Dan Martell - February 27, 2023


Manage Your Company Risk (Security Tutorial)


Transcript

Transcript generated with Whisper (turbo).
00:00:00.000 Five shocking ways your team members and developers are putting your SaaS company at risk.
00:00:05.660 Literally, you could go out of business if you don't understand these five ways
00:00:09.180 and how to protect yourself. Let's get into it.
00:00:13.680 Number one, no agreement. It doesn't matter who the person is. If they touch your system
00:00:21.280 in any way, shape, or form, you need an agreement. It doesn't matter if it's a developer writing code
00:00:27.880 or a biz dev person getting access to your customer data.
00:00:31.680 You need to make sure they have agreement.
00:00:33.480 Even if I have somebody that's doing some R&D project
00:00:37.540 and they want access to our CRM,
00:00:39.900 we need to get them to sign an agreement.
00:00:41.660 Why?
00:00:42.600 When you go to exit the business,
00:00:45.180 anybody who touches the code,
00:00:47.200 anybody that was involved in your business,
00:00:49.660 the buyer will ask to see their agreement,
00:00:52.180 contractor agreements, full-time employee agreements,
00:00:54.300 et cetera, and they're gonna look for certain things.
00:00:56.220 They're gonna look for an IP ownership agreement.
00:00:58.120 They're gonna look for the code rights.
00:00:59.940 They're gonna look for all these things
00:01:01.100 because they don't wanna buy code that you built,
00:01:04.720 that you think you own,
00:01:06.140 that somebody else got paid to build,
00:01:08.360 but you didn't have an agreement with them.
00:01:10.060 And at any point, they can come back and say,
00:01:11.620 hey, that part, that 10%, that's mine.
00:01:14.240 I did not give you guys that.
00:01:15.940 That is mine and I want it back.
00:01:17.840 That's happened to me.
00:01:19.060 Back when I started my company Flowtown,
00:01:21.240 we had a biz dev guy that was walking around 1% equity.
00:01:24.900 We did not have an agreement with him.
00:01:27.140 We essentially assigned him that equity,
00:01:29.900 part of an email thread.
00:01:31.620 And when our lawyers were putting together
00:01:33.400 our first round of funding,
00:01:34.660 they noticed that this person had 1% equity in the business,
00:01:38.140 but he wasn't involved.
00:01:39.200 It was called debt equity.
00:01:40.240 You literally have a cap table.
00:01:42.400 And I've seen companies with 10, 15, 25% equity
00:01:46.000 assigned to Billy Bob,
00:01:47.600 and Billy Bob's not even in the business.
00:01:49.440 I'm like, who's Billy Bob?
00:01:50.400 They're like, oh yeah, he was a co-founder.
00:01:52.020 He's no longer here.
00:01:52.760 and like he's walking around with 25% of your business.
00:01:55.940 You know, my case is 1%.
00:01:57.060 It still required me to get on a plane,
00:01:59.980 drive to his house, find him, negotiate with him.
00:02:03.660 And trust me, that wasn't easy
00:02:04.940 to get him to sign the paperwork,
00:02:06.920 to give back that 1% equity
00:02:08.460 so we could close our funding round.
00:02:10.140 You do not want this to stop you
00:02:12.280 from having an incredible payday
00:02:14.040 or move your business forward
00:02:15.960 because you have agreements that have not been signed.
00:02:18.700 Make sure that anybody who touches your business,
00:02:21.120 you've got to get them to sign a simple agreement
00:02:23.380 from your lawyer, every person.
00:02:25.380 So stop, make an audit, look at anybody that's touched
00:02:28.540 the code and ask yourself, do we have an agreement?
00:02:30.280 Let's go get it.
00:02:31.420 You wanna get it now.
00:02:32.300 You don't wanna wait three or four or five years
00:02:33.820 and your business gets all this press in the news
00:02:35.460 and the person knows what they're sitting on.
00:02:37.080 And when you go ask for a signature,
00:02:38.740 they ask you to write a big check.
00:02:40.960 No agreement, don't move forward.
00:02:43.180 Number two is using their servers.
00:02:45.880 So here's the deal.
00:02:46.620 If you have developers, you have designers,
00:02:48.400 you have contractors, you have anybody
00:02:49.940 that is doing work for you,
00:02:52.600 you want them to be working from within your system.
00:02:56.500 You know, I had a client, Marcus,
00:02:57.860 and he called me up because he was stressed out
00:02:59.480 because his developer, his lead developer,
00:03:02.220 essentially was holding him for ransom.
00:03:05.500 He pretty much had access to the GitHub.
00:03:08.320 It was built on his GitHub.
00:03:09.980 They never got the passwords.
00:03:11.240 They never got the keys.
00:03:12.080 They don't know how to get access to it.
00:03:13.540 And the person saying,
00:03:14.760 hey, you promised me an extra 10%, blah, blah, blah.
00:03:18.160 And he didn't know what to do.
00:03:19.660 He's like, do I, I mean, do I have to give him access? I'm like, look, at the end of the day, you don't have
00:03:25.260 to, but you can either evaluate the cost of giving him what he wants versus the legal route and what
00:03:31.260 that's going to cost you in time and headspace and speed and all these things. And the
00:03:36.620 default to consider is never allow a contractor to collaborate on their server. So even a designer,
00:03:44.060 they're working out of my Dropbox when they're creating, you know, designs and PDFs or whatever.
00:03:50.300 The raw image that they're using, the Photoshop files, whatever it is, those are done inside
00:03:56.540 of our world. We want all the contractors that are writing copy to write it inside of our Google
00:04:03.260 Drive. You want to start thinking of not letting anybody create on their servers. You want them to
00:04:08.860 use your accounts so that way, if for whatever reason you've got to transition from them, all the source
00:04:13.980 files, all the original things, all the stuff for editing. It's easily discovered. It's there. It's
00:04:19.020 yours. It's within your universe. Number three is not sharing logins. This one is a heartbreaker.
00:04:26.820 You know, recently one of my clients posted that their lead developer is not sharing the password
00:04:33.820 for their code repository and they don't know what to do. And what is their response? As I just
00:04:39.500 mentioned, you could go down the path of legal response, but the truth is, this might be
00:04:45.500 happening across your organization where you have team members that are either sharing logins or
00:04:52.740 they're not giving you the login to your own systems. They're creating their own personal
00:04:57.680 logins, and you're only going to find out when you transition off from them. It's like, hey, who's got
00:05:02.200 the login for this? If your leaders and yourself, you're not collecting these logins and putting
00:05:07.520 them in a tool like a LastPass, like a 1Password, then you're leaving yourself exposed
00:05:13.280 to not getting access to the systems that you've asked people to help you develop, right? So like,
00:05:20.840 one of the things that you want to do, especially if you bring on a contractor, say, hey, what are we
00:05:24.540 setting up? Where is the login going to live? Can you make sure we spend time? And you schedule a
00:05:29.960 meeting for 30 minutes, and they give you the login, and you test out the password, and you reset the
00:05:36.000 password so now you have it, and you can give them access through a password management system.
00:05:40.020 But I'm always making sure I'm making the list, I'm tracking, and I'm getting the login so that
00:05:45.380 they're within my system. I do not want somebody else to have it, and oftentimes I will reset the
00:05:50.620 password and then create an account for them to get access to for their code, but I own the
00:05:55.640 administrative login for that system. Number four is giving access to third-party apps. Here's what
00:06:01.500 I mean by this, and this is probably the biggest vulnerability right now in your business: it's your
00:06:06.800 team that you set up, and you give them access, you know, to all the different systems, typically through
00:06:11.840 their email login, right? Their Google account or whatever, their Microsoft account. Sometimes when
00:06:17.760 they go to use other tools, other third-party apps, it could be something they saw on Product Hunt, it
00:06:22.540 could be like this new startup they read about on TechCrunch, whatever it is, they'll log in using
00:06:28.600 their corporate login, and they don't even realize when they do that. They're just like, log in, click,
00:06:34.020 click, click, next, okay, I'm going to use this tool. Oh, that's cool. That doesn't really work the way
00:06:38.660 I want it to, and then they just, like, stop using it. But they don't realize they've given that tool
00:06:43.700 access to their system, and oftentimes these tools, when they get prompted to, like, give access,
00:06:50.400 they're sucking the data out of your system. They're sucking all of the contacts in your contacts
00:06:55.940 system and your CRM. They're looking at the email, they're evaluating security. They could even crawl
00:07:02.540 through your internal network and your team gave them access to do this. So I want you to encourage
00:07:08.780 some training around this so that they understand. I do not log in with my personal email to any startup
00:07:16.420 that requires that. I just won't use the product. It's not worth the risk, the exposure for me.
00:07:22.260 Oftentimes what we do is we force two-factor authentication across all the systems, so if
00:07:27.900 somebody's trying to do this, it makes it incredibly hard for those tools to get access on an ongoing
00:07:33.840 basis. But have the conversation with your team, train them, explain to them what that means to
00:07:39.060 give third-party access to your login, to your infrastructure, to your tools, to your project
00:07:44.180 management software, to potentially your HubSpot account, your CRM. People are doing this willy-nilly.
00:07:50.400 They don't, they're not even aware of the risk and exposure
00:07:53.840 they're putting your SaaS company at
00:07:56.700 by trying these new cool tools
00:07:59.400 and then having your customer database
00:08:01.800 sucked dry out of your business
00:08:03.340 and made public on the internet.
00:08:05.100 And then you've got to deal with the security vulnerability
00:08:07.060 that wasn't really a security vulnerability.
00:08:08.600 It was your own team giving access
00:08:10.480 to a tool they shouldn't have.
00:08:11.720 Number five is not using strong authentication.
00:08:15.420 Here's the crazy part.
00:08:16.840 As I go through the world,
00:08:17.940 I look at people using their phones, and I see every day folks that do not have a password phrase on
00:08:25.520 their phone, or honestly they don't try to hide it too well. I'm like, hey, what's your, show me your
00:08:31.340 Instagram, and then they pull up their phone and they type in their passcode. I'm like, you just
00:08:35.740 showed me your passcode. You might as well just show me your PIN, your bank account, because if I
00:08:39.220 have access to your phone, I've accessed your email, and I probably have access to all your other
00:08:42.340 systems, and I can transfer money around, I can reset your telco, I can freaking go into your
00:08:49.640 phone system and reset the password to your voicemail box. I can log into your GoDaddy account
00:08:55.200 and reset all your DNS and your emails and your domains. I mean, it's crazy that people do not
00:09:02.980 have security set up. So two-factor authentication is required in today's age, right? And what's cool
00:09:09.600 is a lot of the password management tools
00:09:11.040 will actually let you set it up
00:09:12.500 and then maintain the two-factor authentication
00:09:14.820 in the tool so that your team can keep moving forward
00:09:17.860 even if you do a shared login
00:09:19.160 and it's not calling you all the time.
00:09:20.520 It's like, hey, I need the token
00:09:22.180 that they just text messaged to your phone.
00:09:24.560 So be sure that everybody's using strong authentication
00:09:27.860 because if they're not, there's a very good chance
00:09:30.400 their password is not that strong.
00:09:33.000 Their login's gonna get compromised.
00:09:35.280 Most third-party tools eventually get hacked.
00:09:37.560 And what happens is all these hackers collect the logins, decrypt it, and then share it publicly in
00:09:43.620 these databases that other hackers can buy for like 5,000 bucks. And then they'll just do brute
00:09:48.040 attacks across new logins that you might have, thinking you've recycled old passwords that
00:09:52.540 they've seen. I mean, if you use a password management tool, it'll actually literally tell
00:09:55.860 you, like, this password has been seen in a vulnerability, please stop using it. But
00:10:01.200 some people aren't that clever and they keep using it without changing it. So you got to make sure
00:10:05.880 that your team is using strong passwords
00:10:08.980 and two-factor authentication
00:10:09.900 to keep your system protected.
00:10:12.720 So those are the five shocking ways
00:10:14.520 your team and developers are putting your SaaS at risk
00:10:18.200 by not doing the stuff on your servers,
00:10:21.620 not having IP agreements in place,
00:10:23.800 sharing logins, not sharing logins,
00:10:26.860 not having two-factor authentication,
00:10:28.640 not having a mature security model within your company
00:10:32.420 is causing you risk and exposure,
00:10:34.980 especially if you're gonna spend the next five to seven years
00:10:37.800 to build this business, 10 years,
00:10:39.780 and then just have one moment, bring the whole thing to zero.
00:10:43.420 That is a scary proposition.
00:10:44.860 That's why I wanted to share this with you.
00:10:46.180 If you enjoyed this video, be sure to leave a comment.
00:10:48.940 Let me know what resonated the most.
00:10:51.440 Share it with somebody that you care about,
00:10:53.000 that you think it could serve.
00:10:54.300 And most importantly, subscribe
00:10:55.780 if you're not already subscribed.
00:10:57.820 And with that, I wanna thank you for watching
00:10:59.380 right to the end.
00:11:00.260 Have an amazing day.
00:11:01.000 I'll see you next week.
00:11:01.940 Boom.
00:11:04.980 We'll be right back.