You are completely reliant on your cell phone provider's network to provide security of your message. However, when it is transmitted it is unencrypted and you have no confirmation if it has been intercepted or even modified.
I recommend using programs like Signal4 or Wickr5 that provide end-to-end encryption, meaning the provider of the service cannot view or even decrypt your message. While too lengthy a topic for this book, this type of messaging is also referred to as zero knowledge encryption, where the service provider has no knowledge of encryption or decryption keys. Some of these providers also have the ability to set an expiration date on messages so they are automatically deleted from the recipient's phone after a specified amount of time. Sometimes, as a start-up, you can't follow every rule of the book to get things going; maybe it is more convenient to quickly share an administrator password to some system and then create a new user. Tools like Signal and Wickr can help you do that quickly and securely.
Chat programs like Slack6 and Microsoft Teams7 (included with Microsoft O365) have become hugely popular in large and small businesses alike. It provides an easy-to-use platform to collaborate across teams and physical distances. Like all services, there can be limitations to security based on cost. Some free versions may not allow the same amount of control over data within the platform that you would get if it was paid for.
It is critical to understand the difference between free and paid versions of the same product as well as to read through the terms of service. Most of these platforms encrypt data when it travels over the Internet but may not store it in an encrypted state. The ability to scroll back to the very first message is convenient but also comes at a risk cost of that data being stored somewhere, possibly encrypted. And if that service provider suffers a data breach, it could reveal your chat logs. If it is critical to have total confidentiality and integrity over the messages or data you need to share, then don't use chat platforms.
SECURE YOUR CREDENTIALS
Access to all of these great tools requires nearly the same things: a username and password, at a minimum. Unless you've been living a disconnected lifestyle in the wilderness of Montana, you'll most likely have heard about every major breach in the last 10 years. Of the vendors that respond to these data breaches, one in particular, Verizon, publishes a report8 every year on the breaches they respond to.
Every year in those reports, the compromise of usernames and passwords are at the top of the list of initial causes of those data breaches. You should treat your usernames and passwords (i.e., credentials) as you would your new amazing start-up intellectual property. Protect them at all costs. Many of the services I discuss in this book provide extra layers of security you can enable called multi-factor authentication (MFA).
The use of MFA is a business requirement today and can drastically reduce, if not eliminate, the possibility of someone that has stolen or guessed your credentials from logging into your account. There are various forms that MFA can come in; a text message is one of the most popular capabilities. However, as we have already discussed, text messages can be insecure.
Multi-factor authentication requires you to enter an additional piece of information when you log in with your credentials. You might even already use a feature like this with your bank where you receive a code via text message that you have to enter to complete the login process. While not all services you use will have this capability, you should enable it immediately, especially if you are like 80% of users that reuse passwords across many sites.
Some more advanced services like Google Workspace for Business allows users to use an app on their phone to conduct the MFA portion of their login. This app is called Google Authenticator and is free to use. Authy9 and LastPass10 are also popular free apps. For sites that support this type of MFA, you simply log in to your specific account, enable MFA, and the website provides a QR code that you then take a picture of with the authenticator app.
When using these apps, you will typically be presented with backup codes when you set up this type of multi-factor authentication. Print these codes out and put them in a secure place. If you lose your phone you lose your ability to authenticate into the services you've protected. I'm saying this twice because it is critical: print out and save your backup codes.
FIGURE 1.1 Yubikey Product Line
Source: https://www.yubico.com
This syncs your phone and the specific account. When you log in with your credentials again you simply open the app and enter the code displayed. There are alternative services to this app, such as Authy. Both of these apps work on iPhone and Android. Large organizations may even employ a physical token that displays a number that changes every 30 seconds. These physical tokens offer a higher degree of security but are more expensive to deploy and maintain.
FIGURE 1.2 Google Titan Security Keys
Source: https://cloud.google.com
SAAS CAN BE SECURE
Nearly gone are the days of setting up a physical server in your garage that runs the website, email, build, dev, staging, and production environments for your start-up. Software-as-a-service (SaaS) allows start-ups to both launch and scale quickly and take advantage of enterprise-level cybersecurity controls. Even in the shared security model adopted by most infrastructure-as-a-service (IaaS) providers like Amazon Web Services (AWS)11 or Microsoft Azure,12 a start-up is starting ahead of the game with SaaS.
Starting a business requires a lot of data and documentation and collaboration on that data and documentation. Whether you are developing the next mobile app to disrupt the housing market or developing a new fireproof fabric, the information and intellectual property surrounding that must be secured. Hundreds of platforms exist for collaboration, which I can't discuss at length in this book.
However, I will discuss some of the more popular platforms for sharing data. Some of the most common are Dropbox, Box, Google Drive (part of Google Workspace) and Microsoft OneDrive (part of Microsoft O365). You've probably noticed by now that encryption and access are key components to protecting information. When storing that data you should encrypt it if possible. There are many solutions that have the ability to encrypt files you store in those file-sharing tools and share with your team in an even more secure manner. This doesn't always scale but can help protect your sensitive information early on. Additionally, this level of file-based encryption should be kept for only the most sensitive data to maintain efficiency of your start-up.
In the case of software development, care should be taken when considering access to services such as GitHub,13 which is a service that allows developers to store and retrieve
