Security You Never Knew You Needed

Oct 8, 2023 | Articles


Introduction

Opening a small business, and especially a Management Consulting Firm, we knew we would have an uphill battle trying to build credibility in a well-established business category. It’s an interesting situation being on your own and prospecting: both Mark and I spent years working for large agencies and when we left, we were both the exact same professionals, with exactly the same level of experience, and the same expertise in our respective fields. We’d worked on hundreds of brands and with thousands of people. But walking into a room without an Agency name behind you somehow seemed to change things.

As part of the Agency world, we’ve both spent hours talking to executives and building trusted relationships deep within our clients’ businesses. We’re comfortable expressing ideas, listening to feedback, and collaborating with diverse teams. As we embarked on trying to create our own business, we were all of a sudden living the Brand Equity story we’d been telling clients for years in a very personal way.

Central to our business model is trust. Trust, reliability, and quality. Trust takes a lifetime to build and a moment to break. So underneath all the pitch decks, cold calls, and client deliverables, we had to determine the best way to underpin the business with an infrastructure that reduced the friction points of working together and preserved that trust. If a client wanted to solve a data problem, we wanted to be able to access their systems securely. If they sent us a message, we wanted to be sure it was private. If we had someone who needed help with audiences, we wanted to slice and segment.

So we undertook a number of backend projects to build out our capabilities with one caveat: we were resource limited. We could only build what we could afford, which meant much of this would need to be DIY. The first step was choosing premium, cost-effective tech providers, which gave us a solid baseline to work from. The next was systems hardening and modular upgrades.

These are the kinds of details that only matter in two places: 1) when you are trying to gain access to systems and files or 2) when there is a problem. No one cares about a privacy policy until their data is leaked. Just like no one cares about an internet connection until it’s broken. Most of the time security and privacy are an inconvenience with endless MFA applications, login screens, and mind-numbing backend configurations. It seems almost daily that I am one ‘password change’ away from giving up on my accounts altogether.

As an individual, security is an obstacle. As a business, it is an asset. Every time we engage with a client, we’re taking responsibility for protecting their intellectual property (IP). So behind the scenes we began a long journey of hardening our infrastructure and creating a system architecture that is ready to integrate with the most sophisticated clients.

Aspirations are one thing, but execution is another entirely. There aren’t a lot of guides out there on comprehensively setting up a tech stack. As two partners in a boutique shop, we were all alone trying to navigate our technology choices and had to build them all by hand. We couldn’t just hire an Information Technology (IT) professional to come in and build so we would need to do it from scratch.

Storage, programs, antivirus software, servers, and bookkeeping were just some of the backend choices we had to make. But beyond picking the systems, we also needed to map them. How could we tell a client to reconfigure a Customer Relationship Management (CRM) system and not have ours set up internally? How could we talk about email marketing and not have S/MIME certificates? How could we talk about first-party data management and not have a privacy policy?

All of this to say that among all the other business decisions we had to make, we also made a commitment to best-practice implementations. Doing so helps us stay prepared to have technical conversations and allows us to think critically about client business challenges across their tech stack. This methodology in its entirety isn’t for everyone and you certainly don’t need to go to the same lengths as us. The hope is that maybe you will find something in here that makes you think twice about how your security practices are set up and dig into what you can do to implement incremental changes.

Most of what we’ve done has been pretty cost effective. Sure it takes a little longer to build all this from scratch, but from a hard cost perspective, it is a very small percent of our Operating Expenses. It also removes a lot of friction when we start working with sophisticated clients. Nowadays if we want to work with a public company they want to see security policies, insurance, and have us plugging into their existing infrastructure. We can’t afford to be out of a pitch before we get started so this has been a business decision that pays off in spades.

In many cases, some of the systems we’ve put in place are more than a typical small business will need. However, there are a few critical components that every business should consider when building a website, databases, filesystems, and email infrastructure. Below, we’ll present a few of the topics that have been front and center in our business operations so you can think a bit about your own setup.

Frameworks and Resources to Consider

As you are considering what to include and exclude from your business security policies, it’s worth looking at the established industry standards from regulatory bodies and organizations. This is what we’ve used to continue to build our business checklists. It’s also important to know that building hardened security systems and policy is an ongoing process and is as dependent on people management as on encryption. Here are some of the most helpful resources we have used in determining what to protect and how to think about our business.

NIST

The National Institute of Standards and Technology is a government body that is focused on Measurements and Standards. They are a far-reaching research and development organization which supports the very foundation of American Industry. So what does that have to do with Cybersecurity? Well, among the hundreds of things they support, they created a cybersecurity framework designed to be usable by all companies to help guide the reduction of their risk profile and think critically about their infrastructure.

There are a few key resources you may consider using to set yourself up for success. The first, and most intense, is to download and read the entire NIST Framework. We’ve included a link to the file here. If you are looking for a more user-friendly option, check out their quickstart guide and their online learning modules. Going through these materials will give you a strong starting point.

Our security framework is based on five key areas identified by NIST.

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

Whenever we are in the process of updating and refining our policy framework, we have to take into account the limitations that come with having finite budgets and resources. We have to remain lean while doing everything in our power to continue to improve. The NIST framework is perfect for those situations because it is designed to scale with businesses as they grow and function at any size organization. Using these tools at regular intervals we can continue to think about “what is next” and “how does this compare to our last round of improvements”.

High Value Base Security Tactics and Considerations

Certificate Authority

When you go to buy a web server from Bluehost, GoDaddy, or Siteground, most of these companies will offer you some form of SSL certificate as part of your subscription. But what is an SSL certificate and why does it matter? Are all SSL certificates the same? How do they secure my website? And what don’t they do?

Let’s start first with what an SSL certificate on your domain does. An SSL (Secure Sockets Layer) certificate enables your browser to identify your server. It is an identification marker that, through the magic of the internet, establishes a secure and encrypted handshake between your web server and the person accessing your site. This prevents ‘bad actors’ and ‘hackers’ from intercepting data as it flows from users to your site and back again.

This creates a baseline of trust with users and protects data in transit. However, certificates, just like credentials, come in a variety of flavors. Imagine the difference between your library card and your Company ID. Or between traveling to the airport using your driver’s license versus having TSA PreCheck. Each type of identification certificate provides increasing levels of validation of who you are, your organization, and your trustworthiness.

Depending on your organization, there are three types of SSL certificates: Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV). These go in order from lowest to highest, both in the trust they provide and in the level of “proof” you need to produce to get them. Certificate Authorities are third-party companies that are licensed to provide these different certificates, and they perform various “checks” to ensure you are who you say you are. Some of the key providers in the space you can consider include Sectigo (also called Comodo), Entrust, and DigiCert. All three of these providers will be widely accepted, though you will likely find there can be some pretty sizable differences in price, so do your research.

One thing to be aware of is that by and large, the type of certificate you have doesn’t change your encryption. It may offer higher warranties to cover you in terms of a breach but the primary value proposition is to authenticate your business. The good news is that none of the certificate types listed are particularly cost prohibitive.

It is also important to remember that this is only a piece of the security pipeline, even with websites. For example, it does nothing to secure your actual server, so make sure to check the settings on your server and content management system separately. It also has no bearing on how information is being stored. But it does help you validate that the pipeline between you and a website is closed off.

Domain Validated Certificates

Domain Validated certificates are what most sites have installed and are usually offered free with hosting plans. All that a DV certificate verifies is that a person has control over a domain’s servers. Basically, it shows that whoever installed the certificate had the access needed to get into your site’s backend systems.

This is the minimum viable product for a site’s encryption needs. In the grand scheme of things they provide a bit of extra protection, but they don’t verify anything substantial about the site owner. They are inexpensive and better than nothing, but if you are running a site with payment processors, account logins, or any other personal information, they aren’t technically appropriate.

That being said, if you search around the internet, many enterprise organizations still use these free certificates on their sites. This is something we’ve become accustomed to finding. Organizations are busy, complex, and with lots of different priorities. Sometimes obvious things slip through the cracks.

Organization Validated Certificates

As a general rule of thumb, this is the minimum a small business or company should be using to validate its domain. In terms of trust, organizations should verify that they are who they say they are. Organization Validated Certificates do just that: they validate that the corporate entity exists and is in good standing. Certificate authorities will likely ask you detailed questions about your business formation and then use this to find your organization in the appropriate government databases. Oftentimes this will also include some form of phone verification.

Extended Validation Certificates

This is the most time intensive and difficult certificate to obtain, and for good reason. The attestation of the certificate authority is that they can 100% confirm that you are who you are claiming to be. The checks to obtain an EV certificate can be somewhat time consuming and can require a number of follow ups if your business is not easily located in a variety of online and offline sources.

In preparation for getting your Extended Validation Certificate, you may want to complete a few steps in advance. First and foremost, the process is much smoother if you have a Dun & Bradstreet number. The process is free, but be advised that it takes time to complete. If you are in a bit of a rush, you may also want to get an attestation letter from your accountant or a lawyer. This should be incredibly easy for your lawyer or CPA to complete and will go a long way if the CA validation team has any trouble finding what they are looking for.
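As an added check (example code, not from the article), the snippet below tells a DV, OV and EV certificate apart from the subject fields a browser displays, so you can see which kind a site is actually serving, your own included. The sample subjects and hostnames are constructed; the live lookup at the end is optional and needs network access.

```python
import socket
import ssl

# Constructed sample subjects in the nested-tuple shape that
# ssl.SSLSocket.getpeercert() returns. Names and hostnames are made up.
SAMPLE_DV = (
    (("commonName", "www.dv-example.test"),),
)
SAMPLE_OV = (
    (("countryName", "US"),),
    (("stateOrProvinceName", "Colorado"),),
    (("localityName", "Denver"),),
    (("organizationName", "Example Consulting LLC"),),
    (("commonName", "www.ov-example.test"),),
)
SAMPLE_EV = (
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "1234567"),),
    (("countryName", "US"),),
    (("organizationName", "Example Bank, Inc."),),
    (("commonName", "www.ev-example.test"),),
)


def flatten_subject(subject):
    """Turn getpeercert()'s nested RDN tuples into a flat {attribute: value} dict."""
    return {attr: value for rdn in subject for attr, value in rdn}


def classify_validation(subject):
    """Return "DV", "OV" or "EV" for a certificate subject.

    The CA/Browser Forum rules that make this possible:
    - a DV certificate asserts nothing about the owner, so its subject
      carries no organizationName;
    - an OV certificate must carry the verified organizationName;
    - an EV certificate must additionally carry businessCategory (plus the
      jurisdiction-of-incorporation fields), so that tag is the EV marker.
    The type says nothing about encryption strength, only about how much
    the CA verified, which is the article's point.
    """
    fields = flatten_subject(subject)
    if "organizationName" in fields and "businessCategory" in fields:
        return "EV"
    if "organizationName" in fields:
        return "OV"
    return "DV"


def summarize_certificate(cert):
    """Summary of a getpeercert() dict: type, who it names, and what that means."""
    subject = cert.get("subject", ())
    fields = flatten_subject(subject)
    kind = classify_validation(subject)
    notes = {
        "DV": "proves control of the domain only; thin for logins or payments",
        "OV": "CA verified the organization exists and is in good standing",
        "EV": "CA verified the organization to the extended-validation standard",
    }
    return {
        "type": kind,
        "common_name": fields.get("commonName"),
        "organization": fields.get("organizationName"),
        "note": notes[kind],
    }


def check_live_host(hostname, port=443, timeout=5.0):
    """Fetch a server's certificate over TLS and classify it (needs network)."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return summarize_certificate(tls.getpeercert())


if __name__ == "__main__":
    for sample in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        print(summarize_certificate({"subject": sample}))
```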

Email Policy

From the very beginning we experimented with a variety of security measures. The first concern we had was somewhat selfish: how to avoid ending up in client spam folders. There is nothing worse than emailing a prospect or existing client only to find out that your message wasn’t delivered.

To combat this we did quite a bit of research around email best practice. One thing to keep in mind is that when you use an email provider or any other SaaS managed service like Google Workspace or Zoho, you will need to connect it on the backend to your web server. This involves all kinds of server side records such as CNAME, A, TXT, and more. When you send an email from your Zoho CRM or your POS system, you can’t sensibly have it coming from @zoho.com.

So this all needs to be properly configured on the backend along with some verification steps to prove your emails are actually coming from your business domain, better known as your web server. Below are some critical components to roll into your email configurations to ensure that the vast majority of your notes to clients are trusted and delivered spam free.

DKIM

DomainKeys Identified Mail is a record inside of your Domain Name System (DNS) that accompanies all your emails with a digital signature. This is a form of cryptographic signature that proves the email originated from the intended sender. It’s as if you have signed your emails yourself. This article by Google does a pretty good job of talking about the implementation of DKIM, which is a little confusing but not overly complicated.

While some of these system implementations might seem daunting, it’s usually more a lack of familiarity than true difficulty. At the end of the day, all you are doing is going into your server, picking the right kind of record (TXT) and then putting in a bit of code from the different systems that are going to send emails on your behalf so that your DNS knows to sign emails coming from those third-party providers. Once you get the hang of it, the configuration is pretty simple, so don’t be discouraged if it doesn’t “click” right away.

SPF

Sender Policy Framework is what authenticates the various servers that are sending emails on your behalf. Without getting too far into the technicals, the SMTP (simple mail transfer protocol) that helps power email across the globe is designed to let any computer request to send an email and define who is sending the email themselves.

Imagine that you are sending out a letter. You have the envelope in your hand and you decide to put someone else’s business mark on the envelope and their business information in the return address. Who is to say that you are lying from just looking at a sealed envelope?

SPF is a framework that designates who is allowed to send digital packages on behalf of a domain and deals with exactly this type of authentication. It is pretty similar to a watermark, and it is critical to help prevent things like spoofing. Servers are also more likely to trust a domain that can prove it came from where it claims. Many corporate systems are designed to screen out if an SPF validation fails as a standard best practice. Again, this is a relatively simple thing to add to your infrastructure and it is absolutely free. You just need to spend the time to navigate the specifications.

For a quick tutorial on how to implement, check out this article which may help. It’s specific to Google Workspace, but only insofar as the details. Generally speaking the process will always look this way and will just be differentiated in who you specify as authorized in the record.
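As an added, runnable illustration of the two TXT records described above (example code, not from the article or Google’s guide), the checks below parse an SPF record and a DKIM key record the way a receiving server reads them and flag the mistakes that most often break delivery. The domains, IP address, selector and key value are constructed.

```python
import base64
import binascii

# Constructed records, written as the TXT values would appear in DNS.
# The hostnames, IP address and selector are made up; the DKIM key is
# base64 of a placeholder string, not a real public key.
SAMPLE_SPF = "v=spf1 include:_spf.google.com include:zoho.com ip4:203.0.113.10 ~all"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=bm90IGEgcmVhbCBrZXk="

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most ten per check.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_DNS_LOOKUPS = 10


def audit_spf(record):
    """Parse an SPF TXT record and report the mistakes that bite in practice."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "problems": ["record must start with 'v=spf1'"],
                "lookups": 0, "all_qualifier": None}
    lookups = 0
    all_qualifier = None
    for index, term in enumerate(terms[1:], start=1):
        if "=" in term:  # modifier such as redirect=other.test or exp=explain.test
            if term.split("=", 1)[0].lower() == "redirect":
                lookups += 1
            continue
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism = term.split(":", 1)[0].split("/", 1)[0].lower()
        if mechanism in LOOKUP_MECHANISMS:
            lookups += 1
        if mechanism == "all":
            all_qualifier = qualifier
            if index != len(terms) - 1:
                problems.append("'all' should be the last term; anything after it is ignored")
            if qualifier == "+":
                problems.append("'+all' authorizes every host on the internet to send as your domain")
            elif qualifier == "?":
                problems.append("'?all' is neutral and gives receivers nothing to act on")
    if all_qualifier is None:
        problems.append("no 'all' term: senders not listed get no verdict at all")
    if lookups > MAX_DNS_LOOKUPS:
        problems.append(f"{lookups} lookup terms exceed the limit of {MAX_DNS_LOOKUPS}; receivers return permerror")
    return {"valid": not problems, "problems": problems,
            "lookups": lookups, "all_qualifier": all_qualifier}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM and DMARC share this shape)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def audit_dkim(record):
    """Check the DKIM public-key record published at <selector>._domainkey.<domain>."""
    tags = parse_tags(record)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1 if present
        problems.append("version tag must be 'DKIM1'")
    key_type = tags.get("k", "rsa")
    if key_type not in {"rsa", "ed25519"}:
        problems.append(f"unknown key type '{key_type}'")
    if "p" not in tags:
        problems.append("missing 'p=' public-key tag")
    elif tags["p"] == "":
        problems.append("empty 'p=' means the key is revoked; every signature will fail")
    else:
        try:  # whitespace inside the value is allowed and must be stripped first
            base64.b64decode("".join(tags["p"].split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("'p=' is not valid base64")
    return {"valid": not problems, "problems": problems, "key_type": key_type}


def dkim_record_name(selector, domain):
    """The DNS name a receiver queries for the key named in a signature's s= tag."""
    return f"{selector}._domainkey.{domain}"


if __name__ == "__main__":
    print(audit_spf(SAMPLE_SPF))
    print(dkim_record_name("mail", "example.test"), audit_dkim(SAMPLE_DKIM))
```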

S/MIME

In much the same way that a certificate authority can validate your domain, you can also use them to validate a number of other systems, applications, servers, and more. S/MIME, or Secure/Multipurpose Internet Mail Extensions, is a widely accepted standard for enhancing the validity of your digital email signature. It helps to establish what is called an SSL/TLS connection via email which means that you can essentially shake hands with the person you are sending a message to and then establish an encrypted pipeline to send your message. If you’re sending any confidential information across email, this is critical. As a side note, your standard website SSL certificates will not cover S/MIME.

These certificates need to be one certificate to one email, so each person in your organization would need a distinct certificate created. This presents a challenge for our business because we use contract workers on some of our projects who need to have a company address. There are a number of ways to get around this, but your best bet is to set up an enterprise relationship with a certificate authority. They will often work with you to help keep costs down.

In keeping with some free ideas, you can find free S/MIME certificates out there from validated parties. Actalis is one we used early on that is generally accepted, but just like the OV and EV examples before, these S/MIME certificates are only the very basic credentials you’ll need to validate your organization. If you are just getting familiar with these types of tools, you may want to start here and graduate up as your organization becomes more sophisticated. However, our recommendation would be to get set up with at least an OV S/MIME certificate as you are setting up your systems. These are much faster to get implemented, less expensive than an EV certificate, and will allow you to get the basic levels of authenticated messaging covered while you build your infrastructure.

DMARC

Domain-based Message Authentication, Reporting, and Conformance is another critical step in the process of setting up your secure infrastructure. It is also the one we had the most difficulty implementing. DMARC policy isn’t a one-step implementation; it instead takes some time to evaluate, analyze, and then configure.

The premise behind DMARC is to set up a system for reporting on the SPF and DKIM policies. It tells the receiver of the email message what your policy is and says what to do if a sender claiming to be from your domain does not have these signatures to accompany the message. Essentially it makes it easier for the receiving inbox to determine whether to accept, quarantine (junk), or reject outright the inbound message.

When searching for an email provider, it is important to ask them whether they support DMARC. From the get-go, if you are using a provider that does not support this type of policy it should raise some red flags about their overall security and data policies.

The reason DMARC is a little confusing is that at first it is mostly just a reporting tool. You implement it to tell receivers to “allow all messages” regardless of whether they have the proper cryptographic signatures and header records. When a server receives your emails they will send you a zip file report back that tells you the details of all the email meta data so you can review and determine if everything is configured properly.

When you first open these zip reports it seems much more technical than it really is. The reason is that they are all written in XML, which can be challenging to read. Essentially, what you are looking for is to see if the SPF and DKIM are marked as “pass” for each message. You are also looking for “fails” and then investigating whether it is a legitimate sender that needs some additional DKIM/SPF configuration, or a spoof that should be ignored by the email recipient.

Once you go through this for a period of time and feel confident your sender configurations in your server are working as they should across your whole tech stack, you can begin to implement more restrictive instructions in your DMARC policy. You will need to go in and update the TXT record in your DNS to essentially tell receivers of your messages to “enforce” the DMARC policy on their servers. Usually this involves setting a Quarantine policy with a few extra parameters. You gradually put the policy into production over time. For us, this was over a matter of months.
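As an added example of the report-reading and rollout steps just described (example code, not from the article), the script below unpacks an aggregate report attachment, separates sources that pass from legitimate-but-misaligned third parties and from unauthenticated spoofing, and only then decides whether the published policy can step up from none to quarantine. The report, domains and IP addresses are constructed, and the “nothing legitimate is still broken” threshold is this example’s own rule of thumb, not part of the specification.

```python
import gzip
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C layout. Domains,
# addresses and counts are made up. A real one lands in the mailbox named by
# the rua= tag of your DMARC record, usually as a .zip or .gz attachment.
SAMPLE_REPORT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <policy_published><domain>example.test</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results><dkim><domain>example.test</domain><result>pass</result></dkim>
      <spf><domain>example.test</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results><spf><domain>bulk-sender.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results><spf><domain>example.test</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""
POLICY_STEPS = ["none", "quarantine", "reject"]


def make_zip_attachment(xml_text):
    """Build the .zip a receiver would attach (constructed so the example runs offline)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("report.xml", xml_text)
    return buf.getvalue()


def make_gzip_attachment(xml_text):
    """Some receivers send .gz instead of .zip; build that variant too."""
    return gzip.compress(xml_text.encode("utf-8"))


def load_report(attachment):
    """Unpack a .zip or .gz report attachment and parse the XML inside."""
    if attachment[:2] == b"\x1f\x8b":  # gzip magic bytes
        return ET.fromstring(gzip.decompress(attachment))
    with zipfile.ZipFile(io.BytesIO(attachment)) as archive:
        name = next(n for n in archive.namelist() if n.endswith(".xml"))
        return ET.fromstring(archive.read(name))


def summarize(report):
    """One row per sending source: did it pass DMARC, and what should you do about it?"""
    rows = []
    for rec in report.iter("record"):
        evaluated = (rec.findtext("row/policy_evaluated/dkim"), rec.findtext("row/policy_evaluated/spf"))
        raw_results = [r.text for r in rec.findall("auth_results/*/result")]
        dmarc_pass = "pass" in evaluated  # DMARC passes if either aligned check passes
        if dmarc_pass:
            triage = "aligned pass: nothing to do"
        elif "pass" in raw_results:
            # Authenticated, but for some domain other than the From: header, which is
            # what a CRM or newsletter tool sending through its own domain looks like.
            triage = "misaligned: legitimate third party that needs DKIM/SPF set up for your domain"
        else:
            triage = "unauthenticated: likely spoofing, safe for receivers to reject"
        rows.append({"source_ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count")),
                     "dmarc_pass": dmarc_pass, "triage": triage})
    return rows


def recommend_policy(rows, current="none"):
    """Step p= up one notch only when no legitimate sender is still misaligned.

    This threshold is the example's own rule of thumb, not part of the DMARC spec."""
    still_broken = [r for r in rows if r["triage"].startswith("misaligned")]
    if still_broken or current == "reject":
        return current
    return POLICY_STEPS[POLICY_STEPS.index(current) + 1]


def dmarc_txt_record(policy, report_address):
    """The TXT value published at _dmarc.<domain>; rua= is what makes reports arrive."""
    return f"v=DMARC1; p={policy}; rua=mailto:{report_address}"


if __name__ == "__main__":
    rows = summarize(load_report(make_zip_attachment(SAMPLE_REPORT_XML)))
    print(rows, dmarc_txt_record(recommend_policy(rows), "dmarc-reports@example.test"))
```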

Here are some important links on DMARC which will help you dig into the statements above:

DMARC is an email tool and configuration that will significantly improve your delivery rates with clients and potential customers. It is worth prioritizing from the very beginning if email delivery is important to your business.

Data Encryption

Data encryption is a critical component of your security system and in most cases something that can be engineered into all of your data. There are some sophisticated encryption methodologies and some simple ones we employ to keep our client data secure.

For one thing, we try to have everything configured to be encrypted in transit as well as at rest. Encrypted at rest is just what it sounds like: encryption on the files themselves. You can imagine it in an email as the difference between having a secure connection and having a password on a PDF attachment.

We take this pretty seriously because in many ways this is the last line of defense if everything else fails. Encryption at rest is one of the core principles in our data philosophy because we are dealing with more than just sensitive data, we’re dealing with confidential data as well. Again, most of the time this is just a check box on your local machine settings, your file servers, and backup disks. Sometimes, like in a database, it requires a bit of configuration in code, but generally speaking you can protect most of your local and cloud files at no additional cost to your business.

Our local machines use hard drive encryption software called FileVault, which we also use on our backup hard disks. But for other systems, we sometimes have to do a bit of configuration or look to something more specialized. That is also why we use products like Google Workspace for our cloud storage and business management. Even without encryption at rest configured here, there is a minimum level of trust that the default encryption is industry grade and the product is user friendly. However, you can also configure additional client-side encryption to add controls to how individuals you are working with access and use data. This type of client-side encryption can be configured on more than just data files. It can be added to your email server, video meetings, and calendar.

Backups

Backup, backup, backup. You want to back up everything and you want it backed up often. Depending on your architecture you may have a variety of backup needs. Local files need a form of storage that is safe and secure. It doesn’t need to be complicated, but having a block of solid-state drive space is a must.

Cloud storage is another option, but we find it to be generally more expensive than a local hard drive. For example, an Apple cloud storage plan can cost up to $120 per year for a terabyte of data. The same local storage on a decent SanDisk SSD can cost less than $80 for a lifetime. While there are advantages and disadvantages to having storage locally, the point is that you have options.

Another consideration is your cloud files. While these are technically built with all kinds of redundancies, backing up your cloud files in a separate location can be both a safeguard and in some cases a necessary compliance requirement. How and where you store these backups can also be a consideration. Generally speaking, we err on the side of caution and have systems in place to ensure our file systems can always be restored even under the worst circumstances.

Lastly, your website. We’ve gone through a number of iterations of managed backup plugins that are relatively inexpensive. However, I find them to be buggy and a little difficult to manage. If you’re looking for another way, consider doing a bit of research on SFTP through programs like FileZilla. Using Secure File Transfer Protocol (SFTP) and a few simple commands in your terminal can give you the flexibility to regularly pull backups and store them locally in your encrypted environments, which can be extremely helpful if you are also managing your own website. We use both. For some instructions from WordPress on using SFTP through FileZilla, take a look here.

Antivirus Software and Threat Monitoring

This is absolutely critical. Most industry standard software is somewhat similar. If you do enough digging every one of them has some pros and cons. However, going with a name brand company gives you some basic peace of mind that they know what they are doing. We use Norton 360, but you can pick from a laundry list of other providers.

If you are using an Apple device, don’t fall into the trap of assuming that your Mac is safe. The world has changed since the days when Unix was off-limits to hackers, malware, and viruses. We protect our computers and our phones. The cost is minimal and it absolutely reduces our risk. Most providers also offer a number of additional services like web monitoring and VPNs. More on that later.

Regarding our Cloud infrastructure, would you believe these require some threat monitoring and controls too? We use a provider named spin.ai to check for all kinds of threats across our Google Workspace, Google Cloud, and CRM instances. Don’t let the janky site fool you; these are approved partners within the Google ecosystem specifically for cloud security. The product gets pricey on a yearly basis, but it covers us in terms of cloud backups, monitoring for sensitive stored data, bad application installations by our team, and links to external people through our file system. Have you ever shared a folder with someone outside your organization and then forgot about it? Those pesky “allow anyone to access” links to the outside world can become a long-term problem if they aren’t regularly reviewed and deprecated. Think of Spin as a command center for your system architecture. Again, this is not for every business use case, but for us it made the process of setting up and establishing another line of defense easy and seamless.

Virtual Private Networks

Every time you connect to a public network you are putting data at risk. As with all these topics, it’s not a problem until it is. For all the encryption standards we employ, logging into the Wi-Fi in the Delta Lounge still comes with risks. I tend to be mobile a lot of the time, so coffee shops, libraries, and even other company networks are frequent connection points to the outside world.

One of the absolute necessities in our organization is having a strong VPN provider. Virtual Private Networks are one of the tools I use most. As with antivirus software, there are things you want to consider when picking a provider, namely how they log your browsing history. We look for providers that attest to retaining none of the browsing history or data of their clients. We use NordVPN, but you can also use a multitude of other providers. Our antivirus software through Norton also provides one free with their plan.

The general principle behind a VPN is that it creates a link between your computer and the VPN servers before you connect to the greater internet. In doing so, your transmissions are masked behind another closed network to prevent them from being intercepted.

As with everything else, this is not a complete solution to all your data security needs, but it does provide some assurance that your connection is secure and can’t be read by an outside party when you’re sitting in a crowded lobby on a public network. Again, make sure you use a reputable provider. Free services just are not going to cut it.

Conclusion

This outline represents a small fraction of the types of data and security considerations we use at Cimply. The configurations, options, and system gates you can create are almost endless. Each layer deeper you go with best practice, the more there is to configure. However, if you are thinking about how to build infrastructure in your business, it is worth taking the time to really think about your risk vectors and do everything possible to reduce your risk profile through best practice.

All this infrastructure we use keeps us thinking about what to consider next as we track down our goal to be a secure service provider. We also get a chance to really dig into the inner workings of enterprise solutions. Sometimes it is as much about learning as it is building a technology stack. Conceptually, PKIs, SSL, SSH, and other forms of endpoint protection are incredibly versatile and interesting.

I’ve mentioned this already, but we know that not everyone is going to need this much built into their business. Still, these points should help you think through the access points to your information and data. Sometimes these are obvious from the start and other times you have to learn as you go.

Everything we have built to date runs very lean, but that does not mean it is not sophisticated. As we’ve continued to build this out, we’re always looking at best practice documentation and stacking the blocks one at a time till we have a more complete structure. It has been a very rewarding exercise to configure each setting by hand one at a time.

One day we are most certainly going to hire a professional to help us continue to harden our systems and data, but until then, we’re making excellent progress doing some of these things ourselves and should be well prepared to spec this out when it comes time to bring someone else in to help.

In many cases we would never need to have this much protection and thought in our data systems, however we find that it really puts us in the shoes of client technicians. Then, when we are putting forth recommendations that affect one part of a company, we can thoughtfully consider the other areas of a business that might be impacted and the level of strain we are going to put on different resources across departments.

This is all a process of continuous improvement and continuing to build trust. Remember, this is the boring stuff, until you need it.
