Establish a Corporate Beachhead

To get started, establish a beachhead around expenses, an asset inventory, and corporate identity.

If you have already established your business you may be able to skip much of this, but I found that it is very helpful to establish a completely separate Gmail address for bootstrapping, and then create a company Google Workspace presence that is perfectly clean and not contaminated with anything else you've done. This is the essence of starting from a clean slate: If you attempt to leverage email and web presences that you already own, you are going to find that you have weaknesses and mixed purposes you haven't thought about. In my experience regarding security, companies do weird things and develop bad habits: This guide is an attempt to set up some guard rails so that you don't have a messy information security program to administer.

Setting up the Business
Don't use your work computer

If you are currently employed, your contract likely prohibits you from using company resources for anything not related to your employment. It is likely as well that your work computer is set up to track your activities. To be safe, for these early steps, use a computer that is not owned by your current company. Later on, I'll talk about getting a laptop for company work, but in these early steps we just want to make sure that there is no trace of this activity that can be tracked by your employer.

Decide on a business name

First, research a business name and decide what kind of business you are going to set up. For the work in this series, our business name is going to be Outside CTO, LLC. To keep it simple, we are going to establish a limited liability company, or LLC (other options are a "pass through" business in the form of an S-Corp, or a business that can easily have shared ownership and issue stock in the form of a C-Corp; consult a lawyer and an accountant to explore the pluses and minuses of an LLC vs an S-Corp vs a C-Corp). In Minnesota, where I am going to register the LLC, the business name must include "LLC" or something similar, which I discovered by following the guidance at WikiHow. WikiHow has similar pages for the details for creating an LLC in each state; it can be a little tricky: For instance, in many if not all states, the company name can't have the words "corporation," "insurance" (unless you are an insurance company), "bank" (unless you're founding a bank) or "partners" in it (you might find this article useful). Also, the name must not be used by other companies in the state where you are filing; the state should have an online database so you can check. So read the article carefully. We'll come back to the LLC setup but for now I just want to make sure you have a name. You may discover that you want to use a different name for advertising. This is OK; you can file a "doing business as" (DBA) form to conduct your business under some other moniker.

Ideally, a domain name should be available with a name similar to your business name; so in our case, we will be registering outsidecto.com. (Do not put "LLC" in your domain name in case the structure of your business changes.) If you know how to do it, register the domain now -- though I will walk you through that later on. If it's important to you, this would be a good time to establish accounts with your company's name on Twitter, GitHub, and any other web-based service where you might want to establish a presence.

Find someone who can serve as your trusted security backup

You are going to need to identify a person who can get into your business in an emergency should you be unavailable. I would recommend that this not be a relative or a close friend: There is just too much potential to mix up your personal life with your business life and you don't want to create opportunities for collusion amongst people who may know you all too well. Choose someone you can trust. Who can you trust? Think about a person you've known for a while who has a life that won't tolerate substance abuse or blackmail. It might be your hairdresser or a former neighbor but you want someone who would treat you with the discretion you would provide if that person approached you with a similar request -- you would not treat it lightly. If you need to comply with HIPAA, you probably want a doctor or someone who is involved in the healthcare business. We'll call this person your trusted security backup. Later on we'll ensure that this person has signed a non-disclosure agreement.

Install a password vault just for the company

Even at this early stage, we want to manage secrets. A good free password vault is LastPass. If you are already using a password vault, this should be a different one and probably a different brand from what you are already using so that it is clear which password vault is for what. Install it. During the installation process, you will be asked to define a master password. Make this as long as you can tolerate, but make it easy to type. Write instructions that say what LastPass is and how to use it. You might also include the phone numbers of a technical supporter and anyone else who is involved with the business whom you trust. Write the master password onto a piece of paper (or save it on a CD-ROM) and put it and the instructions into an envelope with the name of your trusted security backup. (We'll deal with this envelope in the next section regarding Physical Safeguards.)

Don't forget to add credentials for each of the online services you've registered with so far (G Suite, Twitter, GitHub, etc.).

Setting up an email just for setting up

We need an email address that will be isolated from all of your other work. So in my case I created outsidecto@gmail.com which fortunately was not taken. Eventually we are going to create a business presence using Google tools for outsidecto.com but for now we just want that plain Gmail (Google Workspace, formerly known as G Suite) account. By the way, when you create this email address, you may be asked whether you are creating the account "For myself" or "To manage my business." I said "For myself" because I am using this email address to bootstrap; it will be a backup email for my business, but it won't be the authoritative email address for me as the business owner. If you like you might now sign up for Google Voice so that you have a phone number that is dedicated to your new LLC and separate from your personal phone number.

A few pointers when creating this account:

Create a document for business facts

With your Google Workspace account, go to Documents and create a document called <Your Business Name> Business Facts (so mine is Outside CTO Business Facts). Put into this document the following facts:

Create a spreadsheet for your information security asset inventory

Now that you have a Google account, you can go to Sheets, and start tracking your information security assets (eventually we'll move this and other sheets over to be owned by an account @outsidecto.com, and we'll protect them better). For compliance, your inventory is typically limited to servers, computers, and software. Title it <Your Business Name> Asset Inventory. To get started, your inventory sheet should have the following columns:

Add a row for LastPass and include the Username that is associated with the LastPass account. The columns regarding LastPass might look like this:

I'd also put onto the list that computer you've been using. We will decommission it later.

Create a spreadsheet for expenses

If you use the Google Sheets Template Gallery, there is a nice free "Annual Business Budget" by Intuit Quickbooks. Create one of those with the name <Your Business Name> Expenses. Change the starting balance to whatever you have (I put $0.00), and then go to the Expenses tab. Enter your expense for the safe (you bought it, right?) under "Office/General Administration" / "Supplies" under the correct month. Great, you're now running a deficit. You're a real business. Put the receipt into an envelope labeled "receipts" with the month and year.

Back to establishing your corporate identity

Alrighty then. Now you have enough in place to set up your LLC. I'm following WikiHow, but note that in Minnesota, you must have a "registered agent" who is always available during business hours. This pretty much means that you are going to have to pay someone to do that. I used Northwest Registered Agent because they are well-regarded. It's a bit more expensive than other alternatives, but one thing that is nice is that they will send me a pre-populated PDF for submission to Minnesota. That's going to set me back another $125. With the PDF filled out, now I'm ready to mail my LLC document to the State: That requires a check for $135.

So if you've been following along, you now have a registered agent address. This provides a street address where you can always be served papers (god forbid) during business hours. This is only used if you need to be served papers or when you are asked for it; also see here. Otherwise your home address, or possibly your coworking address or office address, will be your business address.

Add a couple of items to the Business Facts document:

From here on out, I will not be mentioning your business documents (Facts, Budget, and Asset Inventory) until a later step where we move these items to your business account in Google Workspace.

Your Certificate of Organization

Eventually you will receive by mail from the State your Certificate of Organization. This should also include a copy of your Articles of Organization as submitted. You should put both of these in the safe.

Insurance

TODO: LLC Insurance Also Why insurance Example

Checklist

   Not using employer's computer
   Have a business name
   Identify trusted security backup
   Using company-only password vault
   Create an envelope for your trusted security backup
   Create an envelope for receipts
   Set up a "setting up" email
   Create a Business Facts document
   Create an Expenses sheet (annual budget template) and put a few items on it
   Create an Asset Inventory and put a few items on it
   Obtain a registered agent
   Fill out the LLC forms
   Put a copy of the LLC form in the safe
   Mail the LLC form to the State
   Receive your Certificate of Organization
   Put your Certificate and Articles of Organization in your safe

Money spent so far

Item                  Amount
Starting balance      $0
Registered agent      $125
LLC filing            $135
Total for this part   $260
Total so far          $260

Are we HIPAA-compliant yet?

No. But we've laid some groundwork for an asset inventory.

Resources