Security Baselines on a Shoestring ================================== Slide 1: Security Baselines on a Shoestring Narration Anna: This section sets up Security Baselines on a Shoestring. Treat it as the frame for the decisions, handoffs, and evidence that appear in the next slides. Greg: The practical question is simple: by the end, what should a junior IT professional be able to explain, check, or document in a real workplace? On-screen text Security Baselines on a Shoestring Keep founders secure without burning the runway - Security debt accrues interest; early baselines keep future compliance projects from exploding in cost. - Compliance basics like GDPR Article 32 or SOC 2 CC6 expect controls even at ten-person scale; ignoring them stalls enterprise momentum. Slide 2: Security 101: Threats that sink startups Narration Anna: [inviting] Imagine your seed-stage startup spending more on coffee than on security tooling. Greg: Yet the board still expects you to survive a phishing email or a stolen laptop without dialing 911 for IT. Anna: We will decode the jargon, translate compliance checklists, and show which controls actually buy you sleep. Greg: Think of us as your pragmatic advisor and technical translator, tag-teaming to stretch every security dollar. On-screen text Security 101: Threats that sink startups - Phishing is the con-artist email that steals passwords and invoices; ransomware locks files until you pay in crypto; insider mistakes leak customer data without malice. - Attackers do not check your runway before blasting campaigns—see the 2023 Mailchimp breach that let intruders pivot into countless small SaaS companies. - One lost laptop without encryption can trigger GDPR breach notices or torpedo a SOC 2 deal worth six figures of ARR. - Baselines do not guarantee invincibility, but they stack the odds so that common incidents are expensive inconveniences instead of existential crises. - Security debt accrues interest; early baselines keep future compliance projects from exploding in cost. - Compliance basics like GDPR Article 32 or SOC 2 CC6 expect controls even at ten-person scale; ignoring them stalls enterprise momentum. Slide 3: Security jargon decoder for new IT pros Narration Anna: Security jargon decoder for new IT pros focuses attention on a concrete part of the work. MFA (multi-factor authentication): extra proofs like a YubiKey or authenticator app layered on top of passwords so stolen credentials alone fail, SOC (security operations centre): humans plus tooling watching telemetry to spot and respond to suspicious activity—think night-shift security guards with dashboards, and SIEM (security information and event management): the log brain collecting alerts from identity, endpoint and cloud systems for the SOC to interpret. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: SOC (security operations centre): humans plus tooling watching telemetry to spot and respond to suspicious activity—think night-shift security guards with dashboards; SIEM (security information and event management): the log brain collecting alerts from identity, endpoint and cloud systems for the SOC to interpret; MDM (mobile device management): software that enforces encryption, patching and remote wipe on laptops and phones—even from a beach Wi-Fi connection. On-screen text Security jargon decoder for new IT pros - MFA (multi-factor authentication): extra proofs like a YubiKey or authenticator app layered on top of passwords so stolen credentials alone fail. - SOC (security operations centre): humans plus tooling watching telemetry to spot and respond to suspicious activity—think night-shift security guards with dashboards. - SIEM (security information and event management): the log brain collecting alerts from identity, endpoint and cloud systems for the SOC to interpret. - MDM (mobile device management): software that enforces encryption, patching and remote wipe on laptops and phones—even from a beach Wi-Fi connection. - Zero trust: the philosophy that every access request must prove it is legitimate, no matter the network location or job title. Slide 4: Why baselines still matter when cash is tight Narration Anna: [pragmatic] First, let’s level-set the threat landscape—phishing, ransomware and accidental leaks do not wait for Series B funding. Greg: Customers know it too, which is why GDPR clauses and SOC 2 questionnaires now hit before the second sales call. Anna: A written baseline becomes the playbook you hand contractors, fractional CISOs and auditors so everyone enforces the same guardrails. Greg: With that context set, we can prioritize the handful of controls that stop the bleeding fastest. On-screen text Why baselines still matter when cash is tight - Investors, enterprise customers and cyber insurers now bake security questionnaires into contracts; failing them can delay six-figure deals by months. - Real incidents are brutal: Code42 reported $4M in recovery costs after a ransomware hit, and password reuse enabled the LastPass breach that rippled through startups for weeks. - Regulations like GDPR and US state privacy laws mandate timely breach reporting and fines; strong baselines reduce both likelihood and penalties. - Sleep matters: leaders who know patching, backups and access reviews are humming can focus on product, not worst-case tabletop fantasies at 2 a.m. - Documented guardrails turn ad-hoc heroics into repeatable habits that contractors, MSPs and auditors can understand instantly. Slide 5: Essential controls triage (with real stakes) Narration Anna: [focused] Start with four anchors: phishing-resistant MFA, a shared password vault, automatic patching and resilient 3-2-1 backups. Greg: If you cannot prove who logged in, whether the laptop was healthy, or that data is recoverable, every other control is theatre. Anna: Hardware keys for admins and $20-per-user password managers are cheaper than the revenue lost during a forced credential reset week. Greg: Nail these basics and you are ready to treat identity as the new perimeter, which is exactly where we go next. On-screen text Essential controls triage (with real stakes) - Start with MFA everywhere: hardware keys for admin roles and phishing-resistant app prompts for staff; a $70 YubiKey beats weeks of resetting compromised SaaS portals. - Mandate a team password manager so shared credentials and API tokens live in audited vaults; cite the LastPass cascade as the cautionary tale for storing secrets in docs. - Automate patching by enabling auto-update channels and alerting on drift—missing a browser patch enabled the 0-day that hit Uber’s contractor in 2022. - Follow the 3-2-1 backup pattern with offline snapshots so ransomware can’t wipe both production and synced cloud drives in one shot. - Expect to spend $15–$25 per person monthly for MFA, password management and backup tooling combined—less than catered coffee yet business-saving. Slide 6: Identity and access on a lean budget Narration Anna: [analytical] Identity is the control plane, so treat Workspace or Entra ID as the perimeter you can actually defend. Greg: Our technical translation: block legacy auth, require healthy devices, and script joiner-mover-leaver flows so access changes within minutes. Anna: Quarterly access reviews become storytelling moments—"here’s who lost admin rights and how we mitigated the risk." Greg: With accounts locked down, it’s time to harden the laptops and phones people carry into coffee shops. On-screen text Identity and access on a lean budget - Use Google Workspace or Entra ID as the identity backbone, enforcing zero-trust defaults like blocking legacy IMAP and requiring device compliance for sensitive apps. - Configure conditional access like a bouncer who actually checks IDs, evaluating location, device health and role before opening the velvet rope. - Automate joiner/mover/leaver steps with HRIS webhooks or low-code scripts so account creation and revocation happen within minutes, not when someone remembers. - Demonstrate cost-benefit: a $6/month automation beats the $30k bill from a disgruntled ex-contractor who retained production access. - Run quarterly least-privilege reviews with founders and functional leads so business context guides access trims instead of blunt, confusing removals. Slide 7: Device security without a full IT team Narration Anna: [grounded] Devices are still where breaches begin, especially when the team is scattered across kitchen tables and coworking hubs. Greg: Lightweight MDM like JumpCloud or Kandji enforces encryption, patch automation and remote wipe for less than a nice lunch. Anna: Pre-built recovery kits mean a stolen laptop triggers a one-hour replacement play, not a two-week GDPR panic. Greg: Once endpoints behave, we can tackle the SaaS sprawl and "don’t tell mom" apps that hide outside IT. On-screen text Device security without a full IT team - Adopt lightweight MDM such as Kandji, JumpCloud or Intune Business Premium for <$10 per user; they handle encryption enforcement, firewall, screen-lock timers and lost-device wipes. - Share the coffee-shop cautionary tale: a stolen laptop once forced a two-week scramble because no remote wipe existed—MDM turned the sequel into a two-hour non-event. - Pre-register hardware keys and recovery contacts in the MDM so replacements ship ready to go, avoiding frantic setup calls during an incident. - Segment update rings to push critical patches within 24 hours, with dashboards that flag stragglers before auditors or malware do. - Document DIY checklists for founders covering "power wash and redeploy" steps so basic remediation doesn’t require heroics from the sole IT contractor. Slide 8: SaaS and network hygiene (with a wink) Narration Anna: [strategic] SaaS bloat sneaks up faster than payroll, so shine a light on every subscription and browser plug-in. Greg: Finance exports, SSO logs and discovery add-ons expose the "free" tools bypassing MFA, logging and data retention commitments. Anna: We pair that visibility with DNS filtering—the remote-friendly firewall that blocks malware domains before anyone clicks. Greg: With the app layer tidy, we can decide whether to build detection in-house or rent a virtual SOC bench. On-screen text SaaS and network hygiene (with a wink) - Centralise SaaS discovery using finance exports, browser extensions and SSO logs to expose the "don’t tell mom" shadow IT apps before compliance teams do. - Force SSO or at least MFA on critical services; disable password-plus-email logins where possible so phishing kits meet dead ends. - Deploy DNS filtering via NextDNS or Cloudflare Teams as the remote-friendly firewall that blocks malware domains without shipping firewalls to apartments. - Catalogue vendor data locations, default retention and breach playbooks so customer questionnaires and GDPR Article 30 records are answered without panic. - Sprinkle humour in onboarding: "Security hygiene—like dental hygiene but with fewer cavities and more credentials." It sticks better than policy PDFs. Slide 9: Outsourced detection and monitoring options Narration Anna: [reassuring] You do not need a 24/7 internal SOC; you need trustworthy humans on retainer who know your environment. Greg: Huntress, Arctic Wolf or Defendify drop straight into Slack with curated alerts and human analysts translating the noise. Anna: Negotiate the playbook now—who calls whom at 2 a.m., how fast they escalate, and what evidence they collect. Greg: Keep an internal owner accountable so the MSSP augments your team instead of becoming an expensive scapegoat. On-screen text Outsourced detection and monitoring options - Virtual SOC subscriptions such as Arctic Wolf, Huntress or Defendify start near $1,000/month for sub-50 seat companies—cheaper than even a part-time analyst. - Demand service-level clarity: 24/7 alerting, one-hour escalation on critical issues, and monthly playbook alignment sessions to keep context fresh. - Share a scenario: "Arctic Wolf flags suspicious PowerShell on the marketing laptop—do we investigate or snooze?" Walk the leadership team through the response path now. - Treat MSSPs as staff augmentation by assigning an internal owner who reviews reports, tunes detections and ensures lessons become updated baselines. - Bundle basic compliance outputs—GDPR incident logs, SOC 2 evidence folders—so outsourced monitoring directly supports audits rather than adding parallel work. Slide 10: Lightweight telemetry stack (aka digital breadcrumbs) Narration Anna: [technical] Even on a budget we can centralise the signals that matter by treating telemetry as our flight recorder. Greg: Wazuh, Elastic Agent or Panther Community keep costs low while Tines-style automation enriches alerts with owner, criticality and runbook links. Anna: Prioritise identity, endpoint and cloud audit trails—the logs that tell us who did what, where and when. Greg: Once those breadcrumbs are flowing, the culture work kicks in to make every teammate part of the detection surface. On-screen text Lightweight telemetry stack (aka digital breadcrumbs) - Telemetry is your flight recorder: aggregated logs that reconstruct who did what, when, and from where when something smells off. - Prioritise identity, endpoint and cloud audit trails first; skip the noisy firewall syslog until you have people to interpret it. - Choose approachable tooling—open-source Wazuh or Elastic Agent, or affordable SaaS like Panther community or Tines workflows—that integrates alerts and automation without six-figure spend. - Set retention tiers such as 30 days of hot searchable data and 180 days of cold storage to satisfy regulator or customer inquiries without blowing S3 budgets. - Enrich alerts automatically with asset owner, data sensitivity and relevant runbook links so responders can move from "what happened?" to "what’s next?" in minutes. Slide 11: Everyday hygiene culture (keep it human) Narration Anna: [playful] Remember the classic "have you tried turning it off and on again?" We weaponise that humour for patch hygiene. Greg: Scheduled reboot windows, phishing drill shout-outs and coffee vouchers for first reporters make security feel winnable, not punitive. Anna: Publishing MFA and patch scoreboards sparks friendly competition, proving culture change without shame. Greg: That energy sets the stage for calm incident response rehearsals instead of panicked, once-a-year checkbox exercises. On-screen text Everyday hygiene culture (keep it human) - Embed the "have you tried turning it off and on again?" meme into operations hours to normalize quick patch restarts instead of procrastination. - Publish a monthly hygiene scoreboard showing MFA coverage, patch compliance and phishing-sim click rates; celebrate the teams hitting targets with shout-outs, not shaming. - Rotate mini-drills so every department experiences a simulated password reset, lost device or SaaS lockout—muscle memory beats policy binders during stress. - Encourage "see something, say something" with Slack emojis or forms for suspicious emails; reward the first reporter with coffee vouchers to reinforce good instincts. - Remind the crew: "Security hygiene—like dental hygiene but with fewer cavities and more credentials." Repetition cements culture. Slide 12: Incident readiness without big spend Narration Anna: [calm] Preparation is the cheapest resilience—two-page runbooks, crisis comms templates and a speed-dial list beat Slack archaeology at 3 a.m. Greg: Free tabletop guides from CISA or your insurer give you structure without consultancy rates or slide decks thicker than the product roadmap. Anna: Capture lessons learned immediately so scripts, automations and contact trees evolve alongside the business. Greg: Those notes flow straight into the roadmap we’ll walk through next, keeping momentum without overwhelming lean teams. On-screen text Incident readiness without big spend - Draft two-page runbooks for ransomware, account takeover and lost devices, mapping decision trees, evidence collection and external counsel contacts. - Pre-stage crisis comms templates, insurance hotline numbers and legal counsel retainer agreements so you are not googling at 3 a.m. under duress. - Schedule quarterly tabletop exercises using free CISA or vendor guides; assign clear narrator, responder and observer roles to maintain engagement. - Capture lessons learned in a shared playbook repository, updating baselines, automation scripts and vendor contacts immediately. - Align digital forensics steps with legal hold obligations early; even startups may face discovery requests from enterprise customers or regulators. Slide 13: Real-world failure stories (and recoveries) Narration Anna: Real-world failure stories (and recoveries) focuses attention on a concrete part of the work. Case 1: A Series A fintech lost six months of revenue when ransomware encrypted production and backups stored in the same cloud zone—3-2-1 backups would have cut downtime to hours, Case 2: A biotech lost a seven-figure pharma partnership after failing a basic SOC 2 questionnaire because only 40% of staff used MFA; remediation plus proof regained trust the following quarter, and Case 3: A hardware startup’s unencrypted demo laptop was stolen at a conference, triggering GDPR reporting and delaying their EU launch by eight weeks. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Case 2: A biotech lost a seven-figure pharma partnership after failing a basic SOC 2 questionnaire because only 40% of staff used MFA; remediation plus proof regained trust the following quarter; Case 3: A hardware startup’s unencrypted demo laptop was stolen at a conference, triggering GDPR reporting and delaying their EU launch by eight weeks; Flip side: A small marketing agency stopped a phishing campaign cold because their password manager and security awareness nudges trained staff to report suspicious invoices immediately. On-screen text Real-world failure stories (and recoveries) - Case 1: A Series A fintech lost six months of revenue when ransomware encrypted production and backups stored in the same cloud zone—3-2-1 backups would have cut downtime to hours. - Case 2: A biotech lost a seven-figure pharma partnership after failing a basic SOC 2 questionnaire because only 40% of staff used MFA; remediation plus proof regained trust the following quarter. - Case 3: A hardware startup’s unencrypted demo laptop was stolen at a conference, triggering GDPR reporting and delaying their EU launch by eight weeks. - Flip side: A small marketing agency stopped a phishing campaign cold because their password manager and security awareness nudges trained staff to report suspicious invoices immediately. - Share these stories to underline that controls are not academic—they protect cash flow, contracts and credibility. Slide 14: 30/60/90-day implementation roadmap Narration Anna: [motivating] Sequencing keeps the workload sane—MFA, vaulting and inventory in the first sprint, then SOC contracts and table-tops as confidence grows. Greg: By day 60 the outsourced analysts know your escalation path; by day 90 you are iterating telemetry instead of firefighting. Anna: Wrap every sprint with metrics: MFA coverage, patch SLAs, incidents closed internally versus escalated. Greg: Those benchmarks become the board slide that proves security spend is disciplined, compliant and revenue-enabling. On-screen text 30/60/90-day implementation roadmap - Day 0–15: Inventory devices and SaaS apps; roll out password manager and MFA, so when the CFO can’t log in on day 15 the reset takes 30 seconds instead of a 30-minute IT fire drill. - Day 16–30: Finalize baseline document, communicate expectations, and start DNS filtering pilots while measuring adoption. - Day 31–60: Deploy MDM, automate backups and sign the outsourced SOC contract; rehearse escalation paths with a "suspicious PowerShell" scenario run-through. - Day 61–90: Tune telemetry alerts, run the first tabletop exercise, and complete an access review with board-visible metrics and remediation owners. - Close each sprint with retro notes so improvements compound without adding headcount. Slide 15: Metrics the board will back (with benchmarks) Narration Anna: Metrics the board will back (with benchmarks) focuses attention on a concrete part of the work. Track MFA coverage above 95%, device compliance above 90% and mean time to patch critical updates within 24 hours—align these with SOC 2 and cyber insurance requirements, Compare cost per secure seat (<$50/user/month for sub-100 companies) against ARR impact from accelerated enterprise deals to prove ROI, and Report incidents contained internally versus escalated to the MSSP within four hours; highlight trend improvements quarter over quarter. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Compare cost per secure seat (<$50/user/month for sub-100 companies) against ARR impact from accelerated enterprise deals to prove ROI; Report incidents contained internally versus escalated to the MSSP within four hours; highlight trend improvements quarter over quarter; Show evidence of continuous improvement: updated baseline documentation, completed training, audit-ready logs and privacy impact assessments. On-screen text Metrics the board will back (with benchmarks) - Track MFA coverage above 95%, device compliance above 90% and mean time to patch critical updates within 24 hours—align these with SOC 2 and cyber insurance requirements. - Compare cost per secure seat (<$50/user/month for sub-100 companies) against ARR impact from accelerated enterprise deals to prove ROI. - Report incidents contained internally versus escalated to the MSSP within four hours; highlight trend improvements quarter over quarter. - Show evidence of continuous improvement: updated baseline documentation, completed training, audit-ready logs and privacy impact assessments. - Map progress to compliance checklists (GDPR Article 32, SOC 2 CC6, ISO 27001 A.8) so stakeholders see direct contributions to certifications and customer trust.