Sifted Talks

June 22, 2023

How much do startups need to invest in data security?

We asked the experts how startups can protect their customer’s data on tight budgets

Tom Ritchie

5 min read

In partnership with


Recent data breaches at corporations such as the BBC, British Airways and Boots have made headlines. These names may grab attention, but the threat of cyber attacks for startups is existential. A study by the US National Cyber Security Alliance found 60% of small businesses shut down within six months of a data breach. 

What steps can startups take to avoid that fate? How much do they need to invest in their cybersecurity in their earliest stages? And how do you implement a company culture with data security at its core? 

We put these questions to our expert panel: 

  • Herman Errico, cybersecurity executive at Vanta, an automated cybersecurity platform
  • Emily Castles, cofounder and CTO at global employee payment platform Boundless
  • Miguel Pinho, head of technology at Seedcamp

Watch this Sifted Talks here or read about what we learnt: 

1/ Most startup breaches are accidental, rather than malicious

Errico said that phishing attacks were increasing, while Pinho pointed out that generative AI had the potential to sophisticate the methods of bad actors. 


One of the main risks to startups is through a lack of process in adopting cloud technologies. Errico said cloud environment misconfiguration — any glitches, gaps or errors in the implementation of a cloud platform — could leave a startup vulnerable to attack. He also said that while the cloud brought many benefits to agile businesses, it does have greater risk than on-premise, especially in a company’s early days.

The shift is really more companies have started to use cloud environments…That brings a lot of agility, but it exposes you to a lot of new threats” — Herman Errico, Vanta

2/ Update your policy and tools as your risk profile changes

The amount of budget, tools and data safety policies required to protect a company’s data is never uniform. However, there are one or two tools that will always be helpful. 

Pinho said something as simple as a password manager could be overlooked by startups, while Errico listed software such as anti-virus, cloud configuration and spam filters as need-to-haves. 

However, he also said that startups needed to look at the tools they used as and when the risk profile of the company changes. Castles said that a company’s exposure to risk increased as it grew, and can become even greater when operating across countries. That may require the business to seek out greater protections, such as liability or cyber insurance. 

You should have people on your management team that are worrying about risk, and it increasingly becomes something you should talk about more and more” — Emily Castles, Boundless

3/ Security isn’t just tech, you need cultural buy-in

The need to reach a certified level of compliance is paramount in the current landscape, especially for SaaS businesses. Each member of the panel suggested that failing to get an ISO 27001 — an international standard for data management — would result in losing business. 

Getting the right tech in place to achieve this is obviously important, but instilling a culture where proper data policy is followed is just as crucial. Castles said leaders needed to be vocal about proper oversight from the beginning, while Pinho made the case for a company-wide commitment to proper data management, not just within specific teams. 

It floats to everything. It's not only for the technical people but also for the user interface people that are designing things and for the product people that are designing features” — Miguel Pinho, Seedcamp

4/ Business impact and incident management are key for early-stage businesses

For early-stage startups, the oversight for security generally falls on the CTO. Castles said this was the case at Boundless, which had proved difficult as she didn’t come from a cybersecurity background. She used a consultant to help build out processes, even though there wasn’t much budget in their pre-seed or seed stage. 

But even if a company doesn’t have formalised protocols, there can be discussion of how data is used, which employees should have access to confidential information and what to do when things go wrong. This can form the foundation of a more stringent policy as you grow.

Castles said the priority was to perform a business impact assessment for a breach and to implement an incident management plan as soon as possible.

An incident management plan can be really lightweight. It can be five bullet points in a Slack channel, but it means when something happens, nobody messes it up further” — Castles

5/ Act quickly and admit when things go wrong

Should the worst happen, and there is a breach or data is lost, it's important the company fronts up to its mistakes — both internally and externally. 


Pinho shared a story of a new recruit that lost 1,700 rows of customer data within their second week in the company. That led to new policy being introduced and any potential issues being resolved quickly. 

Errico pointed out that with GDPR regulations, a company needs to inform its customers of a data breach within 72 hours. He suggests that any company that doesn’t deal with such a scenario quickly and efficiently could lead themselves open to fines, litigation from customers and trouble with investors.

You need to have a process in place to communicate to the client that there is a breach occurring within my organisation, while you deal with the breach” — Errico

Like this and want more? Watch the full Sifted Talks here: