Eyewear designer startup Warby Parker has joined Facebook, Marriott and an ongoing roster of other companies in feeling the sting of a hacker. According to reports, the company sent out an email last week to customers notifying them that approximately 198,000 accounts had been targeted in an attack using stolen user names and passwords acquired from breaches at other companies.

Most young startups typically don't have the resources of a massive global hotel chain to fall back on, making a single breach a potentially fatal occurrence. And if you think surviving a cyberattack on a tight budget is tough, try planning for one.

While law firms can help clients focus priorities and channel their limited cash flow in the right direction, all of that work could still be for nothing if at least a few of those dollars aren't earmarked toward data privacy and compliance vulnerabilities.

“A lot of it is really just going where the client is, and a lot of it is really just scoping out where their needs are. I think that's where sometimes businesses go sideways, or maybe firms don't provide the right services and actually listen to what a client needs,” said Sean Hoar, chairman of the data privacy and cybersecurity practice at Lewis Brisbois Bisgaard & Smith.

Not that it necessarily has to be a one-sided conversation. Ideally, new companies or startups have already paid their cybersecurity needs some thought before they show up at the door of a law firm or another third party, but the reality is that those concerns often play second fiddle to the other pressing financial demands associated with launching a new business.

Entrepreneurs who have a solid grasp of the basics—firewalls, complex password management procedures, encryption for sensitive data—can still fail to anticipate some very real threats until they have something to lose.

“At some point they wake up and realize that they're processing 10,000 payment cards a week or a month and then they say, 'Gee, what should we be doing about this?'” Hoar said.

Common requests at Lewis Brisbois include consumer response planning and security response assessments. Neither is prohibitively expensive, but for a company that's still finding its feet, there's a chance that money could be better spent elsewhere depending on the nature of the operation.

When working with clients on a fixed budget, Hoar and his team try to identify the greatest points of legal vulnerability within a given company's business model and address those first. Typically, the list includes ongoing agreements with third-party providers to house data that could be better tailored to limit liability in the event of a breach.

“Businesses are finally waking up to third-party liability, and so a lot of businesses are now recognizing that third-party contracts are actually critical,” Hoar said.

Privacy has become a big-ticket item in the last eight months as companies try to pre-emptively address potential compliance issues under the European Union's General Data Protection Regulation (GDPR) or the forthcoming California Consumer Privacy Act.

Clients could ask for help with everything from a review of the organization's privacy policy to operational concerns regarding the mechanics behind satisfying a consumer's request to have their personal data redacted. Firms should expect to see more requests such as these from web-dependent small businesses if the financial stakes involved continue to rise.

“If [businesses are] compromised, they're not compliant and that contributes to the breach. They can face a large amount of assessments from payment card brands that could put them out of business,” Hoar said.

The good news for businesses and the firms that are trying to help them bring their cybersecurity programs up to speed is that no one is expected to reach the top of the mountain overnight. Still, it's important that those initial steps are taken sooner rather than later.

“I think everybody needs to recognize that information security is a marathon, not a sprint. You put one foot in front of the other. You'll never be able to accomplish it all at once but you've got to start moving forward or leaning forward today,” Hoar said.