/proximity-based social network/fresh-thinking small business’ website. You’re financed. People are interested.

Trademarks are solid. You’re ready for the big wide world right? Wrong, you’ve forgotten security. ‘No I haven’t!’ you cry, you’ve got passwords for all your back-ends, cameras in the server room, and your office even has a slightly overweight guard sitting in the lobby overnight. But there’s always something you’ve forgotten.

Here’re a few areas, both online and off, that you may have overlooked on your road to glorious success.

1. External partners

You’ve got a guy doing your AdWords, another advising you on SEO, and a whole team down the road who host your email marketing. Did you mention non-disclosure in their contract? Did they sign a stand-alone NDA? Make sure you do, because these people will get the chance to see all sorts of details: upcoming changes to your business model, feature releases, even individual client details. They all need to be trusted, and also legally covered by an agreement so that they know what’s confidential.

2. Firewalls and Antivirus

Not just a firewall for every computer in your office (which most computers come with these days) but one for your online app if you have one. The server(s) it’s based on will need rudimentary protection and failsafes for any attacks they may suffer, and these days everybody and their grandma is DDoSing anyone who gives them the slightest reason. Antivirus is most important internally. You may be able to vouch for your own browsing, but you can never be too careful when you’ve got an office full of employees.

3. Passwords

Enforce a format for passwords. At this point I’d like to reference what is likely becoming the internet’s most referred-to guide to password creation: XKCD’s comic on password strength. It’d also be wise to give your employees a central database of shared passwords for any resource that multiple people need access to. TeamPass is a lovely secure version of this, and it has to be, as it will contain all of your eggs, as it were.
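The XKCD argument is that strength comes from how a password was generated (a long random passphrase beats a short word with substitutions), so a policy should enforce length and random generation rather than a fixed pattern of symbols. The following is an added example, not code from the original post or from TeamPass; the word list and the policy thresholds are constructed assumptions.

```python
import math
import secrets
import string

# Constructed mini word list for the demo. A real generator would use a
# dictionary of a few thousand words (2048 words = 11 bits per word).
WORDLIST = ["correct", "horse", "battery", "staple", "orbit", "velvet",
            "cactus", "lantern", "meadow", "pixel", "quartz", "river",
            "saddle", "timber", "umbrella", "walnut"]

SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase built from uniformly random words."""
    return num_words * math.log2(wordlist_size)


def random_password_bits(length: int, pool_size: int) -> float:
    """Entropy of a password of uniformly random characters.
    Note: a human-chosen word with l33t substitutions is far weaker than
    this formula suggests, because the substitutions are predictable."""
    return length * math.log2(pool_size)


def generate_passphrase(num_words: int, wordlist=WORDLIST) -> str:
    """Random passphrase; secrets.choice is a CSPRNG, unlike random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def generate_password(length: int, alphabet: str = SYMBOLS) -> str:
    """Random character password drawn from the given alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_policy(pw: str) -> bool:
    """Assumed policy: a long passphrase (16+ chars) is always fine;
    a shorter password must be 12+ chars and mix at least three classes."""
    if len(pw) >= 16:
        return True
    classes = sum([any(c.islower() for c in pw),
                   any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw),
                   any(not c.isalnum() for c in pw)])
    return len(pw) >= 12 and classes >= 3


if __name__ == "__main__":
    print(generate_passphrase(4), passphrase_bits(4, 2048))
    print(generate_password(16), random_password_bits(16, len(SYMBOLS)))
```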

4. SSL certificates

If your site/app has a login of any kind, it’s probably going to be a good idea to encrypt your traffic. You can do this by getting yourself a shiny SSL certificate from a company like Verisign. Also, rather handily, you can get Verisign to inspect your site periodically for malware, and if you’re clean you’ll be able to proudly display their seal of approval on your site. The main benefit of this is being made aware of any malware if it does ever pop up, because you may not be looking for it.

5. Keyfobs

On the offline side of things, electronic keyfobs can be a great way of giving and monitoring access to your employees. They’re generally just a superior version of a key. A small black fob containing a radio frequency ID can be used to uniquely identify everybody coming into your office. This will let you log and analyse office traffic, which is useful to see who is working late, or who might still be in your office in case of a fire. It also makes getting new keys as easy as pie: you don’t need to go down to the cutters, you can simply set a new one up from your supply via the management tool on your computer.

6. Access restrictions

When and where possible, restrict access. If an employee just uses your Google Analytics account to check data, there’s no need to give them admin access, so lower them to a standard user. If you’ve got a big, powerful CRM like Salesforce, then you can give each user a customised degree of access that goes right down to which fields they can see on a client’s account profile.

7. PCI compliance

If you’re going to be exchanging money with clients (and you likely are), then compliance with the PCI standards will be a big bonus to your business. They are a well-recognised standard for any industry that handles financial information, which can be anything from retail to accountancy. You’d do well to follow their guidelines, as it will increase trust between you and your clients, especially the larger clients who are likely to be compliant themselves.

8. Remote management

A sysadmin’s dream. When an employee is having trouble, or a server has decided to conk out, there’s nothing more sublime than being able to just log in and assume direct control of the problem, often from wherever you are. If you want to feel secure and in control, and maybe a little like a megalomaniac, then make sure you kit yourself out with the remote access you need for your business.

Whew, once all that’s done, you’re ready for everything the world can throw at you. Of course it probably won’t throw anything at you, but at least you’ll be secure in the knowledge that your exhaust port is well and truly covered.

Tim Morris is a writer for Crunch Accounting, an online accounting firm with an impeccable security record. Crunch Accounting is revolutionising the industry by taking a trained accountancy team online, available to you at the click of a button. You can peruse their range of packages here, and even use their software for free!