OK, Workspace (web-hosted) business environment on Windows systems. You should probably use Google’s built-in 2FA enforcement for access to your business stuff. It will be the easiest to implement and manage. Also consider implementing Chrome Enterprise as a requirement for accessing your business apps, it will give you more control and if you’re using Workspace then the integration should be smooth. If your business needs expand beyond Google services, you might look at Island.

Are the laptops on Windows Enterprise? or Professional? Do you have any domain management for them? Or are they off-the-shelf with Home/OEM installs?

In any case, Applocker is built-in and free. With this you can restrict the laptops to only executing the applications that your business needs - if everything is accessed through Chrome, then it’s really simple, nothing else needs to run and if an employee has a specific extra need (Photoshop or CAD or QuickBooks or w/e) you can handle that on a case-by-case basis. If you have domain management then it’s easy to enforce Applocker on all the laptops, if not you’ll have to do each one manually, but it’s worth it because it will prevent a lot of nonsense. If your business expands and you outgrow the functionality of Applocker, consider Airlock Digital.

A big question is, where is your data? Is all of it in Workspace? Or do individual employees have pieces of it sitting on their hard drives? What happens if one of those hard drives crashes and you lose the employee’s work? Are those laptops going home with them? Are they on home/shared/public networks? As a startup, your business is your information, whatever form that takes. You need to get tracking on where your most sensitive bits of information are (customer lists, proprietary design/code/concept/etc, high-value assets, licenses/certifications/contracts, financial records, employee PII, anything that could end your business if you lost it), how they’re stored and how they’re used, and that is much more important than 2FA login. If possible, implement Bitlocker on the laptops. Maybe learn to use filesystemwatcher if you have sensitive files living on the Windows laptops. And start figuring out a backup plan (even if everything important is done in Workspace, keeping all of your data in Workspace doesn’t count as a backup plan).

I would highly recommend that you develop a security plan based on something like the NIST Cybersecurity Framework (this is a quickstart guide aimed at small businesses with little to no existing security planning). Don’t buy any fancy security products yet. Sit down and plan your security in a systematic way, and that will help expose your actual needs and blind spots.

Finally, some useful information sources:

• SANS Stormcast - 10-minute daily podcast with alerts about current threats
• Risky.biz - weekly cybersecurity news podcast and interviews with industry professionals
• Security Now - weekly cybersecurity news with deep dives into security topics