If there’s one thing your tech startup should take away from 2025, it’s that no business is too small to be a target for cybercriminals. In fact, SMBs are now more attractive prospects for ransomware than legacy enterprises, thanks to their limited resources and valuable customer data.
Often, startups lack the knowledge or the resources they need to make good decisions early on in their businesses. We reached out to an IT security expert who frequently works with tech startups to gain insights into what businesses need to know when they’re just starting out.
Gary Power, COO and Director of Client Services at Power Consulting(新視窗), has 25 years of expertise in the outsourced IT industry. Power Consulting works closely with businesses of all sizes in all industries, providing services including managed IT services, IT strategic planning, and cybersecurity audits and services.
We spoke with Gary to understand where tech startups are making mistakes early in their businesses.
Your business isn’t too small for cybersecurity measures
Using our Data Breach Observatory, Proton tracked leaked business data on the dark web to understand who hackers were targeting and how businesses were being breached. We uncovered 794 breaches, totaling more than 300 million leaked records, and it became obvious that smaller organizations are increasingly at risk.
Your business can benefit from examining how and why other businesses have been impacted by data breaches. The insights gained from the Data Breach Observatory, as well as our cybersecurity recommendations for tech startups, can be found in our latest eBook, The breaches that broke 2025.
Whether their credential management fell short, or they failed to utilize protective measures such as end-to-end encryption, it appears SMBs are making crucial mistakes in their security practices. And if small businesses remain vulnerable to cyber threats, it will ultimately damage industries and innovation across the world by limiting business growth.
Gary notes that a key part of adequately protecting your business is shifting your mindset when it comes to the security measures you employ.
“Early on, founders usually ask reactive questions like ‘Do we need this?’ or ‘Is this overkill for our size?’ As they mature, the questions shift to ‘What would actually stop us from getting breached?’ and ‘How do we scale securely without slowing the business down?’”
Instead of skipping steps as your business becomes established, invest from the beginning in your cyber security. After all, as Gary says: “The most successful founders realize security is an enabler, not a blocker.”
Legacy tools aren’t automatically secure
When it’s time to pick the tools, such as the email, drive, and password manager solutions your business will use, your choice makes a big difference. Gary warns against assuming popular and modern solutions will automatically be the most secure option.
“The biggest blind spot is assuming security is ‘implicit’ because they’re using modern tools or cloud platforms. Founders often believe that Microsoft 365, Google Workspace, or AWS automatically equals secure. In reality, most breaches stem from misconfiguration, weak identity controls, poor access hygiene, and lack of monitoring — not exotic hacking techniques.”
This may not sound positive, but it is: It’s much harder to predict and prevent sophisticated hacking techniques than it is to build strong identity management and monitoring practices within your network. The issues Gary highlights can be approached using the following:
- Thorough web application security practices that allow you to identify and mitigate potential threats to your environment.
- Identity management measures such as single sign-on (SSO) and two-factor authentication (2FA) that protect your business network while making it easier and more secure for team members to access your business network.
- Dark web monitoring is a helpful tool that can inform you if any of your business data appears on the dark web, allowing you to act quickly and prevent a data breach.
Human error is a serious threat
It doesn’t matter if your tools are secure if they’re not being used securely. Human error is actually one of your business’s biggest cybersecurity threats. Attack surfaces are growing exponentially thanks to the intricacy of modern business networks, requiring team members to create dozens of accounts with unique passwords and potentially access these accounts from their personal devices.
“Another major miss is underestimating human risk: phishing, credential reuse, and unmanaged devices are usually the front door.“
These risks can be attributed to lack of awareness in cybersecurity and unclear expectations about how or if your business network can be accessed via team members’ personal devices. Thankfully, they can be addressed easily with a dual-pronged approach of policies and education:
- Business-wide education about how to spot phishing scams and other types of malware(新視窗) will help every team member protect your business network
- A remote working policy and a bring your own device (BYOD) policy if relevant for your business
- A secure business password manager will ensure that your password policies are being enforced and that sensitive credentials are stored in a central location, and even safely shareable if necessary.
“Early decisions become permanent defaults,” Gary says. “Identity models, data locations, admin access, and device standards are incredibly hard to unwind later — especially once customers, investors, and regulators are involved. Security debt compounds just like technical debt. It’s far cheaper and less disruptive to set good guardrails early than to retrofit controls after a breach, audit failure, or cyber insurance denial.”
Security fundamentals are more important than tools
Tools aren’t the only consideration that businesses need to make as they’re coming to market. Your IT infrastructure will dictate how securely team members can work, how well you can spot risks, and how fast you can mitigate issues.
Gary explains how the experts at Power Consulting approach setting up IT and cybersecurity infrastructure for startups. “We focus on fundamentals before shiny tools.”
- Set up strong identity and access management policies, including MFA and “least privilege”, meaning people should only have access to the systems they need.
- Secure your endpoints, including employees’ personal devices, from day one. Device management software can help you keep track of who is logging into your network and where.
- Use centralized logging and monitoring so that issues like unauthorized access or account breaches don’t go unnoticed.
- Prepare for an event with proper backup and recovery tools such as immutable backups(which can’t be changed after they’re been created) or offsite protection where critical data is sent and stored away from your main business site.
By building your business on solid fundamentals, ultimately you’re investing in a safer business for your future. The time you spend building secure infrastructure is worth the money you’ll save and the risk you’ll avoid in the long run.
Take the time to set up properly
Gary recommends focusing on your identity architecture because this is the area with the highest security impact. Every team member has a digital identity that allows them access to the data and tools they need in your business network, and configuring this well makes all the difference down the line.
“Poor identity architecture is the hardest to undo — shared accounts, weak MFA adoption, and too many admins create long-term risk,” Gary explains. “Unstructured data sprawl is another major issue; once sensitive data is scattered across personal drives, email inboxes, and unmanaged SaaS apps, regaining control is painful. Finally, lack of documentation and ownership early on leads to confusion and blind spots as teams grow.”
