by David Lam, CISSP, CPP | Check out the Startup Solutions series

As a startup organization, minimum security measures—or rather, commercially reasonable levels— are crucial to integrate to protect data and secure systems from any potential vulnerabilities. Although securing information is a journey and not a destination, to achieve these minimum levels, you’ll want to ensure you’ve addressed the following three categories: 

  • Confidentiality: Ensuring that your information is only accessible to your employees and other authorized parties. 
  • Integrity: Certainty that the data isn’t tampered with or has been subject to unauthorized modification. 
  • Availability: Making sure that the information is accessible at all times. 

Startup organizations need to take prudent and commercially reasonable steps to protect themselves. Enlisting subject matter experts to help you break it all down into manageable steps can help you minimize the risk of security and data breaches—enabling you to focus on scaling your business. 

Achieving confidentiality 

Ensure Network Security. It is crucial to secure sensitive information through firewalls, intrusion detection, multi-factor authentication, data encryption, and compliance scanning. And in case it’s not obvious, be sure to enable automatic software updates and confirm all devices are secured with up-to-date malware and antivirus software.  

Vulnerability Scans. Run authenticated vulnerability scans to learn what’s happening behind the scenes and know the answer to this key question: “what is the state of my vulnerability management system?”. 

Vendor Assessment. If you work with a third-party vendor in any capacity, you should evaluate their information security program as well; you’ll want to ensure they have a well-documented information security program and appropriate security measures in place. Also, ensure that the vendor only has access to the systems and data they need. 

When renewing or implementing any piece of technology or software, it’s crucial to conduct a careful review of an organization’s ecosystem to ensure compliance with industry regulations, standards, and laws relevant to data protection and privacy.  

Set Your Team Up for Success. All startups should provide cybersecurity and phishing training for their employees, so they are equipped to recognize any threats in their inbox or across your organization. Remember, it is not just information security’s responsibility to safeguard data. Everyone, regardless of their position, should be contributing to secure innovation by reporting any vulnerabilities to mitigate overall risk. 

Maintaining integrity 

Implement Secure Development Practices. Follow secure coding practices to ensure your software is as secure as you can make it. Remember to identify and address vulnerabilities and secure the development environment.  

Back It Up. All critical files should be backed up and stored outside of your regular system (and offsite of your regular location). Be sure that your backups are protected in such a way that ransomware cannot access them.  

Ensuring availability 

Build in Resiliency. Ensure all your systems are redundant. As your systems are likely in the cloud, ensure that your design is available, especially if a region is unavailable. 

Incident Response Plan. A formal plan helps in quickly detecting, analyzing, containing, and recovering from security incidents – minimizing exposure and downtime. Establishing this plan doesn’t need to be complicated, but it does need to be completed before an incident arises. 

Secure foundations 

Keeping the above strategies in mind will prepare you for a formal, well-documented information security program that meets minimum, commercially reasonable levels of security. A program that includes proactive monitoring for risks such as security breaches, data losses, and hacks (that could lead to fines, damaged reputation, loss of business relationships, revenue, and significant costs), and having reviews conducted by external experts will all enable you to manage and minimize risk effectively so that you can focus on innovation, growth, and market disruption.  

For more information on implementing commercially reasonable security measures, please contact us. 



We highly recommend you confer with your Miller Kaplan advisor to understand your specific situation and how this may impact you.