As a start-up founder you must have asked these questions “Is there a big enough market out there for my idea?” and “how can I make this happen before we run out of cash?”

Even since the introduction of GDPR, questions regarding security do not always sit at the top of the agenda; this is concerning when most start-ups are likely to be application or web-based and collect significant amounts of customer data.

Founders of ‘tech based’ start-ups often want to see their business grow quickly.  Rapid growth is necessary for success, to fight off the competition and secure investment.  It is, however, this rapid growth that increases the risks and can destroy the business even before it reaches launch day.

Depending on the premise of your start-up - whether you have a significant online presence or not - your people are both your biggest asset and your biggest risk.  It is your employees who open the door to malware in all its forms and who action requests from fraudulent phishing emails.  It is disgruntled ex-employees who still have access to data on leaving that can cause untold damage to your business.

Defining how good you need to be, depends on what you are trying to protect - your ‘crown jewel assets’.  The following five points are great for building a foundation of security as your start-up grows:

1. Call out the risks

Ask the question: “If I was to try and destroy my business how would I go about it?”.  Sounds drastic, but the answer will throw up a whole load of possible threats that you face and what you deem most important to your survival.  Once these risks have been identified and prioritised then put in a plan to counter them.  Document your findings within a straightforward register and introduce measures to treat these risks.


This process will form the foundation of your risk management regime and will help to ensure that security is integrated into your business strategy.  It should be led by a senior leader and be formally reviewed and ideally updated every month.

2. Ensure your employees know what is ‘acceptable’

Create and publish a common sense ‘Acceptable Use Policy’ alongside any other Information security policies to ensure that your employees know what is expected of them when it comes to system and hardware usage.  Make sure the policy is read by all new joiners as part of the ‘onboarding’ process within the first couple of days of employment.

3. Improve your employee knowledge with regular training

You must ensure delivery of basic cyber security awareness training.  This does not have to be onerous or complicated.  If you do not have the expertise or resources to deliver the training, there are a number of quality online training platforms that offer specific modules and simulated phishing exercises.

Not everyone understands the risks of cybercrime and the likely impact this may have on your business, so any training should be incorporated into the employee induction process.

4. Never be lazy with system access management

Alongside traditional networked systems, companies with 10-50 employees use an average of 54 SaaS-based applications.  Managing the access rights to these applications will become challenging if they are not rigidly controlled.  It is therefore vital that a ‘Joiners, Movers and Leavers’ process is implemented and governed to ensure that the ‘active users’ reflect the current workforce across all platforms.  Extra vigilance should be paid to privileged users, third parties and any terminated employees.

5. Use your enquiring mind; monitor usage and challenge anomalies

Leverage as many ‘in-app’ usage reports and alert notifications as possible to monitor your systems.  Most business licenses for applications such as G Suite and O365 allow you to download security reports to monitor usage, login history, and unusual behaviour.  Only you will know what 'normal' looks like, so if you do see something out of the ordinary then challenge it.  Most likely it will be benign but by questioning and reviewing any discrepancies means that your employees will know that user activity can be tracked and will be called out.

We appreciate that in the absence of a security and governance function there is a tendency to ‘implement and forget’ information security policy and process.  At Savanti we have proven experience of assisting start-ups with our NCSC aligned Cyber Security Model and our Virtual CISO service to help counter complacency and provide continuous strategic security management.

We would be happy to support you on your journey, please get in touch or visit the chat function on our website: