Why Startups Can’t Afford to Delay Their Cyber Resilience

Tom Burton



Introduction

When founders are trying to do everything, and the biggest worry is whether you will be able to make payroll at the end of the month, it’s easy to just paper over your security cracks.


“If our target customers don’t know who we are yet, how on earth are the cyber criminals of this world going to find us?” 


“We are still building our product, so why would anyone attack us?” 


Phrases like these are common, convenient, and misleading.


Misleading because hiding in plain sight is no longer an effective strategy (as if it ever was). Growing evidence shows that cyber criminals are increasingly using AI and other technologies to scan the internet for any organisations that have vulnerabilities to exploit. Furthermore, they are using AI to automatically generate convincing phishing messages tailored specifically for an organisation that has been identified by other technologies trawling the internet. 


If the bad people out there aren’t having to expend human effort to scale up from 10 targets to 10,000, then it is no surprise that the targeting aperture has opened to the maximum.


So, why is some investment in security important at every phase in a startup’s lifecycle? 


I’ll look at this in reverse chronology, starting where most businesses want to end up and then getting progressively younger from there.

Preparing for Scale and Exit

Most of us don’t start out wanting to remain small. We want our vision not just to succeed but to have the greatest impact possible on the addressable market. In this context, exit may be through acquisition. Or it may just be exiting the startup world and becoming a grown-up, mid-cap business with all the responsibilities that go with it. At this stage in life, good risk management and cyber security should be a given.


If exit is through acquisition, then the buyer’s due diligence is going to expect mature processes and controls that are underpinned by robust and comprehensive policies – as well as a track record of avoiding embarrassing attacks and responding effectively to those that do get through. If this capability isn’t present, it is reasonable to expect the acquisition price to be discounted to allow for the additional work that will be required and the heightened risk carried while the improvements are made.


If the plan is for the business to continue its growth trajectory as an independent entity, then there will be market, and probably regulator, expectations to meet. The organisation may be increasingly dependent on large enterprises in its customer base, and these will increasingly demand similarly mature risk management. Investment raises, whether Series C+ or IPO, will also come with greater obligations and expectations.



At this stage of scaleup, you have a lot to lose and are not just protecting the business. You are also protecting the customers that you’re dependent on and preparing the business for adulthood.

The Growth Years: Investor Confidence

During this phase you have customers to prove that the market will buy into your value proposition, but you are still early in the journey. You don’t yet have the protective inertia of a constant stream of new orders and may be little known to the majority of your addressable market. If a key anxiety is that you are moving too slowly and that a competitor will steal a march, it is easy to defer anything that seems secondary to new sales or that isn’t ‘making the beer taste better’.


But this is illusory. Firstly, you are likely to be seeking increased investment during this phase to fund marketing and other growth catalysts. Leveraging ‘friends, family and fools’ is unlikely to be sufficient, and as you look for Seed, Series A or B investors, they will bring their own expectations with them. Ultimately, they want to protect their investment and maximise the potential return.


They are likely to have a number of concerns related to the cyber risk you are exposed to:


  • Protecting the viability and value of the business today: If the business loses control of unique and competitive intellectual property and/or experiences a collapse of customer confidence as a result of a significant cyber-attack, then this will have a direct impact on the value of the business. Even if you survive the experience, it is likely to lead to greater dilution of equity in the next raise.


  • Protecting their reputation: Investors care about their reputation, particularly if they are a fund dependent on the favour of their own investors rather than just a HNW individual. A few investments that go south could make future investors for the fund harder to find and possibly lead to capital flight as existing investors lose confidence.


  • Maximising the future divestment value: They are not investing as a charity and will ultimately have their eye on their exit, when they can realise the return. Regardless of the timeframe in which they are looking to divest, they will want to maximise that future value. Laying the foundations for a future exit in this phase will build confidence and increase attractiveness.


What if you don’t need investment? Well, if you are lucky enough to have a business generating so much free cash that it can grow and scale without investment, wouldn’t it be wise to have the same expectations about protecting shareholder value as a conventional investor?

Early Years: Building Good Habits

By now you will hopefully recognise the need for some focus on good risk management and cyber security during the growth, scaleup and exit stages. But what about that fledgling startup composed of a small band of determined founders and a few employees?


Everyone is utterly committed to making it a success. Team cohesion comes easy when the whole organisation can fit in a six-desk room. Surely you don’t need to worry about inconvenient things like good security at this stage?


I’d agree that you probably don’t need to expend significant time and resources to achieve ISO27001 or SOC2 certification, unless you are addressing a market where that is considered table-stakes. And at this stage you may be quite content that it’s better to move fast and run the risk of breaking things.

But, if successful, you will move into one of the future phases where that situation changes. And it is far easier to establish some good habits at the outset than to try to break some bad ones once they have become entrenched. 


For example, if your developers are used to having complete control over their device, including being able to install any tool they like on it, it will be a very painful experience removing those rights a year later. If all of the company’s files and resources can be accessed from any device, anywhere in the world, then it will be difficult to tell staff that they are going to have to carry the company laptop around wherever they go. Try telling the five-year Head of Marketing, who joined as employee #12, that they can’t use their favourite applications and browser extensions.



In the digital world it has been recognised for decades – but not always acted upon – that unless a system or business has been designed to be secure from the outset, it is far harder to make it secure at a later date.

Conclusion: Start Today & Scale Safely

No startup is too small to be a target. Cybercriminals don’t discriminate, and the cost of waiting is steep. The right question isn’t if you should act, but how much is enough for your current stage and your budget.


Security, like every other business process, should evolve with growth. Strong foundations make it easier to build and scale, while neglect creates growing pains that force painful and expensive rebuilds later.


Investing early in pragmatic, phased cybersecurity ensures your business can grow with confidence - and it protects the customers, investors, and markets you depend on.

Get in Touch

The title of this blog might have been leading, and our conclusions probably do not come as a surprise. No business is immune to the threats of cyber criminals, no matter how in ‘stealth mode’ they are right now.


The trick is working out how much is enough today, and where you want to be in the future. It is far easier to build on strong foundations established in the previous phase with security and risk management, just like all the other business processes, organisational designs and policies. 



The alternative is growing pains as parts of the business must be ripped out and rebuilt on a regular basis. As mentioned earlier, you’re unlikely to need enterprise grade risk management or security while working every hour to take a minimum-viable product to market. But you will need to have some care applied to the governance you put around your people, the access they have to resources and the devices they use to do their job.
