This is TechCrunch.
As regular listeners of TechCrunch will know, 2024 was, much like the years before it, full of data breaches, ransomware attacks, and mass hacks exploiting some of the most trivial software vulnerabilities.
Even the most well-resourced organizations failed to keep hackers out of their systems over the past 12 months. AT&T experienced its second massive breach of the year, this time affecting nearly all customers. Ticketmaster had an alleged 560 million records stolen in the hack of cloud storage giant Snowflake, and health insurance giant Change Healthcare was hit by a ransomware crew that accessed the sensitive medical details of at least a third of all Americans.
Your startup doesn't have to suffer the same fate in 2025. Some of the simplest things in security can help keep malicious hackers at bay. Here are some simple but effective cybersecurity resolutions you should make as we head into the new year.
Securely store your company passwords
Password managers securely store all of your company passwords so your employees don't have to worry about remembering them. Password managers also help to create and save unique and complex passwords for all your accounts.
This can help prevent account intrusions caused by password reuse, where hackers take advantage of people using the same username and password across various online accounts. As soon as one password is compromised, the hackers can access the person's other accounts using the same password. Some companies are moving away from passwords altogether and relying on passkeys, which are resistant to phishing attacks, and other passwordless technology.
Implement multi-factor authentication
Passwords on their own are not enough to defend your most important accounts against malicious threats. Hackers stole at least 1 billion personal records in 2024, helped largely by the use of stolen credentials for corporate accounts that were left unprotected by multi-factor authentication. MFA, a security feature that requires users to provide an additional code beyond just a password when logging in, makes it far more difficult for cybercriminals to break into online accounts. In the case of cloud computing giant Snowflake, mandating the use of MFA could have prevented a pair of hackers from stealing highly sensitive data from AT&T and more than 100 other corporate customers.
Most security folks will recommend using authenticator apps that generate login codes on the device rather than codes sent by SMS text message, which can, in some cases, be intercepted.
Keep your software up to date
Some of the most damaging breaches of 2024 were caused by a years-old problem: unpatched vulnerabilities in third-party software. One big hacking target in recent years has been managed file transfer tools, the software used by large companies and enterprises for transferring often large data files over the Internet.
Some file transfer products and other enterprise technologies have been around for years or longer and are targeted for their propensity to store troves of sensitive company data. While some bugs are exploited as zero-days, vulnerabilities that come to light before a patch is available, the best thing companies can do is ensure internal software is kept up to date and that security patches are applied as soon as possible.
Back up your company data
Ransomware attacks had another record-breaking year in 2024, with companies paying hackers huge sums of money in order to get their data back and prevent it from being leaked online. Regularly backing up your company's data is a critical line of defense against data encryption and data theft attacks.
Backups can also be targeted by hackers for their ability to help victims effectively restore their business operations without significant data loss. Having encrypted off-site backups can help in the event of security or data disasters.
Stop picking up the phone
While hackers have for years relied on malware-laced email lures as their weapon of choice against unsuspecting victims, some hacking groups are turning to fraudulent phone calls as their primary way of hacking into organizations. A single phone call to the IT help desk of casino and hotel giant MGM reportedly led to its massive breach in 2023, which cost the entertainment giant at least $100 million.
As TechCrunch's Zack Whittaker writes perfectly, always be skeptical of unexpected calls, even if they come from a legitimate-looking contact, and never share confidential information over the phone without verifying them through another means of communication first.
Be transparent
Even if you do everything right, there are no guarantees that your startup won't be targeted. Startups are a prime target for hackers thanks to their limited resources compared to larger companies. If your company falls victim to a cyberattack, being upfront about the incident can make a real difference in terms of outcomes.
Transparency can help your customers take any action as necessary, and sharing information can help others defend against similar attacks in the future. Not only can keeping a data breach under wraps cause reputational damage and potentially cost you significantly in fines, but it could also land you a spot in TechCrunch's annual Badly Handled Breaches Roundup.