Guide 2026-03-29

Security & IT 101 for Seed Companies [All Free, Bare Minimum]

7 free ways for startups to improve IT & security: 2FA, secure Google accounts, separate cloud environments, GitHub rules, email protections, and MDM setup.

When you're a seed-stage startup, security probably isn't your top priority — and that's understandable. You're focused on product-market fit, hiring, and not running out of money. But a single security incident can end your company before it starts.

The good news? You don't need to spend a dime to dramatically improve your security posture. Here are 7 things every seed-stage startup should do immediately, all free or nearly free.

1. Enable 2FA Everywhere

Two-factor authentication is the single highest-impact security measure you can take. It prevents over 99% of credential-based attacks.

  • Google Workspace: Enforce 2FA for all users in Admin Console → Security → 2-Step Verification
  • GitHub: Require 2FA for your organization under Settings → Authentication security
  • AWS/GCP/Azure: Enable MFA on root and all IAM accounts
  • Slack, Notion, Linear: Enable 2FA in each tool's security settings

Pro tip: Use hardware security keys (YubiKey) or authenticator apps (1Password, Authy). Avoid SMS-based 2FA — it's vulnerable to SIM swapping attacks.

2. Lock Down Your Google Workspace

Google Workspace is the hub of most startups. A compromised Google account means access to email, docs, drive, and every OAuth-connected app.

  • Enforce strong passwords (12+ characters)
  • Disable less secure app access
  • Review and limit OAuth app permissions (Admin → Security → API controls)
  • Enable alerts for suspicious login activity
  • Set up Google Advanced Protection for founders and executives

3. Separate Cloud Environments

Never run production and development in the same cloud environment. This is a mistake that's easy to make early on and painful to fix later.

  • Create separate AWS accounts (or GCP projects) for dev, staging, and production
  • Use AWS Organizations or GCP Resource Manager to manage them
  • Apply the principle of least privilege — developers shouldn't have production access by default
  • Use separate databases for each environment (never seed dev with real customer data)

4. Set Up GitHub Branch Protection

A single bad commit to main can take down your product. Branch protection rules prevent accidental (or malicious) changes.

  • Require pull request reviews before merging to main
  • Require status checks to pass (CI/CD must be green)
  • Prevent force pushes to main
  • Require signed commits if possible
  • Enable Dependabot for automatic vulnerability alerts

5. Configure Email Authentication (SPF, DKIM, DMARC)

Email spoofing is one of the most common attack vectors. Without proper email authentication, anyone can send emails that appear to come from your domain.

  • SPF: Add a TXT record specifying which servers can send email for your domain
  • DKIM: Enable in Google Workspace Admin → Apps → Google Workspace → Gmail → Authenticate email
  • DMARC: Start with a monitoring policy (p=none), then move to p=quarantine or p=reject
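To check where a domain stands on the SPF and DMARC steps above, here is an added example (not code from this guide's authors) that audits TXT records you have already looked up. The function names and the sample records for the placeholder domain example.com are assumptions made for illustration.

```python
"""Audit SPF and DMARC TXT records offline (records are passed in as strings)."""

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_spf(apex_txt):
    """Findings for the TXT records at the domain apex; empty list means OK."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    if len(spf) > 1:
        return ["SPF: more than one v=spf1 record, receivers treat this as an error"]
    terms = spf[0].lower().split()[1:]
    # A bare "all" carries the default "+" qualifier.
    quals = [t[0] if t[0] in "+-~?" else "+" for t in terms if t.lstrip("+-~?") == "all"]
    if not quals:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy lives in the redirected record; audit that one
        return ["SPF: no 'all' mechanism, unlisted senders get a neutral result"]
    if quals[0] in "+?":
        return ["SPF: '%sall' does not restrict who may send" % quals[0]]
    return []

def audit_dmarc(dmarc_txt):
    """Findings for the TXT records at _dmarc.<domain>; empty list means OK."""
    recs = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["DMARC: expected exactly one v=DMARC1 record, found %d" % len(recs)]
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["DMARC: missing or invalid p= tag"]
    findings = []
    if policy == "none":
        findings.append("DMARC: p=none only monitors, move to quarantine or reject")
        if "rua" not in tags:
            findings.append("DMARC: p=none without rua= collects no reports")
    return findings

# Constructed sample records for the placeholder domain example.com.
SAMPLE_APEX = ["google-site-verification=constructed", "v=spf1 include:_spf.google.com ~all"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"]

if __name__ == "__main__":
    for finding in audit_spf(SAMPLE_APEX) + audit_dmarc(SAMPLE_DMARC):
        print(finding)
```

Feed it the output of a TXT lookup for your domain and for `_dmarc.` plus your domain; an empty result from both functions means SPF restricts senders and DMARC is enforcing.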

6. Use a Password Manager

Sharing credentials in Slack messages and spreadsheets is a security incident waiting to happen.

  • Choose a business password manager (1Password, Bitwarden)
  • Create shared vaults for team credentials
  • Generate unique, complex passwords for every service
  • Never share passwords via email, Slack, or text

7. Set Up Basic Device Management (MDM)

When a laptop gets lost or an employee leaves, you need to be able to remotely wipe company data.

  • Enable Google Workspace device management (free with Workspace)
  • Require disk encryption (FileVault on Mac, BitLocker on Windows)
  • Enable automatic screen lock after inactivity
  • Consider a lightweight MDM solution like Mosyle or Kandji as you grow

What Comes Next

These 7 steps are the bare minimum. As you grow and start selling to enterprise customers, you'll need to think about formal compliance frameworks (SOC 2, ISO 27001), incident response plans, vendor security assessments, and more. Check out our SOC 2 Policy Templates when you're ready for that next step.
