Getting down to the basics of device security
By Alex Norman
The workstation that you use will be a focal point for almost everything you do. It may not always be possible in the early days to have a dedicated work device, but it’s definitely in everyone’s best interests to try to keep work and personal data separate. Beyond that, there are a few basics that can help protect your startup in case your device gets stolen or you accidentally click a link in a phishing email.
Where to find the settings and what advanced security features your device supports will vary. We’re going to focus on a few basics that should be available everywhere.
What | Start | Next |
---|---|---|
Strong device password | Use a unique passphrase | MDM |
Disk encryption | Enable disk encryption | MDM |
OS updates | Turn on automatic updates | MDM |
Endpoint security agents | License business AV | EDR |
The recommendations in this section are intended to protect against the leaking of company data if a device is lost or stolen.
Setting up basic device security will help prevent a thief who has stolen your laptop from being able to access the data. It will also prevent random strangers from trying to access the data on your device if you’ve left it unattended.
Basics to get started? Set up a strong device password and encrypt the device.
A weak device password is less of a problem for phishing attacks, since an attacker needs to be in front of your laptop or phone to try to guess your password. It is more of a problem when your kids or friends see a shiny new MacBook and want to start playing with it. Setting a reasonable password definitely applies if your device gets stolen. Don’t use ‘password’ or ‘1234’ to unlock your device. Anything slightly more complicated or unique will do. You don’t even need to change it that often.
All recent Android and iOS devices are encrypted as long as you have set some kind of screen lock such as a pattern, PIN, or fingerprint. For macOS and Windows, you may need to check whether encryption is enabled using their FileVault and BitLocker features respectively. The one main caveat is that you may not be able to recover the data from the device if you forget the passcode, PIN, or password that unlocks it.
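The FileVault and BitLocker check described above, as an added example that is not part of the original article: it classifies the output of `fdesetup status` (macOS) and `manage-bde -status` (Windows), including the cases where encryption is still in progress or BitLocker protection is suspended. English-locale output and `C:` as the OS drive are assumptions, and the sample output is constructed.

```python
import platform
import re
import subprocess

# Constructed sample of `manage-bde -status C:` output: the disk is encrypted,
# but protection has been suspended.
SAMPLE_SUSPENDED = """\
Volume C: [OS]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
"""


def filevault_state(output: str) -> str:
    """Classify `fdesetup status` output (macOS)."""
    if "FileVault is On" not in output:
        return "unprotected"
    # FileVault can report On while the disk is still being encrypted.
    return "in_progress" if "Encryption in progress" in output else "protected"


def bitlocker_state(output: str) -> str:
    """Classify `manage-bde -status` output (Windows, English locale assumed)."""
    fields = {k.strip().lower(): v.strip().lower() for k, v in
              re.findall(r"^[ \t]*([A-Za-z ]+):[ \t]+(.+)$", output, re.M)}
    conversion = fields.get("conversion status", "")
    if conversion.endswith("encrypted"):
        # Encrypted with "Protection Off" means BitLocker is suspended: the
        # key sits unprotected on the disk, so a thief can still read the data.
        on = fields.get("protection status") == "protection on"
        return "protected" if on else "suspended"
    return "in_progress" if "encryption in progress" in conversion else "unprotected"


def check_local() -> str:
    """Run this platform's status command and classify the result."""
    system = platform.system()
    if system == "Darwin":
        cmd, parse = ["fdesetup", "status"], filevault_state
    elif system == "Windows":
        # Needs an elevated prompt; C: is assumed to be the OS drive.
        cmd, parse = ["manage-bde", "-status", "C:"], bitlocker_state
    else:
        return "unsupported"
    done = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse(done.stdout)


if __name__ == "__main__":
    print("sample:", bitlocker_state(SAMPLE_SUSPENDED))  # constructed input
    print("this device:", check_local())
```

Anything other than `protected` is worth following up before the device leaves the office.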
What’s next? You’ll need to start looking at Mobile Device Management (MDM), also known as Universal Endpoint Management (UEM), tools when your startup begins to grow. It’s easy to verify a small group, but it will become tedious and error-prone when you’re hiring a few new starters every week. By incorporating an MDM tool, all company devices can enforce a standard security baseline with reporting to validate this. Some allow for application management and other advanced security features. But do keep in mind that there is an overhead associated with MDM tools, since you will ideally need to get the tooling set up before someone starts using the device, and someone internally will need to manage the tool itself.
What does Kinde do? Being a small team, we’ve opted not to use MDM yet. We’re using a tool called Pareto Security that validates basic security settings such as screensaver lockout, device password, encryption, and firewalls. It doesn’t enforce anything but will report the key security settings back to a central portal so that we can validate the common security baseline across the company. It also has an icon on the desktop menubar that lets users know what settings aren’t enabled and gives helpful information on how to change them, basically gamifying the security experience. We felt like this was an appropriate compromise between the effort in managing the device and ensuring our secure baselines are applied correctly.
Turn on automatic updates. A lot of phishing attacks and malware take advantage of vulnerabilities in the underlying OS. A classic example is the EternalBlue exploit from 2017, which allowed an attacker to infect other unpatched Windows machines within the same network with relative ease. Installing the latest Microsoft patches at the time would have protected your workstation. Take the easy route and just do the monthly updates as soon as practical. Yes, they can be a massive download. And yes, it can take half your lunch break to finish the updates. But getting into this routine may save you a lot of pain down the line.
Further to OS updates and mainly applicable to laptops and desktops, have some kind of endpoint protection or anti-virus software installed. This will help protect your device from malware-ridden files shared with you, phishing downloads, and malicious behaviors. There are arguments for using anti-virus, such as safety in layers and having a dedicated security vendor protect your device, and arguments against it, such as OS vendors having built-in protections and anti-virus slowing down the computer. In our experience, it’s best to use it given the risks it can protect your device from compared with the low cost and usually low maintenance required.
Basics to get started? Set your OS to do automatic updates. Install them as soon as practical, like at the end of the day or over your lunch break. Find affordable anti-virus software for business. There are free options out there if you’re cash-strapped, but these usually come with some caveats like ad pop-ups, community-run updates, and no centralized reporting. Browse through the vast list of options out there as noted by the G2 category for anti-virus. We’re also specifically referring to a business license because it will have centralized reports and alerts so that your team will quickly find out when someone’s device has malware on it or is exhibiting malicious behaviors.
What’s next? Similar to the earlier topic about device passwords and encryption, an MDM tool will help enforce the installation of OS updates as well as automate the installation of the endpoint protection tools. The next step beyond anti-virus is Endpoint Detection and Response (EDR). These are usually add-on agents or licenses that will monitor for threats to your devices and automate the response to those threats. EDR tools are generally for when a company is scaling up quickly and needs to simplify its security response across lots of devices.
What does Kinde do? All company laptops run CrowdStrike’s next-gen antivirus with alerts going to a security Slack channel. Both CrowdStrike and Pareto Security can report on the status of OS updates. Installation and verification of the agents are done during the security onboarding session for all new starters. We also have occasional validation tasks to verify that everyone’s devices are reporting back to the central consoles correctly, that all the devices are up to date, and that we didn’t miss any alerts.