You did not start a company to think about cybersecurity. You started it to solve a problem, build a product, and grow a business. But here is the reality: a single breach can destroy everything you have built. Not in some abstract, far-off way. In a very concrete, "your customers' data is on the dark web and your investors are on the phone" kind of way.
In 2023, the average cost of a data breach for organizations with fewer than 500 employees was $3.31 million.[1] For a startup burning through a Series A, that is an extinction event. And the attacks hitting small companies are not sophisticated nation-state campaigns. They are preventable. They exploit the same gaps over and over: weak passwords, missing multi-factor authentication, unpatched software, and employees clicking on phishing emails.
This guide covers the 10 things that actually matter. No jargon. No fear-mongering. Just the practical steps that will stop the most common attacks dead in their tracks.
1. Turn On Multi-Factor Authentication Everywhere
If you only do one thing after reading this article, do this. Multi-factor authentication (MFA) means that logging in requires two things: your password and a second proof of identity, usually a code from your phone or a physical security key.
Why does this matter so much? Because passwords get stolen constantly. They leak in data breaches, employees reuse them, and attackers guess them. But if a stolen password is not enough to log in, the attacker is stuck.
Microsoft's identity team reported in 2019 that an account with MFA enabled is more than 99.9% less likely to be compromised, a figure drawn from sign-in telemetry across what was then Azure Active Directory (now Microsoft Entra ID).[2] That number describes the bulk attacks that actually hit small companies: password spraying and replaying leaked credentials. It does not mean MFA is unbeatable. SMS codes and app-generated codes can be phished and relayed in real time, and push notifications can be spammed until someone taps "approve," so which factor you pick matters.
What to do right now
- Enable MFA on every SaaS tool your company uses: Google Workspace (or Microsoft 365), Slack, GitHub, AWS, Stripe, your CRM, your banking portal. All of it.
- Make it mandatory, not optional. Use your admin panel to enforce it for every user.
- Prefer hardware security keys or passkeys (FIDO2/WebAuthn) first, then authenticator apps (Google Authenticator, Authy, Microsoft Authenticator), and use SMS codes only when nothing else is available. A SIM-swap lets an attacker receive your SMS codes. A code generated on your phone cannot be SIM-swapped, but it can still be phished: a fake login page that asks for the code and forwards it to the real site within the 30-second window gets in. A FIDO2 key signs a challenge that is bound to the real site's domain, so it simply will not authenticate to a look-alike page.
- Set up MFA on your personal accounts too. Attackers target founders directly because compromising your email often means access to everything.
Real example: In August 2022, Twilio was breached after attackers sent SMS messages to employees that pointed at look-alike login pages. Employees who entered their credentials there handed them straight to the attackers, who then used them to reach internal systems and customer data.[3] Because a FIDO2 hardware key refuses to sign in to any domain other than the one it was registered on, this is precisely the kind of attack that phishing-resistant MFA stops and SMS-based MFA does not.
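To make the "codes can be relayed" point concrete, here is an added example that is not part of the original article: a minimal RFC 6238 TOTP implementation (the algorithm behind authenticator-app codes), a server-side verifier with the usual clock-drift window, and a function that plays out the phishing relay described above. The shared secret is the one from the RFC's own test vectors; the 20-second relay delay is an assumed value.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps use."""
    counter = unix_time // step                      # 30-second time step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """What the real server does: accept the current step plus `window` steps
    either side to tolerate clock drift. compare_digest avoids a timing leak."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step, len(code)), code)
        for d in range(-window, window + 1)
    )


def relay_attack_succeeds(secret: bytes, victim_time: int, delay_seconds: int = 20) -> bool:
    """The victim types a valid code into a look-alike page at victim_time and the
    attacker submits it to the real site delay_seconds later. Nothing in the code
    ties it to the site the victim thought they were on, so the server accepts it."""
    phished_code = totp(secret, victim_time)
    return verify(secret, phished_code, victim_time + delay_seconds)


# Shared secret from the RFC 6238 Appendix B test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))           # RFC vector: 94287082
    print(relay_attack_succeeds(RFC_SECRET, 59))    # True: the relayed code is accepted
```

The verifier has no way to tell a relayed code from a legitimate one; that is the whole difference between a one-time code and a FIDO2 assertion, which includes the origin the browser was actually talking to.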
2. Get Secrets Out of Your Code
Your engineering team almost certainly has API keys, database passwords, and other secrets somewhere they should not be. Hardcoded in source code. Pasted in Slack messages. Stored in a shared Google Doc labeled "passwords."
This is how breaches happen at startups more than almost any other way. A developer pushes an AWS access key to a public GitHub repository. Within minutes, automated bots scanning GitHub find it and spin up cryptocurrency mining instances on your AWS account. You find out when you get a $50,000 bill.
This is not hypothetical. GitGuardian's 2024 State of Secrets Sprawl report found over 12.8 million new secrets exposed in public GitHub commits in a single year.[4]
What to do right now
- Use a secrets manager. AWS Secrets Manager, HashiCorp Vault, or even 1Password for Teams can store secrets securely and inject them into your applications at runtime.
- Turn on GitHub's secret scanning and its push protection. Both are free for public repositories and available for private repositories as a paid add-on (GitHub Advanced Security). Secret scanning alerts you after a secret has been committed; push protection rejects the push before the secret ever leaves the developer's machine, which is the one you really want.
- Add a pre-commit hook using a tool like gitleaks or truffleHog to catch secrets before they ever reach the repository.
- Rotate any secrets that have ever been in source code, even in a private repository and even if the commit was later deleted. Git history, forks, and clones all keep copies. Assume they are compromised.
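Here is an added example of what a pre-commit secret scanner actually does; it is not gitleaks or truffleHog and not code from the original article. It combines the two checks those tools rely on: matching known credential formats (AWS key IDs, GitHub tokens, Slack tokens, private-key headers) and flagging high-entropy literals assigned to secret-looking variable names. The sample "diff" is constructed; the AWS key ID in it is the placeholder value Amazon uses in its own documentation, and the entropy threshold of 3.5 bits per character is an assumed tuning value.

```python
import math
import re
import sys

# Well-known credential formats. Real scanners ship hundreds of rules like these.
RULES = {
    "aws-access-key-id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"),
    "github-pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "slack-token": re.compile(r"xox[abp]-[0-9A-Za-z-]{10,}"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# A quoted literal of 12+ characters assigned to a name containing a secret-ish word.
ASSIGNMENT = re.compile(
    r"(?i)\w*(?:secret|token|password|passwd|api_?key)\w*\s*[=:]\s*['\"]([^'\"]{12,})['\"]"
)
PLACEHOLDER_MARKERS = ("${", "{{", "<")   # templated values, not real secrets
ENTROPY_THRESHOLD = 3.5                   # bits/char; assumed tuning value


def shannon_entropy(s: str) -> float:
    """Bits per character. Random keys score high; words like 'changeme' score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str):
    """Return (line_number, rule_name, matched_text) for every likely secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            for m in rx.finditer(line):
                findings.append((lineno, name, m.group(0)))
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(1)
            if not any(mark in value for mark in PLACEHOLDER_MARKERS) \
                    and shannon_entropy(value) > ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy-assignment", value))
    return findings


# Constructed sample of what a developer is about to commit.
SAMPLE = """\
# config.py
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = os.environ["DB_PASSWORD"]          # correct: injected at runtime
API_TOKEN = "${VAULT_API_TOKEN}"                  # placeholder, not a secret
gh_token = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
"""


def main(paths):
    """Pre-commit entry point: exit 1 (block the commit) if anything is found."""
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths] \
        or [("<sample>", SAMPLE)]
    hits = 0
    for path, text in sources:
        for lineno, rule, value in scan_text(text):
            print(f"{path}:{lineno}: {rule}: {value[:8]}...")
            hits += 1
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see it flag lines 2, 3 and 6 of the sample while leaving the environment-variable and template lines alone; wired into a pre-commit hook with the staged files as arguments, a non-zero exit blocks the commit.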
3. Conduct Quarterly Access Reviews
When was the last time you checked who has access to what in your company? If the answer is "never" or "I'm not sure," you are in the majority of startups, and you are at risk.
Startups move fast. People join, change roles, and leave. Contractors come and go. But their access to systems often stays long after it should. That former developer who left three months ago might still have admin access to your production database. That freelance designer might still be in your Google Workspace.
What to do right now
- Pull up the user list for every major system: Google Workspace, AWS/GCP/Azure, GitHub, Slack, your CRM, your payment processor.
- Remove anyone who should not have access. If someone has not used a system in 90 days, disable their account.
- Apply the principle of least privilege. Engineers do not need admin access to your billing system. Your marketing team does not need access to production servers.
- Put this on a calendar. Do it every quarter. It takes an hour, and it closes one of the most common attack paths.
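For the AWS part of that review, the IAM credential report already contains everything needed to spot idle and unprotected identities. The script below is an added example, not from the original article: it reads a credential report, flags console users without MFA, and flags any identity whose live credentials have seen no use in 90 days (a never-used credential counts from the day it was created). The CSV here is constructed and uses a subset of the real report's columns; the review date is assumed to be 2025-06-01.

```python
import csv
import io
import sys
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)


def parse_ts(value: str):
    """Report timestamps are ISO 8601; 'N/A', 'no_information' and
    'not_supported' all mean there is nothing to parse."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def review(report_csv: str, now: datetime):
    """Return (user, reason) pairs for every identity that needs a decision."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
            continue                      # root should not be a day-to-day identity anyway
        last_seen = []
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            last_seen.append(parse_ts(row["password_last_used"]))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                last_seen.append(parse_ts(row[f"access_key_{n}_last_used_date"]))
        if not last_seen:
            continue                      # no live credentials, nothing to revoke
        activity = [t for t in last_seen if t is not None]
        # A credential that has never been used is idle since the day it was created.
        newest = max(activity) if activity else parse_ts(row["user_creation_time"])
        idle = now - newest
        if idle > STALE_AFTER:
            findings.append((user, f"no activity for {idle.days} days; disable and review"))
    return findings


# Constructed sample; column subset of the real credential report.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-03-04T09:00:00+00:00,not_supported,2025-01-15T08:30:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-06-01T12:00:00+00:00,true,2025-05-30T16:45:00+00:00,true,false,N/A,false,N/A
bob-contractor,arn:aws:iam::123456789012:user/bob-contractor,2024-02-01T12:00:00+00:00,true,2024-11-01T00:00:00+00:00,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2024-09-10T12:00:00+00:00,false,not_supported,false,true,2025-05-22T03:10:00+00:00,false,N/A
olddev,arn:aws:iam::123456789012:user/olddev,2024-01-10T00:00:00+00:00,false,not_supported,false,true,N/A,false,N/A
"""
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # assumed review date


if __name__ == "__main__":
    # Real use: aws iam get-credential-report --query Content --output text | base64 -d > report.csv
    report = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    now = datetime.now(timezone.utc) if len(sys.argv) > 1 else NOW
    for user, reason in review(report, now):
        print(f"{user}: {reason}")
```

On the sample it flags the contractor (no MFA, idle 212 days) and the developer whose access key was created 508 days ago and never used, while leaving the active engineer and the CI user alone. The same idea applies to any system that exports a "last login" column.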
4. Build a Backup Strategy That Actually Works
Ransomware does not just hit hospitals and Fortune 500 companies. It hits startups too. And when it does, the question is simple: can you restore your systems without paying the ransom?
The answer for most startups is no. Not because they do not have backups, but because they have never tested them. A backup you have never restored is not a backup. It is a hope.
What to do right now
- Follow the 3-2-1 rule: three copies of your data, on two different types of storage, with one copy offsite (or in a different cloud region).
- Back up your SaaS data. Google Workspace, Salesforce, and other cloud platforms do not guarantee they will recover your data if you delete it or if an attacker wipes it. Use a third-party backup service like Backupify or Spanning.
- Test your restores. Once a quarter, pick a system and actually restore it from backup. Time how long it takes. If it takes three days to restore your production database, you need to know that before an emergency.
- Keep at least one backup offline or immutable. Ransomware often targets backup systems too. An immutable backup (one that cannot be modified or deleted for a set period) is your last line of defense.
5. Have an Incident Response Plan
You do not need a 200-page document. You need a one-page plan that answers the basic questions everyone panics about when something goes wrong. Who do we call? What do we shut down? Who talks to customers?
The reason this matters is that breaches get worse the longer they go uncontained. IBM's Cost of a Data Breach research has repeatedly found that organizations that contained a breach in under 200 days spent on the order of $1 million less than those that took longer.[5] Speed matters, and speed comes from preparation.
What to do right now
- Write a one-page incident response plan covering: who is on the response team (names and phone numbers), how to contain common incidents (disable compromised accounts, isolate affected systems), who communicates with customers and the board, and when to call a lawyer and your cyber insurance provider.
- Pre-select an incident response firm. Do not try to find one during a crisis. Companies like CrowdStrike, Mandiant, and smaller firms offer retainer agreements where you pay a small annual fee in exchange for guaranteed response times.
- Get cyber insurance. Premiums for a startup policy with $1-2 million in coverage are often in the low thousands of dollars per year, but the price, and whether you are offered a policy at all, depends on the controls you can attest to; insurers now routinely ask about MFA, backups, and endpoint protection. A policy typically covers forensic investigation, legal fees, customer notification, and sometimes the ransom itself. Read the exclusions before you need them.
- Run a tabletop exercise. Sit your leadership team down for one hour and walk through a scenario: "Our customer database was posted on the dark web. What do we do?" The first time you do this, you will discover all the gaps.
6. Vet Your Vendors
Your security is only as strong as the weakest vendor in your supply chain. If your customer support tool gets breached, the attackers get your customers' data. If your payment processor is compromised, your revenue stream is at risk.
The 2020 SolarWinds breach was a supply chain attack. The attackers did not break into their targets directly. They compromised the build process of SolarWinds' Orion product, and a trojanized update was shipped to roughly 18,000 customers, including multiple U.S. government agencies, giving the attackers a foothold from which to pick the organizations they actually wanted.[6]
What to do right now
- Make a list of every vendor that touches your data or connects to your systems. Most startups have 30-80 SaaS tools. Many of those tools have access to sensitive data.
- For critical vendors, ask for their SOC 2 Type II report. This is a third-party audit that verifies their security controls operated over a period of months (a Type I only checks a point in time). If they do not have one, that is a red flag. If they do, skim the scope and the exceptions section: a clean report that excludes the service you actually use tells you little.
- Check what data each vendor can access and whether it is more than they need. Your analytics tool does not need access to payment data.
- Include security requirements in vendor contracts. At minimum, require them to notify you within 72 hours if they experience a breach that affects your data.
7. Train Your Employees (Without Boring Them to Death)
Your employees are simultaneously your biggest vulnerability and your best defense. Verizon's 2024 Data Breach Investigations Report found that 68% of breaches involved a human element, whether that was clicking a phishing link, misconfiguring a system, or using a weak password.[7]
But here is the thing. Those hour-long, checkbox compliance trainings with outdated slides do not work. Nobody remembers them. What works is short, frequent, relevant training that feels like it applies to their actual job.
What to do right now
- Use a platform like KnowBe4, Curricula, or Hoxhunt that delivers short (3-5 minute) training modules monthly. These platforms also simulate phishing attacks so you can see who clicks.
- Customize the training for different roles. Your engineers need to know about secure coding and secrets management. Your finance team needs to know about business email compromise (BEC) and invoice fraud. Your customer support team needs to know about social engineering.
- Make it clear that reporting a phishing email is a good thing, not something to be embarrassed about. Reward people who report. Never punish someone for clicking a simulated phishing email; use it as a teaching moment.
- Send a monthly security tip in Slack or email. One paragraph. One actionable thing. Keep it in front of people.
8. Enforce a Real Password Policy
Passwords are still the front door to most of your systems. And if your team is using "Company2026!" as their password, you are not as secure as you think.
The latest guidance from NIST (the National Institute of Standards and Technology) has actually simplified password recommendations.[8] They no longer recommend forcing password changes every 90 days, because that just leads to people incrementing a number at the end. Instead, the focus is on length and uniqueness.
What to do right now
- Require a minimum password length of 14 characters. Length matters far more than complexity: a four-word passphrase like "correct-horse-battery-staple" (28 characters) is much stronger than "P@ssw0rd!" and easier to remember. Do not use that exact phrase, though; it is famous enough to be in every cracking wordlist, which is exactly why the breach screening below matters.
- Deploy a company-wide password manager. 1Password Business, Bitwarden, or Dashlane. Every employee gets an account. Every password is unique and randomly generated. The password manager handles the complexity so employees do not have to.
- Screen passwords against breach databases. Tools like Have I Been Pwned's API can be integrated with your identity provider to block passwords that have appeared in known breaches.
- Stop requiring periodic password changes unless there is evidence of compromise. Forced rotation leads to weaker passwords, not stronger ones.
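The breach screening is worth seeing in code, because the way the Have I Been Pwned Pwned Passwords API works is the reason it is safe to use: only the first five hex characters of the password's SHA-1 hash leave your network, and the matching is done locally against the few hundred suffixes the API returns for that prefix (k-anonymity). The block below is an added example, not from the original article or from Have I Been Pwned. It enforces the 14-character minimum, performs the range lookup, and includes a constructed offline stand-in for the API with made-up breach counts so the example runs without network access.

```python
import hashlib
import urllib.request

MIN_LENGTH = 14


def prefix_for(password: str) -> str:
    """Only these 5 hex characters of the SHA-1 hash are ever sent to the API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()[:5]


def hibp_range(prefix: str) -> str:
    """Live lookup (needs network). Add-Padding makes every response a similar
    size so an observer cannot infer the prefix from the response length."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "startup-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def evaluate(password: str, lookup=hibp_range):
    """Return (accepted, reason). Length is checked first; then the breach list."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        # Padding entries carry a count of 0 and must be ignored.
        if found_suffix == suffix and count.isdigit() and int(count) > 0:
            return False, f"appears {int(count):,} times in known breaches"
    return True, "ok"


# Constructed stand-in for the API so the example runs offline. The counts are
# made up; the real service returns real breach counts.
_PRETEND_BREACHED = {
    "password": 10_000_000,
    "correct-horse-battery-staple": 12_345,
    "Company2026!": 3,
}


def fake_range(prefix: str) -> str:
    """Mimic the API's response format: one 'SUFFIX:COUNT' line per hash in the range."""
    lines = []
    for pw, n in _PRETEND_BREACHED.items():
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{n}")
    lines.append("0" * 35 + ":0")   # the kind of padding entry the real API adds
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("Company2026!", "correct-horse-battery-staple", "plum-ladder-quiet-canyon-47"):
        print(candidate, evaluate(candidate, fake_range))
```

Swap `fake_range` for the default `hibp_range` to query the real service. The same check belongs at password-set time in your identity provider, not only in a one-off audit, so a user cannot pick a breached password in the first place.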
9. Keep Everything Updated
Unpatched software is one of the most exploited attack vectors in existence. When a vulnerability is publicly disclosed, attackers start scanning the internet for vulnerable systems within hours. If you are running software with known vulnerabilities, it is not a matter of if you will be targeted. It is a matter of when.
The 2017 Equifax breach, which exposed the personal data of 147 million people, happened because Equifax failed to patch a known vulnerability in Apache Struts (CVE-2017-5638) for over two months after a fix was available.[9] Two months. That is all it took for attackers to find and exploit it.
What to do right now
- Enable automatic updates on every laptop and phone in your company. macOS, Windows, iOS, and Android all support this. Turn it on.
- For servers and infrastructure, establish a patching cadence: critical vulnerabilities within 48 hours, high-severity within one week, everything else within 30 days.
- Use a vulnerability scanner like Qualys, Tenable Nessus, or the free OpenVAS to identify unpatched systems. You cannot fix what you cannot see.
- Do not forget your third-party libraries. If your product is built on open-source software (and it is), use tools like Dependabot, Snyk, or Renovate to automatically flag outdated dependencies with known vulnerabilities.
10. Build a Phishing Defense
Phishing is not just those obvious "Nigerian prince" emails anymore. Modern phishing is targeted, convincing, and increasingly powered by AI. Business email compromise (BEC) alone cost organizations $2.9 billion in 2023, according to the FBI's Internet Crime Complaint Center.[10] These attacks often impersonate a CEO or CFO, asking an employee to wire money or change payment details for a vendor.
As a founder, you are a prime target. Attackers research you on LinkedIn, learn who your investors and partners are, and craft emails that look like they come from people you trust.
What to do right now
- Configure SPF, DKIM, and DMARC records for your company's email domain. SPF lists the servers allowed to send as your domain, DKIM signs outgoing mail, and DMARC tells receiving servers what to do when a message fails both. The part people skip: DMARC only blocks anything once its policy is p=quarantine or p=reject. A record with p=none just generates reports, so start there, read the reports for a couple of weeks, then tighten. Google Workspace and Microsoft 365 both have step-by-step guides, and the setup takes about 30 minutes. None of this stops mail sent from a look-alike domain (yourcompany-inc.com), which is why the verification step below still matters.
- Enable external email warnings. Both Google Workspace and Microsoft 365 can add a banner to emails from outside your organization, making it obvious when an email is not from a colleague.
- Set up a verification process for financial transactions. Any request to change payment details, wire money, or transfer funds should require verbal confirmation over a known phone number. Not a number from the email. A number you already have on file.
- Run phishing simulations monthly. This is not about catching people. It is about building the muscle memory to pause, check, and report suspicious emails.
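A quick way to tell whether those records are actually protecting you is to audit them the way a receiving mail server reads them. The checker below is an added example, not from the original article: given the TXT records for a domain, it flags a missing or permissive SPF (`+all`, `?all`, no `all` term), multiple SPF records (which receivers treat as an error), a DKIM selector with no public key, and a DMARC record that is missing, set to p=none, partially applied via pct=, or lacking a reporting address. The two record sets are constructed; the `google` DKIM selector is the one Google Workspace uses, and the DKIM public key is a placeholder.

```python
def parse_tags(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(domain: str, txt: dict, dkim_selectors=("google",)):
    """txt maps a DNS name to its list of TXT records. Returns a list of findings."""
    findings = []

    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: receivers cannot tell your servers from anyone else's")
    elif len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    else:
        last = spf[0].split()[-1].lower()
        if last in ("+all", "all"):
            findings.append("SPF ends in +all: every sender on the internet is authorized")
        elif last == "?all":
            findings.append("SPF ends in ?all (neutral): spoofed mail is not penalized")
        elif last not in ("~all", "-all"):
            findings.append("SPF has no 'all' term: unlisted senders get a neutral result")

    for selector in dkim_selectors:
        records = txt.get(f"{selector}._domainkey.{domain}", [])
        tags = parse_tags(records[0]) if records else {}
        if not tags.get("p"):
            findings.append(f"DKIM selector '{selector}' has no public key: signatures cannot be verified")

    dmarc = txt.get(f"_dmarc.{domain}", [])
    if not dmarc:
        findings.append("no DMARC record: SPF/DKIM failures are never acted on")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy '{policy}' is invalid")
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100 and policy in ("quarantine", "reject"):
            findings.append(f"DMARC pct={pct}: only {pct}% of failing mail gets the policy")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: you will never see the reports")
    return findings


# Constructed records: a typical "we set it up once" state versus the target state.
WEAK = {
    "example.com": ["v=spf1 include:_spf.google.com +all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
}
GOOD = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER-BASE64-PUBLIC-KEY"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"],
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("good", GOOD)):
        print(label, audit("example.com", records) or ["no findings"])
```

To feed it real data, pull the records with `dig +short TXT yourdomain.com`, `dig +short TXT _dmarc.yourdomain.com` and `dig +short TXT google._domainkey.yourdomain.com` (use `selector1` and `selector2` for Microsoft 365). The sensible rollout is p=none with rua= set, a few weeks of reading reports to catch legitimate senders you forgot about, then p=quarantine, then p=reject.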
Putting It All Together
You do not need to do everything at once. Here is a realistic timeline for a startup founder who wants to get the basics right:
This week: Turn on MFA everywhere. Deploy a password manager. These two steps alone will eliminate the majority of account compromise risk.
This month: Conduct an access review. Set up email authentication (SPF/DKIM/DMARC). Get secrets out of your code. Start phishing simulations.
This quarter: Write your incident response plan. Get cyber insurance. Vet your top 10 vendors. Set up automated patching and vulnerability scanning. Roll out employee security training.
None of this requires a security team. It requires a founder who takes it seriously enough to dedicate a few hours per month. And when you are ready to go deeper, whether that is a penetration test, a security audit, or building a security program, you will be starting from a strong foundation instead of a blank slate.
The bottom line: The attacks that take down startups are not sophisticated. They are preventable. MFA, secrets management, access reviews, backups, incident response, vendor security, training, password policy, patching, and phishing defense. Ten things. Get them right, and you have eliminated the vast majority of risk your company faces.
Sources
1. IBM Security, "Cost of a Data Breach Report 2023" - https://www.ibm.com/reports/data-breach
2. Microsoft Security (Alex Weinert), "Your Pa$$word doesn't matter" (2019), with Azure AD MFA effectiveness telemetry - https://www.microsoft.com/en-us/security/blog/
3. Twilio, "Incident Report: Employee and Customer Account Compromise, August 2022" - https://www.twilio.com/blog/august-2022-social-engineering-attack
4. GitGuardian, "The State of Secrets Sprawl 2024" - https://www.gitguardian.com/state-of-secrets-sprawl-report-2024
5. IBM Security, "Cost of a Data Breach Report 2024" - https://www.ibm.com/reports/data-breach
6. CISA, "Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise" (2020) - https://www.cisa.gov/news-events/directives/emergency-directive-21-01
7. Verizon, "2024 Data Breach Investigations Report" - https://www.verizon.com/business/resources/reports/dbir/
8. NIST, "SP 800-63B: Digital Identity Guidelines, Authentication and Lifecycle Management" - https://pages.nist.gov/800-63-3/sp800-63b.html
9. U.S. Government Accountability Office, GAO-18-559, "Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach" (2018) - https://www.gao.gov/products/gao-18-559
10. FBI Internet Crime Complaint Center (IC3), "2023 Internet Crime Report" - https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
Not Sure Where Your Startup Stands?
We help non-technical founders understand their security posture and fix the gaps that matter most, without the jargon or the scare tactics.