Startup Security Basics Every Founder Should Know

You might think your startup is too small to be a target, and that only larger organisations are at risk. But attackers don’t work like that. They behave more like drive-by opportunists than trained assassins. They scan the internet to see what comes back, then probe for weaknesses. They spray phishing emails to see who bites. If your defences are weak, you’re low-hanging fruit.

One of the biggest threats today is ransomware – where attackers lock you out of your own systems and demand payment to unlock them. These attacks are widespread and often hit smaller companies simply because they’re easier targets.

Here are some practical, low-cost steps every founder should take – no deep tech knowledge needed:

🔐 Turn on two-factor authentication for all key accounts (email, cloud services, etc.).

🔑 Use a password manager like 1Password or Bitwarden – never share passwords via Slack, email, or docs.

🔒 Limit access – only give people what they need. Avoid shared logins.

📬 Set up your email securely – Google Workspace and Microsoft 365 include spam and phishing protection, but you still need to enable sender validation to prevent attackers sending emails that pretend to be from your domain (SPF, DKIM, DMARC).

🛡️ Use a web application firewall (WAF) – Cloudflare or AWS WAF can block common attacks before they reach your app.

💾 Back up your databases – and test that you can actually restore them.

🧊 Encrypt your databases – easy to enable in platforms like AWS or Azure.

🧪 Scan your code – GitHub and GitLab offer built-in code vulnerability scanning tools, even on free plans.

🔄 Keep third-party libraries and frameworks up to date – tools like GitHub Dependabot or Snyk are free or cheap and let you know when things need patching.

🧩 And finally: have a plan for what you’d do if a device is lost, an account is compromised, or your data is locked or leaked.

None of this is expensive or particularly complicated. But recovering from an attack will be.
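
For the email item above, this is one way to check that sender validation is actually switched on and not left in a weak state. It is an added example, not part of the original post: a small Python script that reads SPF and DMARC TXT records given as plain strings and flags the weak settings. The domains and records are constructed, and DKIM is left out because checking it requires knowing your mail provider's selector name.

```python
def check_spf(txt_records):
    """Findings for the TXT records published at the domain itself."""
    spf = [r.lower().split() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        return ["SPF: multiple records, which receivers treat as an error"]
    terms = spf[0][1:]
    if any(t.startswith("redirect=") for t in terms):
        return []  # the policy lives in another domain's record
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        return ["SPF: no 'all' term, so unlisted senders get a neutral result"]
    if all_terms[0] in ("all", "+all"):
        return ["SPF: '+all' authorises every sender on the internet"]
    if all_terms[0] == "?all":
        return ["SPF: '?all' is neutral, so unlisted senders are not rejected"]
    return []  # '-all' (fail) or '~all' (softfail)

def check_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no record published"]
    pairs = (part.partition("=") for part in recs[0].split(";"))
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in pairs}
    policy, pct = tags.get("p"), tags.get("pct", "100")
    if policy not in ("none", "quarantine", "reject"):
        return ["DMARC: missing or invalid p= tag"]
    if policy == "none":
        return ["DMARC: p=none only reports, spoofed mail is still delivered"]
    if pct.isdigit() and int(pct) < 100:
        return ["DMARC: pct below 100, so the policy covers only part of the mail"]
    return []

def audit(domain, zone):
    """zone maps a DNS name to the list of TXT strings published there."""
    return check_spf(zone.get(domain, [])) + check_dmarc(zone.get("_dmarc." + domain, []))

SAMPLE_ZONE = {  # constructed sample records, not real DNS data
    "weak.example": ["v=spf1 include:_spf.google.com ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "good.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
}

if __name__ == "__main__":
    for name in ("weak.example", "good.example", "missing.example"):
        print(name, audit(name, SAMPLE_ZONE) or "ok")
```

To check your own domain, replace the sample records with the TXT records published at your domain and at `_dmarc.` followed by your domain.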
