Online Services

There are a bunch of online services, and it’s hard to figure out who’s doing a good job on security unless you’re an expert.  This list only has services most people need.  There are lots of other secure solutions for each of these categories; this list only includes those I already know to be good.  

Note: I am not compensated by anyone, in any way, for any item on this list: it comes only from my own professional analysis.  Weird, I know.

Recommended Online Services

Office, email

Google G Suite (now Google Workspace)

Microsoft Office 365 (now Microsoft 365)


Online marketplace/Distribution

Amazon

Etsy

Wayfair


Website

Weebly

Wix

Squarespace


Hosting

Amazon Web Services (AWS)

Microsoft Azure

Google Cloud


Payments

Square

Stripe

PayPal

TransferWise (now Wise)


HR

TriNet

Justworks


CRM

HubSpot

Salesforce


Accounting

Xero

QuickBooks

FreshBooks


Certifications

Let’s say you need something weird that my list doesn’t talk about.  You’ve narrowed it down to three choices, and security is important because you want to store nuclear launch codes in it and bad people are after you.  One of the choices proudly advertises, “Guaranteed Secure by McAfee!” What exactly does that mean?


It usually means nothing.  


Certifications exist because the technical parts of security are complicated.  In theory, they are a low bar: if you are certified, it means that someone checked what you do and said you’re not terrible.  In practice, most of them are just marketing.  A few mean a little; those are at the end of the list.  None of them come close to guaranteeing that someone’s doing a good job, and none of them replaces asking a vendor how they actually handle your data.  Here’s a quick summary of the most common ones, roughly in order from least to most meaningful.

Website Seal

Completely worthless.  A seal is an image on a web page: anyone can copy it, and it says nothing about their security or even whether they’re legitimate.  At best it means they paid for an automated scan of their public website, which is not the same as protecting your data.  Examples:

PCI Certification

Nearly worthless as a security signal.  Anyone who handles credit cards has to comply with PCI DSS, so it tells you nothing about whether a vendor chose to take security seriously.  For all but the largest merchants, “compliance” is a self-assessment questionnaire (SAQ): they tick the boxes themselves, and nobody checks the answers unless something terrible happens and the card brands send a forensic investigator to figure out who should pay for all the fraud.  The biggest merchants and service providers do get an annual assessment by a Qualified Security Assessor, but even that is a point-in-time check scoped only to the systems that touch card data, not the rest of their business.  If a vendor waves PCI at you, ask for their Attestation of Compliance (AOC): it states which assessment they did, what was in scope, and who signed off.  


SOC 1, SOC 2, SOC 3

Worth a little bit.  They are the security version of “Nobody ever got fired for buying IBM.”  A SOC 1 is about controls over financial reporting and says nothing about security.  A SOC 2 is an auditor’s report on controls the vendor chose to have examined, against criteria the vendor chose (security, plus optionally availability, confidentiality, processing integrity and privacy); a Type I only says the controls were designed sensibly on one day, a Type II says they operated over a period, usually six to twelve months.  A SOC 3 is a public summary of a SOC 2 with the details removed.  None of these tells you how good they are at the important things, and the reports are full of weasel-words: management asserts, the auditor has no opinion on anything outside scope, and any failures are listed as “exceptions” near the back.  

Big companies like them because if something goes wrong, they can point and say, “Not our fault: See the SOC 2?  We did everything we’re supposed to!” when they get sued.  

If you’re going to rely on one, ask for the full SOC 2 Type II report under NDA rather than the badge, and read three things: the scope (which systems and which criteria), the exceptions, and the list of “complementary user entity controls,” which is everything the vendor is assuming you will do yourself.

ISO 27001

Worth a little bit.  It certifies that the company runs an information security management system: someone spent a lot of time writing policies about security, picked which controls apply, and an accredited auditor checked that the paperwork matches what the company says it does.  Like a SOC 2, it checks that a process exists, not that the important things actually work.  The certificate carries a scope statement; read it, because it is common for only one office or one product line to be covered.  Ask for the Statement of Applicability if you want to know which controls they decided did not apply to them.

SIG

Not a certification, but means a little bit.  A SIG (the Standardized Information Gathering questionnaire, from Shared Assessments) is a huge list of technical questions to which a company answers yes or no.  If they have one, that sometimes means they thought about it. It may even mean that they get pressure from customers to actually do the things on the list.  But sometimes all it means is that a sales rep spent 40 minutes clicking “yes” to every question.  A completed SIG is self-reported; if a particular answer matters to you, ask for the evidence behind it.


FedRAMP

Worth a fair bit.  It means a cloud service was assessed by an independent third-party assessor against the NIST SP 800-53 controls and then authorized by a US federal agency, or by the program’s own board, to hold federal data.  That data is not “secrets” in the classified sense: FedRAMP covers unclassified federal data at Low, Moderate and High impact levels, and the level matters.   Think what you want about the federal government, but they put you through the wringer.  Check the service’s entry on the FedRAMP Marketplace: “Authorized” is what counts, “In Process” and “Ready” are not, and the authorization covers a specific offering, not everything the company sells.


HIPAA BAA

Not a certification, but still worth a fair bit.  A BAA (business associate agreement) is a contract in which the vendor accepts HIPAA’s obligations for the protected health information you hand them.  If a business advertises one, it usually means they know the HIPAA Privacy and Security Rules, because screwing those up gets you huge fines; so if you see one, it means they’ve thought about what they’re doing.  Two caveats: a BAA is a promise, not an audit, and large providers typically cover only some of their services under it, so confirm that the specific product you plan to put health data in is on their covered list.