How concerned should startups be about cybersecurity?

It's easier to address it from the start than to add it back in later.

"Should" doesn't make it so 🙂 Of course it is best if cyber security awareness is there from the very start and best practices are organically incorporated, but for most startups to survive they need to have an almost maniacal focus on the subject matter (product, service, etc.) So, unless cyber security is critical/integral to that pursuit it's not likely to get much attention. It is what it is, not what it should be 🙂

All of the options may apply, depending on the situation and task at hand. Startups rarely have full-time security personnel. At the same time, there should be security-savvy people who can provide informal guidance and advice and ensure the product is built on secure engineering principles -- and this includes knowing when to worry and when to be relaxed. The systematic approach, governance, policies, security operations and everything can come later when the product proves to be viable, but if the backgrounds are designed poorly, no-one would fix that, ever.

If you’re going to collect any kind of data, you should be thinking about how you’re going to protect that data. On our news feed that we have coming in, every day there’s a new new breach that we hear about. Security is a problem and until we have a security-first mindset as a startup, then we’re going to keep having these problems.

And it’s only going to get worse because people are making the same problems that are very easy to fix. For example, they’re not configuring S3 buckets properly or not patching external facing systems properly. People are getting that because of these common issues and then ‘script kiddies’ and people that aren’t experts in security are black-hat hacking or finding issues and sucking down data. People really need to start thinking about problems earlier.