Over 10 years we help companies reach their financial and branding goals. Engitech is a values-driven technology agency dedicated.



411 University St, Seattle, USA


+1 -800-456-478-23

Web Application Security Testing
cyber security for startups

Cybersecurity for startups – top 10 practical recommendations

Cybersecurity for startups – good and bad recommendations

Providing generic recommendations in the area of cybersecurity for startups is not an easy task. This is because every company is different, has a different structure, and protects different assets. On top of that, I’ve seen articles with very bad recommendations, which may be more harmful than useful.

Additionally, very often articles cover just the surface of cybersecurity for startups leaving readers with a knowledge gap. This forces them to either hire a company or implement the generic concepts by a trial and error when searching for more information on the Internet.

That is why I decided to create a series of articles covering practical cybersecurity recommendations for startups.

!This is the first post of the series “Cybersecurity for startups” aiming to help increase the cybersecurity of startups by going through every security recommendation step-by-step.

In this article I’ll present the Top 10 Practical Cybersecurity Recommendations for Startups with a limited budget:

Practical security recommendations for start-ups with limited budgets

The inspiration for this series is the article created by Alex Chapman featuring Practical Security Recommendations for Start-ups with Limited Budgets.

Alex is an IT security professional and recent Startup founder, which allows him to look at cybersecurity from both perspectives.

His recommendations are indeed practical contrary to some other articles therefore, I highly recommend reading Alex’s article.

In this series, we will look at cybersecurity for startups from a bit different perspective and expand on the topics mentioned in Alex’s article.

Top 10 practical cybersecurity recommendations for startups – infographic

To make things easier we created the infographic featuring 10 practical security recommendations for startups presented by Alex.

That way you can easily visualize all the recommendations and quickly remember the most important ones.

cybersecurity for startups top 10 practical recommendations
A clever way to approach cybersecurity recommendations for your startup

Instead of diving into specific recommendations, I would like to start from a different angle. There is always something to be done in the area of cybersecurity. No matter how much you secure yourself, no one can guarantee that you are unhackable. I briefly write about it in the article about penetration testing reports: 3 things that you will not find in a penetration testing report. Because no solution secures your startup against all cyberattacks, it makes sense to focus on the most important areas first. But the most important ones for you, not for others.

To know what is the most important for you, you can ask yourself three following questions:

  1. What valuable assets does my company have?
  2. What types of threats exist that aim at my assets?
  3. How much will it cost if any of the threats materialize themselves?

By assets, I mean everything valuable to your company such as:

  • Company know-how in form of documentation, procedures
  • Sensitive company data in form of documents, emails, source code
  • Sensitive customers’ data in form of databases, credentials, personal information, and financial documents
  • Services supporting your startup such as email, document storage, task management systems, network devices

The second question I’ll expand on in the next section of this article.

The answer to the last question does not have to be very precise at the beginning. It can be an estimate of the time and money required to handle a potential attack of defined threats to your assets.

It is important to write all of the answers down and sort them in the order of perceived importance.

Who is after your startup?

When defining threats that can pose some harm to your startup they can be categorized in the following sections:

  • Criminal groups – Organized cybercriminal groups with financial motives. They more often use wide attacks targeting multiple organizations using the same technique rather than focusing on a specific company.
  • Individual criminals – Cybercriminals with lower budgets and skillset than criminal groups. Often their main motivation is also financial or political.
  • Malicious insiders – An employee, or an ex-employee who wants to gain additional profits out of the company values, damage the organization for personal reasons, or to conduct cyber espionage.
  • Terrorist organizations – Criminal organizations that main goal is to influence a political decision, damage economies, or cause physical harm to citizens.
  • Nation-State Threat Actors – National agencies with huge financial support, significant technical capabilities, and additional resources are focusing on specific targets. Those targets are usually big companies and critical organizations, and the goal is to achieve a very precise intelligence or counter-intelligence advantage over a defined “enemy”.

I sorted the above threats in order of importance for the typical startup.

Because let’s be honest. Regardless of whether you have just one or twenty employees, you will not be able to effectively protect against Nation-State Threat Actors with billion-dollar budgets and access to the core cellular or Internet national infrastructure. Even huge corporations very often fail to do that. It is definitely possible to make it much harder for these types of threat actors but it’s just not practical as there is very little chance that you are a defined target for such an organization.

Cybercriminals groups that target a wide audience, or individual criminals targeting organizations with lowered security are much more common, and the effort required to protect against them is incomparably lower.

However, the sad truth is that you may still be an indirect victim of Nation-State Threat Actors in so-called supply-chain attacks. In these types of attacks, an attacker compromises an organization, whose infrastructure serves as a proxy for other attacks. The supply-chain attack is also used by individual cybercriminals and organized groups. They sell access to the organization’s infrastructure or even specific services such as Distributed Denial of Service (DDoS), spam, or proxy attackers on the black market.

The Verizon team in the Data Breach Investigation Report 2020 summarizes it in the following way:

The simple fact is this: If you leave your internet-facing assets so unsecured that taking them over can be automated, the attackers will transform your infrastructure into a multi-tenant environment.

Most common cyberattacks

Since you already know what types of threat actors exist, it is also important to know what are the most common attacks that those threat actors utilize. As previously mentioned Verizon’s team every year creates a report describing data breach statistics. The Data Breach Investigation report 2022 includes eight incident categories that reflect the most common attacks.

Some of the categories may not be easy to understand so here is the list of those categories with their quoted descriptions:

  • Basic Web Application Attacks – These attacks are against a Web application, and after initial compromise, they do not have a large number of additional Actions. It is the “get in, get the data and get out” pattern.
  • Denial of Service – Attacks intended to compromise the availability of networks and systems. This includes both network and application layer attacks
  • Lost and Stolen Assets – Incidents where an information asset went missing, whether through misplacement or malice.
  • Miscellaneous Errors – Incidents where unintentional actions directly compromised a security attribute of an information asset. This does not include lost devices, which are grouped with theft instead.
  • Privilege Misuse – Incidents predominantly driven by unapproved or malicious use of legitimate privileges.
  • Social Engineering – A psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality.
  • System Intrusion (7013 incidents) – Complex attacks that leverage malware and/or hacking to achieve their objectives including deploying Ransomware.
  • Everything Else – This “pattern” isn’t really a pattern at all. Instead, it covers all incidents that don’t fit within the orderly confines of the other patterns. Like that container where you keep all the cables for electronics, you don’t own anymore: Just in case.
CEO, Cybersecurity Expert

Let’s talk about securing your web application

Book a chat with me

    Follow the most important cybersecurity recommendations for your startup

    You have your valuable assets defined. You know what cyber threats exist and what attacks they use. You estimated the damages of a successful attack on each of your assets. You also know what are the typical cybersecurity recommendations for startups. Now it’s time to connect the dots, choose the recommendations for you, and prioritize them. To help you with this process I assigned typical attacks (incident categories from Verizon’s report) to recommendations that should minimize the risk of a successful attack. You can also see what type of data will be protected after implementing a specific recommendation.

    It is important to note that this assignment is subjective, and other experts can do it differently.

    Recommendation titleTechnical AbilityImpactIncident categoriesNumber of incidents
    Use a Password Manager and Two-Factor AuthenticationLow HighSocial Engineering, System Intrusion,
    Basic Web Application Attacks
    14 013
    Develop with Modern FrameworksMediumMediumBasic Web Application Attacks,
    System Intrusion
    11 764
    Configure an Edge Security ServiceLow/MediumMediumDenial of Service,
    Basic Web Application Attacks
    13 207
    Enable HTTP Security HeadersLow/MediumMediumBasic Web Application Attacks4751
    Apply Security PatchesMediumHighBasic Web Application Attacks4751
    Backup User Data and Source CodeMediumMediumLost and Stolen Assets,
    Basic Web Application Attacks,
    Social Engineering,
    System Intrusion
    14 898
    Centralize All LoggingLowMediumPrivilege Misuse,
    Lost and Stolen Assets, Basic Web Application Attacks,
    Social Engineering, System Intrusion
    15 173
    Recruit the Good HackersLowHighMiscellaneous Errors, Basic Web Application Attacks,
    System Intrusion
    12 479
    Service ContainerizationHighHighBasic Web Application Attacks,
    System Intrusion
    11 764
    Deploy Canary TokensLowHigh Lost and Stolen Assets, Social Engineering,
    Basic Web Application Attacks,
    Social Engineering, System Intrusion
    17 147

    Cybersecurity for startups – checklist

    It is good to know about all of it but the knowledge is useless if no action is taken. To make the action even easier for you we created the document containing the checklist of recommendations to implement. This will help you keep track of what you plan to implement and what is already implemented. That way you will not forget about anything:

    checklist of cybersecurity recommendations for startups

    Generic cybersecurity recommendation

    All this may seem complex and lengthy but the general approach is quite simple.

    Think of the most valuable thing in your startup. This is your valuable company’s asset. Think how much time, effort, and money would you require if this asset gets destroyed, stolen, or corrupted.

    Once you have that, think of the potential ways the bad actors can get to it. We call them “attack vectors”. Subsequently, focus on limiting the attack vectors and protecting those valuable assets first.

    This process is a bit longer than a typical “read and apply” approach, but in the long run, it can save time and resources by focusing on the most valuable assets and most probable attack vectors.

    Moreover, if you do it right and document everything on the way, increasing cybersecurity in your startup will be easier in the future as you will already have the basis. Whenever your company grows, you will need to add new assets and reprioritize the list.

    !The next article will shed some light on our first security recommendation for startups: using a password manager and two-factor authentication (2FA).

    Beyond the cybersecurity recommendations

    Implementing the above recommendations automatically puts your start-up on another level in terms of security. The most mature startups conduct a verification of the security mechanisms implemented.

    If your start-up is one of those mature start-ups where you value cybersecurity and would like to verify if all the mechanisms were implemented correctly contact us.

    We help in verifying and increasing cybersecurity for startups by conducting penetration testing, vulnerability assessment, red teaming, and other types of cybersecurity services.

    Is this article helpful to you? Share it with your friends.


    Dawid Czarnecki