
A simple story about a very expensive security mistake every founder should focus on
First, a Small Story
There is a bakery. A very good one.
The owner, let’s call her Claire, started with two helpers, one kitchen, and recipes her grandmother gave her. Everything was simple. One key for the front door, and once you were inside, you were like family.
Then her croissants became famous on the internet.
Suddenly Claire has 80 employees, warehouses in different cities, and many software tools to manage everything. To keep things simple, she gives every employee one username and one password with access to everything.
It seemed like a smart solution. It was actually a very expensive mistake.
One Wednesday, Everything Goes Wrong
Someone logs into Claire’s system using an account of an employee who left three weeks before. Nobody deleted that account. The system says “Welcome! Come inside!”
This person is not a baker. This person is a thief.
From the first system, they jump to file storage. From there they find the payment portal. No alarms. No warnings. Just open doors, one after another.
By next morning, Claire’s secret recipes are on a competitor’s website. Two fake invoices are already paid. And the lawyer is explaining that under GDPR, a data breach like this can cost up to 4% of total yearly revenue as a fine.
One old login. Never deleted. This is what caused all of it.
What Was the Real Mistake?
Not technology. Not people.
The real mistake was one wrong belief: “If someone has the password, they must be trusted.”
This thinking made sense 15 years ago, when a business lived in one office. But today a business is everywhere: people work from home, from coffee shops, from other countries. Slack, Google Drive, accounting software, HR tools, all in the cloud, all connected.
There is no single building to protect anymore. One password, one door, trust everyone inside: this is now dangerous.
Zero Trust: The Better Way
Security experts call the new approach Zero Trust. The idea is simple:
Never assume someone is safe. Always check.
Every person. Every device. Every time. Here is what this means in real life:
Every room has its own lock. Each system needs its own permission. The marketing person sees marketing tools. The accountant sees finance tools. And when someone leaves the company, their access is deleted immediately, not “sometime next month when someone remembers.”
Prove it is really you every time. That small code a bank sends to a phone when logging in is called Multi-Factor Authentication, or MFA. The same logic should apply to all important business systems. A hacker may have a stolen password, but they do not have the phone. Without that code, they cannot enter.
Do not give everyone access to everything. When a new person joins, the easiest thing is to copy permissions from someone in the same role. But over time, everyone ends up with access to too many things. Before giving any access, one question should be asked: “Does this person actually need this to do their job?” If the answer is no, they do not get it.
Assume the thief is already inside. The smart question is not “How do we stop bad people from getting in?” It is “If someone bad is already inside, how much damage can they do?” Building walls between systems means that if someone gets into one room, they cannot reach the rest of the house.
One Thing to Do This Week
Make a list of every software tool the company uses. Write who has access to each one.
There will be accounts from people who left months ago. There will be access levels that make no sense. Deleting what should not be there closes more security holes than most expensive tools, and it takes only one hour.
For founders who are not sure where to begin, working with a specialist who can look at the whole picture makes a real difference. One name that comes up often in UK and European startup circles is Discover Web Tech, known for explaining risks in plain language and fixing the important things first, without overcomplicating it.
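The one-hour review described above, written out as an added example (this is not code from the original article): a small Python script that compares each tool's access list against the HR roster and the systems each role actually needs, and flags the three things the story warns about. The roster, the role policy, and the access grants are constructed sample data.

```python
# Constructed sample data: a minimal HR roster standing in for the
# "who still works here" list the review starts from.
ROSTER = {
    "claire": {"role": "owner",     "active": True},
    "marta":  {"role": "marketing", "active": True},
    "paul":   {"role": "finance",   "active": True},
    "tom":    {"role": "baker",     "active": False},  # left three weeks ago
}

# Which systems each role needs to do its job (the "one question").
ROLE_NEEDS = {
    "owner":     {"file-storage", "payment-portal", "hr-tool", "marketing-suite"},
    "marketing": {"file-storage", "marketing-suite"},
    "finance":   {"file-storage", "payment-portal"},
    "baker":     {"file-storage"},
}

# (system, username, mfa_enabled), as copied from each tool's admin page.
GRANTS = [
    ("file-storage",    "claire", True),
    ("payment-portal",  "claire", True),
    ("file-storage",    "marta",  True),
    ("marketing-suite", "marta",  True),
    ("payment-portal",  "marta",  True),   # copied from a colleague, never needed
    ("file-storage",    "paul",   True),
    ("payment-portal",  "paul",   False),  # important system without MFA
    ("file-storage",    "tom",    True),   # account of someone who left
    ("payment-portal",  "ghost",  True),   # no matching person at all
]


def review_access(roster, role_needs, grants):
    """Return review findings as sorted (reason, system, user) tuples."""
    findings = []
    for system, user, mfa in grants:
        person = roster.get(user)
        if person is None or not person["active"]:
            # The login from the story: nobody deleted it. Delete it first.
            findings.append(("orphaned-account", system, user))
            continue
        if system not in role_needs.get(person["role"], set()):
            findings.append(("excess-access", system, user))
        if not mfa:
            findings.append(("mfa-missing", system, user))
    return sorted(findings)


if __name__ == "__main__":
    for reason, system, user in review_access(ROSTER, ROLE_NEEDS, GRANTS):
        print(f"{reason:17} {system:16} {user}")
```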
Zero Trust is not only for big enterprises. It is for every founder in Europe and the UK operating under GDPR and who wants to still have a company next year.
Claire recovered from her breach. It was painful and expensive. Her grandmother’s recipes are still secret now, but only after learning this lesson the hard way.
There is no reason to wait for the same mistake.