Is it too early to implement security? Never! A company's culture is typically set within the first 10-20 hires. This is also true for the company's IT and security culture. Every startup I've worked at waited until it had 50, 100, or 200+ employees to implement IT and security. What happens then is they apply the "move fast now, break things, and fix later" strategy. This is often the case after a round of funding, with VC influence to hire many people, fast, and as of yesterday.
This puts a strain on the IT person, as most startups don't consider even one IT hire and one security hire until it's too late.
Here is how early-stage startups can implement lean security as early as employee #5.
Define what is acceptable and set standards early. Inform employees what is expected of them, i.e., how they are expected to treat work devices, that it is not OK to forward work email to a personal account, that they must use the device provided by the company, etc. Most important of all, decide whether your company will support a mixed environment, such as both Windows and Mac devices. If your company is seeking compliance, supporting both types of devices and operating systems can get very expensive, and you will need to hire someone who can manage both.
📜 Security Policies
An in-depth information security policy covering supply chain risk management, disaster recovery, and vulnerability management may not be applicable or realistic when your company has under 20-50 employees. However, policies around application, infrastructure, and identity and access management, such as passwords, data security, the software development lifecycle (SDLC), and bring your own device (BYOD), may be more achievable.
There are plenty of websites with policies and documentation that are open source or available for purchase. Use a centralized place where all employees can access the policies and instructions in place. This ensures minimal ambiguity.
🔑 Multi-Factor Authentication (MFA)
Set up Multi-Factor Authentication for all Google Workspace or Office 365 accounts. Invest in hardware security keys, especially for any admins of core business applications. Provide documentation on how to use software-based two-factor authentication applications such as Authy, Aegis, or Tofu.
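Turning on MFA is only half the job; someone has to check who actually enrolled. The script below is an added example, not part of the original post: it takes user records shaped like the Google Workspace Admin SDK Directory API `users.list` response (the `isEnrolledIn2Sv` / `isEnforcedIn2Sv` fields are real; the sample records and e-mail addresses are constructed) and reports accounts that still need attention, admins first.

```python
"""Report Google Workspace accounts that have not enrolled in 2-Step Verification.

Records mirror the Admin SDK Directory API `users.list` response fields:
primaryEmail, isAdmin, suspended, isEnrolledIn2Sv, isEnforcedIn2Sv.
The records below are constructed for this example; in production they would
come from service.users().list(customer="my_customer", ...) via googleapiclient.
"""

# Constructed sample: what a five-person startup's user list might look like.
SAMPLE_USERS = [
    {"primaryEmail": "ceo@example.com", "isAdmin": True, "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "it-admin@example.com", "isAdmin": True, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "dev1@example.com", "isAdmin": False, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "dev2@example.com", "isAdmin": False, "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
    {"primaryEmail": "former@example.com", "isAdmin": False, "suspended": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
]


def mfa_gaps(users):
    """Return (email, priority, reason) for every active account needing follow-up.

    priority 1 = admin not enrolled (fix first), 2 = user not enrolled,
    3 = enrolled but enforcement not applied (the user could still switch it off).
    """
    findings = []
    for u in users:
        if u.get("suspended"):
            continue  # a suspended account cannot sign in, so it is not an MFA gap
        email = u["primaryEmail"]
        enrolled = u.get("isEnrolledIn2Sv", False)
        enforced = u.get("isEnforcedIn2Sv", False)
        if not enrolled:
            findings.append((email, 1 if u.get("isAdmin") else 2, "not enrolled in 2SV"))
        elif not enforced:
            findings.append((email, 3, "enrolled but 2SV not enforced"))
    findings.sort(key=lambda f: (f[1], f[0]))  # admins first, then alphabetical
    return findings


if __name__ == "__main__":
    for email, priority, reason in mfa_gaps(SAMPLE_USERS):
        print(f"[P{priority}] {email}: {reason}")
```

Run it on a schedule and hand the output to whoever owns onboarding; an admin account on the list is the one to chase the same day.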
🤐 Password Management
Encourage password managers such as Dashlane, 1Password, and Bitwarden; however, choose one standard everyone should use and do not make it appear optional.
💻 Device Management
Also known as Mobile Device Management (MDM) or Enterprise Mobility Management (EMM). Enroll in Apple Business Manager as early as they will let you; this will also push you to get your DUNS number early. For Windows, choose a vendor like Dell that will let you easily set up Endpoint Manager (previously known as Intune) and Autopilot.
🚨 Incident Response
It's never too early to work on a short playbook of what your team should do if there is a data breach or data leak. It can happen to a company of any size. Atlassian and GitLab have public examples of their incident response playbooks, and there are plenty of guides, such as the Awesome Incident Response repository on GitHub.
Keep track of receipts and devices early. A simple Excel sheet with the device type, manufacturer, model number, purchase date, assignee, receipt, and region is enough to start. Another option, once there is a person dedicated to IT responsibilities, is to use software such as Airtable or open-source software such as Snipe-IT.
There are plenty of free IT and security videos on YouTube and on vendor websites. Regarding security training, SANS has plenty of videos on subjects such as securing employees' home networks.