Startups, more than anything, are organizations built to move quickly and efficiently. Unfortunately, in the mad dash to product market fit, security often gets lost in the fray.
Information security is often thought of as a costly set of processes that slows everyone down, creating unnecessary bureaucracy in order to protect against an unknown, immeasurable threat.
Luckily, there are a number of simple, effective measures that can be taken to make your organization instantly more secure, with the click of a few buttons. Nothing in this list requires a developer, or even information security expertise. In many cases, sound security practices are a matter of knowing which settings to change.
Most organizations rely on a small number of core services that make up the majority of their attack surface: email, chat, file sharing, and code repositories. Most of the services you use across your company support organization-wide two-factor authentication, and you should enable and require it for your entire company.
This can't be emphasized enough: enabling two-factor auth is the single most effective measure you can take to improve security across the organization. It costs your company nothing, takes very little time to implement, and it significantly reduces the attack vectors available to attackers.
Use an authenticator app instead of SMS
While SMS-based two-factor auth is better than nothing, it has one major security flaw: it's tied to your cell phone number.
Your cell phone number is a growing attack target for carrying out phishing schemes and more sophisticated attacks that exploit the nature of the cellular system to intercept SMS messages in transit. This has been exploited most prominently to gain access to key accounts in order to steal cryptocurrency balances from their owners. In essence, attackers use a combination of social engineering (phishing) and weaknesses in cell phone providers' security protocols in order to temporarily intercept SMS messages that contain two-factor auth codes.
While this may seem like a sophisticated attack, it is not at all difficult to carry out, especially if the attacker has a specific target in mind, such as an executive at your company. The cost of switching to a dedicated authenticator app is small compared with the damage an SMS-based attack could do. Often, all it takes is one compromised account to gain access to a treasure trove of information, especially if that account belongs to a person with a high level of access.
Google Apps
- Go to Google Apps Admin Console > Security > Basic Settings
- Click Go to advanced settings to enforce 2-step verification
- Under Enforcement, click Turn on enforcement now
- Under Allowed 2-step verification methods, click Any to allow SMS as a two-factor source, or check Only Security Key to require the use of Google Authenticator or a physical key.
Slack
- From the Slack top left menu, choose Administration > Workspace settings
- Click the Authentication tab, and under Workspace-wide two-factor authentication, click Activate two-factor authentication for my workspace
Slack Message Retention Policy
The other measure you can take to greatly reduce your company's Slack risk is to set a message retention policy. From a security standpoint, the less you have in your Slack logs, the better.
- In Slack admin, click the Settings tab
- Scroll down to Message Retention & Deletion
- Set a number of days after which messages get deleted.
- Uncheck Let workspace members override these settings
- From the top-right menu, click Settings, then select the Security tab
- Under Authentication Settings, check Require two-step verification