This article was published on May 14, 2016

10 data security mistakes to avoid as a startup

Story by Scott Gerber

Scott Gerber is the founder of Young Entrepreneur Council (YEC), an invite-only organization comprised of the world’s most successful young entrepreneurs. YEC members represent nearly every industry, generate billions of dollars in revenue each year and have created tens of thousands of jobs. Learn more at

Startups move fast, and aren’t always thinking about data security as they rush to get an MVP to market. But they should.

Data security is increasingly important. As a new business, a mistake in this area can shut down the company. To help combat the common mistakes, I asked 10 entrepreneurs from YEC the following question:

What’s the biggest mistake you see tech startups making in terms of data security right now and why?

1. Blurring the lines between personal and professional devices

Bring your own device (BYOD) has gained popularity over the last few years, especially in the startup space. Nobody wants to carry multiple smartphones and constantly utilize different mobile operating systems to check email and manage calendars. However, the security risk is often overshadowed by convenience. Employees’ personal devices have access to and store confidential corporate data directly on the device. When an employee leaves an organization, that information is still present on their device and can be accessed indefinitely. In terms of data security this is a major mistake. – Nick Chasinov, Teknicks

2. Neglecting two-factor authentication

David Ciccarelli: Two-factor authentication – the system that sends your mobile phone a text message with a code that you enter upon logging into a new website – is a simple but often overlooked first step. All major business platforms offer this now, including Google Apps for Work and Salesforce. Even social networks make this functionality available at the flick of a switch. With password breaches becoming more common, it’s only prudent to add a second layer of protection on the sensitive information that is stored in web-based software. – David

3. Having inadequate exit protocols

Companies that rely on large fleets of part-time employees or contractors are especially prone to security breaches or data lapses if they don’t carefully follow a standard exit procedure. Confidential information, account access and other data loss can easily occur when your company’s data remains resident on those people’s devices. People forget it’s even there, and may not take security as seriously on their personal devices. Protect your and your customers’ information by doing some work ahead of time with your legal advisors. – David Mainiero, InGenius Prep

4. Not having SSL from the start

SSL (Secure Sockets Layer) is easy to implement from the start. Every website should have it integrated as standard. It provides assurance to your users and, of course, a higher level of security for communications. – Peter Boyd, PaperStreet Web Design


5. Not making security a priority from the very beginning

Startups often fall into the trap of thinking they can deal with security later, when their company is larger. The problem with not taking security seriously from the beginning is that security is not built into the company’s DNA, making it a more difficult issue to deal with when it is finally faced. – Matthew Weinberg, Vector Media Group

6. Putting product development ahead of security

Getting a viable product in front of users is the No. 1 priority of startups, which can lead to lapses in security in the early days of development. Building secure systems is a painstaking process that can get in the way of product development. But if a startup takes shortcuts, this will come back to bite them in the future. Security and privacy should be primary goals from the start. – Vik Patel, Future Hosting

7. Lack of cloud drive policies

Matt Knee: Cloud Drives like Box, Dropbox and Google Drive are a fantastic way to keep your team in sync and manage documents. However, they can be vulnerable to viruses, ransomware and unauthorized access if they are not locked down properly. The fact that files can be so easily shared and synced via Cloud Drives is their main vulnerability, meaning anti-virus, backups, email attachment, password and access policies must be in place before allowing one user to cause problems for the whole company. – Matt, Inc.

8. Not staying up-to-date with security practices

Technology changes fast and so do security practices. Security standards from 5-10 years ago should not be used anymore. Many startups don’t bother keeping up with the latest security updates and end up using old encryption algorithms or outdated techniques that can be abused by hackers and malicious actors. – Dan Sapozhnikov, AdGate Media

9. Lack of internal infrastructure and policies

Tech startups have a strong advantage when it comes to data security because they aren’t encumbered by legacy systems, and instead are able to apply best practices from the start. As a result, their products have never been more secure. But while they’re more secure, internal practices and protocols at tech startups have lagged behind. Credential sharing, limited use of single sign-on, and poor password policies are all common examples of tech startups mistakenly not focusing enough on their own internal infrastructure and policies and the impact that it has on their data security. – Michael Saffitz, Apptentive, Inc.

10. Not having notifications for suspicious activity

Kristopher Jones: Six months ago I was the victim of a data breach that almost led to considerable financial distress. First, I used the same weak password across multiple organizations and for personal use. Someone guessed the password and multiple entities were quickly breached. This situation could have been avoided if I simply maximized password strength. Second, I learned that many systems have advanced data security tools to help mitigate data breaches. For instance, on Google Apps for Business I set up notifications to be alerted when suspicious activity occurs. These steps greatly maximize data security. – Kristopher
