Startup Security Basics You're Probably Ignoring

A startup I advise got breached last month. Customer data leaked. They’d raised $2M. Now they’re spending $200K on incident response.

They knew they should have done better. They didn’t.

Here’s the minimum security every startup should have.

The Basics (Do These Today)

Two-Factor Authentication Everywhere

Every single account. No exceptions. Google Workspace, GitHub, AWS, bank accounts, everything.

Use app-based 2FA (Google Authenticator, Authy) or hardware keys. SMS 2FA is better than nothing but worse than app-based.

Time to implement: 2 hours for a 10-person team.

Password Manager for the Team

Everyone uses unique passwords for everything. Shared credentials go in a team vault.

1Password or Bitwarden for teams. Both are fine.

Time to implement: 1 day for setup and training.

Principle of Least Privilege

People only have access to what they need. A junior developer doesn't need production database admin rights. Marketing doesn't need the AWS console.

Review permissions quarterly. Remove access same-day when people leave.

Time to implement: Half day initially, 2 hours quarterly.

Code and Infrastructure

Secrets Management

No secrets in code. No API keys in git history. Use environment variables and secrets managers.

Tools: Doppler, HashiCorp Vault, or just AWS Secrets Manager.

Check your git history. If there are secrets there, rotate them immediately.
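As an added example (not code from the post), here is a small scanner for that git-history check: it flags well-known credential formats and high-entropy assignments on added lines of diff text. The patterns, the 3.5 bits/char entropy threshold and the sample hunk are assumptions; pipe `git log -p --all` into it and rotate anything it reports.

```python
import math
import re
import sys
from collections import Counter

# Known credential formats plus a generic assignment pattern (assumed, not exhaustive).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)[a-z_]*\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9/+_\-]{12,})"),
}

# Constructed hunk in `git log -p` shape; AKIAIOSFODNN7EXAMPLE is AWS's documented dummy key.
SAMPLE_DIFF = """\
@@ -1,3 +1,4 @@
-DB_PASSWORD = "xxxxxxxxxxxxxxxx"
+DB_PASSWORD = "Qm7xK2pL9vR4tW8y"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+PLACEHOLDER_TOKEN = "xxxxxxxxxxxxxxxxxxxx"
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, placeholders like 'xxxx' score 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def find_secrets(text: str, min_entropy: float = 3.5):
    """Return (line_no, kind, value) per suspicious line. '-' lines are skipped: a secret
    removed later still appears as '+' in the commit that added it."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("-"):
            continue
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m is None:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "generic_secret" and shannon_entropy(value) < min_entropy:
                continue  # low-entropy placeholder, not a real credential
            hits.append((line_no, kind, value))
    return hits

if __name__ == "__main__":  # usage: git log -p --all | python scan_history.py
    for line_no, kind, value in find_secrets(sys.stdin.read()):
        print(f"line {line_no}: {kind}: {value[:6]}...")  # print a prefix, never the full value
```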

Dependency Scanning

You’re using open source libraries. Some have vulnerabilities.

Enable GitHub Dependabot or Snyk. Auto-scan for known vulnerabilities. Actually fix the critical ones.

Time to implement: 30 minutes to enable. Ongoing time to fix issues.

Basic Monitoring

Know when something weird happens. Failed login attempts. Unusual API usage. Error spikes.

At minimum: CloudWatch or DataDog alerts for anomalies. Review weekly.
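The failed-login case above, as an added example that is not from the post: the sliding-window threshold a CloudWatch or Datadog alert would encode, run over constructed auth-log lines. The log format, the threshold of 5 failures in 60 seconds, and time-ordered input are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth-log lines in an assumed app format (ISO timestamp, result, user, source IP).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login FAILED user=alice src=203.0.113.7
2024-05-01T10:00:05Z login FAILED user=bob src=203.0.113.7
2024-05-01T10:00:09Z login FAILED user=carol src=203.0.113.7
2024-05-01T10:00:12Z login OK user=dave src=198.51.100.4
2024-05-01T10:00:13Z healthcheck ok
2024-05-01T10:00:15Z login FAILED user=dave src=203.0.113.7
2024-05-01T10:00:20Z login FAILED user=erin src=203.0.113.7
2024-05-01T10:03:00Z login FAILED user=alice src=198.51.100.4
2024-05-01T10:20:00Z login FAILED user=bob src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that are not login events."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["result"], m["user"], m["src"]

def failed_login_bursts(log_text, threshold=5, window_seconds=60):
    """Map source IP -> time of first alert, for sources with >= threshold failed
    logins inside any sliding window of window_seconds (input assumed in time order)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-source timestamps of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "FAILED":
            continue
        ts, _, _, src = rec
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # evict failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    for src, when in failed_login_bursts(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} {src}: burst of failed logins")
```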

Data Protection

Encryption at Rest

Your database should encrypt data at rest. Most managed databases (RDS, Cloud SQL) do this by default.

Verify it’s actually enabled. Don’t assume.
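One way to do that verification for RDS, as an added example rather than the post's own code: filter the DescribeDBInstances response for anything not marked encrypted. The filter runs on a constructed response; the live lookup assumes boto3 and AWS credentials for the current region.

```python
def unencrypted_rds_instances(describe_response):
    """Identifiers from a describe_db_instances response whose StorageEncrypted is not True
    (a missing field is treated as unencrypted rather than assumed safe)."""
    return sorted(
        db["DBInstanceIdentifier"]
        for db in describe_response.get("DBInstances", [])
        if db.get("StorageEncrypted") is not True
    )

# Constructed response using the real field names of the RDS DescribeDBInstances API.
SAMPLE_RESPONSE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "prod-db", "StorageEncrypted": True},
        {"DBInstanceIdentifier": "staging-db", "StorageEncrypted": False},
        {"DBInstanceIdentifier": "analytics-db"},
    ]
}

def unencrypted_in_account():
    """Live check: page through every instance in the current region (needs boto3 + credentials)."""
    import boto3  # imported here so the filter above stays runnable without AWS access
    rds = boto3.client("rds")
    found = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        found.extend(unencrypted_rds_instances(page))
    return found

if __name__ == "__main__":
    # RDS cannot switch encryption on in place: the fix is snapshot, copy with encryption, restore.
    for name in unencrypted_in_account():
        print(f"NOT ENCRYPTED AT REST: {name}")
```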

Encryption in Transit

HTTPS everywhere. No exceptions. Free with Let’s Encrypt or your cloud provider.

Check that your staging environments use HTTPS too. Developers get sloppy.

Backups

Automated backups. Test restoring them. Store backups somewhere separate from production.

If ransomware hits, backups are your recovery plan. But only if they work.

The Human Layer

Security Training

Your team will get phishing emails. They’ll be tempted to click suspicious links.

Basic training: 1-hour session on common attacks. Repeat annually.

Phishing simulation: Services like KnowBe4 test your team. Worth it.

Incident Response Plan

When (not if) something goes wrong, who does what?

Write it down:

  • Who gets called?
  • What’s the escalation path?
  • Who talks to customers?
  • Who handles legal?

One page is enough. Having something beats having nothing.

Vendor Security

That SaaS tool you use? They have your data too.

Basic vendor check:

  • SOC 2 compliance?
  • Clear security policy?
  • Data handling terms in contract?

Don’t deep-dive every vendor. But for anything touching customer data, do basic diligence.

What You Can Skip (For Now)

Penetration Testing

Valuable but expensive. Do it before you raise Series A or handle serious customer data. Not necessary at day one.

Compliance Certifications

SOC 2, ISO 27001, etc. Expensive and time-consuming. Get them when enterprise customers require them.

SIEM and Advanced Monitoring

Security information and event management tools are overkill for small teams. CloudWatch alerts are enough initially.

Bug Bounty Programs

Great for mature companies. Premature for startups. You’ll get buried in reports you can’t handle.

The Compliance Question

Eventually, customers will ask about compliance.

If you handle healthcare data: HIPAA is non-negotiable. Get help.

If you handle European customer data: GDPR basics. Cookie consent, data deletion rights, breach notification.

If you want enterprise customers: SOC 2 is increasingly expected. Plan 6-12 months and $50-100K to get it.

If you handle payments: PCI compliance. Use Stripe—they handle most of it.

The Real Security Risk

The biggest risk isn’t sophisticated hackers. It’s:

  • Leaked credentials from phishing
  • Misconfigured cloud services
  • Former employees with active access
  • Developers pushing secrets to GitHub

Basic hygiene prevents 90% of breaches. Do the basics before worrying about advanced threats.

My Security Checklist

Do these in order:

  1. 2FA everywhere (Week 1)
  2. Password manager (Week 1)
  3. Access review and cleanup (Week 2)
  4. Secrets out of code (Week 2)
  5. Dependency scanning enabled (Week 3)
  6. Basic monitoring (Week 3)
  7. Backup verification (Week 4)
  8. Team security training (Month 2)
  9. Incident response plan (Month 2)
  10. Vendor security review (Month 3)

Total time: Maybe 40 hours spread over a few months. Cost of a breach: Potentially your entire company.

Do the basics. Sleep better.