Why even start-ups need to care about security

Max Kabakov | iStock | Getty Images Plus

Start-ups beware: Security is not just for established companies. One big data breach could cost you your business.

Big companies such as Sony, Home Depot and Target have been able to weather major data breaches, but young companies that aren't taking security seriously are at high risk of losing everything when they get hit with an attack, security industry pros said on Monday at eMerge Americas conference.

"You are never too small. If you have a vulnerability and it gets exploited. It will bring a great deal of attention on you, and the smaller the start-up the more likely it is that a major incident will kill your company," said Matt Anthony, a senior vice president at the Herjavec Group, a security consulting company.

So what should young companies be doing to protect themselves?

First, start-ups should have a plan in place for how they will deal with a breach, said Ian Ballon, a shareholder in Greenberg Traurig LLP.

"If you are not planning ahead you are going to have terrible, terrible legal problems," said Ballon, who defends companies that have been breached.

Read MoreGuess who's been hacked now?

Forty-seven states have notification laws in place for breaches under certain circumstances, he said. Companies who have experienced a breach may be required legally to provide notice of the incident and if there isn't a proper plan in place they could land themselves in more legal trouble.

"Every company is going to have a security breach, there is no question about it," Ballon said.

"Just because you are an emerging company, there's no 'emerging company exception' to the federal laws and notification laws."

Besides having a plan in place, companies should also constantly be monitoring what kind of information they are collecting about their users, Anthony said.

"It's really important to know what data you are collecting, processing and storing and why. One of the best things you can do as a start-up business is be very, very selective of what information you collect and store," Anthony said. "They can't steal what you don't have."

Another thing companies should be doing is encrypting all their stored data, Ballon said. If data is encrypted and there is a breach, companies reduce their risk of information's being exposed, but there could still be legal implications.

"There are a number of states, though, that even if the data is encrypted, under the terms of the statute, you have to provide notice to the consumers and perhaps to the attorney general and that's the kind of thing that could spark an investigation," he said.

Read More How this security start-up joined the unicorn club