Security Best Practices: Lessons Learned at a High-Growth Startup


Over the past few years, cybersecurity has become an integral part of operating an organization. Yet there are still plenty of small businesses that know very little about security or where to start. Most think they can get away without paying too much attention to security since they’re not a big target and they don’t have much that is worth stealing. But cybercriminals don’t always attack for money—some hackers attack for ideological reasons or revenge, and some do it for the thrill.

You might think you don’t have the resources to invest in cybersecurity, but this is dangerous thinking. By not focusing on security, you’re leaving the business exposed as a potential soft target for hackers. Moreover, you have a lot more to lose than larger corporations; a single security event can be a crippling financial burden with an average cost of $20,000, and there’s a high chance it could severely harm your business.

Thankfully, upfront investment in security can prevent a data breach that could spell disaster for your business. In this article, we’ll go over some easy steps to secure your data and protect the future of your small business.

Step 1: Identify and understand your risks

The first thing you need to do is identify the assets you want to protect, as well as the risks you’re willing to take by leaving other assets less protected. The goal here isn’t to protect everything—you have limited time and money. Instead, you’re helping yourself understand what your priorities are.

In other words, you need to divide your data into two groups: critical information that must be protected and hidden, and information that can remain a little less secure and displayed.

Some examples of critical information are:

  • Contracts
  • Customer lists and contact information
  • Strategic plans
  • Notes from board meetings
  • Patents and intellectual property

This isn’t a complete list, but it should help you start.

After identifying what is critical and what is not, you can prepare policies and actions for employees’ education.

Step 2: Create cybersecurity policies and procedures

You need to document your cybersecurity policies and procedures for two main reasons.

First, your employees need to know these policies, and they need a document they can refer to at any time. Second, you need to remain compliant with any applicable laws or regulations.

Design your security policies to prevent attacks, and include a list of actions to be taken in different scenarios.

Some examples of common security policies are:

  • Incident response policy
  • General security policy
  • Information security policy

Search the web to find examples and help in creating these policies. You may need seek the advice of your legal or compliance team before finalizing your policies.

Have all your employees read and sign your security policy and procedure documents.

Step 3: Educate and train your employees

Even if you manage to create the best cyber defense money can buy, it means nothing if you don’t educate your employees. Users are the weakest point in your cybersecurity armor, and this fact is routinely exploited by attackers.

There’s no way around it: You can’t rely on a single security expert or team of experts to keep your data secure. Your employees need to know the risks of the security world and the actions required to prevent them.

Effective training will teach your employees to:

  • Understand and comply with security policies and procedures.
  • Be aware of actions they can take to protect company information. This can include creating strong passwords, backing up and encrypting data, reporting suspected security incidents, and detecting social engineering attacks.

We recommend holding regular security training sessions that supplement and reinforce your policies.

Step 4: Back up your data regularly

Besides the potential threat of hackers erasing your data, corrupting it, or holding it for ransom, you also have to worry about employees accidentally erasing data. To deal with these possibilities, back up mission critical assets on a regular basis.

You’ll need to decide which data should be backed up, how often it will be backed up, and who will have access to the backups. Backups should be encrypted and protected.

These days, there are many affordable, easy-to-use backup options you can find on the internet.

Step 5: Check with your cloud service providers

For securing data in the cloud, ask your service providers to confirm that your information is adequately protected.

Your provider can offer additional services, like encryption, backup and restore, and high availability.

Step 6: Secure your WiFi networks

Finally, you’ll need to secure your physical devices.

Business traffic for most companies passes through WiFi networks, including emails, documents, and login credentials. This makes WiFi an attractive and easy target for attackers. Make sure your WiFi is secured and has a strong password that only employees know. For added security, change your password regularly.


The landscape of data security is always changing. The actions described in this article are good first steps—but your company isn’t fully protected if these are the only steps you take. Keep yourself educated on the latest security news and exploits, and always be a step ahead of the attackers.

This is the first piece in a series on cyber protection, forensics, and finding security holes in your own system, so stay tuned for future articles. If there’s a security topic you’re interested in hearing more about, leave a comment below.

Get started for free

Completely free for 14 days, no strings attached.