Free: the GTM BlueprintThe stack, by funding stageThe CRM data model, written downSeven steps, six handoffsRoles, and when to hire themA 90-day plan you can run on MondayThe three numbers that decide itNo PDF, no drip sequenceGet the blueprintFree: the GTM BlueprintThe stack, by funding stageThe CRM data model, written downSeven steps, six handoffsRoles, and when to hire themA 90-day plan you can run on MondayThe three numbers that decide itNo PDF, no drip sequenceGet the blueprint
RevOpsXL
GTM Diagnostic Book the audit

You don’t have an IT department. You have the risk anyway.

Mandatory 2FA, why an authenticator app still gets phished, what a hardware key actually does, seats, passwords, and which regulations genuinely reach a ten-person company.

On this page

Nobody is coming to secure this for you.

There is no IT department. There is no security team. There is you, eleven people, about forty SaaS accounts nobody has counted, and a shared login to the ad account that three former employees still know.

That’s the actual starting position for most companies we walk into. So this is the version without the enterprise budget, in the order that matters.

You are not a target. You are a result.

The comforting story is that nobody would bother attacking a company this size. It’s true, in the sense that no human is sitting somewhere thinking about you specifically.

That isn’t how it works. Credentials get harvested at scale, sorted, and sold. Your account shows up in a list because someone reused a password, not because anyone chose you. You are not on a target list. You are a search result.

Which is good news, oddly. Attacks that find you by scanning are stopped by controls that are boring and cheap. You don’t need a security department. You need six things done properly and never skipped.

Two-factor, mandatory, no exceptions — but the methods are not equal

Every account. Every person. No opt-outs for the founder, who is the most impersonated person in the company and usually the one asking for the exception.

Then the part most teams never get to: the methods sit on a ladder, and the rungs are far apart.

SMS codes. The weakest. A SIM swap — someone social-engineering your mobile operator into moving your number — hands over every code you’ll ever receive. Still better than nothing. It stops the scanning attacks entirely. Use it where nothing else is offered, and don’t use it on anything that matters.

Authenticator apps (TOTP). The six-digit code that rotates every thirty seconds. A real step up: no SIM to steal, no network to intercept. This is where most teams stop, and they think they’re finished.

Push approvals. Convenient. The failure mode is human: send someone forty prompts at 3am and eventually one gets tapped to make it stop. That has a name in the industry now, which tells you how often it works.

Passkeys and hardware keys. Different in kind, not degree. This is the rung worth climbing to.

Why you have to understand phishing to understand any of this

Here is the thing that changes how you buy 2FA.

The modern phishing attack does not ask you for your password and go away happy. It puts itself in the middle. You click a link, you land on a page that looks right — because it is right; the attacker is proxying the real site to you in real time. You type your password. The real site asks for your code. You type your code. Everything works. You’re logged in. Nothing looks wrong, because nothing went wrong, from your side.

The attacker now holds your session cookie, which is the thing that actually says “this person is logged in.” They don’t need your password again. They don’t need your next code. Your two-factor did what it was designed to do, and it made no difference.

Read that again if you’re the person who rolled out authenticator apps and considered the job closed. I have been that person.

This is why phishing training that says “check for spelling mistakes” is close to useless now. The page has no spelling mistakes. The page is the real page. The only reliable tell is the domain in the address bar, and you are asking a tired human at 5pm to catch a character-level difference in a string they’ve read ten thousand times without ever reading it.

People are not the answer here. People are the thing being attacked.

What a hardware key actually does, and why it’s the whole game

A YubiKey — or a passkey in your phone, same underlying standard — does not give you a code to type. That’s the point. A code can be relayed by a human who has been fooled. A key can’t.

When you tap the key, it signs a challenge that is bound to the domain asking for it. The browser checks. If the site is a proxy sitting on a lookalike domain, the signature is for the wrong domain, and it doesn’t verify. The attack fails. Not because the human noticed — the human noticed nothing — but because the maths didn’t line up.

That’s the difference between a factor that is strong and a factor that is phishing-resistant. Almost every conversation about 2FA conflates them.

Practically: buy two keys per person who holds anything that matters. Two, because a single key is a single point of failure and you will eventually watch someone lose one on a train. Register both. Keep the spare somewhere that isn’t the same bag.

Start with the accounts where a compromise ends you: your identity provider or email, your domain registrar, your CRM, your cloud console, your payment and ad accounts. If you only ever do one thing from this piece, make it the registrar and the email — every password reset in your company flows through those two, and whoever owns them owns everything else by default.

Unique passwords, because of how breaches are actually used

The reason to never reuse a password has nothing to do with your password being clever.

Some site you signed up to in 2019 gets breached. Your email and password end up in a corpus. Nobody targets you. A script simply replays that pair against a few hundred well-known services to see what opens. That’s credential stuffing, and it works purely because reuse is normal.

So: one unique password per account, every account, generated and stored by a password manager. That’s the whole control. It costs a few euros per person per month and it removes an entire class of attack.

And drop the theatre while you’re there. NIST’s own guidance moved away from forced ninety-day rotation and from composition rules — the special-character-and-a-number ritual — because both make passwords worse. They push people toward Summer2024! and then Summer2025!. Length beats symbols. A long passphrase, unique, checked against known breach corpora, changed when there’s a reason to change it. That’s it.

The complexity rules were never protecting the password. They were protecting whoever wrote the policy.

Seats and roles: every seat is a door

Every seat on every tool is a credential that can be phished. So the question “who has access to this” is the same question as “how many doors does this building have.”

Three rules, and they are not difficult, they are just tedious, which is why they don’t get done.

Named seats only. No marketing@ shared login. Shared logins can’t be revoked without breaking everyone, can’t carry a second factor properly, and destroy the only thing you’ll want during an incident: knowing who did what, when.

Admin is a role, not a status. Most people asking for admin want one setting they can’t reach. Give them the setting. Admin count should be a number you know by heart, and it should be small enough to say out loud without pausing.

Offboarding is a list, not a memory. Write down every tool the day you buy it. When someone leaves, the list gets walked, and the ad account and the registrar come first — not the ones you happen to remember. If you can’t produce that list right now, that’s the finding. That’s the whole audit. The protocol version of this is the one we actually deploy.

Which regulations actually reach a ten-person company

Most of what gets quoted at you doesn’t apply. Some of it does, and the ones that do arrive from an angle nobody expects.

GDPR, Article 32. If you touch personal data of people in the EU or UK — and if you run a CRM, you do — you owe “appropriate technical and organisational measures.” Deliberately not a checklist. Appropriate to your risk, your size, the state of the art. A ten-person company with unique passwords, enforced 2FA and a written access list is arguing from a defensible position. One with a shared login isn’t.

NIS2 (Directive (EU) 2022/2555, transposition deadline October 2024) and DORA (Regulation (EU) 2022/2554, applying from January 2025). Read the scope before you panic: NIS2 lands on essential and important entities in listed sectors, DORA on financial entities and their critical ICT providers. You are probably not directly in scope. But both push obligations down the supply chain — which means they reach you as your customer’s vendor questionnaire, not as a letter from a regulator.

SOC 2, ISO 27001, Cyber Essentials. None of these are laws. SOC 2 is an attestation, ISO 27001 a certifiable standard, Cyber Essentials a UK government-backed baseline that is genuinely cheap and genuinely useful for a small team. You’ll pursue one because a buyer asked, not because a regulator did.

Which is the honest shape of it: you don’t get regulated directly. You get regulated through your customers. The first real audit of your security is a procurement spreadsheet from a company four times your size, and it arrives the week you’re trying to close them.

If you have no budget, do it in this order

Password manager for everyone. Two hardware keys each for whoever holds email, the registrar, the CRM, the cloud console and the money. Enforced 2FA everywhere else, authenticator app rather than SMS. Named seats, no sharing. An admin count you know. A written tool list that doubles as the offboarding checklist.

That is a weekend and a small monthly bill, and it puts you past the great majority of companies your size — including the ones with a security policy PDF nobody has opened since it was written.

Then leave it alone until something changes. Security work for a small team is not a programme. It’s six things, done once, and not quietly undone the next time someone needs access in a hurry.

That last part is the hard one. It always is.

Go and count your admins. I’ll wait.

The onboarding-to-offboarding protocol, named seats and enforced 2FA are part of the operating system we build — not a policy document nobody opens.

See how we build the protocol Run the GTM diagnostic

Get the next one

New field notes twice a month. We don’t do newsletters — follow RevOps XL on LinkedIn instead.

Follow on LinkedIn

Sound familiar?

If this is happening in your stack, tell me about it. A senior expert reads these, not a bot — and you’ll get a real answer, whether or not you ever hire us.

← More field notes