editione1.0.0
Updated October 9, 2023You now have an inventory of devices, accounts, and tools used; you have a strategy for keeping devices used (work or personal) secured; the last step we want to talk through is securing the accounts and tools you listed. We will use tools and accounts interchangeably here, this is because they are quite synonymous in this context. We are referring to any software or website (or Software as a Service) that you use for your business and you need to log in for.
We split this into two sections to tackle two very common licensing situations: tools where most of your team need access, and specialized tools where only a limited few require access.
For tools that nearly everyone needs to access, the options are:
Have users sign up or sign in using your email provider (single sign-on).
Have users create an account and generate a unique and long password from their password manager. (If the account is higher risk or if you want to require it, configure your team’s access to require 2FA.)
You can see how easy the first option is, hence why we recommend it! You should opt as much as possible for tools that allow you to sign in with your email provider. This is also sometimes referred to as single sign-on, meaning you use one single set of login details for your email provider to access your email and other accounts.
A few years ago, this type of feature might have cost a bit extra. Nowadays, most entry-level or free pricing offer this as a base feature. This is great for a few reasons:
It allows you to control access from one central point. This means if your staff leave, you only have to worry about removing them from one account rather than many.
It allows you to take advantage of strong security with your email provider to protect these other tools. Let me let you in on a developer secret: creating a way for users to log into software is easy. Making it secure—not so much. If a developer can just hook their system up so that the email provider has to do all the hard work on securing things, they often will. The other positive here is that your email provider will require 2FA (because we already set that up before), so this account is also protected by that same two-step process. Win-win.
When going through your inventory of tools, or when assessing which tool to pick when signing up for a new one—check for and use single sign-on where possible. This is a great practice that will pay off later if you ever end up growing too, so start this habit early.
This won’t always be available, or it might only be available in tiers that are well outside your price point and are not worth the extra cost. This is entirely reasonable, and where you choose this path it will be critical to make sure the password used to sign up is unique and long. Previously, we spoke about giving your staff password managers, and this is where that really starts paying off. Have staff use their password managers in ways that make it frictionless to sign up and create unique passwords. This means having staff use browser-based plugins or extensions or mobile apps for their password managers, so when they are on a log in or sign up page, it does all the work for them. Generating and storing a password in their password manager is probably even faster and easier then them sitting and thinking of a password they use elsewhere and making sure it checks any specific password requirement boxes.
What about 2FA? Good security advice says “use 2FA wherever you can,” and we agree. If we are being honest with you though, you might opt to accept the risk of not forcing staff to use it for your truly lower-risk accounts. I can hear the audible gasps around the globe as people read this line, so let me explain how to make that risk call.
A tool is going to be higher risk and need 2FA if:
It has personal information (such as in the form of documents or data stored).
It is used for communicating with people (such as social media or marketing emails).
It has any financial data or use (such as invoicing, payroll, or accounting tools).
It holds control or access to important IT things (such as your website or domain name).
It relates to your email or website (but you already knew that from previous chapters, right?).
Unauthorized access to this account would not be acceptable to you and would be an incident you wouldn’t want to clean up (not that anyone would find them fun or opt in to one, but you get what we mean).
Those above need 2FA, and if they don’t currently provide it, I am sorry but you should spend the extra time to find a provider that does. Thankfully, to make sure you don’t spend much time on that, 2FA Directory shows you alternatives by type of tool.
Even if you want your staff to use 2FA, some tools might not allow you to enforce this. If a tool does not have any group management features, that means if someone signs up their account might exist in their own world—you might not have authorization rights (also called account rights) to control what they do inside the tool. This is why you need to support your staff when they sign up, and make sure they take the right steps at the start.
For all the other tools that don’t fall into the list above, you can make a call as a business owner about what you want to do. If the values of your organization prioritize security, or if you want your staff to follow a very security positive culture, you might want them to sign up for 2FA for everything. However, given the context we set out at the start of this part, you may opt to allow your staff to make the call when they sign up. Forcing them to use 2FA for every account if they don’t have a smartphone and therefore have to receive a SMS every time when their cellular coverage can sometimes be spotty—that might not be a fun experience. It would cause a negative association with this security control, which often leads to people finding creative ways around security. Reducing friction for your team can support a positive security culture, especially when your team might not be as technically savvy and these barriers might be harder for them to manage.
Now let’s get into those specialized tools. The most common examples are:
tools that don’t allow you to make unique, individual logins (such as most social media)
tools that are not widely used by the team and charge per user.
Regardless of which bucket it falls into, the solutions are the same.
Some accounts we need might not let us set up individual accounts. Twitter and other social media accounts are perfect examples of this. Others might be quite special-use tools that have a high cost associated with each user you sign up for. We will preface this: we are not lawyers, just people trying to run a small, growing business as best we can. You have to be mindful of all the tools and accounts you pay for, and the type of licenses you use. Now, we are not telling you to break terms of service of your tools. We are just saying that if only one or two people on your team require access to a specialized tool, and they don’t use it at the same time—buying a single license might be a cost effective option for you.
As a business owner, you need to have access to manage the licenses or accounts your business pays for. You need to be able to access payment details, license details, and other information that your team won’t need. You might access them through the same login you use to access the tool itself, or you might have the ability to give the license key to the staff member who has downloaded and uses the software. Either way, you will have the need to share something secret with someone else.
You don’t want to go against all the good advice you have gone through in this part and share that account login or secret key via email or written down on a Post-it Note on the office desk. There are safer and even smarter ways to handle this.
We spoke earlier about team password managers, and how they give you the ability to share secrets with others on the team. This is a perfect use case for using those secret sharing features. This allows you to retain and control access, while also giving it to those on your team that might need access to that account or key.
Now that you’ve inventoried these business accounts and devices, you can have a digital board or internal team wiki pages that capture the tools that your team uses and what data they store. Your team will also have better techniques for securing their individual accounts and securely sharing the others. This inventory you have will change over time, and having this all captured in a central place means it can be a team effort to keep this updated.