I'm a non-technical indie founder and just built my first startup with a technical co-founder. I'd like to improve our security but I'm not sure how I should protect the company so we don't get scammed out of our money or worse expose client data. Any advice?
When you’re a tech startup, one of the first things you’ll want to do is make sure your business is protected. There are plenty of bad actors out there that will try to access your company data, so it’s important to know how to keep them out!
First of all — I highly recommend using a proxy with built-in firewall functionality; it can either be Cloudflare or Google Cloud Armor. Cloudflare makes it easy, GCloud is good after you’ve reached a point when you need to take it more seriously with custom application firewall rules.
You can also use a proxy to hide your real server IP, which makes it harder for hackers to do harm. There are a lot of contractors who can set up proper VPNs and security rules for you. Most of them are set once and forget, so invest some $$ at the start.
Wherever you have a contact form on your website — use Google reCAPTCHA or Akismet to protect from spam. You can’t imagine how fast you’re gonna get spammed with viagra, pharma, and crypto stuff if you leave a form unprotected, and never allow sending emails to other users with arbitrary content inside them. These are the juiciest ones for the spammers; they’ll add you to the list of “allows spam” websites.
Instruct your team members that if they receive an email from you asking them to perform a quick task and to reply to get more details — it’s highly likely a scam attempt, and they should always double-check the validity of the email contents.
Make sure all of your employees understand their role in keeping the company data safe — run security training sessions in which they learn how to spot suspicious activity, be it social engineering or phishing websites. This way, everyone will be able to identify potential threats before any damage is done.
Don’t install any weird software from random sources — if you’re on a Mac, always install stuff from the app store only and if you’re asked to allow the package to make changes to your system, be really careful when allowing that.
Use a Password Manager like 1Password or any other. This helps with having a unique password on every site.
2FA everything. This will save your ass when someone decides to get into any of your accounts. From Email to Gcloud to Slack — everything needs to be connected with Two-Factor authentication.
Backups are super important. No database should ever be running unless there’s a backup process running alongside it. If you’re using cloud databases – turn on the point-in-time restoration option and save at least 2 weeks’ worth of backups.
Order a pen test. If you want to test how secure your webapp is — you can go to any cyber security firm and order a penetration test done. It usually costs from 5’000 USD to 15’000 USD depending on how many services you have.
These are the low-hanging fruits of how you can protect your company. Add some more if you have any, I might edit this answer later.
I value the startup community because we are all in this together, we're all amateurs trying our best to build something meaningful. Share your unfiltered experiences and thoughts with others; one man's rant is another man's valuable lesson.