Cyber attacks don’t just happen to large corporations. In fact, small businesses and startups are often the most vulnerable.
You’re dealing with sensitive customer information without the luxury of big budgets, IT support teams, or round-the-clock monitoring. A breach can destroy customer trust and kill the progress you’ve worked so hard to build.
That’s why we spoke to Susie Jones, CEO of Cynch, for our recent Cyber Security for Founders workshop.
Susie has spent over 10 years in cyber risk and governance, helping both corporates and startups understand where their blind spots are – and how to fix them. Her work with Cynch has supported hundreds of small businesses across Australia to build security strategies.
Here are her five practical tips that your startup can use right now to keep your data safe and build the kind of trust customers never forget.
How to protect your startup from data breaches
1. Treat personal information as toxic
As a business, you are often given the personal data of your customers. Think names, emails, phone numbers, IDs, health or financial info.
Susie recommends you treat it as if it were a dangerous substance.
Every new record increases your risk and responsibility. Your business should consider the following questions:
- Do we really need this data? If not, don’t collect it.
- If we need it now, do we need to keep it later? If not, set a deletion date.
- Who can touch it? The fewer people, the safer it is.
Customers are now asking tougher questions after big breaches like Optus and Medibank.
In the housing industry, Susie has seen mortgage brokers go from zero questions about data handling to clients regularly asking, “How do you protect my information?”
If you treat data as toxic, you’ll naturally make better choices when you handle it.
Quick win: Run your email through Have I Been Pwned (by Australian researcher Troy Hunt) to see if your details have been leaked in past breaches. It’s often a wake-up call that sparks stronger habits.
2. Know how you collect, store and access data
Many businesses lock the cupboard but forget the corridor. In other words, the final storage might be secure, but the journey there isn’t.
That's why it's important that you can securely trace the full journey that the data takes.
Collection: When someone submits a web form or emails a document, what happens to it? Does it sit unmonitored in an inbox?
Transmission: How does it travel? Is it secure and encrypted?
Storage: Where does it ultimately live – CRM, cloud drive, accounting system, vendor tools? What about backups?
Access: Who can see, edit, or delete it? And do they really need that access?
Susie also points out that two issues keep showing up in small businesses, and both are easy to overlook. The good news is they’re also easy to fix once you know what to look for.
1. Lingering data
Someone sends you a sensitive document, you upload it into your CRM, but the original email just sits there. Months later, it’s still floating around in three different inboxes.
The fix is simple. Decide what gets filed and what gets deleted. Set clear rules for storing attachments. And switch on audit logs in tools like Microsoft 365, Google Workspace, your CRM, or file storage.
That way, if something ever goes wrong, you can see exactly what happened.
2. Creeping access
Here’s another one. A team member covers someone’s leave, so they get extra admin access to the system. But when the leave ends, the extra access stays. Do that a few times over a year, and suddenly you’ve created a quiet security hole.
The way to manage this is to keep everyday accounts separate from admin accounts so one password slip doesn’t open everything. And make multi-factor authentication (MFA) a must-have for email, storage, and admin tools.
Quick win: If you do only one thing this week, review who has access to your systems right now and remove anything no longer required. You’ll be surprised how much you can safely cut.
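One way to run that access review over an exported list of grants, looking for both problems above (temporary cover access that was never removed, and everyday accounts that also hold admin rights). This is an added example, not code from Cynch or the workshop; the export format, account names and dates are constructed.

```python
import csv, io
from datetime import date

# Constructed access export (not from a real system): one row per grant.
# A blank expires_on means the grant was meant to be permanent; grants
# made to cover leave carry the date the cover was supposed to end.
SAMPLE_EXPORT = """\
account,system,role,expires_on,reason
alice@example.com,crm,standard,,day-to-day sales
alice@example.com,crm,admin,2024-03-15,covering Bob's leave
bob@example.com,crm,admin,,CRM owner
carol@example.com,m365,standard,,day-to-day work
carol-admin@example.com,m365,admin,,dedicated admin account
dave@example.com,storage,admin,2024-09-01,migration project
"""

def parse_grants(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_expired(grants, today):
    """Temporary grants whose end date has passed but that are still in place."""
    return [g for g in grants
            if g["expires_on"] and date.fromisoformat(g["expires_on"]) < today]

def find_mixed_accounts(grants):
    """Accounts holding admin and everyday roles on the same system: the
    everyday login can do admin work, so one password slip opens everything."""
    roles = {}
    for g in grants:
        roles.setdefault((g["account"], g["system"]), set()).add(g["role"])
    return sorted(k for k, r in roles.items() if "admin" in r and len(r) > 1)

def review(text, today_iso):
    """Run both checks over an export; today_iso is the review date, yyyy-mm-dd."""
    grants, today = parse_grants(text), date.fromisoformat(today_iso)
    return {
        "expired": [(g["account"], g["system"], g["role"]) for g in find_expired(grants, today)],
        "mixed": find_mixed_accounts(grants),
    }

if __name__ == "__main__":
    for check, hits in review(SAMPLE_EXPORT, "2024-10-01").items():
        print(check, hits)
```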
3. Don't store sensitive data you don’t need
If you don’t keep it, you can’t lose it. That single idea will cut your risk more than any fancy piece of software.
The problem is, most teams save things “just in case.” It feels safer at the time but ends up creating long-term risk.
Susie shares a great example from a rental agency. Many agents keep scanned copies of driver’s licences. But they don’t actually need the copy; they just need to check it and note that the ID was verified. Keeping the scan only adds unnecessary exposure.
Your business probably has similar habits. Instead of “keep everything,” shift to “check, record, and move on.” A simple way to do this is by writing a short data minimisation policy that covers:
- What you collect and why.
- How long you’ll keep it (for example, delete ID checks after a set number of days).
- Where you can automate deletion (in email, CRM, or storage tools).
This gives you a clear map of what stays and what goes, and helps keep your systems lean and safe.
Quick win: Run a one-hour data clean-up sprint. Search for files named “ID”, “licence”, “passport”, “Medicare”, “bank”, “TFN”, “pay slip”, etc. Delete what you don’t need, move genuine records to a secure folder, and make a quick note of what you changed.
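A small helper for that clean-up sprint, added here as an example rather than anything from the article or Cynch. The keyword list follows the article; the rules (ID checks older than 30 days are deleted, newer ones flagged for review, financial records moved to a secure folder) and the sample file names are assumptions for illustration. It plans first and changes nothing until apply is called, writing one line per change so you have the note of what you did.

```python
import os, re, shutil, tempfile, time

# Keywords from the article's clean-up sprint; the split into "ID checks"
# (check, record, move on) and "records" (keep, but securely) is assumed.
ID_CHECKS = ["id", "licence", "license", "passport", "medicare"]
RECORDS = ["bank", "tfn", "pay slip", "payslip"]

def kind(filename):
    """Whole-word keyword match, so 'guide.pdf' does not trip the 'id' rule."""
    words = " ".join(re.findall(r"[a-z0-9]+", filename.lower()))
    for group, kws in (("id_check", ID_CHECKS), ("record", RECORDS)):
        if any(re.search(rf"\b{kw}\b", words) for kw in kws):
            return group
    return None

def plan(root, retention_days=30, now=None):
    """Walk root and decide an action per matching file; nothing is changed."""
    now, actions = now or time.time(), []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path, k = os.path.join(dirpath, f), kind(f)
            if k == "id_check":  # ID checks past retention go; recent ones get a look
                age_days = (now - os.path.getmtime(path)) / 86400
                actions.append(("delete" if age_days > retention_days else "review", path))
            elif k == "record":  # genuine records move to the secure folder
                actions.append(("move", path))
    return sorted(actions)

def apply(actions, secure_dir, changelog):
    """Carry out the plan (secure_dir should sit outside root), logging each change."""
    os.makedirs(secure_dir, exist_ok=True)
    with open(changelog, "a") as log:
        for action, path in actions:
            if action == "delete":
                os.remove(path)
            elif action == "move":
                shutil.move(path, os.path.join(secure_dir, os.path.basename(path)))
            else:
                continue  # 'review' needs a human decision
            log.write(f"{action}\t{path}\n")

def demo():
    """Constructed sample files (not real data); returns the dry-run plan by name."""
    root, now = tempfile.mkdtemp(), time.time()
    for name, days_old in [("scan_drivers_licence.jpg", 90), ("passport-check.png", 5),
                           ("bank_statement_2023.pdf", 400), ("guide.pdf", 400), ("video.mp4", 1)]:
        p = os.path.join(root, name)
        open(p, "w").close()
        os.utime(p, (now - days_old * 86400,) * 2)
    return [(a, os.path.basename(p)) for a, p in plan(root, now=now)]
```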
4. Set clear expectations with your staff
Most security issues don’t come from clever hackers; they come from everyday people. A rushed email. A link that looks real. A password that gets reused once too often.
The best protection is culture: clear rules, gentle reminders, and a safe space to ask for help.
Make security part of your onboarding process so it becomes second nature:
- Show new team members how to set up MFA and a password manager.
- Explain where sensitive information should (and shouldn’t) be stored.
- Share short refresher tips regularly (people remember small nudges more than a long lecture once a year).
- Run light phishing practice so staff learn what to watch out for, without fear or blame.
- Celebrate near-misses as learning moments.
You should also give your team a safe place to share suspicious emails, like a Slack or Teams channel. One dodgy email spotted by one person could protect everyone.
It also helps to be upfront about consequences. Even accidental breaches can affect customers. If you’re clear early on about what counts as a policy breach and how warnings work, people tend to be more careful, without feeling like they’re being policed.
Quick win: Since people are the biggest risk, take care of them. Susie shared a simple habit her remote team uses: at the start of stand-up, everyone shares their energy level from 1–10. If someone’s sitting at a “3” for a few days, they get extra support, and sensitive work gets a second check. A little human context goes a long way in reducing mistakes.
5. Document your systems
Good security can actually give you an edge over the competition. When you can show that you take security seriously, you become a more attractive partner for larger companies and government clients.
These organisations now look much more closely at who they work with. Procurement teams often send long questionnaires based on standards like ISO 27001, the ACSC Essential Eight, SOC 2, or IRAP. It can feel like paperwork, but it’s become part of doing business. If you can answer quickly and confidently, you’ll stand out from competitors who can’t.
The level of scrutiny usually depends on how critical you are to the buyer. If you’re handling customer data or linking into their systems, expect deeper questions. Some may even ask for formal certifications like ISO 27001 or SOC 2. These take time and investment, but the effort you put into one standard usually carries over to others.
A smart way to start is to simply ask your prospective customers which frameworks matter most to them, then focus your efforts there.
It also helps to build a small “evidence library.” Keep plain-language answers to common questions, your policies, logs, and training records in one place. Pair that with a short security roadmap that shows where you are today and what you’re working on next. Buyers often value clear, honest progress more than vague promises.
Quick win: Make sure you have an incident response plan. This should be a short document with names, numbers and first steps, such as who isolates systems, who communicates with customers, and who calls your lawyer. Print it and keep it handy. In a crisis, you do not want to be hunting around for a lost PDF.
Final thoughts
There is plenty of danger out there, so now is a great time to show strength through security.
Businesses everywhere want partners who are organised, careful with information, and easy to trust. When you put clear policies in place, manage access properly, handle data with care, and keep good records, you show that your business is built for growth.
When security becomes part of everyday culture, it builds trust with your customers, partners, and investors, and sets your business up for long-term success.