Running a startup means operating in a permanent state of too much to do and not enough time. Security sits on the list somewhere below hiring, product, customers, revenue, and about twelve other things that feel more urgent. This is understandable. It is also a setup for a specific kind of disaster that tends to hit at the worst possible moment.
Small startups are genuinely vulnerable. Not in an abstract, theoretical way. In a concrete, happening-right-now way. Automated attacks scan for the exact gaps that startups consistently have. And the damage when something goes wrong is disproportionate, because a startup does not have the financial cushion or the institutional infrastructure to absorb a serious breach and keep moving. This checklist is designed to get you to a defensible baseline without consuming weeks of time or requiring expertise you do not have. Work through it section by section. Not everything in one sitting, but steadily, with actual follow-through.
Identity and Access Management
Set up a proper business email domain and enforce its use for everything work-related. Personal email addresses should not be used for any business account. This is foundational: when someone leaves the company you have no control over the accounts they set up using a personal address on behalf of the business. It also makes offboarding clean. Deactivate the business email account and every account that signs in or recovers through it goes with it. Where a tool supports signing in with your business identity provider (Google Workspace or Microsoft 365 single sign-on), use that instead of a separate password, so that one deactivation really does cover everything.
Enable multi-factor authentication on every account that supports it. Start with email, then banking, then any account that holds financial information or client data, then work outward from there. Prefer an authenticator app or a hardware security key over SMS codes where the account offers them; SMS codes can be stolen through SIM-swap attacks, though SMS is still far better than no second factor. This is the single highest-impact action on this entire list. If you do nothing else today, enable MFA on your business email account right now. Deploy a password manager and make it mandatory before the week is out. Assign licenses to every team member. Set up shared vaults for accounts the team shares access to. Change every shared account password to something generated by the manager. Run this as a required process, not an optional upgrade.
Create a written offboarding checklist and keep it somewhere everyone can find it. When someone leaves, whether on good terms or not, you need to revoke their access to every system within the hour. Email, project management, cloud storage, code repositories, communication tools, any SaaS product they had credentials for. Rotate any shared passwords, API keys, or deploy keys the person knew, because revoking their login does nothing for a secret they may have copied. Write the list when you are calm and have time to think, not in the middle of an uncomfortable departure.
Device Security
Enable full-disk encryption on every machine used for work. On a Mac this is FileVault, found in System Settings under Privacy & Security. On Windows it is Device encryption in Settings under Privacy & security, or BitLocker Drive Encryption on Pro and Enterprise editions. Both take a few clicks and run invisibly after the initial setup. Store the recovery keys somewhere other than the laptop itself, such as the team password manager, or a locked-out user becomes a lost machine. If a laptop is stolen while powered off or locked, the encrypted data is unreadable without the login password or recovery key. Unencrypted, a stolen laptop is a stolen hard drive worth however much sensitive data you had on it.
- Set automatic screen locks after no more than five minutes of inactivity. It sounds minor. It becomes non-minor the moment a laptop gets left unattended at a conference, a coworking space, or a coffee shop.
- Turn on automatic updates for operating systems and all work applications, browsers included. Break the habit of clicking Remind Me Later. A large share of successful attacks exploit vulnerabilities for which patches have been available for weeks or months. Keeping software current is one of the most reliable defenses available and requires almost no ongoing effort once automatic updates are enabled.
- For any personal devices that access company data, which in most early-stage startups means everyone’s phone and possibly their personal laptop, set a minimum standard: full-disk encryption enabled, operating system current, screen lock with biometric or PIN required. Communicate this as a condition of accessing company systems, not a preference.
Network Security
Require VPN use whenever team members connect from any network other than their own home network. Coffee shops, hotels, airports, coworking spaces, anywhere. Set the VPN client to connect automatically on unfamiliar networks so the decision does not rely on remembering. Be clear with the team about what this buys you: a VPN hides your traffic from whoever runs or shares the local network and stops that network from redirecting you. It does nothing against phishing or a compromised laptop, so it is a complement to the other items here, not a substitute.
If you have a physical office, set up a separate guest WiFi network isolated from any internal systems. Visitors connecting to your network should have no access to anything beyond basic internet. Change the admin password on every office router from whatever it shipped with, and install the current firmware while you are in there. Default router credentials are publicly documented and are among the first things automated attacks try. This takes two minutes.
Review your domain's email authentication settings. SPF, DKIM, and DMARC records protect against attackers sending mail that appears to come from your domain. SPF lists which servers are allowed to send for the domain, DKIM signs outgoing messages so receivers can verify them, and DMARC tells receivers what to do with mail that fails both checks and where to send reports. If you are not sure whether these are configured, check with whoever manages your domain's DNS (often your registrar, not your web host) or use a free online DMARC checker. No record found means work to do, and it is a one-time task. Note that a DMARC policy of p=none only reports and does not block anything; once the reports confirm your legitimate senders pass, move to p=quarantine and then p=reject.
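The check above can be automated once you have the raw TXT records in hand. The script below is an added example, not part of the original checklist: it reads SPF and DMARC record strings (in practice, the output of `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`) and flags the weak settings a practitioner looks for, including a neutral or permissive `all` mechanism, the RFC 7208 limit of ten DNS-querying mechanisms, a monitoring-only `p=none`, and a missing reporting address. The record strings and `.test` domains are constructed samples, not real lookups.

```python
"""Assess SPF and DMARC TXT records for common weaknesses.

Input is the raw TXT string for the domain (SPF) and for _dmarc.<domain> (DMARC).
All records below are constructed samples, not real domains' DNS data.
"""
import re

# Constructed sample records (assumed .test domains, not real lookups)
SAMPLE_SPF_GOOD = "v=spf1 include:_spf.example-mail.test -all"
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.example-mail.test ~all"
SAMPLE_SPF_BAD = "v=spf1 a mx +all"
SAMPLE_DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
SAMPLE_DMARC_GOOD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.test"

# Mechanisms that cost a DNS lookup under RFC 7208 (limit: 10 per evaluation)
_LOOKUP_MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means nothing to fix."""
    if not record:
        return ["no SPF record: any host can send mail claiming to be from this domain"]
    mechanisms = record.split()
    if mechanisms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1; receivers will ignore it"]
    findings = []
    terminal = mechanisms[-1].lower()
    if terminal in ("+all", "all"):
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif terminal == "?all":
        findings.append("'?all' is neutral: unauthorised senders are neither passed nor failed")
    elif terminal == "~all":
        findings.append("'~all' softfail: forged mail is marked, not rejected; move to '-all' "
                        "once DMARC reports show no legitimate sender is missed")
    elif terminal != "-all":
        findings.append("record has no terminal 'all' mechanism")
    lookups = sum(1 for m in mechanisms[1:]
                  if _LOOKUP_MECH.match(m.lower()) or m.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceeds the limit of 10; "
                        "receivers return permerror and treat SPF as broken")
    return findings


def assess_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means nothing to fix."""
    if not record:
        return ["no DMARC record: receivers get no policy for failing mail and you get no reports"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1; receivers will ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; forged mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or unrecognised policy: {policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports have nowhere to go")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    return findings


if __name__ == "__main__":
    for label, rec in [("SPF good", SAMPLE_SPF_GOOD), ("SPF weak", SAMPLE_SPF_WEAK),
                       ("SPF bad", SAMPLE_SPF_BAD)]:
        print(label, assess_spf(rec) or ["ok"])
    for label, rec in [("DMARC none", SAMPLE_DMARC_NONE), ("DMARC good", SAMPLE_DMARC_GOOD)]:
        print(label, assess_dmarc(rec) or ["ok"])
```

The domain-suffix handling is deliberately minimal: the script judges the record text you hand it and does not follow `include:` chains, so a large lookup count hidden inside an included record would need a recursive resolver to catch.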
Data and Cloud Storage
Make a list of where your sensitive data actually lives. Client information. Employee records. Financial data. Contracts. Intellectual property. Source code if relevant. For each category, identify which tool or platform holds it and who currently has access. You will likely find access that should not exist: former team members, overly broad permissions, shared links that never expired.
Implement the 3-2-1 backup rule for everything that matters. Three copies of the data. Two on different types of storage. One offsite or in the cloud. Most importantly, actually test your backups by restoring from them. A backup you have never tested is a backup that may not work when you need it. Ransomware specifically targets backups, so keep at least one copy where the credentials used in day-to-day work cannot reach it: offline, or in versioned or immutable cloud storage (object lock or retention policies) that a compromised account cannot overwrite or delete.
Tighten cloud storage sharing settings. Disable public link sharing where possible, or require sign-in to access shared links. Set expiration dates on anything shared externally. Review folder permissions quarterly.
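"Test your backups by restoring from them" is only meaningful if you can tell whether the restore is faithful. The script below is an added example, not part of the original checklist: it records a SHA-256 manifest of the source tree when the backup is taken, then compares a restored copy against that manifest and reports files that are missing, changed, or unexpected. The directories, file names and contents are constructed in a temporary folder so the demo runs offline; `copytree` stands in for a real restore, and the deliberate tampering afterwards shows what a damaged restore looks like.

```python
"""Verify a restored backup against a manifest taken at backup time.

All files here are constructed in a temp directory; nothing touches real data.
"""
import hashlib
import os
import shutil
import tempfile


def build_manifest(root: str) -> dict:
    """Map each file path (relative to root, '/'-separated) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a restored tree with the backup-time manifest.

    Returns missing, changed and extra paths; all three empty means a faithful restore.
    """
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in restored),
        "changed": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "extra": sorted(p for p in restored if p not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: back up, restore cleanly, then damage the copy and re-verify."""
    work = tempfile.mkdtemp(prefix="restore-test-")
    try:
        source = os.path.join(work, "source")
        os.makedirs(os.path.join(source, "contracts"))
        with open(os.path.join(source, "contracts", "acme.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample contract")
        with open(os.path.join(source, "payroll.csv"), "w") as fh:
            fh.write("name,amount\nconstructed,100\n")

        manifest = build_manifest(source)       # taken when the backup is made
        restored = os.path.join(work, "restored")
        shutil.copytree(source, restored)       # stands in for the real restore step
        clean = verify_restore(manifest, restored)

        # Simulate silent corruption or ransomware touching the restored copy
        with open(os.path.join(restored, "payroll.csv"), "a") as fh:
            fh.write("attacker,999999\n")
        os.remove(os.path.join(restored, "contracts", "acme.pdf"))
        damaged = verify_restore(manifest, restored)
        return {"clean": clean, "damaged": damaged}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the backup but also somewhere the backup job's credentials cannot modify; a manifest that ransomware can rewrite along with the data proves nothing.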
Phishing and Social Engineering
Have an actual conversation with your team about phishing: not a video, a conversation. Show real examples of what convincing phishing emails look like. Walk through the specific signals that reveal them. Teach the hover check: the visible link text and the address it actually points to are often different, and a sender display name says nothing about the domain the mail really came from. Establish that it is always acceptable to verify through a separate channel before acting on any email request involving money, credentials, or sensitive information, and that requests to change bank details or buy gift cards get a phone call every time.
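The hover check and the sender check can be automated over a message body, which is also a good way to build the "real examples" for that conversation. The script below is an added example, not part of the original checklist: it parses an HTML email with the Python standard library, lists every link whose visible text is a URL on one domain while the `href` points at a different one, and flags a From address that uses a look-alike of the company domain. The email, the company domain `acme.test` and the `.test` sender domains are constructed for the demo; the registrable-domain helper is a two-label approximation and does not handle suffixes like `.co.uk`.

```python
"""Automate the phishing 'hover check' and a look-alike sender check.

The message below is a constructed sample, not a real phishing email.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "acme.test"  # assumed legitimate domain for the sample

SAMPLE_EMAIL = """\
From: "Acme Payroll" <payroll@acme-corp-secure.test>
To: finance@acme.test
Subject: Action required: confirm your direct deposit
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your payroll profile needs re-verification within 24 hours.</p>
<p>Sign in at <a href="http://acme.test.login-verify.test/portal">https://hr.acme.test/portal</a></p>
<p>Questions? Visit <a href="https://hr.acme.test/help">our help centre</a>.</p>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; adequate for the demo, wrong for ccTLDs like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> list:
    """Return (visible_text, href) pairs whose shown domain differs from the real target."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href).hostname
        shown = urlparse(text if "://" in text else "//" + text).hostname
        # Only judge link text that itself looks like a host or URL
        if target and shown and "." in shown and registrable_domain(shown) != registrable_domain(target):
            findings.append((text, href))
    return findings


def sender_domain_finding(from_header: str, company_domain: str):
    """Flag a From: address off the company domain whose name or domain borrows the brand."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == company_domain:
        return None
    brand = company_domain.split(".")[0]
    if brand in domain or brand in name.lower():
        return f"sender {addr!r} uses look-alike domain {domain!r} (display name {name!r})"
    return None


def analyse(raw_email: str, company_domain: str) -> dict:
    """Run both checks over a single-part HTML message (production code would walk MIME parts)."""
    msg = message_from_string(raw_email)
    body = "" if msg.is_multipart() else msg.get_payload()
    return {
        "mismatched_links": mismatched_links(body),
        "sender": sender_domain_finding(msg.get("From", ""), company_domain),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL, COMPANY_DOMAIN).items():
        print(key, value)
```

The second link in the sample is left alone on purpose: plain words as link text give the reader nothing to compare against, so the check only fires when the visible text itself claims a destination.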
Be thoughtful about what your company shares publicly on LinkedIn and social media. Job titles, project names, client relationships, technology stack details. All of that is research material for targeted attacks. This does not mean going dark, but it means being conscious of the information landscape you are creating.
Run a simulated phishing test if you can. Services like KnowBe4 have options for small teams. The experience of nearly falling for a fake phishing email is more effective training than anything abstract.
Vendors and Third-Party Access
Make a list of every third-party service that has access to your systems or data. Your accounting software, your CRM, your customer support platform, your analytics tools, your deployment infrastructure, your communication stack. Each one is a potential attack vector that exists outside your direct control.
For each vendor that handles sensitive data, understand what data they actually store, where it is held, and what their security practices look like. Most reputable vendors publish security documentation and have completed SOC 2 audits. If a vendor cannot tell you where your data is stored and who can access it, that is a meaningful red flag. Audit and remove integrations and API connections for tools you no longer actively use, including the third-party apps that have been granted OAuth access to your Google Workspace or Microsoft 365 tenant, which are listed in the admin console. Startups accumulate connected applications quickly. An annual cleanup of stale integrations eliminates attack surface that nobody is actively monitoring.
Incident Response
Write a one-page incident response plan and make sure everyone on the team has seen it. It does not need to be comprehensive. It needs to answer four questions clearly. Who gets notified first when something goes wrong? What is the first action taken? Who has the authority to shut down systems if necessary? What are the legal notification requirements if client data was involved? Include a contact method that does not depend on your email or chat tools, since the compromised system may be the one you would normally use to coordinate.
Know your breach notification obligations before you need them. Depending on your industry, jurisdiction, and the type of data you handle, you may have legal requirements around notifying clients, regulators, or affected individuals within specific timeframes. Understanding these obligations in advance, rather than during the chaos of an actual incident, is the difference between responding competently and making things significantly worse. The businesses that survive security incidents are almost always the ones that responded quickly and decisively. Quick response requires having thought through what you would do before it happens.