August 28, 2023

5 cybersecurity mistakes putting your startup at risk — and how to fix them

Startups are a prime target for hackers, yet few of them are prepared for an attack. These are the most common cybersecurity mistakes they make, according to experts

It’s not only the Microsofts and Googles of this world that get hacked. Startups are equally at risk of data breaches, ransomware and other forms of cyber crime — sometimes with business-ending consequences. 

Yet early-stage startup founders rarely give much thought to cybersecurity. Many of them only realise the importance of having robust cyber infrastructure after they fall victim to an attack. 

Sifted asked experts which mistakes most often compromise a startup's cyber resilience, and how founders can fix them before hackers spot them.


1/ Bad password management

Make sure employees use strong, unique passwords, and manage system access and shared credentials through a password manager or single sign-on provider rather than keeping them in a shared Google Doc.

Deploy multi-factor authentication (MFA) company-wide. MFA is a sign-in method that requires two or more independent factors before granting access, typically a password plus a one-time code or a physical key. Codes sent by email or text message are the weakest option, because they can be intercepted (for example through SIM swapping) or phished along with the password; an authenticator app is better, and a hardware security key (FIDO2) resists phishing outright.

2/ Neglecting to conduct regular risk assessments

Regularly assess where your threats and vulnerabilities lie, and commission external security testing: hire third-party security experts to try to compromise your organisation's systems, so that the flaws they find are fixed before a real attacker exploits them.

3/ No data backups

Follow the "3-2-1" rule, keep at least one copy where ransomware running on the production network cannot reach it, and test that the backups actually restore. "Ensure that you have three copies of your data (your production data and two backup copies) on two different media (disk and tape) with one copy off-site (meaning offline, using a hard drive) for disaster recovery," says Simon Hughes, general manager of cyber insurance company Cowbell.

4/ Not having an incident response plan

Decide in advance how the company will respond if it is attacked. An incident response plan sets out who does what once an incident is detected: how to contain it, whom to notify (including the insurer, legal counsel and, where required, regulators and affected customers), and how to restore systems.

“It should be put in place before ever falling victim,” says Hughes, who stresses that having a plan will reduce the time and money it takes to get the business back up and running.

5/ Failing to train your staff 

Remember that employees can fall for phishing emails, choose weak passwords or log in to company systems from insecure personal devices; these are among the most common ways attackers get in. Run regular cybersecurity training for all staff, covering everything from spotting a scam email to handling sensitive data.

Daphné Leprince-Ringuet

Daphné Leprince-Ringuet is a reporter for Sifted based in Paris and covering French tech. You can find her on X and LinkedIn