Security for Startups: The Five Things to Do in Your First 12 Months

September 12, 2023

Security decisions made in the first twelve months of a startup tend to persist far longer than founders expect. The identity architecture you build when you have ten people will still be influencing your risk posture when you have two hundred. The data handling practices you establish in year one become the defaults your engineering team works around when you reach compliance requirements in year three. Getting this right early is not about spending a lot. It is about making the right choices in the right sequence.

The most common mistake we see is not neglecting security entirely. It is doing security out of sequence: spending money on a penetration test before implementing multi-factor authentication, or commissioning a policy library before anyone in the business has been trained on the three or four things that actually matter. Sequence determines whether your security investment compounds or sits idle.

One: Identity First

The first investment is identity and access management. This means a centralised directory that every application and system authenticates against, multi-factor authentication enforced for all accounts, and a defined process for provisioning and deprovisioning access when people join and leave. For most early-stage companies this is achievable with readily available identity platforms at low cost. The cost of not doing it is felt the first time a former employee retains access to a production system or a phishing attack compromises an account that has administrative access to your core infrastructure.

Privilege management is part of this. Every person in the business should have the minimum access they need to do their job. Engineers should not routinely operate with administrative access to production systems. Founders and executives should not have administrative access to systems they do not manage. This is not bureaucracy. It limits the blast radius of a compromised credential, which is the most common initial access technique used against organisations of every size.

Two: Endpoint and Email Protection

The second investment is ensuring every device used for work is managed and protected, and that your email environment is configured to reduce the effectiveness of phishing. Managed devices means the company can remotely wipe a lost or stolen laptop, enforce disk encryption, and push security updates. Unmanaged personal devices used for work email and code repositories are one of the most consistent sources of data exposure we see in startups.

Email security configuration, specifically SPF, DKIM, and DMARC records, prevents your domain from being used in spoofing attacks against your customers and staff. These take an hour to implement and should be done before you start sending commercial email at scale. Most startups we review have not fully implemented DMARC, meaning their domain can be spoofed to impersonate them in phishing attacks against their own customers.

Three: Data Classification and Handling Basics

The third investment is knowing what data you hold and establishing a small number of clear rules about how it is handled. This does not require a formal data classification policy with five tiers. It requires answers to a handful of questions: where does customer personal information live, who has access to it, is it encrypted at rest and in transit, and what happens to it when a customer churns or requests deletion?

These questions become Privacy Act obligations as your company scales. Building the habit of data minimisation, which means collecting only what you need and retaining it only as long as necessary, is easier to establish at ten people than to retrofit at two hundred. If you handle health information, financial data, or government sector data from the start, the obligations arrive earlier and with less flexibility.

Four: Basic Security Awareness for the Team

The fourth investment is making sure the people in your company know the three or four things that matter most. Not a compliance training module. A direct conversation about how phishing works and what to do when they receive a suspicious message, how to recognise a social engineering attempt, what to do if they think a device has been compromised, and who to tell. This should be part of onboarding and should be delivered by someone who can answer questions, not an automated platform.

Culture around security is set early. If the founders treat security as an IT problem that sits in someone else's domain, that attitude propagates. If the founding team treats security as a shared responsibility and makes it visible, that propagates too. The investment here is mostly time, not money.

Five: An Incident Response Procedure

The fifth investment is a basic incident response procedure. Not a hundred-page document. A one-page reference that answers: who do we call first, what do we not do (specifically, do not wipe or reformat before forensics), what are our notification obligations, and who is authorised to make decisions during an incident? This procedure should be tested at least once with a tabletop exercise before you genuinely need it.

The first time your team responds to a security incident should not be during an actual security incident. A simple tabletop scenario, even a one-hour session with five people, will surface gaps in your procedure and in your team's shared understanding of roles. It will also produce a much better outcome if a real incident occurs in the months following it. For startups with a small team, a vCISO engagement can accelerate all five of these investments and ensure they are sequenced and calibrated correctly for where the business is.

To discuss security for your startup or early-stage company, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
Cyber Strategy
Written by
Saaim Khan
Chief Innovation Officer
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?