Cybersecurity for startups

Startups can be flippant with cybersecurity, but even small companies are targets for attack. Worse, many startups never outgrow their poor security habits. For every high-profile breach, many early-stage startups face existential risk due to poor security posture.

Fortunately, healthy security practices are easy to achieve when you have them in mind from early in the lifecycle of your startup. A single article can’t comprehensively cover everything a startup should do, but this is a good start for anyone yet to take security seriously.

Access management

Startups use a lot of SaaS products to get their work done. When a startup is breached, it is usually because someone on the outside has managed to access an employee account for an important SaaS tool. By managing access responsibly, you can mitigate this risk.

First, create and maintain a list of all company-provided software tools. This list will help you to periodically audit access and billing and guide your employee on/off-boarding procedures.
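One way to run the periodic access audit against that list is sketched below. This is an added example, not part of the original article; the tool names, addresses, the 90-day audit interval and the `audit_access` helper are constructed assumptions.

```python
from datetime import date

# Constructed sample data: the tool inventory, the current staff roster,
# and (tool, account) pairs as exported from each tool's user admin page.
INVENTORY = {
    "crm":      {"owner": "ops", "last_audit": date(2024, 1, 10)},
    "helpdesk": {"owner": "ops", "last_audit": date(2024, 5, 2)},
}
ROSTER = {"ana@example.com", "ben@example.com"}
ACCOUNTS = [
    ("crm", "ana@example.com"),
    ("crm", "Carl@example.com"),        # left the company, account still active
    ("helpdesk", "ben@example.com"),
    ("designtool", "ana@example.com"),  # tool that never made it onto the list
]

def audit_access(inventory, roster, accounts, today, max_age_days=90):
    """Return sorted (finding, tool, account) tuples for follow-up."""
    staff = {email.lower() for email in roster}
    findings = set()
    for tool, email in accounts:
        if tool not in inventory:
            # Accounts exist in a tool nobody is tracking or offboarding from.
            findings.add(("unlisted-tool", tool, ""))
        if email.lower() not in staff:
            # Account belongs to someone who is not a current employee.
            findings.add(("orphaned-account", tool, email.lower()))
    for tool, meta in inventory.items():
        if (today - meta["last_audit"]).days > max_age_days:
            findings.add(("audit-overdue", tool, ""))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_access(INVENTORY, ROSTER, ACCOUNTS, date(2024, 6, 1)):
        print(finding)
```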

Second, ensure authentication for each tool is managed in the most secure way possible:

Prepare for phishing

Phishing is one of the most common ways that startups are breached or scammed. No business is too small to be the target of a phishing scam. Almost every startup I have worked with has had phishing attempts against them.

"Phishing is a method of identity theft that relies on individuals unwittingly volunteering personal details or information that can then be used for nefarious purposes. It is often carried out through the creation of a fraudulent website, email, or text appearing to represent a legitimate firm." (Investopedia)

Phishing is relevant to SaaS startups because:

Common phishing/spoofing scams include:

Some ways to reduce the likelihood of being phished include:

Establish a data-management policy

Leaky file storage and data loss can be major risks for startups. Establish a standardised policy for how data, documents, and files should be managed:

Centralise and log sensitive requests

Some business operations are more sensitive than others. Delegate these tasks to a specialised team of individuals (this could be your HR, finance, or operations team), and log requests and actions.

Examples of this type of work include employee on/off-boarding tasks, granting an employee access to a new system, adjusting terms and conditions, and installing a new Slack app.

The easiest way to do this is to funnel these requests through a standardised request form that creates work in your support help desk, CRM, ERP, or task management system like Jira.

Avoid sensitive data

The best way to secure sensitive data is to delete it or never have access to it in the first place. Only collect and keep what is necessary to provide services to your customers.

Responsible product development

As a software vendor, you have the same responsibilities as your own vendors. Offer SSO and MFA to your customers. It is much easier to offer these from the start than to add them later.

Architect your product with security and privacy in mind. Consider quarantining services that handle sensitive data from other services so that as few people as possible can access them. Encrypt sensitive data in transit and at rest. Collect service logs, so you know who is accessing what. Don’t keep secrets (API keys) in code repositories. Sanitise inputs to mitigate code and SQL injection.
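For SQL injection specifically, the dependable mitigation is to pass input as bound parameters so it can never change the structure of the query. The following is an added example, not code from the original article; the `invoices` table, tenant names and helper functions are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build a constructed multi-tenant table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (tenant TEXT, customer TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", [
        ("acme", "Alice", 120),
        ("acme", "Bob", 80),
        ("globex", "Carol", 999),
    ])
    return conn

def search_unsafe(conn, tenant, customer):
    # Vulnerable: the input is spliced into the SQL text, so a quote
    # character in it is parsed as SQL rather than as data.
    sql = ("SELECT tenant, customer, amount FROM invoices "
           f"WHERE tenant = '{tenant}' AND customer = '{customer}'")
    return conn.execute(sql).fetchall()

def search_safe(conn, tenant, customer):
    # Hardened: placeholders keep the query structure fixed; the driver
    # passes both values purely as data.
    sql = ("SELECT tenant, customer, amount FROM invoices "
           "WHERE tenant = ? AND customer = ?")
    return conn.execute(sql, (tenant, customer)).fetchall()

# Constructed hostile search term, as it might arrive from a web form.
HOSTILE = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    # The unsafe query ignores the tenant filter and returns every row.
    print("unsafe:", search_unsafe(conn, "acme", HOSTILE))
    # The parameterised query treats the whole string as a customer name.
    print("safe:  ", search_safe(conn, "acme", HOSTILE))
```

In the unsafe version the tenant filter is bypassed as well, which is why this class of bug is especially damaging in a multi-tenant SaaS product.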

Audit your dependencies and keep them up to date. Subscribe to feeds of publicly disclosed cybersecurity vulnerabilities so that you are notified when new ones are disclosed.

Unless you can properly enforce it, avoid charging customers per user. This encourages them to share accounts internally. Try to charge based on the value you provide instead. Similarly, many SaaS companies charge a premium for SSO — you should avoid this, if possible, as it is always in your best interest to provide the best security to your users.

Seek external advice. As you grow, the potential damage of a breach grows exponentially. So, your security practices should improve beyond the simple baseline outlined in this article. Most governments have cybersecurity recommendations for small businesses that you should be across. Data residency, for example, is regulated in many geographies and industries. OWASP is a great resource for engineers. If, as a technical founder, you don’t have experience with securing a SaaS product, ensure one of your early hires has done this before.
