Data Protection Playbook: Encryption, Backups, DLP, and Access Controls That Actually Stop Breaches

Why Data Protection Can't Wait

The headlines from this week alone are a masterclass in what goes wrong. DentaQuest lost 2.6 million patient records. The UN's World Food Programme exposed data on 600,000 vulnerable households. A Magecart skimming campaign weaponized Stripe's own API to host stolen card data. These aren't exotic zero-days — they're failures of basic data protection hygiene. The organizations that weather these incidents have four things in common: encrypted storage, verified backups, data loss prevention policies, and tight access controls. Here's how to build all four in a week.

1. Encryption at Rest and in Transit

Encryption is your last line of defense when everything else fails. If an attacker exfiltrates an encrypted database or lifts an encrypted laptop, the stolen data is unusable without the key.

At rest — endpoints and servers:

• BitLocker (Windows Pro/Enterprise, included with license): Full-disk encryption for every workstation and laptop. Enable via Group Policy across the domain. Zero additional cost if you already run Windows Pro.
• VeraCrypt (free, open source, Windows/macOS/Linux): Creates encrypted volumes for sensitive file storage. Ideal for shared workstations or machines running Windows Home editions that lack BitLocker. NIST SP 800-111 provides detailed guidance on storage encryption architectures and key management.
• LUKS (Linux): Full-disk encryption baked into most Linux distributions. Use during server provisioning — retrofitting is painful.

In transit — network and API layer:

• Enforce TLS 1.2+ on every external-facing service. Use free certificates from Let's Encrypt for web properties.
• Require VPN (WireGuard or Tailscale) for all remote access to internal systems. Tailscale's free tier covers up to 100 devices — enough for most SMBs.
• For email, enforce TLS for inbound/outbound mail and consider S/MIME or PGP for highly sensitive communications.

Cost estimate: $0–$50/month. BitLocker is included with Windows Pro licenses. VeraCrypt is free. Tailscale free tier handles most small teams. Let's Encrypt certificates are free.

2. The 3-2-1 Backup Rule

The Australian Cyber Security Centre (ACSC) explicitly recommends the 3-2-1 strategy: three copies of your data, on two different media types, with one copy off-site. This is not theoretical — ransomware routinely destroys primary storage and any connected backups. The off-site copy is your escape hatch.

Implementing 3-2-1 this week:

1. Primary copy — your production data on servers or workstations.
2. Local backup — a NAS or external drive on-premises. Veeam Backup Free Edition (up to 10 instances) handles VMware and Hyper-V environments at no cost. For file-level backup, SyncBackFree handles Windows; rsync with cron handles Linux.
3. Off-site backup — cloud-based. Backblaze B2 at $6/TB/month is the budget leader. Wasabi is another option at similar pricing. Both are S3-compatible, so Veeam or any standard backup tool can write directly to them.

Verification is non-negotiable. Backups you haven't tested are just wishful thinking. Schedule a monthly restore test: pick a random file, restore it, confirm integrity. Document the result. If you use Veeam, its SureBackup feature automatically verifies recoverability in an isolated environment.

Cost estimate: $0–$100/month for a typical SMB (1–5 TB of data). Veeam Free covers small environments. Backblaze B2 runs ~$6/TB/month. A 2-bay NAS for local backup is a one-time $200–$400 hardware cost.

3. Data Loss Prevention (DLP)

DLP policies detect and block sensitive data from leaving your organization — whether through email, cloud uploads, USB drives, or (increasingly relevant this week) AI agents with excessive data access. A CyberScoop report this week highlighted how AI agents are becoming the new insider threat, making DLP more critical than ever.

Start with classification:

You cannot protect what you cannot see. Before deploying DLP tools, classify your data:

• Public — marketing materials, published content.
• Internal — business plans, project documentation.
• Confidential — customer PII, financial records, health data.
• Restricted — encryption keys, credentials, trade secrets.

Tool options by budget:

• Microsoft Purview DLP (included in Microsoft 365 E3+/Business Premium): Policy-driven detection of SSNs, credit card numbers, health records across Exchange, SharePoint, OneDrive, and Teams. If you already have M365 Business Premium ($22/user/month), DLP is included — you just need to turn it on.
• Varonis (enterprise, pricing varies): Automated data classification, permission analysis, and threat detection. Strong for organizations with large file shares and complex permissions. Pricing typically starts around $50,000/year — better suited for mid-market and above.
• OpenDLP (free, open source): A starting point for scanning and identifying sensitive data across file systems. Requires technical expertise to deploy.

Quick-win DLP policies to enable immediately:

• Block USB mass storage on company workstations via Group Policy or MDM.
• Configure email DLP rules to flag or block outgoing messages containing SSN patterns, credit card numbers, or health record identifiers.
• Restrict third-party AI tool access to internal documents — review OAuth grants to tools like ChatGPT, Copilot, and Gemini.

Cost estimate: $0–$200/month. If you have M365 Business Premium, DLP is already paid for. OpenDLP is free. Varonis is enterprise-priced and not realistic for SMBs under 50 employees.

4. Access Controls That Actually Work

Access control failures are behind most breaches — not exotic exploits, but overprivileged accounts, stale credentials, and no monitoring. The CIS Controls v8 explicitly lists "Controlled Access" as a foundational safeguard.

Implement these this week:

• Enforce MFA everywhere. Not just email — VPN, admin panels, cloud consoles, SSH. Use a phishing-resistant method where possible: FIDO2 keys (YubiKey, ~$55 each) or authenticator apps as a minimum. SMS-based MFA is better than nothing but vulnerable to SIM swaps.
• Adopt least-privilege access. Audit who has admin rights. Remove local admin from standard user accounts. Use just-in-time (JIT) privileged access for IT tasks. Azure AD / Entra ID Privileged Identity Management handles this for Microsoft shops.
• Review and revoke stale accounts quarterly. Disable accounts within 24 hours of employee departure. Former employees' active credentials are a quiet, common attack vector.
• Implement role-based access control (RBAC). Define roles (finance, engineering, sales, admin) and assign permissions by role — not by individual. This makes onboarding, offboarding, and auditing dramatically simpler.

Cost estimate: $0–$150/month. YubiKeys are a one-time ~$55/user purchase. Entra ID P2 (for PIM) is $9/user/month. Many SMBs can start with free tiers of Tailscale (which includes RBAC) and built-in MFA in their existing platforms.

Quick-Win Checklist: What to Do This Week

FAQ

Conclusion

The breaches in this week's news — 2.6 million DentaQuest records, 600,000 WFP households, credit card data stolen through Stripe's own infrastructure — all exploited gaps that basic data protection controls would have mitigated. Encryption renders stolen data useless. Verified backups neutralize ransomware. DLP policies catch data exfiltration before it succeeds. Access controls limit blast radius when credentials are compromised.

You do not need a six-figure security program to get started. Enable BitLocker, configure a 3-2-1 backup with Backblaze B2, turn on the DLP rules you already pay for in Microsoft 365, and enforce MFA on every account. That is a credible data protection posture built in a single week.

Ready to go deeper? Visit consult.lil.business for a free cybersecurity assessment tailored to your business size and industry.

References

1. NIST SP 800-111: Guide to Storage Encryption Technologies for End User Devices
2. ACSC Guidance: Backups — Australian Cyber Security Centre
3. CIS Controls v8: Safeguards for Data Protection
4. BleepingComputer: DentaQuest Data Breach Exposes 2.6 Million Accounts
5. CyberScoop: Your AI Agent Could Become Your Biggest Insider Threat