Startup Mishaps — Culture, Capital Controls & Device Hardening
When founders receive funding, there is a huge amount of work to be done to get the business up and running, and it can be easy to forget to spend time setting up controls on how money is authorized within a company, at what levels, and on what devices.
Sadly, when this goes wrong, it goes very wrong. Recently, a friend had his phone stolen. This incident cost him and his company lost hours, cash, but worst of all, the trust of some of the people around him. On further review, by him and his team, a few of the steps below would have materially impacted the outcome of this incident.
Perversely, as the digital landscape continues to evolve to make our lives easier, devices are increasingly being used for both personal and business purposes by colleagues and employees, so it is essential to ensure that the necessary controls and hardening measures are in place to protect against any unexpected transactions and single points of escalation when things go wrong.
There are three key steps that need to be taken to ensure the safety and security of data and funds: Leading a culture of vigilance, establishing capital controls and hardening mobile devices.
Leading a Culture of Vigilance
The biggest hurdle to your company taking anything you do on this subject is you. If you see it as a nuisance, they will too. If you see it as something not spending time on, they will too. If you showcase irritation around the processes and precautions you’ve put into place, they will too and you’ll just create a culture of rebellion towards something that is really there to help everyone in case of when things go awry.
The ideal scenario is when you can recruit your team to co-own this issue with you rather than them seeing it as an imposition on them. You need to make it ‘ok’ to engage on this topic. Think about how you can educate them on the severity of the implications, engage them during any process that checks how things are going (audits), and encourage them to speak up when they see something that isn’t quite up to what the spirit of what you are trying to achieve. This makes it feel less like a police state and more like something you are all in together for the betterment of the org.
Establishing Capital Controls
Capital controls are a way to ensure that only designated people can authorize the transfer of funds, when, and for how much. Having these prevents any rogue or unauthorized actions from taking place and also stops any money from being spent without the proper authorization. It also serves to protect against the security risks that can arise from device theft. This does not mean you lose control of your company to your colleagues who facilitate this, it merely implies there are two steps to complete, thus securing key transactions having multiple checks prior to a possible failure. If you want to read more about these kinds of controls, go here.
Also, make sure you choose a financial institution that allows you to have and/or enable these kinds of controls for added safety.
Hardening Devices
It is scary what can be done with one device these days. It’s not un-usual for a device to contain someone’s social life, work life, financial life, and health life. It is downright scary. Thus spending some time in choosing what to have on your device, how you access it, and what controls you have in place is as important for you in the long term as health insurance is.
To begin with, the use of a password manager enables you to start addressing the main issue of remembering and managing the multiple accounts you will accrue as you build your company. 1Password is what many people use, but Dashlane, Bitwarden, and Lastpass are other favourites. Once you have this in place, think about creating groupings within this that grants specific access to subgroupings of your organization. A virtual ‘capital control’ if you will. Also make sure you enable two-factor authentication where you can. Modern password managers make it super easy to do this. However, make sure you avoid consumer-grade options like browser-based password managers and OS-based password managers, which make it harder to manage when things go wrong.
Moving on from passwords onto devices themselves, there are so many entry-doors to a device that it is downright scary. Spend some time thinking about what kind of features you think should be enabled or disabled within your team’s devices. For example.. is there a reason why any app on your device should not be behind a Touch or FaceID? Is there a reason why you are using a simple pin to protect key access? Sometimes using a company Mobile Device Manager (MDM) for setting secure configurations, and setting appropriate policies that prevent people from saving sensitive information in the wrong places can help protect against device issues when there is a loss or theft. MDMs can also help to enforce security policies and prevent unauthorized access to data. Here are some MDM’s you can check out:
https://simplemdm.com
https://www.kandji.io/
https://www.jamf.com/
https://jumpcloud.com/
https://workspace.google.com/products/admin/endpoint/
Lastly, hardening devices from OS-level feature creep can also help slow things down from going awry and when things go really really awry. They reduce the footprint of exposure, if you will. These three links cover the basic ones you should review for sure:
For really really sensitive apps, you can consider buying a hardware token to avoid having to use SMS or Google Authenticator-type Two Factor. Yubico’s keys are the ones that are generally the most compatible, in particular for iOS. Hardware tokens add an extra layer of security as they require something you have as well as something you know, and something you don’t know but generate.
In conclusion, establishing capital controls and hardening devices are two important measures to protect against unexpected transactions and single points of escalation. Taking the necessary steps to create a secure environment can help to give founders and their investors peace of mind that their data is safe and secure, while also providing the company with the necessary protections to prevent any rogue or unauthorized actions from taking place.
