ARTICLE

What should founders actually do to keep their company secure?

Brief

Wilson Spearman frames startup security as a practical question: which controls actually reduce risk for an early-stage team? He sets recent threats (supply-chain attacks and package compromises) against skepticism about process-heavy measures such as SOC 2, and uses a real incident, an engineer's laptop taken over through the axios supply-chain attack followed by a full day of key rotation, to argue for concrete protections around developer devices, dependencies, and credentials.

Why it matters

Wilson Spearman asks what a small YC startup should prioritize for security amid what he sees as a sharp rise in incidents, citing the axios supply-chain attack, the Mercor hack, and the LiteLLM package incident.

Key details

  • The company reportedly does not serve enterprise customers and handles little PII beyond email addresses, suggesting a lower compliance burden but still meaningful operational risk from compromised developer environments and leaked credentials.
  • A recent incident forced the team to spend a full day rotating keys after an engineer's laptop was taken over through the axios supply-chain attack while he installed the package for a college class, highlighting both software supply-chain exposure (code that runs at install time on a developer machine) and secret-management weaknesses (long-lived credentials that are expensive to rotate).
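
The laptop compromise above is the classic install-time hook problem: an npm package can declare a lifecycle script that runs arbitrary code the moment it is installed, before anyone has imported it. As an added example (not code from the post or from any YC material), the following Python script audits a node_modules tree for packages that declare npm install-time hooks and checks that every entry in package-lock.json carries an integrity hash, so that a silently swapped tarball would fail to install. The two packages and the lockfile it builds are constructed fixtures, not real packages.

```python
"""Audit a Node project for install-time execution and unpinned dependencies.

Added example; the node_modules tree and lockfile it creates are constructed
fixtures (package names and commands are invented), not real packages.
"""
import json
import os
import tempfile

# npm runs these lifecycle scripts for every dependency it installs; a
# compromised package only needs one of them to take over the machine.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_scripts(node_modules):
    """Return {package_name: {hook: command}} for every installed package
    whose package.json declares an install-time lifecycle script."""
    findings = {}
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        with open(os.path.join(root, "package.json"), encoding="utf-8") as f:
            try:
                pkg = json.load(f)
            except json.JSONDecodeError:
                continue  # not a package manifest we can read; skip it
        scripts = pkg.get("scripts") or {}
        hooks = {h: cmd for h, cmd in scripts.items() if h in INSTALL_HOOKS}
        if hooks:
            name = pkg.get("name") or os.path.relpath(root, node_modules)
            findings[name] = hooks
    return findings


def unpinned_dependencies(lockfile_path):
    """Return lockfile entries (lockfileVersion 2/3 'packages' layout) that
    lack an integrity hash. Without it, npm cannot detect a swapped tarball."""
    with open(lockfile_path, encoding="utf-8") as f:
        lock = json.load(f)
    missing = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue  # "" is the project itself; links point at local paths
        if "integrity" not in entry:
            missing.append(path)
    return missing


def audit(project_dir):
    """Run both checks against a project directory and return the findings."""
    hooks = find_install_scripts(os.path.join(project_dir, "node_modules"))
    missing = unpinned_dependencies(os.path.join(project_dir, "package-lock.json"))
    return hooks, missing


def build_fixture():
    """Constructed fixture: one benign package, one with a postinstall hook,
    and a lockfile in which only the benign package carries an integrity hash."""
    tmp = tempfile.mkdtemp()
    nm = os.path.join(tmp, "node_modules")
    packages = (
        ("left-pad-ish", {"test": "node test.js"}),            # invented name
        ("fake-telemetry", {"postinstall": "node setup.js"}),  # invented name
    )
    for name, scripts in packages:
        pkg_dir = os.path.join(nm, name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as f:
            json.dump({"name": name, "version": "1.0.0", "scripts": scripts}, f)
    lock = {
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "demo"},
            "node_modules/left-pad-ish": {"version": "1.0.0", "integrity": "sha512-AAAA"},
            "node_modules/fake-telemetry": {"version": "1.0.0"},  # no integrity
        },
    }
    with open(os.path.join(tmp, "package-lock.json"), "w", encoding="utf-8") as f:
        json.dump(lock, f)
    return tmp


if __name__ == "__main__":
    project = build_fixture()
    hooks, missing = audit(project)
    for name, h in hooks.items():
        for hook, cmd in h.items():
            print(f"install-time script: {name} {hook}: {cmd}")
    for path in missing:
        print(f"no integrity hash: {path}")
```

Point `audit()` at a real project root instead of `build_fixture()`. The same two findings are why a team that has just been bitten usually installs with `npm ci --ignore-scripts` against a committed lockfile, then reviews the hook list before re-enabling scripts for the few packages that genuinely need them.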

Source evidence

title: What should founders actually do to keep their company secure?
author: Wilson Spearman
source_url: https://bookface.ycombinator.com/posts/99323

word_count: 136

What should founders actually do to keep their company secure?

Seems like there has been a massive uptick in threats recently (axios supply chain attack, Mercor hack, LiteLLM package). At the same time, there’s a lot of discourse about things that startups currently do that don’t actually seem to improve security (SOC II).

So my question is: what should I actually do to keep our company secure? We don’t have enterprise customers and we don’t handle PII beyond emails, but obviously I don’t want to get PWN’d (we spent all day yesterday rotating keys because our engineer who’s finishing his last semester of college got his laptop taken over by the axios supply chain attack installing the package for class).

Would love to know what the more experienced would recommend to a small YC team :)