TL;DR
Most data breaches that devastate businesses are preventable with four foundational controls: encrypting data at rest and in transit, following the 3-2-1 backup rule, deploying DLP policies, and enforcing least-privilege access. This week's headlines — a Japanese energy firm losing a drive with 10.9 million client records, a $409 million fine hitting Coupang, and a PeopleSoft zero-day enabling data theft — underscore that the cost of inaction is measured in millions. Here is what you can deploy this week for $0 to $200/month.
1. Encrypt Everything — At Rest and In Transit
Encryption is your last line of defense when every other control fails. A lost laptop, a stolen external drive, or an intercepted network connection should expose nothing of value. NIST SP 800-111 defines three classes of storage encryption — full disk, volume/virtual disk, and file/folder — and recommends full disk encryption as the baseline for endpoint protection.
What to deploy this week:
- BitLocker (Windows Pro/Enterprise, included at no extra cost): Enable on every workstation and laptop. Open an elevated command prompt, run `manage-bde -on C: -RecoveryPassword`, and back up the recovery key to Active Directory or a secure password manager. Done in under five minutes per machine.
- VeraCrypt (free, open source, cross-platform): Use for encrypting external drives, USB sticks, and shared folders on file servers. Create a VeraCrypt volume on any removable media — the free price makes it ideal for budget-constrained teams.
- FileVault (macOS, built-in): Enable via System Settings > Privacy & Security > FileVault. Escrow recovery keys to your MDM solution.
- TLS 1.2+ everywhere: Force HTTPS on all web services, enforce encrypted connections for email (SMTPS/IMAPS), and require VPN with AES-256 for remote access. If any service accepts plaintext connections, disable it today.
Cost estimate: $0/month. BitLocker and FileVault ship with business OS licenses. VeraCrypt is free. TLS certificates are free via Let's Encrypt. The only expense is operational discipline.
Quick win: Audit BitLocker status across your fleet with a single command: run `manage-bde -status` on each machine, or use a PowerShell script to report across all domain-joined endpoints. Any machine showing "Protection Off" gets encrypted before lunch.
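The fleet-wide audit just described, as an added example that is not code from the original post: it pulls Windows computer objects from Active Directory, asks each endpoint for the BitLocker state of its OS volume, and lists anything not reporting "On". It assumes the RSAT ActiveDirectory module on the admin workstation, WinRM reachable on the endpoints, an account permitted to query them, and a placeholder output path.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module locally, WinRM enabled on endpoints, and rights to query them remotely.
Import-Module ActiveDirectory

# Every enabled Windows computer object; add -SearchBase to scope to one OU if needed.
$computers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' -Properties OperatingSystem |
    Where-Object { $_.Enabled } | Select-Object -ExpandProperty Name

# Query endpoints in parallel; connection failures land in $unreachable instead of aborting.
$unreachable = @()
$report = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue `
    -ErrorVariable unreachable -ScriptBlock {
    # Runs on the endpoint: report the OS volume (data volumes can be added the same way).
    Get-BitLockerVolume -MountPoint $env:SystemDrive | ForEach-Object {
        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            Drive             = $_.MountPoint
            ProtectionStatus  = [string]$_.ProtectionStatus          # On / Off
            EncryptionPercent = $_.EncryptionPercentage
            KeyProtectors     = ($_.KeyProtector.KeyProtectorType -join ',')
        }
    }
}

# The before-lunch fix list: protection off, or encryption still in progress.
$needsWork = $report | Where-Object { $_.ProtectionStatus -ne 'On' -or $_.EncryptionPercent -lt 100 }
$needsWork | Sort-Object Computer |
    Format-Table Computer, Drive, ProtectionStatus, EncryptionPercent, KeyProtectors -AutoSize

# Hosts that did not answer are findings too: a laptop that never checks in cannot be verified.
$unreachable | ForEach-Object { $_.TargetObject } | Sort-Object -Unique |
    ForEach-Object { "Unreachable (verify manually): $_" }

# Keep the full result as evidence for the next audit (placeholder path).
$report | Export-Csv -Path '.\bitlocker-audit.csv' -NoTypeInformation
```

Machines that report "On" but with only a recovery-password protector and no TPM protector are worth a second look, since the KeyProtectors column makes that visible.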
2. The 3-2-1 Backup Rule — Your Ransomware Insurance
The 3-2-1 rule means three copies of your data, on two different media types, with one copy stored offsite. The Australian Cyber Security Centre (ACSC) explicitly recommends this model as a baseline for organizational resilience. CIS Controls v8 (Control 11: Data Recovery) requires establishing and maintaining a data recovery process with tested backup integrity.
What the architecture looks like for an SMB:
| Copy | Media | Location | Tool | Monthly Cost |
|---|---|---|---|---|
| Primary | Production storage (NAS/SAN) | On-premises | Your existing infrastructure | $0 |
| Secondary | External hard drive or separate NAS | On-premises, physically separate | Veeam Backup Free Edition | $0 |
| Tertiary | Cloud object storage | Offsite/different region | Backblaze B2 ($6/TB) or Wasabi ($6.99/TB) | $6–$30 |
Tools to deploy this week:
- Veeam Backup & Replication Community Edition (free for up to 10 instances): Protects VMware, Hyper-V, and physical servers. Set up a backup job with a 30-day retention policy, and enable built-in backup verification (SureBackup) to confirm restores actually work.
- Backblaze B2 ($6/TB/month): As your offsite tier, configure Veeam or rclone to push encrypted backups to B2 nightly. Backblaze's S3-compatible API integrates with virtually every backup tool.
- Test your restores: This is the step everyone skips. On Friday, restore a random backup to a test folder and verify file integrity. A backup you cannot restore is not a backup — it is a false sense of security.
Cost estimate: $0–$36/month depending on data volume. A 5 TB environment costs roughly $30/month for cloud offsite storage.
What happens without this: Kyushu Electric Power Co. lost a physical drive containing data on 10.9 million clients — a breach that proper offsite backup and encryption would have rendered harmless. Physical media loss is still a top breach vector.
3. Data Loss Prevention — Stop Sensitive Data from Walking Out the Door
DLP policies prevent sensitive data — customer PII, financial records, intellectual property — from leaving your organization through email, cloud uploads, USB drives, or clipboard transfers. CIS Controls v8 (Control 3: Data Protection) mandates that organizations develop processes to classify, handle, and dispose of sensitive data throughout its lifecycle.
DLP tools that fit SMB budgets:
- Microsoft Purview DLP (included in Microsoft 365 E3/Business Premium, ~$22/user/month): If you already use M365, you have DLP capabilities you may not be using. Start by enabling default policies for credit card numbers and Social Security numbers in Exchange Online, SharePoint, and OneDrive. Configure endpoint DLP to block USB transfers of labeled documents.
- Varonis DatAdvantage (starts around $150/month for small deployments): Maps who has access to what, flags overexposed sensitive data, and detects anomalous data access patterns. Its data classification engine automatically tags PII, PHI, and financial data across file servers and cloud storage.
Deploy this week:
- Classify your sensitive data first. You cannot protect what you cannot identify. Use Microsoft Purview's trainable classifiers or Varonis's automated scanning to tag documents containing PII, payment data, and credentials.
- Enable one DLP policy. Start with blocking outbound emails containing credit card numbers. Monitor mode first (log only), then enforce after a week of tuning.
- Restrict removable media. Use Group Policy to deny write access to USB mass storage on all machines that do not explicitly require it. This alone blocks many exfiltration paths.
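A verification script for the removable-media step, added here and not part of the original post. It reads the registry location that the Group Policy setting "Removable Disks: Deny write access" writes to and reports whether the machine is compliant; the -Apply switch writes the same value locally for machines that are not domain-joined. The device-class GUID is the one that policy uses; the output format is my own.

```powershell
# Added example, not part of the original post. Verifies (and, for machines outside
# the domain, applies) the "Removable Disks: Deny write access" policy setting.
# On domain-joined machines let the GPO write this value; use the script only to
# confirm it actually landed on non-exempt hosts. -Apply needs an elevated prompt.
param([switch]$Apply)

$removableDiskClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # device class for removable disks
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$removableDiskClass"

function Test-RemovableWriteDenied {
    # Returns $true only when Deny_Write exists and is set to 1.
    $value = Get-ItemProperty -Path $policyKey -Name Deny_Write -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Deny_Write -eq 1)
}

function Set-RemovableWriteDenied {
    # Local equivalent of enabling the GPO setting.
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name Deny_Write -Value 1 -Type DWord
}

if ($Apply -and -not (Test-RemovableWriteDenied)) { Set-RemovableWriteDenied }

# One record per machine, suitable for collecting over Invoke-Command into a CSV.
[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Policy    = 'Removable Disks: Deny write access'
    State     = if (Test-RemovableWriteDenied) { 'Compliant' } else { 'NonCompliant' }
    CheckedAt = (Get-Date).ToString('s')
}
```

Exempt machines are handled by security filtering on the GPO itself, not by this script, so a NonCompliant result on an exempt host is expected.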
Cost estimate: $0 if you have Microsoft 365 Business Premium. $150–$200/month for dedicated DLP/classification tools like Varonis for a small environment.
4. Access Controls — Least Privilege Is Not Optional
The Oracle PeopleSoft zero-day (CVE-2026-35273) enabled unauthenticated remote code execution for data theft attacks. The Nottingham University breach exposing 450,000 student records involved attackers gaining access to student records systems. Both incidents share a root cause: excessive access and inadequate segmentation.
The framework to implement this week:
- Enforce least privilege: Audit every account with admin rights. Remove local admin from standard user workstations. Use Microsoft's Local Administrator Password Solution (LAPS, free) to randomize and manage local admin passwords.
- Segment access by role: Finance does not need access to engineering source code. HR does not need access to production databases. Use Active Directory security groups to enforce boundaries, and review quarterly.
- Enable multi-factor authentication everywhere: Azure AD Conditional Access, Duo (free for up to 10 users), or any TOTP-based MFA. Prioritize VPN, email, and admin consoles. CIS Controls v8 IG1 (Safeguard 6.3) requires MFA for all externally exposed applications.
- Kill dormant accounts: Disable any account that has not logged in for 30 days. Delete after 90 days. Orphaned accounts are low-hanging fruit for attackers.
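The dormant-account sweep from the last item, as an added example that is not code from the original post. It runs in two stages, disabling after 30 days of inactivity and deleting only accounts that this sweep itself disabled once they pass 90 days, so accounts disabled deliberately for other reasons are never touched. It assumes the RSAT ActiveDirectory module, a placeholder OU to scope the sweep, and runs with -WhatIf until you remove it.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module and rights to modify user objects in the target OU. Runs in -WhatIf mode;
# remove -WhatIf once the review output looks right.
Import-Module ActiveDirectory

$userOU       = 'OU=Users,DC=example,DC=local'        # placeholder: scope the sweep, keep service accounts elsewhere
$disableAfter = New-TimeSpan -Days 30
$deleteAfter  = New-TimeSpan -Days 90
$stampPrefix  = 'Dormancy-sweep disabled'
$stamp        = "$stampPrefix {0:yyyy-MM-dd}" -f (Get-Date)

# Caveat: Search-ADAccount uses lastLogonTimestamp, which replicates with up to 14 days
# of lag, so treat the 30-day figure as approximate and review the list before enforcing.

# Stage 1: enabled users with no logon in 30 days get stamped (so stage 2 can tell
# them apart from deliberate disables) and then disabled.
$dormant = Search-ADAccount -AccountInactive -TimeSpan $disableAfter -UsersOnly -SearchBase $userOU |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate

foreach ($u in $dormant) {
    Write-Output ("DISABLE {0,-20} last logon {1}" -f $u.SamAccountName, $u.LastLogonDate)
    Set-ADUser -Identity $u -Description $stamp -WhatIf
    Disable-ADAccount -Identity $u -WhatIf
}

# Stage 2: only accounts carrying the sweep stamp, now inactive for 90+ days, are deleted.
$stale = Search-ADAccount -AccountInactive -TimeSpan $deleteAfter -UsersOnly -SearchBase $userOU |
    Where-Object { -not $_.Enabled } |
    Get-ADUser -Properties Description |
    Where-Object { $_.Description -like "$stampPrefix*" }

foreach ($u in $stale) {
    Write-Output ("DELETE  {0,-20} {1}" -f $u.SamAccountName, $u.Description)
    Remove-ADUser -Identity $u -WhatIf
}
```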
Cost estimate: $0 for LAPS and Duo Free. M365 Conditional Access is included in Business Premium ($22/user/month).
Quick-Win Checklist: This Week's Action Items
- Monday: Run `manage-bde -status` on all Windows endpoints. Encrypt every machine showing "Off."
- Monday: Enable FileVault on all macOS devices. Escrow recovery keys.
- Tuesday: Install Veeam Community Edition. Create your first backup job with 30-day retention. Enable backup verification.
- Tuesday: Sign up for Backblaze B2. Configure nightly offsite backup sync.
- Wednesday: Restore a random file from yesterday's backup to a test location. Verify it opens correctly.
- Wednesday: Run Microsoft Purview's data classification scan across SharePoint and OneDrive. Review flagged documents.
- Thursday: Enable one DLP policy in monitor mode (credit card detection in outbound email).
- Thursday: Disable USB mass storage write access via Group Policy on non-exempt machines.
- Friday: Audit all accounts with domain admin or local admin rights. Remove access that is not justified.
- Friday: Enable MFA on all externally facing services (VPN, email, admin portals).
- Friday: Disable accounts inactive for 30+ days.
FAQ
How much does a basic data protection setup cost for a 25-person business?
For a 25-person SMB already using Microsoft 365 Business Premium ($22/user/month = $550/month), the incremental cost is close to zero. BitLocker, FileVault, Purview DLP, Conditional Access, and MFA are all included. Add Backblaze B2 for offsite backups at roughly $15–$30/month depending on data volume. Veeam Community Edition is free. Total additional spend: $15–$30/month.
What if we do not use Microsoft 365?
Use VeraCrypt (free) for encryption, Veeam Community Edition (free) for backups, Backblaze B2 ($6/TB) for offsite storage, and Duo Free (up to 10 users) for MFA. For DLP without Purview, consider Forcepoint DLP or Digital Guardian's endpoint agent, though costs rise to $15–$30/user/month. The open-source tool OpenDLP can handle basic data discovery at no cost.
How often should we test backup restores?
At minimum once per quarter for a full recovery test, and weekly automated verification using Veeam's SureBackup or equivalent. NIST and ACSC both recommend testing backup integrity after any significant infrastructure change. If you cannot restore from backup, you do not have a backup — you have a prayer.
Is full disk encryption enough, or do we need file-level encryption too?
Full disk encryption protects against physical theft or loss — the device scenario behind the Kyushu Electric breach. File-level or folder-level encryption adds protection against attacks where an attacker gains authenticated access to a running system. For regulated data (HIPAA, PCI DSS), layer both: BitLocker for the disk, and file-level encryption (VeraCrypt volumes or Azure Information Protection) for sensitive folders.
Conclusion
The breaches in this week's news cycle — 10.9 million records from a lost drive, a $409 million regulatory fine, a zero-day enabling data theft — share a common thread. They exploited gaps in encryption, backup, data classification, or access control. The four pillars in this playbook are not theoretical. They are deployable this week, mostly with tools you already own, at a cost that rounds to zero for most SMBs.
Start with the checklist. Encrypt every endpoint tonight. Verify your backup restore tomorrow. Classify your sensitive data by Wednesday. Lock down access by Friday. The difference between organizations that survive a breach and those that do not is rarely budget — it is whether the basics were actually implemented before the incident occurred.
Visit consult.lil.business for a free cybersecurity assessment and get a customized data protection roadmap for your organization.
References
- NIST SP 800-111: Guide to Storage Encryption Technologies for End User Devices — Foundational guidance on full disk, volume, and file/folder encryption for endpoint protection.
- CIS Critical Security Controls v8.1 — Prioritized safeguards including Control 3 (Data Protection) and Control 11 (Data Recovery) with implementation groups for SMBs.
- ACSC Cyber Security Principles — Essential Eight — Australian government's prioritized mitigation strategies including daily backups and application control.
- Oracle PeopleSoft Security Advisory — CVE-2026-35273 — Vendor advisory for the actively exploited PeopleSoft zero-day enabling unauthenticated remote code execution.