If you’re a problem solver, being part of a startup can be an exceptionally rewarding experience. Good entrepreneurs have a laser focus on solving customer problems, but unfortunately, following good data security practices often does not make it onto the radar of product and service designers.

We see both big and small companies make rather trivial data security design mistakes that have dire and expensive consequences. Some recent security blunders include BMW’s encryption vulnerability, which allowed hackers to remotely unlock and start cars; Brink’s digital safe design flaw, which can allow a hacker to open a safe without any physical force; and the very sad Code Spaces story, which led to the complete destruction of their business.

Having built three different software products in my career, I can assure you that building a product with security as part of the initial design is easier than trying to integrate proper security processes later on in the product’s development lifecycle.

I was fortunate enough to join a great security company after college, so I learned a lot of these best practices early on in my career. Below are five simple pieces of data security advice to help you cost effectively prevent a data breach at your startup:

  1. Strong passwords: We hear that we need a strong
    password all the time, but we don’t always get simple advice on how to
    achieve this. The generally accepted technical advice is to have a
    password that is at least 15 characters long with special characters. An
    easy way to accomplish this is to use a memorable sentence with
    punctuation as your password, e.g. “I enjoyed visiting the arcade @
    Nathans when I was 12!”
  2. Two-factor authentication: Most of your cloud
    service providers can require more than a password for you to gain
    access to the given cloud service. For instance, Dropbox can require
    that you enter a unique code sent to you as an SMS text message every
    time you log in to the website, and Amazon Web Services allows you to
    use a separate application to generate a unique code every time you log
    in to their console. You have to bear in mind that the burden is on you
    to use this security feature, as most cloud service providers make it
    optional. The Code Spaces story is a perfect example where two-factor
    authentication would have prevented a disaster, and Code Spaces cannot
    blame anyone except themselves. If you have a cloud service provider
    that stores sensitive data, or if their service is critical to your
    business, you should demand that they have this security feature. I
    recently dropped an infrastructure as a service provider for this exact
  3. Separate security and administration: The security
    concept is that you have two people managing different aspects of your
    IT infrastructure, so both people need to be compromised in order for
    you to suffer a breach. For example, you can have an IT administrator
    who can manage your systems by setting up new software for users, but he
    or she cannot add or manage the users; a separate security
    administrator is the only person who can manage users. I understand that
    at a startup it may be hard to find two people for these separate
    duties, so in that case, set up two logins for these purposes. I
    personally have a separate login ID for my cloud services for the
    purpose of managing security policies and another login ID with limited
    privileges for my daily use.
  4. Encrypt your data: Encrypt everything that you
    consider sensitive, and make sure you use SSL for any and all
    communication for your products. BMW had a rather embarrassing data
    security incident since their cars did not communicate to their servers
    via SSL. Also, employ full-disk encryption and file encryption for
    laptops and mobile devices that may have sensitive data. For example, if
    you store sensitive data in Dropbox or similar services, search for a
    third-party encryption solution to encrypt those files. By getting
    another company to encrypt the data in that given cloud, you are
    following step #3 above, and a breach within the cloud storage provider
    will not lead to a breach of your data.
  5. Talk to your customers about their security requirements:
    You probably already have a conversation going on with potential
    customers about how your new product will make their lives easier. Ask
    them what they require from you with regards to you internal and product
    related security practices. If you’re catering to a regulated industry
    like healthcare or finance, your customers will definitely have a
    compliance officer who can help you in this regard. At AlertBoot, we are
    constantly getting new customers in healthcare-related fields who are
    required to get our encryption services, since the compliance officers
    are educating their vendors about this HIPAA-related requirement.

This can all seem like unnecessary overhead when you’re trying to grow your business, but protecting all of your hard work should be a priority. I often advise customers to try to work their data security practices into their sales conversation as a way to assure your prospective customers that you have their best interests in mind. You’ll be pleasantly surprised how well this can work.

Much like electricity, hackers usually take the path of least resistance when it comes to stealing your data or disrupting your systems. The above tips will help make it more difficult for a hacker to penetrate your systems, and in many cases, the hacker will move on to the next potential victim. Most of the data breaches you hear about in the news are preventable, but you should also make data security education part of the ongoing growth plan for your business as the technology landscape is constantly changing.

Originally published at https://www.forbes.com/sites/theyec/2015/08/06/investing-in-data-security-early-will-pay-off-in-the-long-run/#56bc213648fe