Security 101 for Seed Companies [All Free, Bare Minimum]
7 free ways for startups to improve IT & security: 2FA, secure Google accounts, separate cloud environments, GitHub rules, email protections, and MDM setup.
1) Set up 2FA in Google Workspace -> a super easy way to make your company not the lowest-hanging fruit for phishing
There’s a decent chance some of your employees’ passwords are horrendous, and compromised passwords remain one of the most common cybersecurity attack vectors. Simply configuring 3 settings for 2FA in Google Workspace will significantly mitigate phishing attacks.
Bonus tip (that costs money ~$5/employee/month): set up a password manager such as Keeper or 1Password
2) Don’t create shared Google user accounts (e.g. support@company.com) with a shared password -> that account is easier to compromise, you won’t be able to tell which person was compromised, and it adds unnecessary cost per Google account
Instead of creating a shared Google user account, create a single Google Group, set the group email to e.g. team@company.com, and toggle “Who can post” to “External” so people outside the org can write to it. This creates the email alias, and whoever is added to the Google Group can read and reply to that mail from their own account.
There are many security and operational benefits; to name a few: new Google user accounts cost money, while new Google Groups are free. A shared user account only works if you turn off 2FA for it, which is super bad, whereas a Google Group inherits whatever 2FA enforcement the org has set up, because each member signs in with their own account.
3) Separate out staging, production, and corporate/internal accounts for infrastructure providers such as AWS, Azure, and GCP -> it’ll be more painful the longer you wait, and it satisfies many controls for compliance frameworks such as SOC 2 Type 2 anyway
First, this is a far superior engineering practice anyway. Second, you will save yourself a lot of headache, as you’ll eventually need to have these separate accounts. For example, with Azure, moving credits between subscriptions (e.g. you got credits when you only had one account, and now you want to move them to a newly created production subscription) is very painful and sometimes not allowed. Even with AWS, moving resources between e.g. production and a newly created staging account is difficult.
4) In GitHub, turn on branch protection rules to prevent direct merging to main -> it’ll be painful to change people’s workflows later, and it satisfies many controls for essentially every compliance framework (such as GDPR, SOC 2 Type 2, etc.) down the road anyway
Even if the company is only one person, it’s important to get into the workflow of pull requests where somebody reviews code before it goes into production. This process scales, for example by layering in more code review or more developers, and it is an efficient way of satisfying the control that “code must be reviewed before merging into production”, a requirement of most compliance frameworks.
5) Turn on Dependabot in GitHub and fix high and critical alerts -> it will alert you to the most egregious application security (app sec) vulnerabilities
It alerts you to known vulnerabilities in your repository’s dependencies and automatically creates pull requests that bump many of them to a patched version. High and critical alerts need to be handled; the rest should be handled on a best-effort basis. There are other app sec software providers, many of which are more powerful, but this one is free with a normal GitHub license.
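The two GitHub rules above (no direct pushes to main, fix high and critical Dependabot alerts) can both be checked from the API responses GitHub already gives you. The script below is an added example, not code from the original post: it builds the branch-protection request body, audits an existing protection response, and triages Dependabot alerts into must-fix and best-effort buckets. The JSON documents in it are constructed samples with placeholder repo, package and advisory ids, so it runs offline; in real use you would feed it the responses from GET /repos/{owner}/{repo}/branches/main/protection and GET /repos/{owner}/{repo}/dependabot/alerts.

```python
"""Check two GitHub settings from the list above: main-branch protection and
open Dependabot alerts.

Added example, not from the original post. It works on JSON of the shape
GitHub's REST API returns from GET /repos/{owner}/{repo}/branches/main/protection
and GET /repos/{owner}/{repo}/dependabot/alerts. The documents below are
constructed samples (placeholder repo, package and advisory ids) so the script
runs offline; in real use, feed it the API responses instead.
"""
import json
from typing import Optional

MUST_FIX = {"critical", "high"}  # the post's rule: these get fixed, the rest best-effort


def branch_protection_payload(reviewers: int = 1) -> dict:
    """Request body for PUT .../branches/main/protection: no direct pushes,
    one approved pull request review, and no admin bypass."""
    return {
        "required_pull_request_reviews": {
            "required_approving_review_count": reviewers,
            "dismiss_stale_reviews": True,
        },
        "enforce_admins": True,
        "required_status_checks": None,  # add your CI checks here once they exist
        "restrictions": None,            # no per-user/team push allow-list
        "allow_force_pushes": False,
        "allow_deletions": False,
    }


def audit_branch_protection(protection: Optional[dict]) -> list:
    """Return problems with a branch's current protection. None stands for the
    404 GitHub returns when the branch is not protected at all."""
    if protection is None:
        return ["main is unprotected: anyone with write access can push to it directly"]
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("pull requests can be merged without an approving review")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("admins can bypass the rules")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes to main are allowed")
    if protection.get("allow_deletions", {}).get("enabled", False):
        findings.append("main can be deleted")
    return findings


def triage_dependabot_alerts(alerts: list) -> dict:
    """Split open alerts into must-fix (high/critical) and best-effort buckets,
    recording the package, the advisory id and the first patched version."""
    buckets = {"must_fix": [], "best_effort": []}
    for alert in alerts:
        if alert.get("state") != "open":
            continue  # fixed, dismissed or auto-dismissed alerts need no action
        vuln = alert["security_vulnerability"]
        severity = vuln["severity"].lower()
        patched = (vuln.get("first_patched_version") or {}).get("identifier")
        entry = {
            "package": vuln["package"]["name"],
            "severity": severity,
            "advisory": alert["security_advisory"]["ghsa_id"],
            "fix": patched or "no patched release yet: replace or pin a non-vulnerable version",
        }
        bucket = "must_fix" if severity in MUST_FIX else "best_effort"
        buckets[bucket].append(entry)
    return buckets


# Constructed samples (not real API output) for a placeholder repo.
SAMPLE_PROTECTION_WEAK = {  # reviews not configured, admins exempt, force pushes on
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}
SAMPLE_PROTECTION_GOOD = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-1"},
     "security_vulnerability": {"package": {"ecosystem": "npm", "name": "example-lib"},
                                "severity": "critical",
                                "first_patched_version": {"identifier": "2.0.1"}}},
    {"number": 2, "state": "open",
     "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-2"},
     "security_vulnerability": {"package": {"ecosystem": "pip", "name": "example-tool"},
                                "severity": "low", "first_patched_version": None}},
    {"number": 3, "state": "fixed",
     "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-3"},
     "security_vulnerability": {"package": {"ecosystem": "npm", "name": "example-lib"},
                                "severity": "high",
                                "first_patched_version": {"identifier": "1.9.0"}}},
]

if __name__ == "__main__":
    print("branch protection findings:", audit_branch_protection(SAMPLE_PROTECTION_WEAK))
    print("desired settings:", json.dumps(branch_protection_payload()))
    print("dependabot triage:", json.dumps(triage_dependabot_alerts(SAMPLE_ALERTS), indent=2))
```

To apply the payload to a real repo you can write it to a file and send it with the GitHub CLI, e.g. `gh api -X PUT repos/OWNER/REPO/branches/main/protection --input payload.json`; the audit function is written against the GET response shape (nested `{"enabled": ...}` objects), which differs from the flat PUT body, so the two are kept separate on purpose.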
6) Configure SPF, DKIM, and DMARC for email -> to increase email deliverability, as recently required by Gmail and Yahoo
Without getting into the nuances of the new Gmail and Yahoo requirements, just know that configuring these 3 DNS records will help with email deliverability. SPF lists which mail servers are allowed to send on behalf of your domain, so spammers can’t simply forge it; DKIM signs your outgoing mail so receivers can verify it really came from your domain and wasn’t altered in transit; and DMARC tells receivers what to do with mail that fails those checks (and where to send reports about it).
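Once the three records are published it is worth checking that they actually say what you think they say; a typo in any of them silently weakens the protection. The script below is an added example, not code from the original post: it parses the text of an SPF, DKIM and DMARC record and returns a list of findings (empty means the record looks sound). The sample records are constructed for example.com and the DKIM key blob is a placeholder of the right size rather than a real key, so no DNS lookup is made and the script runs offline. The SPF lookup limit of 10 comes from RFC 7208 and the DMARC policy values from RFC 7489.

```python
"""Sanity-check SPF, DKIM and DMARC TXT records before (or after) publishing them.

Added example, not from the original post. Each check_* function takes the
record text exactly as it appears in DNS and returns a list of findings.
Sample records below are constructed for example.com; no network access.
"""
import base64
import re

# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """Parse the 'k=v; k2=v2' tag list used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings, lookups, final = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            final = qualifier
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups; the limit is 10, receivers return permerror")
    if final is None:
        findings.append("no 'all' term: unlisted senders are neither passed nor failed")
    elif final == "+":
        findings.append("'+all' authorises every host on the internet to send as you")
    elif final == "?":
        findings.append("'?all' is neutral: unlisted senders are not rejected")
    elif final == "~":
        findings.append("'~all' is softfail only; move to '-all' once every sender is listed")
    return findings


def check_dmarc(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy is applied to only part of the mail")
    return findings


def check_dkim(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional in DKIM key records
        return ["not a DKIM key record (v= must be DKIM1 if present)"]
    if "p" not in tags:
        return ["no p= tag: not a usable DKIM key record"]
    if tags["p"] == "":
        return ["empty p= tag: key is revoked, signatures will fail"]
    findings = []
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return ["p= is not valid base64"]
    if len(key) < 294:  # DER-encoded 2048-bit RSA public key is 294 bytes
        findings.append(f"public key blob is {len(key)} bytes, shorter than a 2048-bit RSA key")
    return findings


# Constructed sample records for example.com (the DKIM blob is a placeholder, not a real key)
SPF_GOOD = "v=spf1 include:_spf.google.com -all"
SPF_BAD = ("v=spf1 a mx include:a.example include:b.example include:c.example include:d.example "
           "include:e.example include:f.example include:g.example include:h.example include:i.example +all")
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
DMARC_MONITOR_ONLY = "v=DMARC1; p=none"
DKIM_GOOD = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(294)).decode()
DKIM_REVOKED = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for label, fn, rec in [("SPF", check_spf, SPF_BAD), ("DMARC", check_dmarc, DMARC_MONITOR_ONLY),
                           ("DKIM", check_dkim, DKIM_REVOKED)]:
        print(label, fn(rec) or "OK")
```

In practice you would fetch the records first (the SPF and DMARC records live at `example.com` and `_dmarc.example.com`, the DKIM record at `<selector>._domainkey.example.com`) and pass their TXT text to these functions; the checks deliberately stop at syntax and policy strength and do not verify an actual signed message.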
7) Get a DUNS number, then set up Apple Business Manager (ABM) -> a DUNS number builds business credit and is required for ABM
Getting a DUNS number is free, but it takes up to a month to receive one, so it’s worth doing early (you can apply as soon as you’ve incorporated).
Getting ABM is also free. Among other benefits, it lets you automatically enroll new devices in mobile device management (MDM) software, and it is a scalable way to manage the company’s device inventory.