As regular readers of TechCrunch will know, 2024 was — much like the years before it — full of data breaches, ransomware attacks, and mass-hacks exploiting some of the most trivial software vulnerabilities. Even the most well-resourced organizations failed to keep hackers out of their systems over the past twelve months. AT&T experienced its second massive breach of the year, this time affecting “nearly all customers”; Ticketmaster had an alleged 560 million records stolen in the hack of cloud storage giant Snowflake; and health insurance giant Change Healthcare was hit by a ransomware crew that accessed the sensitive medical details of at least a third of all Americans.
Your startup doesn’t have to suffer the same fate in 2025. Some of the simplest things in security can help keep malicious hackers at bay.
Here are some simple — but effective! — cybersecurity resolutions you should make as we head into the new year.
Securely store your company passwords
Password managers securely store all of your company passwords, so your employees don’t have to worry about remembering them. Password managers also help to create and save unique and complex passwords for all your accounts. This can help prevent account intrusions caused by password re-use, where hackers take advantage of people using the same username and password across various online accounts. As soon as one password is compromised, the hackers can access the person’s other accounts using the same password. Some companies are moving away from passwords altogether and relying on passkeys, which are resistant to phishing attacks, and other passwordless technology.
Implement multi-factor authentication
Passwords alone are not on their own enough to defend your most important accounts against malicious threats. Hackers stole at least 1 billion personal records in 2024, helped largely by the use of stolen credentials for corporate accounts that were left unprotected by multifactor authentication.
MFA, a security feature that requires users to provide an additional code beyond just a password when logging in, makes it far more difficult for cybercriminals to break into online accounts. In the case of cloud computing giant Snowflake, mandating the use of MFA could have prevented a pair of hackers from stealing highly sensitive data from AT&T and more than a hundred other corporate customers.
Most security folks will recommend using authenticator apps that generate login codes on the device, rather than codes sent by SMS text message, which can in some cases be intercepted.
Keep your software up-to-date
Some of the most damaging breaches of 2024 were caused by a years-old problem: Unpatched vulnerabilities in third-party software. One big hacking target in recent years are managed file-transfer tools, the software used by large companies and enterprises for transferring often large data files over the internet. Some file-transfer products and other enterprise technologies have been around for years (or longer), and are targeted for their propensity to store troves of sensitive company data.
While some bugs are exploited as zero-days — a vulnerability that comes to light before a patch is available — the best thing companies can do is ensure your internal software is kept up-to-date and that security patches are applied as soon as possible.
Backup your company data
Ransomware attacks had another record-breaking year in 2024, with companies paying hackers huge sums of money in order to get their data back (and prevent it from being leaked online). Regularly backing up your company’s data is a critical line of defense against data encryption and data-theft attacks. Backups, too, can also be targeted by hackers for their ability to help victims effectively restore their business operations without significant data loss. Having encrypted offsite backups can help in the event of security or data disasters.
Stop picking up the phone
While hackers have for years relied on malware-laced email lures as their weapon of choice against unsuspected victims, some hacking groups are turning to fraudulent phone calls as their primary way of hacking into organizations. A single phone call to the IT help desk of casino and hotel giant MGM reportedly led to its massive breach in 2023, which cost the entertainment giant at least $100 million. As TechCrunch’s Zack Whittaker writes perfectly here: Always be skeptical of unexpected calls, even if they come from a legitimate-looking contact, and never share confidential information over the phone without verifying them through another means of communication first.
Be transparent
Even if you do everything right, there are no guarantees that your startup won’t be targeted. Startups are a prime target for hackers, thanks to their limited resources compared to larger companies. If your company falls victim to a cyberattack, being upfront about the incident can make a real difference in terms of outcomes. Transparency can help your customers take any action as necessary, and sharing information can help others defend against similar attacks in future.
Not only can keeping a data breach under wraps cause reputational damage and potentially cost you significantly in fines — but it could also land you a spot in TechCrunch’s annual ‘badly handled breaches’ roundup.
