6 things every founder should do about cybersecurity

I’ve long been of the view that cybersecurity is not an IT issue that can be delegated away. It is a core business risk, and ultimately a CEO responsibility. And the age of AI makes it even more so.

According to Verizon’s 2025 Data Breach Investigations Report, small businesses are now targeted nearly four times as often as larger organisations. That’s because large companies have hardened their defences, so attackers have moved down the chain. For early-stage companies, the exposure is even worse: lean teams, overlapping roles, and a culture of moving quickly often create the conditions that attacks are designed to exploit. And AI has removed the last barrier to attacking at scale. AI-generated phishing emails now achieve open rates of up to 78%, compared to around 12% for traditionally crafted attacks, and cost 95% less to execute. Add to this the fact that most startup teams now work remotely, across personal networks, hotel Wi-Fi, and co-working spaces that are straightforward for attackers to monitor or spoof, and the exposure is considerably higher than it was even three years ago.

The majority of serious incidents do not start with a sophisticated technical breach. They start with a process gap: an unclear payment approval, a former employee whose access was never revoked, or a team member using a personal AI tool that carries no data protection guarantees. These are leadership-level challenges.

The good news is that getting the basics right eliminates the majority of avoidable incidents. None of the following requires a dedicated security team or significant budget.

Any payment request needs verbal confirmation

Business Email Compromise attacks work by impersonating a founder or executive to pressure someone into processing an urgent payment or updating banking details. They are effective because they exploit hierarchy, fear, and speed. And they are getting more and more convincing and sophisticated.

The fix is simple: any request involving a wire transfer, a change of banking details, or a document signature must be confirmed on a live phone call to a number you already have saved, never a number taken from the email, the attached invoice, or the signature block of the message, because the attacker controls all of those. Recognising the voice is not the check either, now that cloned voices are cheap; what does the work is calling back on a number obtained independently of the request. This one rule, consistently applied, stops the most common and most financially damaging attacks.

One specific note for remote and travelling team members: if you need to act on something sensitive while away from the office, tether from your phone rather than use hotel or co-working Wi-Fi. The mobile connection is under your control and encrypted to the carrier, it takes thirty seconds to set up, and a spoofed hotspot or captive portal cannot sit in the middle of it. Never leave a device unlocked and unattended, even for two minutes: a hardware keylogger plugs in between keyboard and port in seconds and is hard to spot, so a short auto-lock timeout and full-disk encryption are the cheap backstop.

MFA on every critical system, with no exceptions

Multi-factor authentication needs to be enforced on email, banking, cloud infrastructure, and code repositories without exception. Where supported, passkeys are preferable to one-time codes: a code can be phished and relayed in real time, whereas a passkey is bound to the genuine site and will not authenticate to a look-alike, and SMS codes are the weakest option of all. With MFA active, a compromised password alone is not enough to get in, which stops most attacks. Without it, a single phishing click can hand over an entire account.

Handle customer data as carefully as you would handle cash

The moment you collect, store, or process customer data, your obligations increase materially. One practice that is genuinely underused: store internal identifiers rather than real names wherever possible, so “User 1234” in place of “Jane Doe”. It sounds trivial, but it significantly limits the damage if systems are compromised, because the data becomes far less usable to an attacker. The caveat is that the table linking identifiers back to real people has to live somewhere separate, with tighter access than the rest of your data; if it sits in the same database with the same credentials, the identity is one join away and nothing has been gained.

More broadly, do not collect data you do not strictly need. Every additional data field increases your exposure, your compliance burden, and the cost of a breach. If you do not need it, do not store it.
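As an added illustration of both points (this is example code written for this page, not anything from the article or a particular vendor), the Python below keeps the only link between an opaque identifier and a real person in a separate vault, while the operational store holds nothing but that identifier and an allowlist of fields, so anything you decided not to collect is refused at write time. The class and function names, the `usr_` prefix, the allowlist and the sample customer are all constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed allowlist: the only customer attributes the product needs day to day.
# Anything else (date of birth, full address, phone) is simply never collected.
ALLOWED_OPERATIONAL_FIELDS = {"plan", "signup_month", "country"}


@dataclass
class IdentityVault:
    """The one place that links an opaque ID to a real person.

    In a real deployment this is a separate database (or a tokenisation
    service) with stricter access control and audit logging than the
    operational store, so a compromise of the latter yields only IDs.
    """
    _by_id: dict = field(default_factory=dict)
    _by_email: dict = field(default_factory=dict)

    def enrol(self, name: str, email: str) -> str:
        # Returning customers keep their existing ID so records stay consistent.
        if email in self._by_email:
            return self._by_email[email]
        # Random, non-guessable identifier: nothing derived from the person and
        # no sequential number that lets an attacker enumerate customers.
        user_id = "usr_" + secrets.token_hex(8)
        self._by_id[user_id] = {"name": name, "email": email}
        self._by_email[email] = user_id
        return user_id

    def lookup(self, user_id: str) -> dict:
        """Resolve an ID back to a person: only support and billing need this."""
        return self._by_id[user_id]

    def known_values(self) -> list[str]:
        """Every name and email held in the vault, used by the leak check below."""
        return [v for person in self._by_id.values() for v in person.values()]


class OperationalStore:
    """Product, support and analytics data, keyed by opaque ID only."""

    def __init__(self) -> None:
        self.records: dict[str, dict] = {}

    def put(self, user_id: str, **attrs) -> None:
        # Enforce data minimisation on the write path: refuse fields that were
        # never approved, which also stops PII leaking in by accident.
        unexpected = set(attrs) - ALLOWED_OPERATIONAL_FIELDS
        if unexpected:
            raise ValueError(f"refusing to store fields: {sorted(unexpected)}")
        self.records[user_id] = dict(attrs)


def leaks_identity(ops: OperationalStore, vault: IdentityVault) -> bool:
    """True if any name or email from the vault appears in the operational data."""
    dump = repr(ops.records)
    return any(value in dump for value in vault.known_values())


def build_example():
    """Constructed sample customer (not a real person) written to both stores."""
    vault = IdentityVault()
    ops = OperationalStore()
    user_id = vault.enrol("Jane Doe", "jane.doe@example.com")
    ops.put(user_id, plan="pro", signup_month="2026-01", country="GB")
    return vault, ops, user_id


if __name__ == "__main__":
    vault, ops, user_id = build_example()
    print(user_id, ops.records[user_id])      # opaque ID, no name or email
    print(vault.lookup(user_id)["name"])       # the name comes from the vault only
    print("identity leaked:", leaks_identity(ops, vault))
```

An attacker who dumps `OperationalStore` gets plans and countries attached to random tokens; turning those into people requires the vault as well, which is exactly the second, better-protected system they have to break.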

Personal AI tools are a data protection gap

Employees using personal AI accounts for work are feeding confidential information into platforms with no contractual data protection. This includes customer data, financial projections, and proprietary IP. This should already be in place everywhere, but our research shows it isn’t: mandate a company-approved AI subscription and define clearly which categories of data are off limits for any AI tool.

Access should leave the same day the person does

Many breaches originate from stale credentials: former employees or contractors who still have access to systems they no longer need. The offboarding checklist has to revoke access to every system on the day someone leaves, no exceptions, and because the list of tools a startup uses keeps growing, the checklist itself needs to be reviewed monthly so it still covers everything. That includes the OpenAI, Anthropic, Gemini, and other AI group plans you tried for a couple of months and then forgot about when the team switched to its favourite. It also has to cover what revoking a user account does not touch: any shared login or API key the person knew needs to be changed or rotated on the same day.
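As an added example (written for this page, not the article’s own material), here is the monthly reconciliation that the checklist implies, in Python: compare an HR roster against a member export from each tool, report every account that should already be gone, and flag any tool holding accounts that the leaver checklist never mentions. The roster, the tool names, the addresses, the checklist and the audit date are all constructed for the example; each real tool’s admin console has its own export format, which is assumed here to have been flattened to a list of email addresses.

```python
from datetime import date

# Constructed HR roster: who is (or was) on the team and when they left.
ROSTER = {
    "ana@startup.example": {"left": None},
    "ben@startup.example": {"left": date(2026, 2, 13)},
    "cara@startup.example": {"left": None},
}

# Constructed member exports, one list per tool, as an admin would pull them
# from each console. The AI team plan was a trial nobody added to the checklist.
SYSTEM_EXPORTS = {
    "google-workspace": ["ana@startup.example", "ben@startup.example", "cara@startup.example"],
    "github": ["ana@startup.example", "ben@startup.example"],
    "aws": ["ana@startup.example", "cara@startup.example", "ops-shared@startup.example"],
    "openai-team-plan": ["ben@startup.example", "dan@startup.example"],
}

# Constructed offboarding checklist: the systems the leaver process currently covers.
OFFBOARDING_CHECKLIST = {"google-workspace", "github", "aws"}


def audit_access(roster, exports, today):
    """Return {system: [(account, reason), ...]} for every account that should not exist.

    Two cases: the person has left (access should have gone that day), or the
    account matches nobody on the roster at all, which is how forgotten
    contractors, shared logins and orphaned trial seats show up.
    `today` may be a date or an ISO string, so the check is easy to script.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = {}
    for system, members in exports.items():
        for account in members:
            entry = roster.get(account)
            if entry is None:
                reason = "not on roster: contractor, shared or orphaned account"
            elif entry["left"] is not None and entry["left"] <= today:
                overdue = (today - entry["left"]).days
                reason = f"left {entry['left'].isoformat()}, {overdue} days ago"
            else:
                continue  # current team member: nothing to do
            findings.setdefault(system, []).append((account, reason))
    return findings


def systems_missing_from_checklist(exports, checklist):
    """Tools that hold accounts but that the leaver checklist never mentions."""
    return sorted(set(exports) - set(checklist))


if __name__ == "__main__":
    today = "2026-03-10"  # constructed audit date
    for system, hits in audit_access(ROSTER, SYSTEM_EXPORTS, today).items():
        for account, reason in hits:
            print(f"REVOKE            {system:<18} {account:<28} {reason}")
    for system in systems_missing_from_checklist(SYSTEM_EXPORTS, OFFBOARDING_CHECKLIST):
        print(f"ADD TO CHECKLIST  {system}")
```

The run on the constructed data surfaces the departed employee still present in three tools, a shared AWS login that no single leaver process would ever revoke, and a paid AI plan the checklist does not know exists. Where a tool sits behind single sign-on, disabling the identity provider account covers it; the accounts that need this reconciliation are precisely the ones that do not.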

Treat team training as ongoing rather than a one-off

Every new hire should complete a short session at onboarding covering payments, access, and what to report. The whole team should refresh this at least once a year. But the more useful habit is making it continuous: twice a year, run a short session on real attacks your team or others have encountered, how they were identified, and how people responded. Seeing how an actual attacker operated, and what a good response looked like, builds pattern recognition in a way that no policy document does. The goal is a team where scepticism is expected and welcomed, not one where people feel embarrassed to flag something that turned out to be nothing.

Cyber risk is no longer a question of if but when. None of what is described here is complicated or expensive. It is a set of decisions that need to be made before the pressure is on, and most founders have not yet made them when that moment arrives.

Startups Magazine. All rights reserved. © 2026. Company number: 06755141