The Security Basics Startups Skip (Until the Incident)
You don't need a CISO to avoid the breaches that kill young companies. You need these eight practices, most of which cost a day each to implement.
Startups don't get breached by geniuses
The breaches that end young companies are rarely sophisticated. They're leaked API keys in git history, admin panels without MFA, and S3 buckets open to the world. The fixes are boring, cheap, and endlessly postponed. Here's the list we implement on every project.
The non-negotiables
1. Secrets out of code. API keys and credentials live in a secrets manager, never in the repository. Scan git history — keys committed two years ago are still live more often than you'd hope.
2. MFA everywhere that matters. Cloud console, email, code hosting, payment providers. One phished password shouldn't be game over.
3. Least-privilege access. Engineers get the access their work needs, not admin-on-everything. Offboarding revokes it the same day.
4. Dependency updates on autopilot. Automated dependency scanning and patching. Most real-world exploits target vulnerabilities that were patched upstream months earlier.
The next tier
5. Encrypted everything. TLS in transit, encryption at rest, and — for sensitive fields — application-level encryption so a database dump isn't a data breach.
6. Audit logs you can actually search. When something looks wrong, the first question is "what happened?" If you can't answer it in ten minutes, you don't have logging.
7. Backups you've restored. A backup that's never been test-restored is a hope, not a plan. Schedule restore drills quarterly.
8. An incident plan on one page. Who's on point, how you communicate, when you notify users and regulators. Deciding this during the incident is how bad days become fatal ones.
Security as a feature
Enterprise buyers now send security questionnaires before contracts. Every practice above maps directly to questions on those forms — meaning basic security hygiene isn't just risk reduction, it's sales enablement.