Cybersecurity for non-techies: What every startup needs to know from day 1
When talking about cybersecurity, many early-stage startups think that it is a topic reserved for large companies, complex servers or specialized IT teams. However, the reality is that digital security must be present from minute zero, especially in startups with small teams and without a technical profile in the founding team.
According to the Cyberthreat Defense Report 2024 from CyberEdge Group, more than 80% of organizations globally suffered at least one cyberattack in the last year. And many of them were startups or SMEs that did not have basic protection measures in place.
In our community, unfortunately, many founders have gone through an attack by cybercriminals, which compromises the continuity of the startup, the founder's reputation, and customer data, and can also cause legal problems.
Why should you care about cybersecurity if you're just starting out?
Your startup can be an easy target: attackers know that startups tend to have weaker systems and fewer resources dedicated to security.
Data is your most valuable asset: users, customers, IP... All this can be lost or leaked if there is no basic protection.
One incident can cost you your reputation (and customers): according to IBM, the average cost of a data breach in small businesses is around $2.98 million.
The investment in security is cheaper than the consequences of ignoring it.
Let's not underestimate the mental health damage it can cause: imagine that everything you have built up could be at stake at a moment's notice.
8 things every founder should know (and do)
1. Strong (and unique) passwords are not optional.
Yes, it is basic, but it is still the Achilles heel of many startups. Use password managers (such as Google Password Manager or Bitwarden) and enable two-step authentication on all critical accounts (email, cloud storage, CRM, etc.).
Avoid day-to-day carelessness, because not every attack comes from outside. Sometimes, the risk lies in unsafe habits within the team:
Leaving passwords written down on post-its or in unprotected shared documents.
Sharing access via Slack or WhatsApp without encryption.
Leaving the computer unlocked when going out to eat.
Using public Wi-Fi without a VPN.
All of these are open doors to leaks. So, try to foster a culture of digital care with small clear rules and a lot of common sense.
2. Minimal and controlled access
Avoid giving everyone access to everything. There is a principle called "least privilege": each person should have access only to what he or she needs. This may seem obvious, but it is very important: it avoids human error.
And remember: when someone leaves the team, revoke their access immediately.
3. Beware of suspicious e-mails
Phishing continues to be one of the most frequent threats. A single click on a malicious link can put all your information at risk. If something in an email seems strange to you - such as an unusual tone, an unexpected file or a slightly altered domain - do not act on impulse. The best thing to do is to contact the person in question directly through another channel (telephone, internal chat, etc.) to confirm that the message is legitimate. When in doubt, it is better to be safe.
4. Automatic and encrypted backups
Make regular backups of your critical information (database, legal documents, etc.). Use services with end-to-end encryption and check that backups are running correctly.
5. Review your tools and suppliers
Don't assume that a tool is secure just because it is known. Investigate if it complies with regulations such as GDPR, if it offers encryption, if it has a history of incidents. Read the fine print.
6. Educate (and re-educate) the team on a regular basis.
Cybersecurity is not just for the technical area. Hold small sessions or periodic reminders to keep the team up to date on best practices: how to detect phishing attempts, what to do in the event of an incident, how to handle sensitive information, etc.
7. Have a plan for when something goes wrong
Don't wait for an incident before improvising. Design a response plan for cyber-attacks or information leaks. Who should act? What steps should be taken? How to communicate it to the team or to users if necessary? Having clarity can greatly minimize the damage.
8. Secure devices, even if personal
In startups, personal devices are often used for work. Make sure they are protected with antivirus, firewall, encrypted disks and automatic locking. If there is budget, consider MDM (Mobile Device Management) tools to centrally manage devices.
Cybersecurity is not a plugin: it should be part of your culture.
Including best practices from the beginning not only protects you, but also positions you better in front of investors and customers. Many funds and corporations already require startups to have a certain degree of digital maturity before collaborating.
And the best part: you don't need to be a technician to start getting it right. Just adopt a preventive mindset, rely on simple tools and keep your team informed.
Don't know where to start?
At Tetuan Valley, we know that taking the first steps in cybersecurity can seem complex, especially without a technical profile in the team. That is why we accompany founders on this path through different initiatives and practical resources.
We have initiatives designed for early-stage and growing startups, and together with INCIBE we offer different programs such as the Startup School, the ScaleUp School and, especially, the Express Acceleration program, where we help incorporate cybersecurity as an integral part of the business model.
We also promote the W4C Startup School, a special edition focused on women entrepreneurs in the cybersecurity sector. And if you are interested in knowing more, you can click this link.
Also, if you are exploring options for implementing digital solutions with financial support, you can benefit from the Digital Kit, a grant from the Government of Spain to digitize SMEs and the self-employed, which includes options linked to cybersecurity.
So, we invite you to subscribe to our newsletter to receive free resources, open calls and upcoming content on how to protect and strengthen your startup from day one.
Cybersecurity is not just for big companies or technical teams. If you have a startup, protecting your data and that of your users is key from day one. In this article we tell you, step by step and without technicalities, what you should take into account to reduce risks from the beginning and how Tetuan Valley can help you incorporate cybersecurity into your growth.