I want my company to be more secure

This series simplifies cybersecurity for SMBs with practical, affordable guidance anyone can implement to enhance protection and minimize risks
Secure your small company without breaking the bank: create an asset inventory, use a password manager, enable MFA, encrypt devices, keep backups, and set basic security policies. It won't match enterprise security, but it'll protect you from common threats and can be done in-house within weeks.

This article is written by Mihai Ionescu, CEO of Blackshell, and published on Substack.

Hi - we are a small company (anywhere from 10 to 200 employees) and I want us to become more secure, but I'm not sure where to start. Fortinet keeps pushing video cameras, Palo Alto reps are camping outside in their weird hats, CrowdStrike insists we need their entire platform just to scan three laptops and Carbon Black's sales team has already scheduled our next five meetings without asking. Also - we want to spend less than $200 per year.

We get this question so often that I decided to write a blog post about it. Please note that this is by no means a replacement for a proper security framework - it is merely a guide to get small companies from 0 to 80%. If your company is required to meet certain compliance standards, this is not for you. Please contact us at blackshell.tech/contact if you need specialized advice. Finally, if you already have a security person within your organization, I’m sure they’d be happy to help, and they’re likely to know better.

When the budget is tight but security needs to be tighter

The proper way to do this would be to work with a security team - however, I know from experience that most companies are highly unlikely to do so, which is why I’ll stick to this realpolitik approach of suggesting low-hanging fruit that falls into the DIY category. The biggest threats such companies face are ransomware, denial of service and data theft. Generally speaking, you mainly need password management, regular backups, full-disk encryption and some basic disaster planning - leave the fancy threat modelling, hardware keys and endpoint monitoring for when your organization can actually support them.

Create an asset inventory

  1. Make a list of all employees, all assets, all services and all accounts that your company is using (including things like domains, websites, WiFi routers, Facebook accounts, mobile phones).
    1. When applicable, write down things such as serial numbers, who owns the asset, what operating system it runs, who is in charge of paying for the subscription and when the billing cycle or contract ends.
    2. You can use any tool (such as Excel or Google Sheets), but I strongly recommend something like Notion or Confluence for all this information - the extra features (linking, ownership, reminders) will come in handy later.
  2. Group assets and services by criticality:
    1. Critical
      1. Core business systems that would cause immediate business stoppage if compromised; Customer databases and sensitive personal information; Financial systems and payment processing; Critical intellectual property and trade secrets; Primary production/service delivery systems
    2. High
      1. Internal communication systems (email, chat); Customer relationship management (CRM) systems; Network infrastructure and VPNs; Backup systems; Development and testing environments with production data
    3. Medium
      1. Internal documentation and knowledge bases; Non-production development environments; Office productivity tools; Secondary business applications; Marketing assets
    4. Low
      1. Public information; Individual workstations with no sensitive data; Test environments without real data; Legacy systems being phased out; Non-essential business tools
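The inventory is only useful if it is complete and kept current, so it pays to check it mechanically. The script below is an added example, not something from the original article or from Blackshell: it assumes the inventory is exported as a CSV (from Google Sheets, Notion or similar) with the columns shown, and the rows, column names and function names are constructed for the example. It groups assets by the four criticality levels above, flags fields that are missing for each asset type, and warns about contracts or subscriptions that end soon or have already lapsed.

```python
"""Check a small-company asset inventory for gaps.

Added example, not part of the original article. It assumes the inventory is
kept as a CSV export with the columns used below; the column names and the
sample rows are constructed for the example.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export; a real one comes from the sheet or Notion export.
SAMPLE_CSV = """\
asset,type,criticality,owner,os,serial,billing_owner,contract_end
Customer DB (Postgres),service,critical,alice,Ubuntu 22.04,,alice,2025-03-01
Office WiFi router,device,high,,RouterOS 7,RB-12345,bob,
Company Facebook page,account,medium,carol,,,carol,
Marketing laptop,device,low,dave,macOS 14,C02XYZ,dave,
Payment processor (Stripe),service,critical,alice,,,bob,2024-12-15
"""

LEVELS = ("critical", "high", "medium", "low")

# Fields that must be filled in, by asset type (device / service / account).
REQUIRED_BY_TYPE = {
    "device": ("owner", "os", "serial"),
    "service": ("owner", "billing_owner", "contract_end"),
    "account": ("owner",),
}


def load_inventory(text):
    """Parse the CSV export into a list of dict rows, normalising criticality."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        level = row.get("criticality", "").strip().lower()
        if level not in LEVELS:
            raise ValueError(f"{row['asset']}: unknown criticality {level!r}")
        row["criticality"] = level
    return rows


def find_gaps(rows, today, warn_days=30):
    """Return (asset, problem) pairs a practitioner should fix.

    Flags required fields that are empty for the asset type, and contracts
    that have ended or end within warn_days. `today` may be a date or an
    ISO string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    problems = []
    for row in rows:
        name = row["asset"]
        for field in REQUIRED_BY_TYPE.get(row["type"], ()):
            if not row.get(field, "").strip():
                problems.append((name, f"missing {field}"))
        end = row.get("contract_end", "").strip()
        if end:
            end_date = date.fromisoformat(end)
            if end_date < today:
                problems.append((name, f"contract ended {end}"))
            elif end_date - today <= timedelta(days=warn_days):
                problems.append((name, f"contract ends {end} (within {warn_days} days)"))
    return problems


def by_criticality(rows):
    """Group asset names by criticality, in critical-to-low order."""
    groups = {level: [] for level in LEVELS}
    for row in rows:
        groups[row["criticality"]].append(row["asset"])
    return groups


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_CSV)
    for level, names in by_criticality(inventory).items():
        print(f"{level:>8}: {', '.join(names) or '-'}")
    for asset, problem in find_gaps(inventory, today="2024-12-01"):
        print(f"FIX  {asset}: {problem}")
```

Run it on a fresh export every month (a cron job or a calendar reminder is enough): an asset with no owner is the one nobody will claim during an incident, and a lapsed subscription is how a domain or a backup plan quietly disappears.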

Start fixing things

  1. Cybersecurity is all about risk management, so you will have to make your own decision on how far to go with these things. However, some things are non-negotiable:
    1. For all items in the Critical and High categories, ask yourself what would happen if you suddenly lost access to them, or if their contents were posted on Facebook. These things really do happen - the CrowdStrike outage of July 2024 knocked out Windows machines around the world, some for days. What is your minimal business continuity plan, and how do you keep the lights on in the meantime?
    2. Get a password manager
      1. I recommend against self-hosting, but that’s up to you. Bitwarden, 1Password and Proton Pass are all good choices.
      2. Get everyone in the company to use the password manager for everything. Yes, it'll be a challenge - if you can enforce it for Critical and High importance assets, you’re already in a much better position. Use long passwords - forget about 8-10 characters. Avoid anything shorter than 16 characters; ideally, stick with 32 or even 64. Always generate them with your password manager and get in the habit of copy-pasting or auto-filling passwords instead of typing them. Pick a strong master password and follow the app's instructions for storing it securely.
      3. Change all default passwords on printers, routers, WordPress etc.; use the password manager to store the new passwords.
      3. Turn on MFA for all accounts. You don’t need YubiKeys. Avoid SMS codes when possible - they can be intercepted or redirected through SIM swapping. My suggestion is a combination of authenticator-app one-time codes and FIDO2/WebAuthn passkeys (the kind built into phones and laptops and unlocked with a fingerprint or the device PIN). Store recovery codes somewhere safe and make sure you can reach them without the MFA device or the password manager! Printing them on a piece of paper is fine - just make sure you’re not using a shared or public printer.
      4. Use passwords and PINs on every device you have. Nothing is easier to hack than an iPhone with no lock screen. If you’re using a PIN, 6 or 8 digits are a lot better than 4.
    3. Turn auto-updates on for all workstations. Turn full-disk encryption on for all user devices (BitLocker on Windows, FileVault on macOS, LUKS on most Linux distributions) and store the recovery keys the same way as the MFA recovery codes: somewhere safe that you can reach without the device itself. DO NOT LOSE THE ENCRYPTION KEYS.
    4. Make sure you have backup procedures in place for all core assets, and test them - a backup you have never restored from is a hope, not a backup. Keep at least one copy where ransomware on a workstation cannot reach it (offline, or a cloud copy with versioning). Unless you have a good reason and a solid backup strategy, stop storing documents on local machines - use a cloud solution that provides encryption, backups and disaster recovery. For any service that can be moved to the cloud, consider doing so: the provider takes on patching, availability and physical security, which removes risk you would otherwise carry yourself. For files that cannot be stored in the cloud for legal or operational reasons, make sure they are encrypted and backed up.
  2. Get a B2B VPN, so that internal services are reachable only by authenticated employees rather than from the open internet. We sell one and we think it’s the nicest out there, but so do other companies (NordLayer, Tailscale etc.). Some products (including ours) come with additional features that can further improve your security posture.
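"Make sure those backups actually work" is the step most small companies skip, so here is what a restore drill looks like in code. This is an added example, not code from the original article or from Blackshell: it takes a gzip tar of a folder, records a SHA-256 manifest at backup time, restores the archive into a scratch directory and compares every file against the manifest. The sample files, paths and function names are constructed for the example; the same pattern applies to whatever your real backup tool produces, as long as you keep a manifest from the time of the backup.

```python
"""Back up a folder and prove the backup restores cleanly.

Added example, not code from the original article: it demonstrates the
"make sure those backups actually work" step with a gzip tar archive plus a
SHA-256 manifest. Sample files are constructed in a temp dir so it runs
offline; all paths and function names are this example's own.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 (no need to load it all into memory)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(root):
    """Map relative file path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source_dir, archive_path):
    """Write a gzip tar of source_dir; return the manifest taken at backup time.

    Keep the manifest with (but not only inside) the archive: it is what lets
    you prove months later that a restore gave you back what you saved.
    """
    manifest = manifest_for(source_dir)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for rel in manifest:
            tar.add(str(Path(source_dir) / rel), arcname=rel)
    return manifest


def restore(archive_path, restore_dir):
    """Extract into restore_dir, refusing members that would escape it."""
    with tarfile.open(str(archive_path), "r:gz") as tar:
        try:
            # The "data" filter (Python 3.12, backported to 3.8.17+) rejects
            # absolute paths and "../" escapes inside the archive.
            tar.extractall(str(restore_dir), filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(str(restore_dir))


def verify(manifest, restore_dir):
    """Compare a restore against the manifest; an empty list means it passed."""
    restored = manifest_for(restore_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs: {rel}")
    for rel in sorted(restored.keys() - manifest.keys()):
        problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_restore_test(tamper=False):
    """End-to-end drill on constructed data; returns verify()'s problem list.

    tamper=True damages the restored copy before checking, standing in for a
    backup medium that silently lost or corrupted data, to show the drill
    would catch it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, dst, archive = tmp / "src", tmp / "restored", tmp / "backup.tar.gz"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "invoice.txt").write_text("constructed sample document\n")
        (src / "customers.csv").write_text("name,email\nalice,alice@example.com\n")

        manifest = make_backup(src, archive)
        dst.mkdir()
        restore(archive, dst)
        if tamper:
            (dst / "customers.csv").write_text("name,email\n")  # truncated
            (dst / "docs" / "invoice.txt").unlink()              # lost
        return verify(manifest, dst)


if __name__ == "__main__":
    print("clean restore:", run_restore_test() or "OK")
    print("damaged restore:", run_restore_test(tamper=True))
```

Two things to carry over to a real setup: the manifest must live somewhere other than only on the backup medium (otherwise a corrupted medium takes the evidence with it), and the drill should be run on a schedule, restoring to a spare machine, not just when someone remembers.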

What next?

  1. Write a minimal set of security policies for your team. Things such as not leaving visitors unattended, shredding confidential documents and wiping whiteboards, locking devices when stepping away from the keyboard etc. Consider specialized training for your employees - people will always fall for scams, but you can reduce the success rate.
  2. If feasible, buy company devices for your employees and make sure they only use them for work.
  3. Perform some sort of automated pentesting / auditing of infrastructure. We offer this through Bluefin, our vulnerability scanning platform, but so do others (such as Aikido or Pentera).
  4. Eventually hire someone to take care of this on an ongoing basis. Some companies even sell a CISO-as-a-service product.

This gets you 80% of the way there - miles ahead of where you started. The good news is that it should not take more than a couple of weeks and can be mostly done in-house with minimal spending. To security experts, this might not even scratch the surface - however, it is more than what most companies have and, most importantly, it is within the realm of possibility for a small company.

For more advanced use cases (or if you need someone to guide you through the process), don’t hesitate to get in touch with our team at blackshell.tech/contact.