In their new book, “Unlikely Entrepreneurs: Wins, Losses, and Crucial Lessons on Building Great Companies,” Harvard Business School’s Lou Shipley and MIT Sloan’s Patricia Favreau make the case that founders must assume the role of chief security officer for their startups from day 1.
In the following excerpt, they share insights from Keri Pearlson, a principal research scientist and senior lecturer in information technology at MIT Sloan, about why startups are not immune to cyberattacks. Pearlson offers entrepreneurs six ways to build cybersecurity into their company culture from the outset.
Keri Pearlson listened intently to renowned business leaders presenting at the featured session of the 2025 South by Southwest conference on what America’s 33 million small businesses needed to do to prosper. One topic of particular interest to Pearlson never came up: cybersecurity. It wasn’t the first time. At other business conferences and in other conversations with everyone from CEOs to founders, cybersecurity typically emerged as a secondary concern, if at all.
Pearlson is a principal research scientist at MIT Sloan whose research on small to midsized companies has identified a false sense of security among their leadership. “The problem is, they think cybercriminals are targeting larger, well-established companies in part because these are the type of cyberattacks — the ones that impact an extensive customer base — that are covered by the media. They don’t think of themselves as potential targets.”
But Pearlson says their smaller size is often the very reason why they’re targeted — in particular, small to medium-sized businesses that make up larger companies’ supply chains are often viewed by cybercriminals as vectors to infect the systems of larger, harder-to-access companies.
One study [found] that small businesses account for 43% of cyberattacks annually, and 46% of [those] cyberattacks were against small businesses with 1,000 or fewer employees. On average, small and medium-sized businesses lose $25,000 [per incident] due to cyberattacks. In 2020, small businesses faced over 700,000 attacks, which caused a total of $2.8 billion in damages. Such damage can ultimately lead to failure.
According to Pearlson, the lack of attention to cybersecurity is exacerbated by a prevailing attitude that cybersecurity should be relegated to the IT department and a belief that artificial intelligence can protect against all cyberattacks.
“An IT department can’t keep an employee from clicking on a malicious link,” says Pearlson. “And while AI promises to make it easier to identify malicious activity, you have to remember that the bad guys have AI too. They’re determined to find a way around just about any defense we create to stop them.”
Because cybercriminals are always evolving their methods and techniques, Pearlson stresses the importance of building a culture of cyber prevention and resilience. “Cybersecurity is everyone’s issue, which is why it’s so important for companies at all stages of growth to develop a cybersecurity culture as their first line of defense against cyber breaches,” she says.
Startups, Pearlson notes, hold an advantage in this area. Whereas processes may already be in place and habits formed at established companies, startup founders have an opportunity to implement a cyber-savvy culture from the ground up.
To best protect your company, customers, employees and investors, founders need to assume the role of “chief security officer.” According to Pearlson, here’s how:
Create a cybersecurity crisis communications plan
The early stages of a cyber crisis are often chaotic, with customers, partners, investors, and reporters, among others, demanding answers. By creating your plan in advance, you are better positioned to pivot and move quickly. Elements to consider in its creation are:
- How will you reach clients if your email is down?
- Which stakeholders will you need to contact?
- Who should you contact at your local and national law enforcement agencies? For example, do you know the number of your local FBI field office?
- If you lose your data, who do you contact and who is responsible?
- Are there any responses you can craft in advance to use as a template in the event that reporters contact you?
Hold fire drills
Businesses regularly hold fire drills to ensure that staff know what to do in the event of a fire or natural disaster. In a cyber drill, simulate a cyberattack — case studies on cybersecurity breaches can help in this area — and have everyone act out their assigned roles. Then simulate your step-by-step recovery, including the systems you would have to rebuild or restore from backup and the order in which you would do so.
Buy cyber insurance
Contact your insurance company to find out whether it offers any form of cyber insurance. If it doesn’t, consider looking into cyber insurance policies to determine if it’s worth the investment.
Back it up old-school style
Pearlson’s research uncovered a company that created a robust business continuity plan for a cyber crisis. But after it was hacked, no one was able to get online to access the plan.
As panic built, an administrative assistant clutching a folder approached her director. She asked, “Is this the plan?” Up until then, she’d been teased by colleagues about her habit of making hard copies of important documents. Now, she emerged as the company’s hero.
Make it a habit to keep key documents in more than one place: save them to a thumb drive, email them to yourself, and print them so you have several ways to reach them in an emergency. Keep in mind that an emailed copy is no help when email itself is down, so at least one copy should live offline, and a drive or folder holding your response plan and contact lists should be kept somewhere physically secure.
Reward cyber heroes
Host a competition among your staff to see who can figure out real from fake links, documents, vendor invoices, and emails. This will help employees learn to pay attention to small irregularities, like a minor misspelling in a website address, or clues to identify an email’s origins. Then reward those employees who do well.
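One way to seed such a competition is to generate a set of links that mix real company addresses with the kinds of look-alikes the paragraph describes, along with an answer key. The script below is an added example written for this page, not code from the book or from Pearlson's research. It assumes a hypothetical company domain (acmewidgets.com) and constructed drill links, and it uses a crude "last two labels" rule to find the registered domain; real code should consult the Public Suffix List instead.

```python
"""Look-alike link checker for a phishing-spotting drill (added example, not from the book).

The company domain and every drill URL below are constructed for illustration.
"""
from urllib.parse import urlparse

# Hypothetical company domains used as the "real" answers in the drill.
TRUSTED_DOMAINS = ("acmewidgets.com",)

# Characters and digraphs attackers swap for visually similar ones.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def normalize(label: str) -> str:
    """Collapse common visual substitutions so 'acrnewidgets' reads as 'acmewidgets'."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 catches single dropped or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    # Crude: last two labels. Fine for .com/.net drills; use the Public Suffix List in real code.
    return ".".join(host.split(".")[-2:])


def classify(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return a verdict explaining why a link is (or is not) the company's own."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").rstrip(".")
    if not host:
        return "invalid"
    if "@" in parsed.netloc:
        # https://acmewidgets.com@evil.example/ really goes to evil.example
        return "credentials_in_url"
    reg = registered_domain(host)
    if reg in trusted:
        return "trusted"
    for t in trusted:
        # Brand name buried in a subdomain of someone else's domain.
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "brand_in_subdomain"
    sld, _, _tld = reg.rpartition(".")
    for t in trusted:
        t_sld, _, _ = t.rpartition(".")
        if sld == t_sld:
            return "wrong_tld"        # acmewidgets.co instead of .com
        if normalize(sld) == normalize(t_sld):
            return "homoglyph"        # acrnewidgets.com (rn for m)
        if levenshtein(sld, t_sld) <= 1:
            return "typosquat"        # acmewidget.com (dropped letter)
    return "unrelated"


# Constructed drill links: one real, five fakes of different kinds.
DRILL_LINKS = [
    "https://portal.acmewidgets.com/login",
    "https://acmewidgets.com.secure-login.net/",
    "http://acmewidgets.co/reset",
    "https://acrnewidgets.com/",
    "https://acmewidget.com/",
    "https://acmewidgets.com@evil.example/",
]


def answer_key(links=DRILL_LINKS) -> dict:
    return {u: classify(u) for u in links}


def score(participant: dict) -> int:
    """participant maps each URL to True if they judged it genuine; returns correct answers."""
    key = answer_key()
    return sum(1 for u, genuine in participant.items() if (key[u] == "trusted") == genuine)


if __name__ == "__main__":
    for url, verdict in answer_key().items():
        print(f"{verdict:20} {url}")
```

The verdict names double as the teaching material: each fake in the drill illustrates one trick (brand name as a subdomain, wrong top-level domain, look-alike letters, a dropped letter, user-info before the real host), so a participant who gets one wrong can be shown exactly which irregularity they missed.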
Host cybersecurity moments
Pearlson once consulted on a cybersecurity plan with a bank in Brazil where the CEO would start every meeting with a “cybersecurity moment.” These moments included his sharing media coverage on, or social media posts about, cybersecurity attacks, practices, and solutions.
“The CEO is sending the message that cybersecurity is something their business talks about,” says Pearlson. “As chief security officer, you set the stage for building a cyber-savvy workforce.”
Excerpted with permission from the publisher, Wiley, from “Unlikely Entrepreneurs: Wins, Losses, and Crucial Lessons on Building Great Companies,” by N. Louis Shipley and Patricia Favreau. Copyright © 2026 by Lou Shipley and Patricia Favreau. All rights reserved.
N. Louis Shipley is a former three-time software CEO and a senior lecturer in the Entrepreneurial Management unit at Harvard Business School. He previously lectured at MIT Sloan. Shipley serves as a board director at Wasabi Technologies, Fairmarkit, and CustomerGauge and is a founding donor to the Trinity College Entrepreneurship Center.
Patricia Favreau is associate director of media relations at MIT Sloan, where she dissects complex academic research to make it accessible to business audiences around the globe. She began her career as a news correspondent and holds an MFA in creative writing from Lesley University.